IOC Report
#U2749VER CUENTA#U2749_#U2467#U2464#U2465#U2466#U2465#U2466#U2463#U2462.hta

Files

File Path

Type

Category

Malicious

#U2749VER CUENTA#U2749_#U2467#U2464#U2465#U2466#U2465#U2466#U2463#U2462.hta

HTML document, ASCII text, with CRLF line terminators

initial sample

C:\Users\Public\6720bdf2273b1.vbs

ASCII text, with CRLF line terminators

modified

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\6720bdf2273ae[1].vbs

ASCII text, with CRLF line terminators

dropped

C:\_6720bdf2272bc\BLOCKBUSTER.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\6720bdf227263[1].js

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Composite Document File V2 Document, Cannot read section info

dropped

C:\_6720bdf2272bc\7zxa.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\_6720bdf2272bc\BLOCKBUSTER.dll

data

dropped

C:\_6720bdf2272bc\downloaded.zip

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\_6720bdf2272bc\hc.dll

data

dropped

C:\_6720bdf2272bc\unrar.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

There are 2 hidden files, click here to show them.

URLs

Name

IP

Malicious

http://109.234.39.156/mod-mx282/mx2810.zip

109.234.39.156

Details

Name:	http://109.234.39.156/mod-mx282/mx2810.zip
IP:	109.234.39.156
TargetID:	8
From Memory:	false
Current Path:	C:\Windows\SysWOW64\wscript.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Sigma detected: Script Initiated Connection	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

http://109.234.39.156/mx/mx2810.php?nomepc=user-PC

109.234.39.156

Details

Name:	http://109.234.39.156/mx/mx2810.php?nomepc=user-PC
IP:	109.234.39.156
TargetID:	8
From Memory:	false
Current Path:	C:\Windows\SysWOW64\wscript.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Sigma detected: Script Initiated Connection	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

Domains

Name

IP

Malicious

acess.mailcffemx.com

172.67.195.227

Details

Name:	acess.mailcffemx.com
IP:	172.67.195.227
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious MSHTA Child Process	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Executes visual basic scripts	System Summary	Scripting
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

IP

Domain

Country

Malicious

172.67.195.227

acess.mailcffemx.com

United States

Details

IP:	172.67.195.227
TargetID:	0
Current Path:	C:\Windows\SysWOW64\mshta.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	acess.mailcffemx.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

109.234.39.156

unknown

Russian Federation

Details

IP:	109.234.39.156
TargetID:	8
Current Path:	C:\Windows\SysWOW64\wscript.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	48282
ASN name:	VDSINA-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Sigma detected: Script Initiated Connection	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

127.0.0.1

unknown

unknown