Sample File: MD5 hash: 5758fa614527357c9ededdec3eaf3233 SHA1 hash: 81a7421c63abf275c67a2caaf27737b24fcfc3de SHA256 hash: 4ef2c020a2f45b6891a9094d5a042472417657961c05358f67ef58e7e8f9d4c4 SSDEEP hash: 192:HmA5uwX7LGJah0ssb5bk8xgNAO8cCDNCuzFG6Gk72oBjLXZsR700UJkFAil1YYjv:75BXYah7sg56IsFG6F7//o7yMAiv1jv Filename(s): RFQ13262.docx Filetype: Word Document Mutex IOCs: 2151P0RSCS468WZz 598MPR44-CZEWG7B Local\!PrivacIE!SharedMemory!Mutex S-1-5-21-2345716-9241181358254 Registry Key IOCs: HKEY_CLASSES_ROOT\.vBS HKEY_CLASSES_ROOT\VBSFile\ScriptEngine HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CODEPAGE_INHERIT HKEY_CURRENT_USER\Software\Microsoft\Internet 
Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup\Print_Background HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\TrustPolicy HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main\Install Directory HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\ HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion 
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CODEPAGE_INHERIT HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561 HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR HKEY_LOCAL_MACHINE\Software\Microsoft\Internet 
Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\DisplayLogo HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\IgnoreUserSettings HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Timeout HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\TrustPolicy HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Internet 
Explorer\IntelliForms\Storage2 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 
HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016\ HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\L4NHR (Note: the HKEY_USERS\S-1-5-21-2345716840-... prefix is the sandbox user's SID and will differ on other hosts; the portable indicator is the value name L4NHR under the per-user CurrentVersion\Run autostart key, which is the persistence-related entry in this list. The Outlook profile keys and the IntelliForms\Storage2 key above are credential/profile storage locations; the report does not say whether they were read or written.) Domain IOCs: 82.118.242.107 urlz.fr www.babyboomerrx.com www.maga.style www.sgnaturn.com (Note: 82.118.242.107 is an IP address, not a domain; it is also listed under IP IOCs. urlz.fr appears to be a link-shortener domain, so the destination behind https://urlz.fr/8h15 is not recorded here.) IP IOCs: 104.28.15.54 82.118.242.107 198.54.121.5 URL IOCs: https://urlz.fr/8h15 http://82.118.242.107/~able/1_ga/al/al.exe http://82.118.242.107/~able/1_ga/al/alWExploit.doc http://82.118.242.107/~able/1_ga/al/AXVHa.hta http://www.sgnaturn.com/al/?Kp2L=6gVvmFPDoiNbAIhnhTeuXmZIQvIKuazDxjJR9H5MhAeFNhXp9sPapi0HkLC6+HTKwqelpMhjL3Y=&fbc8=EFQdiN_822M (Note: these URLs are not defanged; the /~able/1_ga/al/ path on 82.118.242.107 serves an executable, a .doc and an .hta, so do not fetch them outside an isolated analysis environment. The sgnaturn.com query string looks like an encoded parameter; its contents are not decoded on this page.) File IOCs: Filenames: C:\Program Files\Microsoft 
Office\Root\Office16 C:\Users\aETAdzjz\AppData\Local\Temp C:\Windows\system32 JSTCHV.eXe ZMXZAA.vBS (Note: the extensions are recorded with mixed case, as is HKEY_CLASSES_ROOT\.vBS above; match filenames and extensions case-insensitively.) \??\C:\Program Files (x86)\Flpxdufw0\mskr8xjle.exe \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe \??\C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data \??\C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215log.ini \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215log00.ini \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logcl.ini \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logim.jpeg \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrc.ini \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrf.ini \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrg.ini \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logri.ini \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrm.ini \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logro.ini \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrt.ini \??\C:\Users\aETAdzjz\AppData\Roaming\2151P0RS\215logrv.ini (Note: the directory name 2151P0RS matches the prefix of the mutex 2151P0RSCS468WZz listed under Mutex IOCs, so the two indicators likely belong to the same component; the per-user paths contain the sandbox username aETAdzjz and should be generalized to %APPDATA% / %LOCALAPPDATA% before use as detections.) \??\C:\Users\aETAdzjz\AppData\Roaming\Opera Software\Opera Stable\Login Data (Note: the Chrome and Opera "Login Data" files are the browsers' saved-credential databases; together with the Firefox, Thunderbird, Outlook-profile and IntelliForms registry keys above, access to them is consistent with credential harvesting, but the report does not show the API calls, so confirm against the process/API trace.) \??\C:\Users\aETAdzjz\AppData\Roaming\Temp\JSTCHV.eXe \??\C:\Windows\SysWOW64\cmstp.exe \??\C:\Windows\SysWOW64\ntdll.dll \??\C:\Windows\System32\drivers\etc\hosts (Note: cmstp.exe is a signed Windows binary that is sometimes abused for proxy execution, and the hosts file is a common tamper target; neither is a useful indicator on its own, since the page does not state what the sample did with them.) MD5 hashes: aa0f5dcdc1424111970aed667a1bf9af f2a1e85ad4553d1635710f8f2fc7b05c SHA1 hashes: 0b05a450c38c4e170cb70a70772ff4aa2f64dd96 5b0615a2f233d44247b622c28609482c37011479 SHA256 hashes: 248b516edaa5d1a7492b81d113e0833b21b939d6889eafd4de26a9564a38504f 7af206d26e5e800eed7cab38bab599b92e4705b418c23000bb6ff8dc459ca1ed SSDEEP hashes: 24:YUIPhbGl2svsGiZ2FX87DFRD1+qFaHjHEJ:Q62sA2FIDzD1vV 6144:qjr2f8SaxdwqjoYyCBgV2T3B6D4/1VthocE+WEiOlT9+vzoAuDq2:L1axdndBgV2bmc1fhRWkwzoDj (Note: these two hash sets differ from the sample hashes at the top of the page and so describe files other than RFQ13262.docx; the page does not map them to specific filenames in the list above.)