v4nkfHg4d9.doc

Status: finished
Submission Time: 2022-09-20 12:01:08 +02:00
Malicious
Exploiter
Evader
Trojan
CVE-2021-40444, Follina CVE-2022-30190

Comments

Tags

  • doc

Details

  • Analysis ID:
    706117
  • API (Web) ID:
    1073575
  • Analysis Started:
    2022-09-20 12:01:09 +02:00
  • Analysis Finished:
    2022-09-20 12:20:34 +02:00
  • MD5:
    cbc307d6059925e9abbdbdec4d9ec0c1
  • SHA1:
    8f0fc563f43cc1422b523a21f01858e031761e5f
  • SHA256:
    8d61ea9ef38b6e7b36f466299223ad43339080d3a9914059c88ca3dd6be5cd32
  • Technologies:

  • System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2): malicious (92/100)
  • System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 (Run Condition: Potential for more IOCs and behavior): malicious (100/100)
  • malicious (22/58)
  • malicious (9/37)
  • malicious

IPs


Domains

  • ftpupload.net: 185.27.134.11
  • www.torproject.org: 116.202.120.166
  • dist.torproject.org: 38.229.82.25

URLs


Dropped files
