IOC Report

Files

| File Path | Type | Category | Malicious |
| --- | --- | --- | --- |
| CompensationClaim-1033191014-09282021.xls | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Tue Sep 28 08:54:40 2021, Security: 0 | initial sample | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.9218096065[1].dat | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\Drezd.red | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd | data | dropped | clean |

Processes

| Path | Cmdline | Malicious |
| --- | --- | --- |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding | malicious |
| C:\Windows\System32\regsvr32.exe | regsvr32 -silent ..\Drezd.red | malicious |
| C:\Windows\SysWOW64\regsvr32.exe | -silent ..\Drezd.red | malicious |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | malicious |
| C:\Windows\System32\regsvr32.exe | regsvr32 -silent ..\Drezd1.red | malicious |
| C:\Windows\SysWOW64\schtasks.exe | 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pajjxwey /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:10 /ET 22:22 | malicious |
| C:\Windows\System32\regsvr32.exe | regsvr32 -silent ..\Drezd2.red | malicious |
| C:\Windows\System32\regsvr32.exe | regsvr32.exe -s 'C:\Users\user\Drezd.red' | malicious |
| C:\Windows\SysWOW64\regsvr32.exe | -s 'C:\Users\user\Drezd.red' | malicious |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | malicious |
| C:\Windows\System32\reg.exe | C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Ciwuywu' /d '0' | malicious |
| C:\Windows\System32\reg.exe | C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uvelq' /d '0' | malicious |
| C:\Windows\System32\regsvr32.exe | regsvr32.exe -s 'C:\Users\user\Drezd.red' | malicious |
| C:\Windows\SysWOW64\regsvr32.exe | -s 'C:\Users\user\Drezd.red' | malicious |

URLs

| Name | IP | Malicious |
| --- | --- | --- |
| http://www.%s.comPA | unknown | clean |
| http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | unknown | clean |
| http://190.14.37.187/44467.9218096065.dat | 190.14.37.187 | clean |
| http://servername/isapibackend.dll | unknown | clean |

IPs

| IP | Domain | Country | Malicious |
| --- | --- | --- | --- |
| 185.141.27.213 | unknown | Netherlands | clean |
| 190.14.37.187 | unknown | Panama | clean |
| 94.140.112.126 | unknown | Latvia | clean |

Registry

| Path | Value | Malicious |
| --- | --- | --- |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | f. | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | MTTT | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | VBAFiles | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle | ReviewToken | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2EDE7 | 2EDE7 | clean |