IOC Report

loading gif

Files

File Path
Type
Category
Malicious
PO P232-2111228.xlsx
CDFV2 Encrypted
initial sample
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
downloaded
malicious
C:\Users\user\AppData\Local\Temp\nsv6C8A.tmp\gqsrfnlttu.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\Desktop\~$PO P232-2111228.xlsx
data
dropped
malicious
C:\Users\Public\vbc.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
dropped
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\20BB155C.png
PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30E35F10.png
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37DCE79E.png
PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B7C84B6.png
PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48D05749.png
PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49FEBDAD.png
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5BFC33D1.png
PNG image data, 600 x 306, 8-bit colormap, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6E46C943.png
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7553EA68.png
PNG image data, 600 x 306, 8-bit colormap, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\78EEB707.png
PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\97F9413F.png
PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD94E032.png
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7678FCA.png
PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D6C54E8B.png
PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D9815DB5.emf
Windows Enhanced Metafile (EMF) image data version 0x10000
dropped
clean
C:\Users\user\AppData\Local\Temp\nui7qhl0vyqjy5hwe1a
data
dropped
clean
C:\Users\user\AppData\Local\Temp\~DF4E1314DB88821996.TMP
CDFV2 Encrypted
dropped
clean
C:\Users\user\AppData\Local\Temp\~DFB2A7C221D7E594E8.TMP
data
dropped
clean
C:\Users\user\AppData\Local\Temp\~DFC80E7B9FF80D6354.TMP
data
dropped
clean
C:\Users\user\AppData\Local\Temp\~DFF8360FFA42CFF728.TMP
data
dropped
clean
There are 15 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
malicious
C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
malicious
C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
malicious
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
malicious
C:\Windows\SysWOW64\wscript.exe
C:\Windows\SysWOW64\wscript.exe
malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
clean
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
clean

URLs

Name
IP
Malicious
www.lesventsfavorables.com/ecaq/
malicious
http://www.gzz06j.cloud/ecaq/?k0Dli=0bA4dpDh3xCt&z6BXjz6=4YbOQk8AO0vy4k2VmRJxI3NcMocUM9+uNZ05HSgMgTndh1RwRX9NSBB2ccr9KRceRZRXnw==
45.139.238.65
malicious
http://103.167.92.57/981900000_2/vbc.exe
103.167.92.57
malicious
http://www.14d7.com/ecaq/?k0Dli=0bA4dpDh3xCt&z6BXjz6=+tTxZdgcqU79mMd7wf6ovAKHVoLw/EhrDF3C/ckFTtMjuwl+tr3xRs8m7m6dFdAioc4v8g==
154.23.172.42
malicious
http://www.flagimir.store/ecaq/?z6BXjz6=qIaOAylHD+7nuLCKVj0dqMEagOlqUztLhCHwuYmgFKo0pBs1u2Qf4sHa5T8Epw0dehH0mQ==&k0Dli=0bA4dpDh3xCt
45.130.41.10
malicious
http://www.windows.com/pctv.
unknown
clean
http://investor.msn.com
unknown
clean
http://www.msnbc.com/news/ticker.txt
unknown
clean
http://wellformedweb.org/CommentAPI/
unknown
clean
http://www.iis.fhg.de/audioPA
unknown
clean
https://credit-b2b.mn.co//ecaq/?z6BXjz6=bfQv/FP2vMWCXJ5
unknown
clean
http://www.mozilla.com0
unknown
clean
http://nsis.sf.net/NSIS_ErrorError
unknown
clean
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
unknown
clean
http://www.hotmail.com/oe
unknown
clean
http://treyresearch.net
unknown
clean
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
unknown
clean
http://java.sun.com
unknown
clean
http://www.icra.org/vocabulary/.
unknown
clean
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
unknown
clean
http://nsis.sf.net/NSIS_Error
unknown
clean
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
unknown
clean
http://investor.msn.com/
unknown
clean
http://www.piriform.com/ccleaner
unknown
clean