IOCReport


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| 0708_3355614568218.doc | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Mr.Administrator, Template: Normal.dotm, Last Saved By: MyPc, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Jul 7 12:34:00 2021, Last Saved Time/Date: Wed Jul 7 12:34:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0 | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\nimb.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\ProgramData\kaosdma.txt | ASCII text, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\VFZ0HUO0.txt | ASCII text, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2581227F.emf | Windows Enhanced Metafile (EMF) image data version 0x10000 | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AE9CCB3-349E-46EF-BF24-C3A751787722}.tmp | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\msohtmlclip1\01\clip_colorschememapping.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\msohtmlclip1\01\clip_image001.emz | gzip compressed data, max speed, from NTFS filesystem (NT) | dropped | clean |
| C:\Users\user\AppData\Local\Temp\msohtmlclip1\01\clip_image002.png | PNG image data, 1 x 1, 1-bit grayscale, non-interlaced | modified | clean |
| C:\Users\user\AppData\Local\Temp\msohtmlclip1\01\clip_themedata.thmx | Microsoft OOXML | dropped | clean |
| C:\Users\user\AppData\Local\Temp\nimb.dll:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\0708_3355614568218.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Fri Jul 9 09:06:34 2021, length=900096, window=hide | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat | ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | data | dropped | clean |
| C:\Users\user\Desktop\~$08_3355614568218.doc | data | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding | malicious |
| C:\Windows\System32\rundll32.exe | 'C:\Windows\System32\rundll32.exe' c:\users\user\appdata\roaming\microsoft\templates\niberius.dll,ONOQWPYIEIR | malicious |
| C:\Windows\SysWOW64\rundll32.exe | 'C:\Windows\System32\rundll32.exe' c:\users\user\appdata\roaming\microsoft\templates\niberius.dll,ONOQWPYIEIR | malicious |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\System32\svchost.exe | malicious |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://srand04rf.ru/7hfjsdfjks.exe | 8.211.241.0 | malicious |
| http://sudepallon.com/8/forum.php | 77.222.42.67 | malicious |
| http://thentabecon.ru/8/forum.php | | malicious |
| http://anspossthrly.ru/8/forum.php | | malicious |
| http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | unknown | clean |
| http://www.windows.com/pctv. | unknown | clean |
| http://investor.msn.com | unknown | clean |
| http://www.msnbc.com/news/ticker.txt | unknown | clean |
| http://www.icra.org/vocabulary/. | unknown | clean |
| http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | unknown | clean |
| http://api.ipify.org0.0.0.0ncdrlebGUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)GUID | unknown | clean |
| http://investor.msn.com/ | unknown | clean |
| http://api.ipify.org/ | 50.19.92.227 | clean |
| http://www.%s.comPA | unknown | clean |
| http://windowsmedia.com/redir/services.asp?WMPFriendly=true | unknown | clean |
| http://www.hotmail.com/oe | unknown | clean |
| http://api.ipify.org/?format=xml | 23.21.211.162 | clean |
| http://api.ipify.org | unknown | clean |

Domains

| Name | IP | Malicious |
|---|---|---|
| srand04rf.ru | 8.211.241.0 | malicious |
| pospvisis.com | 95.213.179.67 | malicious |
| sudepallon.com | 77.222.42.67 | malicious |
| elb097307-934924932.us-east-1.elb.amazonaws.com | 50.19.92.227 | clean |
| api.ipify.org | unknown | clean |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 77.222.42.67 | sudepallon.com | Russian Federation | malicious |
| 8.211.241.0 | srand04rf.ru | Singapore | malicious |
| 23.21.211.162 | unknown | United States | malicious |
| 95.213.179.67 | pospvisis.com | Russian Federation | malicious |
| 50.19.92.227 | elb097307-934924932.us-east-1.elb.amazonaws.com | United States | clean |

Registry

| Path | Value | Malicious |
|---|---|---|
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | 8x9 | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | MTTT | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | ay9 | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | %{9 | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | VBAFiles | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | ReviewToken | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | EC84E | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | FontCachePath | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @Arial Unicode MS | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @Batang | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @BatangChe | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @DFKai-SB | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @Dotum | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @DotumChe | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @FangSong | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @Gulim | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @GulimChe | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @Gungsuh | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @GungsuhChe | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @KaiTi | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @Malgun Gothic | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @Meiryo | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @Meiryo UI | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @Microsoft JhengHei | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @Microsoft YaHei | clean |
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | @MingLiU | |