IOC Report


Files

File Path | Type | Category | Malicious
request-0132311.xlsb | Microsoft Excel 2007+ | initial sample | malicious
C:\ProgramData\vULADISfrveNTj.rtf | HTML document, ASCII text, with very long lines, with CRLF line terminators | dropped | malicious
C:\Users\user\Desktop\~$request-0132311.xlsb | data | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2A714D2F.png | PNG image data, 224 x 317, 8-bit/color RGBA, non-interlaced | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7F83466.png | PNG image data, 284 x 58, 8-bit/color RGB, non-interlaced | dropped | clean
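The dropped file above carries an .rtf extension but libmagic identifies it as an HTML document, which is exactly what mshta.exe will execute. The following is an added example, not part of the sandbox report, that reproduces that check on constructed stand-ins for the listed files (the real artefacts are not on this page); the signature set, the expected-type map and the "~$ owner file" heuristic are this example's own assumptions.

```python
"""Flag dropped files whose leading bytes do not match their extension."""
import ntpath
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"          # OOXML formats (.xlsb/.xlsx/.docx) are ZIP containers
HTML_RE = re.compile(
    rb"^\s*(<!doctype\s+html|<html|<head|<body|<script|<hta:application)", re.I
)

# Assumption: a small allowlist mapping extension -> expected sniffed type.
EXPECTED = {
    ".rtf": "rtf", ".xlsb": "zip", ".xlsx": "zip", ".docx": "zip",
    ".png": "png", ".hta": "html", ".html": "html", ".htm": "html",
}


def sniff(data: bytes) -> str:
    """Return a coarse content type derived from the first bytes only."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PNG_MAGIC):
        return "png"
    if HTML_RE.match(data[:512]):
        return "html"
    return "unknown"


def is_office_owner_file(path: str) -> bool:
    """Office writes a '~$<name>' owner/lock file beside an open document."""
    return ntpath.basename(path).startswith("~$")


def check(path: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed content type."""
    ext = ntpath.splitext(path)[1].lower()
    sniffed = sniff(data)
    result = {"path": path, "ext": ext, "sniffed": sniffed, "mismatch": False, "note": ""}
    if is_office_owner_file(path):
        result["note"] = "office owner/lock file"   # expected side effect, not a payload
        return result
    expected = EXPECTED.get(ext)
    if expected is not None and sniffed != expected:
        result["mismatch"] = True
    # mshta runs HTML/script content regardless of the file extension.
    if sniffed == "html" and ext not in (".hta", ".html", ".htm"):
        result["note"] = "HTML content under non-HTML extension; mshta-runnable"
    return result


# Constructed sample contents; these are NOT the real files from the report.
SAMPLES = {
    r"C:\ProgramData\vULADISfrveNTj.rtf":
        b'<html><head><script language="VBScript">\r\nMsgBox "x"\r\n</script></head></html>',
    r"C:\Users\user\Desktop\~$request-0132311.xlsb": b"user" + b"\x00" * 50,
    r"C:\Users\user\Desktop\request-0132311.xlsb": ZIP_MAGIC + b"\x14\x00" + b"\x00" * 24,
    r"C:\Temp\legit.rtf": b"{\\rtf1\\ansi hello}",
    r"C:\Temp\C7F83466.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR",
}


def triage(samples: dict) -> list:
    return [check(path, data) for path, data in samples.items()]


def mismatches(samples: dict) -> list:
    """Paths whose content type contradicts the extension."""
    return [r["path"] for r in triage(samples) if r["mismatch"]]


if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

Sniffing only the first 512 bytes is enough for this class of lure; a fuller check would also parse the ZIP directory of the .xlsb and look for the binary macro stream.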

Processes

Path | Cmdline | Malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding | malicious
C:\Windows\System32\wbem\WMIC.exe | wmic process call create "mshta C:\ProgramData\vULADISfrveNTj.rtf" | malicious
C:\Windows\System32\mshta.exe | mshta C:\ProgramData\vULADISfrveNTj.rtf | clean
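The chain in the table is Excel launching WMIC with "process call create", which in turn starts mshta.exe on the dropped .rtf. Because Win32_Process.Create runs inside the WMI provider host, the parent of mshta.exe is WmiPrvSE.exe rather than WMIC.exe or Excel, so a detection keyed only on parent/child pairs will miss the link. The following is an added example, not part of the report, that runs three rules over constructed process-creation events (field layout loosely follows Sysmon Event ID 1; PIDs and parent images are invented, the command lines are the ones from the table) and correlates the WMIC argument with the later mshta launch.

```python
"""Detect Office -> wmic 'process call create' -> mshta, with WMI parent correlation."""
import ntpath
import re
import shlex

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
WMIC_CREATE_RE = re.compile(r'process\s+call\s+create\s+"?(?P<cmd>.+?)"?\s*$', re.I)

# Constructed events (assumption): only the command lines come from the report.
EVENTS = [
    {"pid": 2104, "ppid": 888,
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding',
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 2320, "ppid": 2104,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": r'wmic process call create "mshta C:\ProgramData\vULADISfrveNTj.rtf"',
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"pid": 2412, "ppid": 1012,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta C:\ProgramData\vULADISfrveNTj.rtf",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},   # not WMIC.exe
]


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def norm(cmd: str) -> str:
    """Canonical form for matching a requested command line to an observed one."""
    return " ".join(cmd.strip().strip('"').split()).lower()


def wmic_create_target(cmd: str):
    """Return the command line WMIC was asked to create, or None."""
    m = WMIC_CREATE_RE.search(cmd)
    return m.group("cmd").strip() if m else None


def suspicious_mshta_args(cmd: str) -> list:
    """Arguments to mshta that are not a plain .hta file (URL, script: URI, other ext)."""
    bad = []
    for arg in shlex.split(cmd, posix=False)[1:]:      # posix=False keeps backslashes
        a = arg.strip('"')
        low = a.lower()
        if low.startswith(("javascript:", "vbscript:", "about:")) or "://" in low:
            bad.append(a)
        elif ntpath.splitext(a)[1].lower() != ".hta":
            bad.append(a)
    return bad


def detect(events: list) -> list:
    """Run the three rules in event order and return the findings."""
    findings = []
    created = {}   # normalized requested command line -> pid of the wmic event
    for ev in events:
        img, parent = base(ev["image"]), base(ev["parent_image"])
        if img == "wmic.exe":
            target = wmic_create_target(ev["cmd"])
            if target:
                created[norm(target)] = ev["pid"]
                if parent in OFFICE:
                    findings.append({"rule": "office_spawns_wmic_process_create",
                                     "pid": ev["pid"], "child_cmd": target})
        elif img == "mshta.exe":
            bad = suspicious_mshta_args(ev["cmd"])
            if bad:
                findings.append({"rule": "mshta_non_hta_target",
                                 "pid": ev["pid"], "args": bad})
            src = created.get(norm(ev["cmd"]))
            if src is not None:   # the WMI hop broke the parent chain; re-link it here
                findings.append({"rule": "wmic_create_child_correlated",
                                 "pid": ev["pid"], "wmic_pid": src,
                                 "observed_parent": parent})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The correlation rule is the one that survives the WmiPrvSE.exe indirection; the other two fire on their own and are cheap to run as point rules.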

URLs

Name | IP | Malicious
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | unknown | clean
http://www.windows.com/pctv. | unknown | clean
http://investor.msn.com | unknown | clean
http://www.msnbc.com/news/ticker.txt | unknown | clean
http://www.%s.comPA | unknown | clean
http://www.icra.org/vocabulary/. | unknown | clean
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | unknown | clean
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | unknown | clean
http://www.hotmail.com/oe | unknown | clean
http://servername/isapibackend.dll | unknown | clean
http://investor.msn.com/ | unknown | clean

IPs

IP | Domain | Country | Malicious
136.144.181.174 | unknown | Netherlands | clean

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | aw' | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | MTTT | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle | ReviewToken | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2CA51 | 2CA51 | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | VBAFiles | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | r~' | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage | ProductNonBootFilesIntl_1033 | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents | LastPurgeTime | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | EXCELFiles | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | ProductFiles | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage | ProductNonBootFilesIntl_1033 | clean

Memdumps

Base Address | Region type | Protect | Malicious
2260000 | unknown | page read and write | clean
3417000 | unknown image | page readonly | clean
7FFFFFD0000 | unknown image | page readonly | clean
4807000 | unknown | page read and write | clean
2D5C000 | unknown | page read and write | clean
2D5A000 | unknown | page read and write | clean
46F000 | unknown | page read and write | clean
35C000 | unknown | page read and write | clean
21DC000 | unknown | page read and write | clean
29FF000 | stack | page read and write | clean
1BA000 | heap private | page read and write | clean
7FFFFFB0000 | unknown image | page readonly | clean
46A000 | unknown | page read and write | clean
1F94000 | heap private | page read and write | clean
47F6000 | unknown | page read and write | clean
2D5B000 | unknown | page read and write | clean
7FFFFFC2000 | unknown image | page readonly | clean
2230000 | unknown | page read and write | clean
48B000 | unknown | page read and write | clean
5B0000 | heap private | page read and write | clean
47F0000 | unknown | page read and write | clean
30000 | unknown image | page readonly | clean
324000 | unknown | page read and write | clean
46F000 | unknown | page read and write | clean
2240000 | unknown | page read and write | clean
2CD0000 | heap private | page read and write | clean
1B0000 | heap private | page read and write | clean
567000 | heap default | page read and write | clean
43B000 | unknown | page read and write | clean
430000 | unknown | page read and write | clean
7FFFFFB0000 | unknown image | page readonly | clean
300000 | unknown image | page read and write | clean
46F000 | unknown | page read and write | clean
1FA000 | unknown | page read and write | clean
2284000 | unknown | page read and write | clean
2800000 | unknown | page read and write | clean
4FAF000 | stack | page read and write | clean
4C7000 | heap default | page read and write | clean
2580000 | heap private | page read and write | clean
2214000 | unknown | page read and write | clean
32D000 | unknown | page read and write | clean
2090000 | unknown image | page readonly | clean