IOC Report

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| TT COPY_02101011.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\5itxry81kuzl8up3 | data | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\TT COPY_02101011.exe | "C:\Users\user\Desktop\TT COPY_02101011.exe" | malicious |
| C:\Users\user\Desktop\TT COPY_02101011.exe | "C:\Users\user\Desktop\TT COPY_02101011.exe" | malicious |
| C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious |
| C:\Windows\SysWOW64\NETSTAT.EXE | C:\Windows\SysWOW64\NETSTAT.EXE | malicious |
| C:\Windows\SysWOW64\autoconv.exe | C:\Windows\SysWOW64\autoconv.exe | clean |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\user\Desktop\TT COPY_02101011.exe" | clean |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean |

URLs

| Name | IP | Malicious |
|---|---|---|
| www.helpfromjames.com/e8ia/ |  | malicious |
| http://www.blttsperma.quest/e8ia/?iXg8nxg=pR2xmGsT/5nillNQjkLQ+n9+6iNIwMBz7svLGcpZWnNs4I/1r36jcwvV3IT8Xqaw6HRS&xTh4=5jvdevo8uz | 37.123.118.150 | malicious |
| http://www.gadget198.xyz/e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz | 172.67.158.42 | malicious |
| http://www.yesrecompensas.lat/e8ia/?iXg8nxg=XTCOm0O2ezcXVHmIGYJnNvyPH+9cp28MuHIwWYLOKrNEhJt2q4EPucT34N3PnC3WtYmv&xTh4=5jvdevo8uz | 3.96.23.237 | malicious |
| http://www.intelldat.com/e8ia/?iXg8nxg=OP/FDNHzL21SrAXHedPkfpmrZidd0Yb29DNAw19ZtZADeK9OL3CpiCl5COoBoa9aFzWI&xTh4=5jvdevo8uz | 143.95.80.65 | malicious |
| http://www.webartsolution.net/e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz | 198.54.125.56 | malicious |
| http://www.le-hameau-enchanteur.com/e8ia/?iXg8nxg=uzdrQi2cv+ipXcIIFlALJKSYThDDC/wlQTE6b69ZsR3gT5zSedzJyJgP4QFwrZDAKX1z&xTh4=5jvdevo8uz | 213.186.33.5 | malicious |
| http://nsis.sf.net/NSIS_Error | unknown | clean |
| http://nsis.sf.net/NSIS_ErrorError | unknown | clean |

Domains

| Name | IP | Malicious |
|---|---|---|
| www.le-hameau-enchanteur.com | 213.186.33.5 | malicious |
| www.blttsperma.quest | 37.123.118.150 | malicious |
| www.bestinvest-4-you.com | 104.21.31.204 | malicious |
| helpfromjames.com | 185.65.236.168 | malicious |
| webartsolution.net | 198.54.125.56 | malicious |
| www.yesrecompensas.lat | 3.96.23.237 | malicious |
| www.gadget198.xyz | 172.67.158.42 | malicious |
| w2y6q8s9.stackpathcdn.com | 151.139.128.11 | malicious |
| intelldat.com | 143.95.80.65 | malicious |
| www.webartsolution.net | unknown | malicious |
| www.mcclureic.xyz | unknown | malicious |
| www.henleygirlscricket.com | unknown | malicious |
| www.intelldat.com | unknown | malicious |
| www.dandftrading.com | unknown | malicious |
| www.helpfromjames.com | unknown | malicious |
| wss.easycompanies.com.au | 13.210.99.21 | clean |
| www.weprepareamerica-planet.com | 208.91.197.27 | clean |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 37.123.118.150 | www.blttsperma.quest | United Kingdom | malicious |
| 213.186.33.5 | www.le-hameau-enchanteur.com | France | malicious |
| 185.65.236.168 | helpfromjames.com | United Kingdom | malicious |
| 198.54.125.56 | webartsolution.net | United States | malicious |
| 151.139.128.11 | w2y6q8s9.stackpathcdn.com | United States | malicious |
| 143.95.80.65 | intelldat.com | United States | malicious |
| 3.96.23.237 | www.yesrecompensas.lat | United States | malicious |
| 172.67.158.42 | www.gadget198.xyz | United States | malicious |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 400000 | unknown | page execute and read and write | malicious |
| 400000 | unknown image | page execute and read and write | malicious |
| 400000 | unknown | page execute and read and write | malicious |
| CC0000 | unknown image | page execute and read and write | malicious |
| 400000 | unknown | page execute and read and write | malicious |
| 760000 | unknown image | page execute and read and write | malicious |
| 2A30000 | unknown | page read and write | malicious |
| F349000 | unknown image | page execute and read and write | malicious |
| 5B0000 | unknown image | page execute and read and write | malicious |
| F349000 | unknown image | page execute and read and write | malicious |
| 5E0000 | unknown image | page execute and read and write | malicious |
| CF0000 | unknown | page read and write | malicious |
| 12E4D637000 | unknown | page read and write | clean |
| 775C000 | unknown image | page readonly | clean |
| 7FFB2000 | unknown image | page readonly | clean |
| 8DF000 | unknown | page read and write | clean |
| 1C97FB83000 | unknown | page read and write | clean |
| 2AD51770000 | unknown | page read and write | clean |