IOCReport


Files

File Path | Type | Category | Malicious
Sign-1870635479_637332644.xls | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Feb 19 10:48:36 2021, Security: 0 | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | downloaded | malicious
C:\Users\user\BASE.BABAA | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | Microsoft Cabinet archive data, 59134 bytes, 1 file | dropped | clean
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A | data | dropped | clean
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | data | dropped | clean
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A | data | dropped | clean
C:\Users\user\AppData\Local\Temp\B7DE0000 | data | dropped | clean
C:\Users\user\AppData\Local\Temp\Cab563C.tmp | Microsoft Cabinet archive data, 59134 bytes, 1 file | dropped | clean
C:\Users\user\AppData\Local\Temp\Tar563D.tmp | data | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sat Feb 20 16:47:41 2021, atime=Sat Feb 20 16:47:41 2021, length=12288, window=hide | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Sign-1870635479_637332644.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Sat Feb 20 16:47:41 2021, atime=Sat Feb 20 16:47:41 2021, length=168448, window=hide | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Roaming\QNetMonitor3154395120\AlternateServices.txt | ASCII text, with very long lines, with CRLF line terminators | modified | clean
C:\Users\user\Desktop\EADE0000 | Applesoft BASIC program data, first line number 16 | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding | malicious
C:\Windows\System32\rundll32.exe | rundll32 ..\BASE.BABAA,DllRegisterServer | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32 ..\BASE.BABAA,DllRegisterServer | malicious
C:\Windows\System32\wermgr.exe | C:\Windows\system32\wermgr.exe | malicious
C:\Windows\System32\wermgr.exe | C:\Windows\system32\wermgr.exe | malicious
C:\Windows\System32\rundll32.exe | C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor3154395120\ujBASEmc.rrd',DllRegisterServer | malicious
C:\Windows\System32\taskeng.exe | taskeng.exe {C999D15C-7BEE-4793-989A-0EF4E6A22007} S-1-5-18:NT AUTHORITY\System:Service: | clean

URLs

Name | IP | Malicious
http://www.chipmania.it/mails/open.php | 185.81.0.78 | malicious
http://www.windows.com/pctv. | unknown | clean
http://investor.msn.com | unknown | clean
http://www.msnbc.com/news/ticker.txt | unknown | clean
http://crl.entrust.net/server1.crl0 | unknown | clean
https://ident.me/ | unknown | clean
http://cps.letsencrypt.org0 | unknown | clean
http://ocsp.entrust.net03 | unknown | clean
http://crl.microsofv | unknown | clean
https://193.8.194.96/rob60/134349_W617601.1D7953BB38B5711FB702EBB79BB8BAD5/14/NAT%20status/client%20 | unknown | clean
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | unknown | clean
http://www.diginotar.nl/cps/pkioverheid0 | unknown | clean
http://r3.i.lencr.org/0; | unknown | clean
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | unknown | clean
http://www.hotmail.com/oe | unknown | clean
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | unknown | clean
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | unknown | clean
http://www.icra.org/vocabulary/. | unknown | clean
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | unknown | clean
https://103.233.118.34:447/rob60/134349_W617601.1D7953BB38B5711FB702EBB79BB8BAD5/5/pwgrab64/ | unknown | clean
http://investor.msn.com/ | unknown | clean
https://103.220.47.220:447/rob60/134349_W617601.1D7953BB38B5711FB702EBB79BB8BAD5/5/pwgrab64/ | unknown | clean
https://45.155.173.242/rob60/134349_W617601.1D7953BB38B5711FB702EBB79BB8BAD5/5/file/ | unknown | clean
http://r3.o.lencr.org0 | unknown | clean
http://www.%s.comPA | unknown | clean
http://ocsp.entrust.net0D | unknown | clean
https://secure.comodo.com/CPS0 | unknown | clean
http://servername/isapibackend.dll | unknown | clean
http://crl.entrust.net/2048ca.crl0 | unknown | clean
http://cps.root-x1.letsencrypt.org0 | unknown | clean

Domains

Name | IP | Malicious
ident.me | 176.58.123.25 | clean
chipmania.it | 185.81.0.78 | clean
38.52.17.84.zen.spamhaus.org | unknown | clean
38.52.17.84.cbl.abuseat.org | unknown | clean
38.52.17.84.dnsbl-1.uceprotect.net | unknown | clean
www.chipmania.it | unknown | clean
38.52.17.84.b.barracudacentral.org | unknown | clean
38.52.17.84.spam.dnsbl.sorbs.net | unknown | clean

IPs

IP | Domain | Country | Active | Malicious
45.155.173.242 | unknown | Germany | unknown | malicious
5.202.150.151 | unknown | Iran (ISLAMIC Republic Of) | unknown | malicious
193.8.194.96 | unknown | United Kingdom | unknown | malicious
185.81.0.78 | unknown | Italy | unknown | clean
194.5.249.156 | unknown | Romania | unknown | clean
103.220.47.220 | unknown | Indonesia | unknown | clean
176.58.123.25 | unknown | United Kingdom | unknown | clean

Registry

Path | Value | Malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ya1 | clean