IOC Report

Files

File Path | Type | Category | Malicious
3nkW4MtwSD.rtf | Rich Text Format data, unknown version | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | downloaded | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp | Composite Document File V2 Document, Cannot read section info | dropped | malicious
C:\Users\Public\vbc.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{105A16FA-9724-40E9-B86D-EF139A6795E6}.tmp | data | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B3E201F6-E172-4FB7-8EA2-C5E78A0177C3}.tmp | data | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\3nkW4MtwSD.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Nov 26 00:24:08 2021, mtime=Fri Nov 26 00:24:08 2021, atime=Fri Nov 26 00:24:12 2021, length=22268, window=hide | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | data | dropped | clean
C:\Users\user\Desktop\~$kW4MtwSD.rtf | data | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | malicious
C:\Users\Public\vbc.exe | "C:\Users\Public\vbc.exe" | malicious
C:\Users\Public\vbc.exe | C:\Users\Public\vbc.exe | malicious
C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious
C:\Windows\SysWOW64\raserver.exe | C:\Windows\SysWOW64\raserver.exe | malicious
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding | clean
C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Public\vbc.exe" | clean

URLs

Name | IP | Malicious
www.cuteprofessionalscrubs.com/9gr5/ | | malicious
http://198.46.199.153/70007/vbc.exe | 198.46.199.153 | malicious
http://www.windows.com/pctv. | unknown | clean
http://www.msn.com/?ocid=iehpg | unknown | clean
http://investor.msn.com | unknown | clean
http://www.msnbc.com/news/ticker.txt | unknown | clean
http://wellformedweb.org/CommentAPI/ | unknown | clean
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | unknown | clean
http://www.iis.fhg.de/audioPA | unknown | clean
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM | unknown | clean
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1-220 | unknown | clean
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | unknown | clean
http://www.hotmail.com/oe | unknown | clean
http://treyresearch.net | unknown | clean
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | unknown | clean
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | unknown | clean
http://java.sun.com | unknown | clean
http://www.icra.org/vocabulary/. | unknown | clean
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | unknown | clean
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | unknown | clean
http://investor.msn.com/ | unknown | clean
http://www.msn.com/?ocid=iehp | unknown | clean
http://www.msn.com/de-de/?ocid=iehp | unknown | clean
http://www.piriform.com/ccleaner | unknown | clean
http://computername/printers/printername/.printer | unknown | clean
http://www.%s.comPA | unknown | clean
http://www.autoitscript.com/autoit3 | unknown | clean
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=18(P& | unknown | clean
http://www.mountfrenchlodge.net/9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 | 34.102.136.180 | clean
http://www.msn.com/?ocid=iehps | unknown | clean
https://support.mozilla.org | unknown | clean
http://www.cuteprofessionalscrubs.com/9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 | 34.102.136.180 | clean
http://servername/isapibackend.dll | unknown | clean

Domains

Name | IP | Malicious
troddu.com | 162.240.31.112 | malicious
www.troddu.com | unknown | malicious
www.cuteprofessionalscrubs.com | unknown | malicious
www.mountfrenchlodge.net | unknown | malicious
cuteprofessionalscrubs.com | 34.102.136.180 | clean
mountfrenchlodge.net | 34.102.136.180 | clean

IPs

IP | Domain | Country | Malicious
198.46.199.153 | unknown | United States | malicious
34.102.136.180 | cuteprofessionalscrubs.com | United States | clean
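The tables above give the indicators but not a way to act on them. The following hunting script is an added example, not part of the sandbox report: it encodes the behaviour visible in the Files, Processes, URLs and IPs tables (EQNEDT32.EXE spawning a child, a payload executing out of C:\Users\Public, cmd.exe deleting the payload, and connections to the listed network indicators) as rules and runs them over constructed Sysmon-style process and network events. The report lists processes without their parent/child tree, so the lineage used in the sample events (EQNEDT32.EXE -> vbc.exe -> vbc.exe -> raserver.exe -> cmd.exe) and all pids are assumptions; 203.0.113.9 is a documentation address standing in for a benign destination. Note that the report rates the bare domains cuteprofessionalscrubs.com and mountfrenchlodge.net as clean while rating their www. hosts malicious, although both resolve to 34.102.136.180; the domain list below keeps only the hosts the report marks malicious, so a hunt keyed on the bare domain or the shared IP alone would need its own justification.

```python
"""
Added hunting example (not part of the sandbox report): rules derived from
the Files/Processes/URLs/IPs tables above, run over constructed
Sysmon-style events.  Process parent/child links are an assumption; the
report lists processes but not their tree.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Network indicators copied from the report's URLs, Domains and IPs tables.
# Only hosts the report rates malicious are listed; the bare second-level
# domains sharing 34.102.136.180 are rated clean there.
IOC_DOMAINS = {"troddu.com", "www.troddu.com",
               "www.cuteprofessionalscrubs.com", "www.mountfrenchlodge.net"}
IOC_IPS = {"198.46.199.153"}
IOC_URL_PATHS = ("/70007/vbc.exe", "/9gr5/")


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class NetworkEvent:
    pid: int
    dest_ip: str
    dest_host: str = ""
    url_path: str = ""


Finding = Tuple[str, int, str]  # (rule, pid, detail)

# Matches the report's cmd.exe command line: /c del "C:\Users\Public\vbc.exe"
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.I)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _lineage(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> List[ProcessEvent]:
    """Ancestors of ev, nearest first; stops on a missing parent or a cycle."""
    seen, chain, cur = set(), [], by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def process_findings(events: Iterable[ProcessEvent]) -> List[Finding]:
    events = list(events)
    by_pid = {e.pid: e for e in events}
    out: List[Finding] = []
    for e in events:
        name = _basename(e.image)
        parent = by_pid.get(e.ppid)
        # Equation Editor is a document helper; it should never spawn a child.
        if parent is not None and _basename(parent.image) == "eqnedt32.exe":
            out.append(("eqnedt32_child", e.pid, f"{name} spawned by EQNEDT32.EXE"))
        # The payload was staged and executed from the world-writable C:\Users\Public.
        if e.image.lower().startswith("c:\\users\\public\\"):
            out.append(("public_dir_exec", e.pid, e.image))
        # "cmd /c del <path>": self-deletion when <path> is an ancestor's own image.
        m = DEL_RE.search(e.cmdline) if name == "cmd.exe" else None
        if m:
            target = m.group(1).lower()
            ancestors = {a.image.lower() for a in _lineage(e, by_pid)}
            rule = "self_delete" if target in ancestors else "cmd_delete"
            out.append((rule, e.pid, e.cmdline))
    return out


def network_findings(events: Iterable[NetworkEvent]) -> List[Finding]:
    out: List[Finding] = []
    for n in events:
        if n.dest_ip in IOC_IPS:
            out.append(("ioc_ip", n.pid, n.dest_ip))
        if n.dest_host.lower() in IOC_DOMAINS:
            out.append(("ioc_domain", n.pid, n.dest_host))
        if n.url_path.startswith(IOC_URL_PATHS):
            out.append(("ioc_url_path", n.pid, n.url_path))
    return out


# Constructed events modelled on the Processes table; pids and the parent
# links (EQNEDT32 -> vbc.exe -> vbc.exe -> raserver.exe -> cmd.exe) are assumed.
SAMPLE_PROCESSES = [
    ProcessEvent(1000, 1, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding'),
    ProcessEvent(1100, 1, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                 r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcessEvent(1200, 1100, r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
    ProcessEvent(1300, 1200, r"C:\Users\Public\vbc.exe", r"C:\Users\Public\vbc.exe"),
    ProcessEvent(1400, 1300, r"C:\Windows\SysWOW64\raserver.exe", r"C:\Windows\SysWOW64\raserver.exe"),
    ProcessEvent(1500, 1400, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\Public\vbc.exe"'),
]
# Constructed network events; 203.0.113.9 is a documentation address for a benign destination.
SAMPLE_NETWORK = [
    NetworkEvent(1100, "198.46.199.153", url_path="/70007/vbc.exe"),
    NetworkEvent(1400, "34.102.136.180", "www.cuteprofessionalscrubs.com", "/9gr5/"),
    NetworkEvent(1000, "203.0.113.9", "www.msn.com", "/?ocid=iehpg"),
]

if __name__ == "__main__":
    for rule, pid, detail in process_findings(SAMPLE_PROCESSES) + network_findings(SAMPLE_NETWORK):
        print(f"{rule:16} pid={pid:<5} {detail}")
```

Run against the sample events it reports the vbc.exe child of EQNEDT32.EXE, both vbc.exe executions from C:\Users\Public, the cmd.exe self-deletion (the deleted path matches an ancestor's image), and the three network hits; the benign msn.com connection produces nothing. The self-deletion rule distinguishes "self_delete" from a plain "cmd_delete" because deleting an arbitrary file via cmd is common in installers, whereas a process tree removing its own dropped executable is the pattern shown in the report.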

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | $8- | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTT | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | l9- | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | ?;- | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle | ReviewToken | clean
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\2DDE1 | 2DDE1 | clean