flash

PO0000001552.xls

Status: finished
Submission Time: 2022-11-13 19:26:12 +01:00
Malicious
Trojan
Exploiter
Evader
Emotet

Comments

Tags

Details

  • Analysis ID:
    745091
  • API (Web) ID:
    1112395
  • Analysis Started:
    2022-11-13 19:26:12 +01:00
  • Analysis Finished:
    2022-11-13 19:32:27 +01:00
  • MD5:
    ecdc3f1e9afd2ce212a12ba3a844f521
  • SHA1:
    0121ba555dfe0b42834759d201cce505bd619f86
  • SHA256:
    1e494fd9ec670e351dd80258489770ffa43ee6f4be3e14c797f7ce64ae8e9d43
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

System: Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 91, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)

malicious
100/100

malicious
41/62

malicious

IPs

IP Country Detection
103.43.75.120
Japan
110.232.117.186
Australia
213.239.212.5
Germany
Click to see the 55 hidden entries
5.135.159.50
France
173.255.211.88
United States
212.24.98.99
Lithuania
186.194.240.217
Brazil
91.187.140.35
Serbia
119.59.103.152
Thailand
159.89.202.34
United States
201.94.166.162
Brazil
160.16.142.56
Japan
103.75.201.2
Thailand
91.207.28.33
Kyrgyzstan
164.90.222.65
United States
188.44.20.25
Macedonia
45.235.8.30
Brazil
153.126.146.25
Japan
72.15.201.15
United States
82.223.21.224
Spain
173.212.193.249
Germany
95.217.221.146
Germany
149.56.131.28
Canada
209.97.163.214
United States
182.162.143.56
Korea Republic of
1.234.2.232
Korea Republic of
129.232.188.93
South Africa
94.23.45.86
France
185.4.135.165
Greece
103.132.242.26
India
104.168.155.143
United States
79.137.35.198
France
45.118.115.99
Indonesia
172.104.251.154
United States
115.68.227.76
Korea Republic of
163.44.196.120
Singapore
206.189.28.199
United States
45.63.99.23
United States
107.170.39.149
United States
197.242.150.244
South Africa
172.105.226.75
United States
183.111.227.137
Korea Republic of
45.176.232.124
Colombia
139.59.56.73
Singapore
169.57.156.166
United States
164.68.99.3
Germany
139.59.126.41
Singapore
167.172.253.162
United States
147.139.166.154
United States
202.129.205.3
Thailand
167.172.199.165
United States
153.92.5.27
Germany
159.65.140.115
United States
159.65.88.10
United States
175.98.167.165
Taiwan; Republic of China (ROC)
47.92.35.35
China
81.68.152.197
China
41.63.0.22
Zambia

Domains

Name IP Detection
sbm.xinmoshiwang.com
47.92.35.35
datie-tw.com
175.98.167.165
copunupo.ac.zm
41.63.0.22
Click to see the 1 hidden entries
ly.yjlianyi.top
81.68.152.197

URLs

Name Detection
https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/
https://182.162.143.56/tkafmhcgcid/
http://sbm.xinmoshiwang.com/upload/VaOfWEb3pW76UO/
Click to see the 97 hidden entries
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
https://apis.live.net/v5.0/
http://weather.service.msn.com/data.aspx
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
https://45.63.99.23:7080/tkafmhcgcid/8eM
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
https://ncus.contentsync.
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://consent.config.office.com/consentcheckin/v1.0/consents
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
https://outlook.office365.com/autodiscover/autodiscover.json
https://prod-global-autodetect.acompli.net/autodetect
https://analysis.windows.net/powerbi/api
https://officesetup.getmicrosoftkey.com
https://dataservice.o365filtering.com/
https://graph.windows.net
https://45.63.99.23:7080/b
https://api.addins.store.officeppe.com/addinstemplate
https://web.microsoftstream.com/video/
https://api.powerbi.com/v1.0/myorg/groups
https://outlook.office365.com/api/v1.0/me/Activities
https://webshell.suite.office.com
https://outlook.office365.com/
https://storage.live.com/clientlogs/uploadlocation
https://outlook.office.com/
https://substrate.office.com/search/api/v2/init
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
https://entitlement.diagnostics.office.com
https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/%
https://clients.config.office.net/user/v1.0/android/policies
https://asgsmsproxyapi.azurewebsites.net/
https://incidents.diagnosticssdf.office.com
https://api.office.net
https://www.odwebp.svc.ms
https://o365auditrealtimeingestion.manage.office.com
https://insertmedia.bing.office.net/odc/insertmedia
https://45.63.99.23:7080/2
https://182.162.143.56/
https://clients.config.office.net/user/v1.0/ios
https://incidents.diagnostics.office.com
https://wus2.contentsync.
https://outlook.office365.com
https://management.azure.com
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
https://messaging.lifecycle.office.com/
https://powerlift.acompli.net
https://ofcrecsvcapi-int.azurewebsites.net/
https://api.aadrm.com/
https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/F
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
https://entitlement.diagnosticssdf.office.com
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://cloudfiles.onenote.com/upload.aspx
https://api.powerbi.com/v1.0/myorg/imports
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://cortana.ai
https://lookup.onenote.com/lookup/geolocation/v1
https://rpsticket.partnerservices.getmicrosoftkey.com
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
https://clients.config.office.net/user/v1.0/tenantassociationkey
https://api.addins.omex.office.net/appinfo/query
https://cdn.entity.
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
https://roaming.edog.
https://autodiscover-s.outlook.com/
http://ly.yjlianyi.top/wp-admin/4cChao/
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
https://shell.suite.office.com:1443
https://login.microsoftonline.com/
https://45.63.99.23:7080/tkafmhcgcid/
https://api.diagnosticssdf.office.com
https://dev0-api.acompli.net/autodetect
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://messaging.engagement.office.com/
https://globaldisco.crm.dynamics.com
https://outlook.office.com/autosuggest/api/v1/init?cvid=
https://api.aadrm.com
https://store.office.cn/addinstemplate
https://my.microsoftpersonalcontent.com
https://api.scheduler.
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
https://api.diagnosticssdf.office.com/v2/feedback
https://officeci.azurewebsites.net/api/
https://tasks.office.com
https://powerlift-frontdesk.acompli.net
https://res.getmicrosoftkey.com/api/redemptionevents
https://graph.ppe.windows.net
https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/
https://portal.office.com/account/?ref=ClientMeControl
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
https://cr.office.com
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
https://api.microsoftstream.com/api/

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Users\user\elv2.ooocccxxx
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
Click to see the 12 hidden entries
C:\Users\user\elv3.ooocccxxx
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json
JSON data
#
C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview.ttf
TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_17RegularVersion 4.17;O365
#
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E9097BEB-F41B-41FA-A529-2854DCDBD67E
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
XML 1.0 document, ASCII text, with very long lines (65536), with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
data
#
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres
data
#
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\9aad439831564ef9f88438a70a63c87e26ef3852.tbres
data
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO0000001552.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 30 12:46:13 2022, mtime=Sun Nov 13 17:26:48 2022, atime=Sun Nov 13 17:26:48 2022, length=93184, window=hide
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Generic INItialization configuration [xls]
#
C:\Windows\System32\GanZhs\FrugrCuQjdEr.dll (copy)
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Windows\System32\XEzXl\JZazaZgAOY.dll (copy)
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#