IOC Report


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| Document_748968552-10062021.xls | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Wed Oct 6 08:51:31 2021, Security: 0 | initial sample | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44475.7050777778[1].dat | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44475.7050777778[2].dat | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44475.7050777778[3].dat | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\Celod.wac | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\Celod.wac1 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\Celod.wac2 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd | data | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding | malicious |
| C:\Windows\System32\regsvr32.exe | regsvr32 -silent ..\Celod.wac | malicious |
| C:\Windows\SysWOW64\regsvr32.exe | -silent ..\Celod.wac | malicious |
| C:\Windows\System32\regsvr32.exe | regsvr32 -silent ..\Celod.wac1 | malicious |
| C:\Windows\SysWOW64\regsvr32.exe | -silent ..\Celod.wac1 | malicious |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | malicious |
| C:\Windows\SysWOW64\schtasks.exe | 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn kzlufjnad /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac\'' /SC ONCE /Z /ST 16:57 /ET 17:09 | malicious |
| C:\Windows\System32\regsvr32.exe | regsvr32.exe -s 'C:\Users\user\Celod.wac' | malicious |
| C:\Windows\SysWOW64\regsvr32.exe | -s 'C:\Users\user\Celod.wac' | malicious |
| C:\Windows\System32\regsvr32.exe | regsvr32 -silent ..\Celod.wac2 | malicious |
| C:\Windows\SysWOW64\regsvr32.exe | -silent ..\Celod.wac2 | malicious |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | malicious |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | malicious |
| C:\Windows\System32\reg.exe | C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Fmjlcuic' /d '0' | malicious |
| C:\Windows\System32\reg.exe | C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Adbwawqor' /d '0' | malicious |
| C:\Windows\System32\regsvr32.exe | regsvr32.exe -s 'C:\Users\user\Celod.wac' | malicious |
| C:\Windows\SysWOW64\regsvr32.exe | -s 'C:\Users\user\Celod.wac' | malicious |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | malicious |

8 further processes are hidden in the original report.

URLs

| Name | IP | Malicious |
|---|---|---|
| http://188.165.62.50/44475.7050777778.dat | 188.165.62.50 | clean |
| http://190.14.37.107/44475.7050777778.dat | 190.14.37.107 | clean |
| http://www.%s.comPA | unknown | clean |
| http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | unknown | clean |
| http://94.140.114.111/44475.7050777778.dat | 94.140.114.111 | clean |
| http://servername/isapibackend.dll | unknown | clean |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 94.140.114.111 | unknown | Latvia | clean |
| 190.14.37.107 | unknown | Panama | clean |
| 188.165.62.50 | unknown | France | clean |

Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | ar* | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | MTTT | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | VBAFiles | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle | ReviewToken | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2D9DB | 2D9DB | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B1FBDDBF-6DF4-4984-82DD-F1F5F37504FD}\2.0 | NULL | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B1FBDDBF-6DF4-4984-82DD-F1F5F37504FD}\2.0\FLAGS | NULL | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B1FBDDBF-6DF4-4984-82DD-F1F5F37504FD}\2.0\0\win32 | NULL | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B1FBDDBF-6DF4-4984-82DD-F1F5F37504FD}\2.0\HELPDIR | NULL | clean |
| HKEY_CURRENT_USER_CLASSES\TypeLib\{B1FBDDBF-6DF4-4984-82DD-F1F5F37504FD}\2.0 | NULL | clean |
| HKEY_CURRENT_USER_CLASSES\TypeLib\{B1FBDDBF-6DF4-4984-82DD-F1F5F37504FD}\2.0\FLAGS | NULL | clean |
| HKEY_CURRENT_USER_CLASSES\TypeLib\{B1FBDDBF-6DF4-4984-82DD-F1F5F37504FD}\2.0\0\win32 | NULL | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B1FBDDBF-6DF4-4984-82DD-F1F5F37504FD}\2.0\HELPDIR | NULL | clean |
| HKEY_CURRENT_USER_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} | NULL | clean |
| HKEY_CURRENT_USER_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} | NULL | clean |
| HKEY_CURRENT_USER_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} | NULL | clean |
| HKEY_CURRENT_USER_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} | NULL | |