IOC Report


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| sale order.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Windows\System32\drivers\etc\hosts | ASCII text, with CRLF line terminators | modified | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXLun.exe.log | ASCII text, with CRLF line terminators | modified | clean |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sale order.exe.log | ASCII text, with CRLF line terminators | dropped | clean |
| \Device\ConDrv | ASCII text, with CRLF line terminators | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\sale order.exe | 'C:\Users\user\Desktop\sale order.exe' | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | malicious |
| C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' | malicious |
| C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://127.0.0.1:HTTP/1.1 | unknown | clean |
| http://www.fontbureau.com/designersG | unknown | clean |
| http://www.fontbureau.com/designers/? | unknown | clean |
| http://www.founder.com.cn/cn/bThe | unknown | clean |
| https://certs.starfieldtech.com/repository/0 | unknown | clean |
| http://certificates.starfieldtech.com/repository/0 | unknown | clean |
| http://www.fontbureau.com/designers? | unknown | clean |
| http://crl.starfieldtech.com/sfig2s1-169.crl0c | unknown | clean |
| http://www.tiro.com | unknown | clean |
| http://eOPeED.com | unknown | clean |
| http://ocsp.starfieldtech.com/0; | unknown | clean |
| http://www.fontbureau.com/designers | unknown | clean |
| http://www.goodfont.co.kr | unknown | clean |
| http://www.collada.org/2005/11/COLLADASchema9Done | unknown | clean |
| http://ocsp.starfieldtech.com/0F | unknown | clean |
| http://www.sajatypeworks.com | unknown | clean |
| http://www.typography.netD | unknown | clean |
| http://www.founder.com.cn/cn/cThe | unknown | clean |
| http://www.galapagosdesign.com/staff/dennis.htm | unknown | clean |
| http://fontfabrik.com | unknown | clean |
| http://www.founder.com.cn/cn/c | unknown | clean |
| http://crl.microsoft.co | unknown | clean |
| http://www.galapagosdesign.com/DPlease | unknown | clean |
| https://92rgATMXZYKxK.net | unknown | clean |
| https://api.ipify.org%GETMozilla/5.0 | unknown | clean |
| http://www.fonts.com | unknown | clean |
| http://www.sandoll.co.kr | unknown | clean |
| http://www.urwpp.deDPlease | unknown | clean |
| http://www.zhongyicts.com.cn | unknown | clean |
| http://crl.starfieldtech.co | unknown | clean |
| http://www.sakkal.com | unknown | clean |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | unknown | clean |
| http://www.apache.org/licenses/LICENSE-2.0 | unknown | clean |
| http://www.fontbureau.com | unknown | clean |
| http://DynDns.comDynDNS | unknown | clean |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | unknown | clean |
| http://certs.starfieldtech.com/repository/1402 | unknown | clean |
| http://crl.starfieldtech.com/sfroot-g2.crl0L | unknown | clean |
| http://www.tiro.comn | unknown | clean |
| http://sg2plcpnl0023.prod.sin2.secureserver.net | unknown | clean |
| https://api.ipify.org%$ | unknown | clean |
| http://www.carterandcone.coml | unknown | clean |
| http://www.fontbureau.com/designers/cabarga.htmlN | unknown | clean |
| http://www.founder.com.cn/cn | unknown | clean |
| http://www.fontbureau.com/designers/frere-jones.html | unknown | clean |
| http://www.fontbureau.comm | unknown | clean |
| http://www.jiyu-kobo.co.jp/ | unknown | clean |
| http://certs.starfieldtech.com/reposi | unknown | clean |
| http://www.fontbureau.como | unknown | clean |
| http://www.fontbureau.com/designers8 | unknown | clean |
| http://certificates.starfieldtech.com/repository/sfig2.crt0 | unknown | clean |

Domains

| Name | IP | Malicious |
|---|---|---|
| sg2plcpnl0023.prod.sin2.secureserver.net | 182.50.132.92 | clean |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 182.50.132.92 | sg2plcpnl0023.prod.sin2.secureserver.net | Singapore | clean |

Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | NXLun | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run | NXLun | clean |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 40E9000 | unknown | page read and write | malicious |
| 3215000 | unknown | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 2F11000 | unknown | page read and write | malicious |
| 3187000 | unknown | page read and write | malicious |