Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\user\AppData\Roaming\sharon38892.exe

"C:\Users\user\AppData\Roaming\sharon38892.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp5C05.tmp"

C:\Users\user\AppData\Roaming\sharon38892.exe

"C:\Users\user\AppData\Roaming\sharon38892.exe"

C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp7D2B.tmp"

C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe

"C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\System32\taskeng.exe

taskeng.exe {E2BA91ED-D885-4B20-9033-3784D17E4A5D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]

There are 4 hidden processes, click here to show them.

URLs

Name

Malicious

https://universalmovies.top/sharonzx.exe

104.21.74.191

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.top/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.trade/alien/fre.php

rocheholding.top/evie3/five/fre.php

http://rocheholding.top/evie3/five/fre.php

188.114.97.3

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://tempuri.org/registerationDataSet.xsdOAsnanyDentalClinic.Properties.Resources

unknown

https://universalmovies.top/

unknown

http://crl.entrust.net/server1.crl0

unknown

http://ocsp.entrust.net03

unknown

http://www.ibsensoftware.com/

unknown

https://universalmovies.top/sharonzx.exeoC:

unknown

http://tempuri.org/DataSet1.xsd

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

https://universalmovies.top/sharonzx.exej

unknown

http://ocsp.entrust.net0D

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://secure.comodo.com/CPS0

unknown

https://www.chiark.greenend.org.uk/~sgtatham/putty/0

unknown

http://crl.entrust.net/2048ca.crl0

unknown

https://universalmovies.top/sharonzx.exemmC:

unknown

There are 14 hidden URLs, click here to show them.

Domains

Name

Malicious

universalmovies.top

104.21.74.191

Details

Name:	universalmovies.top
IP:	104.21.74.191
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

rocheholding.top

188.114.97.3

Details

Name:	rocheholding.top
IP:	188.114.97.3
TargetID:	12
Current Path:	C:\Users\user\AppData\Roaming\sharon38892.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

188.114.96.9

unknown

European Union

Details

IP:	188.114.96.9
TargetID:	12
Current Path:	C:\Users\user\AppData\Roaming\sharon38892.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

104.21.74.191

universalmovies.top

United States

Details

IP:	104.21.74.191
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	universalmovies.top

Signature Hits	Behavior Group	Mitre Attack
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking

188.114.97.3

rocheholding.top

European Union

Details

IP:	188.114.97.3
TargetID:	12
Current Path:	C:\Users\user\AppData\Roaming\sharon38892.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	rocheholding.top

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

188.114.96.3

unknown

European Union

Details

IP:	188.114.96.3
TargetID:	12
Current Path:	C:\Users\user\AppData\Roaming\sharon38892.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

188.114.97.9

unknown

European Union

Details

IP:	188.114.97.9
TargetID:	12
Current Path:	C:\Users\user\AppData\Roaming\sharon38892.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

oz+

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Word

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

'{+

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

o|+

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\27C22

27C22