v4nkfHg4d9.doc

Status: finished

Submission Time: 2022-09-20 12:01:08 +02:00

Malicious

Exploiter

Evader

Trojan

CVE-2021-40444, Follina CVE-2022-30190

Comments

Details

Analysis ID:
706117
API (Web) ID:
1073575
Analysis Started:

2022-09-20 12:01:09 +02:00
Analysis Finished:

2022-09-20 12:20:34 +02:00
MD5:
cbc307d6059925e9abbdbdec4d9ec0c1
SHA1:
8f0fc563f43cc1422b523a21f01858e031761e5f
SHA256:
8d61ea9ef38b6e7b36f466299223ad43339080d3a9914059c88ca3dd6be5cd32
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
	Full Report Management Report IOC Report	malicious Score: 92	System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 Run Condition: Potential for more IOCs and behavior

Third Party Analysis Engines

Open Full Report

malicious

Score: 22/58

malicious

Score: 9/37

malicious

IPs

IP	Country	Detection
185.27.134.11	United Kingdom
116.202.120.166	Germany
217.12.221.131	Ukraine
Click to see the 3 hidden entries
185.129.61.3	Denmark
38.229.82.25	United States
213.152.168.27	Netherlands

Domains

Name	IP	Detection
ftpupload.net	185.27.134.11
www.torproject.org	116.202.120.166
dist.torproject.org	38.229.82.25

URLs

Name	Detection
http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/dist/torbrowser/11.5.2/tor-win
http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/download/tor/index.html
http://yfoj3s7ov6e3k7pboeumnj6rcq5h4kbdm5ogfc4tsv2eq2eed3rllrad.onion/register.php?data=qYA9qoLk9CB3
Click to see the 63 hidden entries
http://scpalcwstkydpa3y7dbpkjs2dtr7zvtvdbyj3dqwkucfrwyixcl5ptqd.onion/torbrowser/11.5.2/tor-win32-0.
https://dist.torproject.org/tor-0.4.7.10.tar.gz.sha256sum.asc
https://blog.torproject.org/v2-deprecation-timeline
https://twitter.com/torproject
https://support.torproject.org/faq/staying-anonymous/
https://bridges.torproject.org/status?id=%s
https://github.com/torproject
https://bugs.torproject.org/tpo/core/tor/21155.
https://www.torproject.org/static/images/favicon/favicon.png
https://www.linkedin.com/company/tor-project
https://www.torproject.org/about/trademark/
https://t.me/torproject
https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%sDANGEROU
https://blog.torproject.org
https://community.torproject.org/
https://dist.torproject.org/tor-.tar.gz.sha256sum.asc
https://www.torproject.org/privchat
https://www.torproject.org/docs/faq.html#BestOSForRelay
https://gitweb.torproject.org/tor.git/plain/ChangeLog?h=tor-
https://bugs.torproject.org/tpo/core/tor/8742.
https://dist.torproject.org/torbrowser/11.5.2/tor-win32-0.4.7.10.zipyQ
https://blog.torproject.org/lifecycle-of-a-new-relay
https://support.torproject.org/en/little-t-tor/verify-little-t-tor/
https://www.openssl.org/H
https://blog.torproject.org/lifecycle-of-a-new-relayCan
https://forum.torproject.net
https://go.micr
http://www.zlib.net/D
https://dist.torproject.org/tor-.tar.gz
http://mingw-w64.sourceforge.net/X
https://www.torproject.org/static/images/tor-project-logo-onions.png
https://www.torproject.org/about/jobs/
https://www.instagram.com/torproject
https://bridges.torproject.org/status?id=%sfingerprint-ed25519fingerprinthashed-fingerprinted25519
https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%s
https://creativecommons.org/licenses/by-sa/4.0/
https://dist.torproject.org/torbrowser/11.5.2/tor-win32-0.4.7.10.zip
https://torproject.org
https://www.torproject.org/contact/
https://www.torproject.org/dist/torbrowser/11.5.2/tor-win32-0.4.7.10.zip
https://www.torproject.org/
https://www.torproject.org/download/tor/
https://bugs.torproject.org/tpo/core/tor/14917.
https://www.torproject.org/press/
https://newsletter.torproject.org/
http://dist.torproject.org:443/x
https://mastodon.social/
https://location.ipfire.org/.
https://gitweb.torproject.org/tor.git/plain/ChangeLog?h=tor-0.4.7.10
https://torproject.org/en/
https://dist.torproject.org/tor-0.4.7.10.tar.gz.sha256sum
https://dist.torproject.org/tor-0.4.7.10.tar.gz
https://www.torproject.org/static/images/favicon/favicon.ico
https://www.torproject.org/about/history/
https://donate.torproject.org
http://www.torproject.org:443/x
https://www.torproject.org/documentation.html
https://support.torproject.org/
https://dist.torproject.org/tor-.tar.gz.sha256sum
https://support.torproject.org/faq/staying-anonymous/p
https://freehaven.net/anonbib/#hs-attack06
https://location.ipfire.org/
https://support.torproject.org/faq/staying-anonymous/alphabetaThis

