IOC Report

Files

File Path | Type | Category | Malicious
Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | "C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe" | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | malicious
C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious
C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe | malicious
C:\Windows\System32\rundll32.exe | C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ | clean
C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe" | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

URLs

Name | IP | Malicious
www.thesocialmediacreator.com/i638/ | | malicious
https://doc-0c-ao-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download | 172.217.168.1 | clean

Domains

Name | IP | Malicious
drive.google.com | 172.217.168.46 | clean
googlehosted.l.googleusercontent.com | 172.217.168.1 | clean
doc-0c-ao-docs.googleusercontent.com | unknown | clean

IPs

IP | Domain | Country | Malicious
172.217.168.46 | drive.google.com | United States | clean
172.217.168.1 | googlehosted.l.googleusercontent.com | United States | clean

Registry

Path | Value | Malicious
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | wextract_cleanup0 | clean

Memdumps

Base Address | Region type | Protect | Malicious
67A000 | unknown image | page execute and read and write | malicious
75FE000 | unknown image | page execute and read and write | malicious
A0000 | unknown image | page execute and read and write | malicious
2D20000 | unknown image | page execute and read and write | malicious
1E760000 | unknown image | page execute and read and write | malicious
35C0000 | unknown | page read and write | malicious
75FE000 | unknown image | page execute and read and write | malicious
3590000 | unknown image | page execute and read and write | malicious
2AA0000 | unknown | page execute and read and write | malicious
868E000 | unknown | page read and write | clean
2C9D000 | unknown image | page readonly | clean
7FF5AB843000 | unknown image | page readonly | clean
7FF53F8B0000 | unknown image | page readonly | clean
7FFB2000 | unknown image | page readonly | clean
71D7000 | unknown image | page readonly | clean
EF75000 | unknown | page read and write | clean
7FF563E67000 | unknown image | page readonly | clean
2B6C000 | unknown image | page readonly | clean
1050000 | unknown image | page readonly | clean
7FF563B5E000 | unknown image | page readonly | clean
7FF563E53000 | unknown image | page readonly | clean
7FF563970000 | unknown image | page readonly | clean
88CD000 | unknown | page read and write | clean
17D1E260000 | unknown | page read and write | clean
7FF563B6A000 | unknown image | page readonly | clean
7FF563982000 | unknown image | page readonly | clean
400000 | unknown image | page execute and read and write | clean
1ED4B000 | unknown | page execute and read and write | clean
7FF58CE29000 | unknown image | page readonly | clean
E50000 | unknown image | page readonly | clean
7FFC77825000 | unknown image | page read and write | clean
B7D000 | heap default | page read and write | clean
88E2000 | unknown | page read and write | clean
7FF58CDA5000 | unknown image | page readonly | clean
226AEA0F000 | unknown | page read and write | clean
1099CCB000 | unknown | page read and write | clean
7FEE0000 | unknown image | page readonly | clean
86C9000 | unknown | page read and write | clean
4330000 | unknown | page read and write | clean
7FF56372E000 | unknown image | page readonly | clean
7FF5AB700000 | unknown image | page readonly | clean