IOC Report
Payment_copy28476450.exe


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| Payment_copy28476450.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\wcycejenv.exe | PE32 executable (console) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy) | PE32 executable (console) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\nsg6B4D.tmp | data | dropped | |
| C:\Users\user\AppData\Local\Temp\ntwcyphb.r | data | dropped | |
| C:\Users\user\AppData\Local\Temp\stvrrcrc.d | data | dropped | |
| C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck | very short file (no magic) | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a | data | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\Payment_copy28476450.exe | C:\Users\user\Desktop\Payment_copy28476450.exe | malicious |
| C:\Users\user\AppData\Local\Temp\wcycejenv.exe | "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d | malicious |
| C:\Users\user\AppData\Local\Temp\wcycejenv.exe | "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://sempersim.su/gl20/fre.php | 95.213.216.202 | malicious |
| http://kbfvzoboss.bid/alien/fre.php | | malicious |
| http://alphastand.win/alien/fre.php | | malicious |
| http://alphastand.trade/alien/fre.php | | malicious |
| http://alphastand.top/alien/fre.php | | malicious |
| http://nsis.sf.net/NSIS_Error | | unknown |
| http://nsis.sf.net/NSIS_ErrorError | | unknown |
| http://www.ibsensoftware.com/ | | unknown |

Domains

| Name | IP | Malicious |
|---|---|---|
| sempersim.su | 95.213.216.202 | malicious |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 95.213.216.202 | sempersim.su | Russian Federation | malicious |
| 192.168.2.1 | unknown | unknown | |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 737000 | heap | page read and write | malicious |
| 400000 | system | page execute and read and write | malicious |
| 400000 | system | page execute and read and write | malicious |
| 610000 | direct allocation | page read and write | malicious |
| 2130000 | heap | page read and write | |
| 1F543261000 | heap | page read and write | |
| 9D000 | stack | page read and write | |
| 28DF000 | direct allocation | page read and write | |
| 27C0000 | direct allocation | page read and write | |
| 2247000 | direct allocation | page read and write | |
| 500000 | trusted library allocation | page read and write | |
| 22EF7C6E000 | heap | page read and write | |
| 29DBC750000 | heap | page read and write | |
| 1D8A2CD0000 | heap | page read and write | |
| 407000 | unknown | page readonly | |
| 4FE000 | stack | page read and write | |
| 786000 | heap | page read and write | |
| 1F543313000 | heap | page read and write | |
| 409000 | unknown | page write copy | |
| 78F000 | heap | page read and write | |
| 27C0000 | direct allocation | page read and write | |
| 1D8A2D30000 | heap | page read and write | |
| 1F543140000 | heap | page read and write | |
| 233F000 | stack | page read and write | |
| 786000 | heap | page read and write | |
| 776000 | heap | page read and write | |
| 773000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 28DB000 | direct allocation | page read and write | |
| 470000 | trusted library allocation | page read and write | |
| 22EF7C3A000 | heap | page read and write | |
| 22EF7C79000 | heap | page read and write | |
| 29DBC900000 | heap | page read and write | |
| 22EF7C6B000 | heap | page read and write | |
| 1C0000 | remote allocation | page read and write | |
| 67C9A7E000 | stack | page read and write | |
| 786000 | heap | page read and write | |
| 1F54323C000 | heap | page read and write | |
| 783000 | heap | page read and write | |
| DCECDFE000 | stack | page read and write | |
| E45C0FA000 | stack | page read and write | |
| C3B737F000 | stack | page read and write | |
| 1C0000 | remote allocation | page read and write | |
| 2746000 | direct allocation | page read and write | |
| 67C92FB000 | stack | page read and write | |
| 783000 | heap | page read and write | |
| DCECCFE000 | stack | page read and write | |
| 29DBD202000 | trusted library allocation | page read and write | |
| 2746000 | direct allocation | page read and write | |
| 67C9CFD000 | stack | page read and write | |
| C3B757B000 | stack | page read and write | |