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A8E05CE4.html	HTML document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AAB8F95.html	HTML document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\a[1].html	HTML document, ASCII text, with very long lines, with CRLF line terminators	#
Click to see the 88 hidden entries
C:\Users\user\AppData\Local\Temp\RES8678.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols	#
C:\Users\user\AppData\Roaming\Tor\libcrypto-1_1.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC	Little-endian UTF-16 Unicode text, with CR line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\v4nkfHg4d9.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 21:23:03 2022, mtime=Tue Sep 20 18:08:36 2022, atime=Tue Sep 20 18:08:13 2022, length=77319, window=hide	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Data\Tor\geoip6	ASCII text	#
C:\Users\user\AppData\Roaming\Data\Tor\geoip	ASCII text	#
C:\Users\user\AppData\Local\Temp\vniik5rq\vniik5rq.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\vniik5rq\CSCFD2BA8049D364133B9FE5D3896759AE.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxw3el1z.0aw.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jg5bteof.tz5.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\RESA72F.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols	#
C:\Users\user\AppData\Roaming\Tor\libevent_extra-2-1-7.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\RES1F9B.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols	#
C:\Users\user\AppData\Local\Temp\3diak4dk\CSC56B0CC0123154593BDAD723DDD27D88.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\3diak4dk\3diak4dk.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2ez4s4sm\CSCC4857CBF94FC43E4BEE19B9FB307AC3.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\2ez4s4sm\2ez4s4sm.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\WimProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\VhdProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\UnattendProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\torZipped.zip	Zip archive data, at least v1.0 to extract	#
C:\Windows\Temp\SDIAG_ddb55b0c-cd91-4e41-8c7d-9e294f93993f\result\results.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\Windows\Temp\SDIAG_ddb55b0c-cd91-4e41-8c7d-9e294f93993f\en-US\DiagPackage.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Windows\Temp\SDIAG_ddb55b0c-cd91-4e41-8c7d-9e294f93993f\en-US\CL_LocalizationData.psd1	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators	#
C:\Windows\Temp\SDIAG_ddb55b0c-cd91-4e41-8c7d-9e294f93993f\VF_ProgramCompatibilityWizard.ps1	ISO-8859 text, with CRLF line terminators	#
C:\Windows\Temp\SDIAG_ddb55b0c-cd91-4e41-8c7d-9e294f93993f\TS_ProgramCompatibilityWizard.ps1	UTF-8 Unicode text, with CRLF line terminators	#
C:\Windows\Temp\SDIAG_ddb55b0c-cd91-4e41-8c7d-9e294f93993f\RS_ProgramCompatibilityWizard.ps1	ISO-8859 text, with CRLF line terminators	#
C:\Windows\Temp\SDIAG_ddb55b0c-cd91-4e41-8c7d-9e294f93993f\DiagPackage.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	#
C:\Windows\Temp\SDIAG_ddb55b0c-cd91-4e41-8c7d-9e294f93993f\DiagPackage.diagpkg	HTML document, ASCII text, with CRLF line terminators	#
C:\Users\user\Desktop\~$nkfHg4d9.doc	data	#
C:\Users\user\AppData\Roaming\tor\state (copy)	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Tor\libevent-2-1-7.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\Tor\zlib1.dll	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows	#
C:\Users\user\AppData\Roaming\Tor\tor.exe	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows	#
C:\Users\user\AppData\Roaming\Tor\tor-gencert.exe	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows	#
C:\Users\user\AppData\Roaming\Tor\state.tmp	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Tor\libwinpthread-1.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\Tor\libssp-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\Tor\libssl-1_1.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\Tor\libgcc_s_dw2-1.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\SmiProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\Tor\libevent_core-2-1-7.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\AssocProvider.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\GenericProvider.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\FolderProvider.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\FfuProvider.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\DmiProvider.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\DismProv.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\DismHost.exe	PE32+ executable (GUI) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\DismCorePS.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\DismCore.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\CompatProvider.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\CbsProvider.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\IBSProvider.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\AppxProvider.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\a[1].html	HTML document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{5D79F234-F401-4DF1-BE07-0751AE8EEE89}.tmp	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{16FBC318-43B8-4401-9A87-AC5D871EA28A}.tmp	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\953582AF.png	PNG image data, 724 x 1024, 8-bit/color RGB, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5EFD149C-BD41-43EE-BC2A-E0545656E37A	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb	data	#
C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini	data	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\IBSProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\SysprepProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb	Microsoft Access Database	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\SetupPlatformProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\ProvProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\OfflineSetupProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\OSProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\MsiProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\LogProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\IntlProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\ImagingProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\TransmogProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\GenericProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\FolderProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\FfuProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\DmiProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\DismProv.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\DismCore.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\CompatProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\CbsProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\AssocProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\2C080D93-A43D-48E9-B35B-3CDCFF964B60\en-US\AppxProvider.dll.mui	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#

v4nkfHg4d9.doc

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

v4nkfHg4d9.doc Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

v4nkfHg4d9.doc