IOC Report

loading gif

Files

File Path
Type
Category
Malicious
PROFORMA INVOICE.xlsx
CDFV2 Encrypted
initial sample
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
downloaded
malicious
C:\Users\user\AppData\Local\Temp\tmp5580.tmp
XML 1.0 document, ASCII text
dropped
malicious
C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
dropped
malicious
C:\Users\user\Desktop\~$PROFORMA INVOICE.xlsx
data
dropped
malicious
C:\Users\Public\vbc.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30913362.png
PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49DB89C0.png
PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C948E5C.png
PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\566AA7FB.png
PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\597470CA.png
PNG image data, 600 x 306, 8-bit colormap, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B2EFE3F.png
PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7C45E1A5.png
PNG image data, 600 x 306, 8-bit colormap, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A725389E.emf
Windows Enhanced Metafile (EMF) image data version 0x10000
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B8B07368.png
PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CED70334.png
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D8E0D407.png
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ECCEF5B6.png
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3943643.png
PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4194C49.png
PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB3FE2AD.png
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Temp\~DF179E4FABD168830C.TMP
data
dropped
clean
C:\Users\user\AppData\Local\Temp\~DF364B1570347A7C36.TMP
CDFV2 Encrypted
dropped
clean
C:\Users\user\AppData\Local\Temp\~DF5ABA8F4F45C955BE.TMP
data
dropped
clean
C:\Users\user\AppData\Local\Temp\~DFC39337F99D373AF1.TMP
data
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6DVTRGQEANC1QDSD4KFD.temp
data
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)
data
dropped
clean
There are 17 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
malicious
C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe
malicious
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp
malicious
C:\Users\Public\vbc.exe
C:\Users\Public\vbc.exe
malicious
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
malicious
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
clean
C:\Windows\SysWOW64\autofmt.exe
C:\Windows\SysWOW64\autofmt.exe
clean

URLs

Name
IP
Malicious
http://107.173.229.133/90009/vbc.exe
107.173.229.133
malicious
www.septemberstockevent200.com/ht08/
malicious
http://www.deboraverdian.com/ht08/?br2=hqaFuomov4HTN7lxwLOQI0L+zLU3A1JjC3kLHHHa91aVMp4VPmQJeUa+LGH249kypYugsQ==&fDKD5Z=lbLdxBhXWNSHTR
151.106.119.46
malicious
http://www.franquiciasexclusivas.tienda/ht08/?br2=Wj4EIVjQBNu/bqqxJYrWPsWLHRdbpU/VGyAVKo6IxXme9nj69vNHjvuNthqXxUIvimxQ8w==&fDKD5Z=lbLdxBhXWNSHTR
108.167.189.66
malicious
http://www.trashwasher.com/ht08/?br2=uW1sPHtBOFcvSjOqiE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFQ+ogdnPtirgP8DfTg==&fDKD5Z=lbLdxBhXWNSHTR
151.101.66.159
malicious
http://www.noyoucantridemyonewheel.com/ht08/?br2=60BX3p/jKqTFfatzdk67FZjwUvooQvGFnODgWFokXaJ7H/RmjwYG/Htt7Nd+S+ztCPQGkw==&fDKD5Z=lbLdxBhXWNSHTR
192.0.78.25
malicious
http://www.windows.com/pctv.
unknown
clean
http://investor.msn.com
unknown
clean
http://www.msnbc.com/news/ticker.txt
unknown
clean
http://wellformedweb.org/CommentAPI/
unknown
clean
http://www.hacticum.com/ht08/?br2=NsDQ5dhzDoz6b+QTI369eNhdKzsm5WWXC1g1e1LkMaMU2QVIAgjIadv0XRSqFt55bwDZkw==&fDKD5Z=lbLdxBhXWNSHTR
34.102.136.180
clean
http://www.iis.fhg.de/audioPA
unknown
clean
http://www.mozilla.com0
unknown
clean
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
unknown