vxCube — Report

Behavior

malicious
- Creating a process from a recently created file
- Enabling autorun with system ini files
- Sending an HTTP POST request to a potentially dangerous server
suspicious
- Sending an HTTP GET request
- Launching a file downloaded from the Internet
- Forced shutdown of a system process
- Unauthorized injection to a system process
- Stealing user critical data
- Connection attempt to a potentially dangerous server
neutral
- Creating a window
- Launching a process
- DNS request
- Creating a file in the %AppData% directory
- Creating a file in the %temp% directory
- Creating a file
- Delayed writing of the file
- Launching cmd.exe command interpreter
- Deleting a recently created file
- Reading critical registry keys
- Launching a service
- Changing a file
- Replacing files
- Creating a file in the %AppData% subdirectories
- Enabling the 'hidden' option for recently created files

Process graph

sample

known threat

process creation

injection

web query

RPC request

1

100

process maliciousness

PID: 2948
Full path: %ProgramFiles%\microsoft office\office14\excel.exe
Run parameters: /dde
Behavior: Creating a window

PID: 552
Full path: <SYSTEM32>\svchost.exe
Run parameters: -k DcomLaunch
Behavior: Launching a process

PID: 276
Full path: <SYSTEM32>\svchost.exe
Run parameters: -k NetworkService
Behavior: DNS request

PID: 1396
Full path: %CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe
Run parameters: -Embedding
Behavior: Sending an HTTP GET request, Creating a file in the %AppData% directory, Launching a file downloaded from the Internet, Creating a process from a recently created file

PID: 1392
Full path: %APPDATA%\vbc.exe
Behavior: Creating a file in the %temp% directory, Creating a file, Creating a process from a recently created file, Deleting a recently created file

PID: 2624
Full path: %TEMP%\norway.exe
Behavior: Enabling autorun with system ini files, Delayed writing of the file, Forced shutdown of a system process, Unauthorized injection to a system process, Launching cmd.exe command interpreter

PID: 1072
Full path: %WINDIR%\syswow64\cmd.exe
Run parameters: "<SYSTEM32>\cmd.exe"
Behavior: Reading critical registry keys, Stealing user critical data, Changing a file, Replacing files, Connection attempt to a potentially dangerous server, Sending an HTTP POST request to a potentially dangerous server, Creating a file in the %AppData% subdirectories, Deleting a recently created file, Enabling the 'hidden' option for recently created files

PID: 412
Full path: <SYSTEM32>\services.exe
Behavior: Launching a service

PID: 428
Full path: <SYSTEM32>\lsass.exe
Behavior: Creating a file

PID: 1320
Full path: %WINDIR%\syswow64\cmd.exe
Behavior

PID: 1028
Full path: %WINDIR%\explorer.exe
Behavior

PID: 332
Full path: <SYSTEM32>\wininit.exe
Behavior

Address: <DNS_SERVER> (8.8.8.8)
Port: 53
Protocol level: Transport: UDP, Application: DNS
Query: ASK nationafourlindustrialandgooglednsline.duckdns.org

Address: nationafourlindustrialandgooglednsline.duckdns.org (23.249.162.173)
Port: 80
Protocol level: Transport: TCP, Application: HTTP
URL: GET http://nationafourlindustrialandgooglednsline.duckdns.org/secure/vbc.exe

Address: 107.175.150.73
Port: 80
Protocol level: Transport: TCP, Application: HTTP
URL: POST http://107.175.150.73/~giftioz/.golob/fre.php

← Previous connection Next connection →

Address: 107.175.150.73
Port: 80
Protocol level: Transport: TCP, Application: HTTP
URL: POST http://107.175.150.73/~giftioz/.golob/fre.php

← Previous connection Next connection →

Address: 107.175.150.73
Port: 80
Protocol level: Transport: TCP, Application: HTTP
URL: POST http://107.175.150.73/~giftioz/.golob/fre.php

← Previous connection Next connection →

Description

To ensure autorun and distribution

Creates or modifies the following files

%WINDIR%\win.ini

Malicious functions

Creates and executes the following

'' (downloaded from the Internet)

Creates and executes the following (exploit)

'%APPDATA%\vbc.exe'

Injects code into

the following system processes:

%WINDIR%\syswow64\cmd.exe

Terminates or attempts to terminate

the following system processes:

%WINDIR%\syswow64\cmd.exe

Reads files which store third party applications passwords

%APPDATA%\opera software\opera stable\login data
%APPDATA%\thunderbird\profiles.ini

Modifies file system

Creates the following files

%APPDATA%\vbc.exe
%TEMP%\$rptsprg9mref
%TEMP%\relax-ng-compact-syntax.xml
%TEMP%\trapezium
%TEMP%\norway.exe
%TEMP%\whorehouse.dll
%TEMP%\nsze666.tmp\userinfo.dll
%PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
%PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
%PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
%LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
%APPDATA%\e6f983\35a09b.hdb
%APPDATA%\e6f983\35a09b.lck
%APPDATA%\e6f983\35a09b.exe

Sets the 'hidden' attribute to the following files

%APPDATA%\e6f983\35a09b.exe

Deletes the following files

%TEMP%\nsze666.tmp\userinfo.dll
%APPDATA%\e6f983\35a09b.lck

Substitutes the following files

%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1960123792-2022915161-3775307078-1001\f58155b4b1d5a524ca0261c3ee99fb50_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee

Network activity

Connects to

'107.175.150.73':80

TCP

HTTP GET requests

http://nationafourlindustrialandgooglednsline.duckdns.org/secure/vbc.exe

HTTP POST requests

http://107.175.150.73/~giftioz/.golob/fre.php

UDP

DNS ASK nationafourlindustrialandgooglednsline.duckdns.org

Miscellaneous

Creates and executes the following

'%TEMP%\norway.exe'

Executes the following

'%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe' -Embedding
'%WINDIR%\syswow64\cmd.exe'

Created files [0]
Dumps [0]

Path	SHA1	Detected

File name	SHA1	PID	Detected

API log [0]

show all

Time	Process	Event	Arguments

Network activity map

less than 5 connections

5-10 connections

more than 10 connections

Protocol	Address	Application level data