
Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc

Status: finished
Submission Time: 2022-09-23 08:12:08 +02:00
Malicious
Phishing
Trojan
Exploiter
Evader
AveMaria, UACMe

Tags

  • doc

Details

  • Analysis ID: 708250
  • API (Web) ID: 1075708
  • Analysis Started: 2022-09-23 08:12:10 +02:00
  • Analysis Finished: 2022-09-23 08:24:10 +02:00
  • MD5: 9bc102ffb0930f5dee65bde8e0ba6d89
  • SHA1: 37cac7507a6ad02a75d947a9bdfe115f2da8b71b
  • SHA256: 959837140aee207e9fd845a030881f9430364d2df8088845f5828579420b1717
  • Technologies:
Verdict: malicious

System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Verdict    Score
malicious  100/100
malicious  31/61
malicious  13/40

IPs

IP              Country
20.126.95.155   United States
159.223.2.212   United States

Domains

Name                     IP
login.929389.ankura.us   159.223.2.212

URLs

Name
httP://login.929
httP://login.929389.ank
20.126.95.155
httP://login.929389.ankura.us/Aw
http://login.929389.ankura.us
http://www.piriform.com/ccleaner
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
https://github.com/syohex/java-simple-mine-sweeperC:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Dropped files

Name (path), followed by File Type

C:\Users\user\AppData\Roaming\explorer.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
    data
C:\Users\user\AppData\Local\Temp\tmpE14B.tmp
    XML 1.0 document, ASCII text
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T23CVE88X1M7GW0B4GPE.temp
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF4e3064.TMP (copy)
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5F3QBZVQ9RFEIWMV6CQN.temp
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\66P2GWKWYVB9UJIL9LXB.temp
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CQYZNWTS7YT610P4ZIUZ.temp
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DGJNWFN59TABKE06N13V.temp
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QFNUDIY2A3J44VPMGKOZ.temp
    data
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
    Little-endian UTF-16 Unicode text, with no line terminators
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF4e4412.TMP (copy)
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF4e978f.TMP (copy)
    data
C:\Users\user\Desktop\~$em Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF4e04a3.TMP (copy)
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
    data
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    data
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:53 2022, mtime=Tue Mar 8 15:45:53 2022, atime=Fri Sep 23 14:13:10 2022, length=221545, window=hide
C:\Users\user\AppData\Local\Temp\tmpFA37.tmp
    XML 1.0 document, ASCII text
C:\Users\user\AppData\Local\Temp\tmp6336.tmp
    XML 1.0 document, ASCII text
C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT:Zone.Identifier
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CD169163-57D1-49B2-967A-20BA2BE15787}.tmp
    data
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9CEE7D2D-9EE4-4FEB-932A-E7FDD2AB9079}.tmp
    data
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{146C24E6-EE9A-4BF4-BC74-016BA7AD9293}.tmp
    data
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp
    Composite Document File V2 Document, Cannot read section info
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA1522E6.png
    370 sysV pure executable
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\177069AF.wmf
    Targa image data - Map - RLE 1569 x 65536 x 0 +2 "\005"