IOC Report


Files

File Path | Type | Category | Malicious
7165.xlsb | Microsoft Excel 2007+ | initial sample | malicious
C:\ProgramData\HIXhaYv.rtf | HTML document, ASCII text, with very long lines, with CRLF line terminators | dropped | malicious
C:\Users\user\Desktop\~$7165.xlsb | data | dropped | malicious
C:\ProgramData\uLbchwVzJ.txt | ASCII text, with no line terminators | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt | ASCII text, with no line terminators | downloaded | clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1075D7F.png | PNG image data, 256 x 51, 8-bit/color RGB, non-interlaced | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E075974.png | PNG image data, 237 x 336, 8-bit/color RGBA, non-interlaced | dropped | clean
C:\Users\user\AppData\Local\Temp\33DC.tmp | Microsoft Excel 2007+ | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding | malicious
C:\Windows\System32\wbem\WMIC.exe | wmic process call create "mshta C:\ProgramData\HIXhaYv.rtf" | malicious
C:\Windows\System32\mshta.exe | mshta C:\ProgramData\HIXhaYv.rtf | clean
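The three processes above are one chain, not three verdicts: Excel runs WMIC with "process call create", so mshta.exe is started by the WMI provider host (WmiPrvSE.exe) rather than by Excel, and any rule that only looks for an Office process spawning mshta misses it. mshta then executes C:\ProgramData\HIXhaYv.rtf, which the Files table identifies as an HTML document despite the .rtf extension; the cached Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt under Content.IE5 matches the path of the only URL that resolved to an IP. The sandbox's "clean" label on mshta.exe is a per-process verdict and should not be read as a verdict on the chain. The detection logic below is an added example written for this report, not sandbox output: it runs over constructed Sysmon Event ID 1 style records whose command lines are the ones listed above, while the ParentImage values and the two benign filler events are assumptions. It flags WMIC process creation, mshta run against anything that is not *.hta or that lives in a user-writable path, and also inspects the command embedded in the WMIC line so the mshta stage is caught even when the grandchild process event never reaches the SIEM.

```python
"""Detection logic for the Excel -> WMIC -> mshta chain in the Processes table.

Added example for this report, not sandbox output. Events are constructed in
the shape of Sysmon Event ID 1 records (Image, ParentImage, CommandLine). The
command lines of EXCEL.EXE, WMIC.exe and mshta.exe are the ones the report
lists; the ParentImage values and the two benign events are assumptions.
"""
import re
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# mshta runs HTA/HTML content whatever the file is named, so a script argument
# that is not *.hta (here a .rtf that is really HTML) is an extension masquerade.
USER_WRITABLE_HINTS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

# Captures the command WMI is asked to start: wmic process call create "<cmd>"
WMIC_CREATE = re.compile(r'\bprocess\b.*\bcall\b.*\bcreate\s+"?(.+?)"?\s*$', re.IGNORECASE)
# Captures the script argument of mshta, quoted or not, with or without path/.exe
MSHTA_CMD = re.compile(r'^\s*"?[^"\s]*mshta(?:\.exe)?"?\s+"?(.+?)"?\s*$', re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-case file name of an image path or of a command's first token."""
    return PureWindowsPath(path).name.lower()


def mshta_reasons(cmdline: str) -> list[str]:
    """Reasons an mshta command line is suspicious; empty if it looks ordinary."""
    m = MSHTA_CMD.match(cmdline)
    if not m:
        return ["mshta launched without a recognisable script argument"]
    target = m.group(1)
    reasons = []
    ext = PureWindowsPath(target).suffix.lower()
    if ext != ".hta":
        reasons.append(f"mshta executing non-.hta content ({ext or 'no extension'}): {target}")
    if any(hint in target.lower() for hint in USER_WRITABLE_HINTS):
        reasons.append(f"mshta script in user-writable location: {target}")
    return reasons


def analyze(event: dict) -> list[str]:
    """Reasons one process-creation event is suspicious; empty if no rule fired."""
    img = image_name(event["Image"])
    parent = image_name(event.get("ParentImage", ""))
    cmd = event["CommandLine"]
    reasons = []

    if img == "wmic.exe":
        m = WMIC_CREATE.search(cmd)
        if m:
            reasons.append("WMIC 'process call create': the child is spawned by WmiPrvSE.exe, "
                           "so Office-to-mshta parent/child rules never see it")
            if parent in OFFICE_IMAGES:
                reasons.append(f"WMIC started by Office application {parent}")
            # Inspect the embedded command too: this catches the mshta stage even
            # when the grandchild process event is missing from the telemetry.
            inner = m.group(1)
            tokens = inner.split()
            if tokens and image_name(tokens[0].strip('"')) in ("mshta", "mshta.exe"):
                reasons.extend("via WMIC: " + r for r in mshta_reasons(inner))
    elif img == "mshta.exe":
        reasons.extend(mshta_reasons(cmd))
    return reasons


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> reasons for every event that triggered a rule."""
    findings = {}
    for i, event in enumerate(events):
        reasons = analyze(event)
        if reasons:
            findings[i] = reasons
    return findings


# Constructed sample events (see module docstring for which fields are assumed).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": r'wmic process call create "mshta C:\ProgramData\HIXhaYv.rtf"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"mshta C:\ProgramData\HIXhaYv.rtf"},
    # Benign fillers (assumed): a vendor HTA installer and a WMIC inventory query.
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic os get caption"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['Image']}")
        for r in reasons:
            print("   -", r)
```

Only the WMIC and mshta events of the chain fire; the Excel launch itself, the vendor .hta and the WMIC inventory query do not. The WMIC event alone yields four findings because the embedded mshta command is evaluated as well, which is the property you want when only first-level child telemetry is available.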

URLs

Name | IP | Malicious
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | unknown | clean
http://www.windows.com/pctv. | unknown | clean
http://investor.msn.com | unknown | clean
http://www.msnbc.com/news/ticker.txt | unknown | clean
http://www.%s.comPA | unknown | clean
http://www.icra.org/vocabulary/. | unknown | clean
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | unknown | clean
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | unknown | clean
http://www.hotmail.com/oe | unknown | clean
http://servername/isapibackend.dll | unknown | clean
http://investor.msn.com/ | unknown | clean
http://157.245.108.215:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG | 157.245.108.215 | clean
2 additional URLs are not shown.

IPs

IP | Domain | Country | Malicious
157.245.108.215 | unknown | United States | clean

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | $i* | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | MTTT | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle | ReviewToken | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2D384 | 2D384 | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | VBAFiles | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | wo* | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage | ProductNonBootFilesIntl_1033 | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle | OriginalAttachmentPath | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle | TemporaryAttachmentName | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109A10090400100000000F01FEC\Usage | OutlookMAPI2Intl_1033 | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents | LastPurgeTime | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | EXCELFiles | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | ProductFiles | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage | ProductNonBootFilesIntl_1033 | clean
7 additional registry entries are not shown.

Memdumps

Base Address | Region type | Protect | Malicious
264000 | heap private | page read and write | clean
408000 | unknown | page read and write | clean
179000 | unknown | page read and write | clean
1DA000 | heap private | page read and write | clean
30EE000 | stack | page read and write | clean
442000 | unknown | page read and write | clean
3F37000 | unknown | page read and write | clean
7EFE0000 | unknown image | page readonly | clean
25D0000 | heap private | page read and write | clean
3E60000 | heap private | page read and write | clean
2370000 | unknown | page read and write | clean
22E0000 | unknown | page read and write | clean
1F0000 | unknown | page read and write | clean
2E73000 | unknown | page read and write | clean
420000 | heap default | page read and write | clean
7FFFFFC2000 | unknown image | page readonly | clean
23E5000 | heap private | page read and write | clean
7FFFFFD0000 | unknown image | page readonly | clean
3F4F000 | unknown | page read and write | clean
3700000 | unknown image | page readonly | clean
1E0000 | unknown image | page read and write | clean
5E4000 | heap private | page read and write | clean
18D000 | unknown | page read and write | clean
3FF0000 | heap private | page read and write | clean
2DB0000 | heap private | page read and write | clean
3F9000 | unknown | page read and write | clean
20000 | unknown image | page read and write | clean
2860000 | unknown | page read and write | clean
4E6000 | heap default | page read and write | clean
2328000 | unknown | page read and write | clean
427000 | heap default | page read and write | clean
3F14000 | unknown | page read and write | clean
22DC000 | unknown | page read and write | clean
160000 | unknown | page read and write | clean