IOCReport

loading gif

Files

File Path
Type
Category
Malicious
LIQUIDACION INTERBANCARIA 02_22_2021.xls
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Dexter MORGAN, Last Saved By: HP PC, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 3 22:00:53 2020, Last Saved Time/Date: Mon Feb 22 09:51:33 2021, Security: 0
initial sample
malicious
C:\ProgramData\a.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
modified
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
downloaded
malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a.exe.log
ASCII text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5
XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
dropped
clean
C:\Users\user\AppData\Local\Temp\44D40000
data
dropped
clean
C:\Users\user\AppData\Local\Temp\499262.js
ASCII text, with no line terminators
dropped
clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0trfj0zt.2gs.psm1
very short file (no magic)
dropped
clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pmghts1r.j24.ps1
very short file (no magic)
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Mon Feb 22 18:34:51 2021, atime=Mon Feb 22 18:34:51 2021, length=8192, window=hide
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\LIQUIDACION INTERBANCARIA 02_22_2021.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:54 2020, mtime=Mon Feb 22 18:34:51 2021, atime=Mon Feb 22 18:34:51 2021, length=783360, window=hide
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
ASCII text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Little-endian UTF-16 Unicode text, with CR line terminators
dropped
clean
C:\Users\user\Documents\20210222\PowerShell_transcript.715575.WxOfaCb9.20210222203513.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Temp\7AEE0000
data
dropped
clean
There are 6 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
malicious
C:\ProgramData\a.exe
C:\PROGRAMDATA\a.exe
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
malicious
C:\Windows\SysWOW64\wscript.exe
'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
malicious
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
malicious
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
malicious
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
malicious
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
malicious
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
clean
C:\Windows\SysWOW64\timeout.exe
timeout 4
clean
There are 3 hidden processes, click here to show them.

URLs

Name
IP
Malicious
http://pastex.pro
unknown
malicious
https://api.diagnosticssdf.office.com
unknown
clean
https://login.microsoftonline.com/
unknown
clean
https://shell.suite.office.com:1443
unknown
clean
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
unknown
clean
http://us2.smtp.mailhostbox.com
unknown
clean
https://autodiscover-s.outlook.com/
unknown
clean
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
unknown
clean
https://cdn.entity.
unknown
clean
https://api.addins.omex.office.net/appinfo/query
unknown
clean
https://wus2-000.contentsync.
unknown
clean
https://clients.config.office.net/user/v1.0/tenantassociationkey
unknown
clean
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
unknown
clean
https://powerlift.acompli.net
unknown
clean
https://rpsticket.partnerservices.getmicrosoftkey.com
unknown
clean
https://lookup.onenote.com/lookup/geolocation/v1
unknown
clean
https://cortana.ai
unknown
clean
http://www.fontbureau.com/designers
unknown
clean
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
unknown
clean
https://cloudfiles.onenote.com/upload.aspx
unknown
clean
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
unknown
clean
https://entitlement.diagnosticssdf.office.com
unknown
clean
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
unknown
clean
https://api.aadrm.com/
unknown
clean
http://www.sajatypeworks.com
unknown
clean