Loading ...

Analysis Report Business Financial Proposal.docx

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:123516
Start date:15.04.2019
Start time:22:51:49
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 31s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Business Financial Proposal.docx (renamed file extension from docx to doc)
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal52.phis.winDOC@6/26@2/1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Browse link: https://virgilp.ml/Proposal/webnet.php?code=2018900
  • Scroll down
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold520 - 100falsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsExploitation for Client Execution3Winlogon Helper DLLPort MonitorsFile System Logical OffsetsCredential DumpingSystem Information Discovery1Application Deployment SoftwareData from Local SystemData Encrypted1Standard Non-Application Layer Protocol2
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesBinary PaddingNetwork SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol2

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for URL or domainShow sources
Source: https://virgilp.ml/Proposal/webnet.php?code=2018900RootAvira URL Cloud: Label: phishing
Source: https://virgilp.ml/Proposal/webnet.php?code=2018900Avira URL Cloud: Label: phishing

Phishing:

barindex
Phishing site detected (based on logo template match)Show sources
Source: https://virgilp.ml/Proposal/webnet.php?code=2018900Matcher: Template: outlook matched
Found iframesShow sources
Source: https://virgilp.ml/Proposal/webnet.php?code=2018900HTTP Parser: Iframe src: javascript:false;
HTML body contains low number of good linksShow sources
Source: https://virgilp.ml/Proposal/webnet.php?code=2018900HTTP Parser: Number of links: 0
HTML title does not match URLShow sources
Source: https://virgilp.ml/Proposal/webnet.php?code=2018900HTTP Parser: Title: ESO Symantec VIP does not match URL
Suspicious form URL foundShow sources
Source: https://virgilp.ml/Proposal/webnet.php?code=2018900HTTP Parser: Form action: ./ver.php
Source: https://virgilp.ml/Proposal/webnet.php?code=2018900HTTP Parser: Form action: ./ver.php
META author tag missingShow sources
Source: https://virgilp.ml/Proposal/webnet.php?code=2018900HTTP Parser: No <meta name="author".. found
META copyright tag missingShow sources
Source: https://virgilp.ml/Proposal/webnet.php?code=2018900HTTP Parser: No <meta name="copyright".. found

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)Show sources
Source: global trafficDNS query: name: virgilp.ml
Potential document exploit detected (performs HTTP gets)Show sources
Source: global trafficTCP traffic: 192.168.2.2:49220 -> 104.27.145.167:443
Potential document exploit detected (unknown TCP traffic)Show sources
Source: global trafficTCP traffic: 192.168.2.2:49220 -> 104.27.145.167:443

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malwareShow sources
Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Downloads filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.WordJump to behavior
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: virgilp.ml
Urls found in memory or binary dataShow sources
Source: ~WRS{1A4F35FA-79AA-4A2C-A772-334629D62897}.tmp.0.drString found in binary or memory: https://kemberydrive.cf/1driveb/run-point/new/ww/
Source: ~DF2BDF860A1E259999.TMP.1.dr, ~WRS{1A4F35FA-79AA-4A2C-A772-334629D62897}.tmp.0.drString found in binary or memory: https://virgilp.ml/Proposal/webnet.php?code=2018900
Source: {7E3B02A3-5FC0-11E9-B7AC-B2C276BF9C88}.dat.1.drString found in binary or memory: https://virgilp.ml/Proposal/webnet.php?code=2018900Root
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49227
Source: unknownNetwork traffic detected: HTTP traffic on port 49220 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49226
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49225
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49224
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49223
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49222
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49221
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49220
Source: unknownNetwork traffic detected: HTTP traffic on port 49222 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49221 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49227 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49228 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49223 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49226 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49224 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49225 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49228

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: mal52.phis.winDOC@6/26@2/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$siness Financial Proposal.docJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user~1\AppData\Local\Temp\CVR72F4.tmpJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3332 CREDAT:275457 /prefetch:2
Source: unknownProcess created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: C:\Program Files\Internet Explorer\iexplore.exeProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3332 CREDAT:275457 /prefetch:2Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exeProcess created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -newJump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Document is a ZIP file with path names indicative of goodwareShow sources
Source: Business Financial Proposal.docInitial sample: OLE zip file path = word/media/image1.jpg
Checks if Microsoft Office is installedShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
Uses new MSVCR DllsShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dllJump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 123516 Sample: Business Financial Proposal.docx Startdate: 15/04/2019 Architecture: WINDOWS Score: 52 17 virgilp.ml 2->17 21 Antivirus detection for URL or domain 2->21 23 Phishing site detected (based on logo template match) 2->23 8 iexplore.exe 25 47 2->8         started        10 WINWORD.EXE 22 32 2->10         started        signatures3 process4 process5 12 iexplore.exe 2 25 8->12         started        dnsIp6 19 virgilp.ml 104.27.145.167, 443, 49220, 49221 unknown United States 12->19 15 ssvagent.exe 6 12->15         started        process7

Simulations

Behavior and APIs

TimeTypeDescription
22:53:18API Interceptor142x Sleep call for process: WINWORD.EXE modified

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
Business Financial Proposal.doc0%virustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
virgilp.ml3%virustotalBrowse

URLs

SourceDetectionScannerLabelLink
https://virgilp.ml/Proposal/webnet.php?code=2018900Root100%Avira URL Cloudphishing
https://virgilp.ml/Proposal/webnet.php?code=20189000%virustotalBrowse
https://virgilp.ml/Proposal/webnet.php?code=2018900100%Avira URL Cloudphishing
https://kemberydrive.cf/1driveb/run-point/new/ww/0%virustotalBrowse
https://kemberydrive.cf/1driveb/run-point/new/ww/0%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
unknownrequest.docGet hashmaliciousBrowse
  • 192.168.0.44
FERK444259.docGet hashmaliciousBrowse
  • 192.168.0.44
b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.jsGet hashmaliciousBrowse
  • 192.168.0.40
Setup.exeGet hashmaliciousBrowse
  • 192.168.0.40
base64.pdfGet hashmaliciousBrowse
  • 192.168.0.40
file.pdfGet hashmaliciousBrowse
  • 192.168.0.40
Spread sheet 2.pdfGet hashmaliciousBrowse
  • 192.168.0.40
request_08.30.docGet hashmaliciousBrowse
  • 192.168.0.44
P_2038402.xlsxGet hashmaliciousBrowse
  • 192.168.0.44
48b1cf747a678641566cd1778777ca72.apkGet hashmaliciousBrowse
  • 192.168.0.22
seu nome na lista de favorecidos.exeGet hashmaliciousBrowse
  • 192.168.0.40
Adm_Boleto.via2.comGet hashmaliciousBrowse
  • 192.168.0.40
QuitacaoVotorantim345309.exeGet hashmaliciousBrowse
  • 192.168.0.40
pptxb.pdfGet hashmaliciousBrowse
  • 192.168.0.40

JA3 Fingerprints

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
7dcce5b76c8b17472d024758970a406bAgreement.docGet hashmaliciousBrowse
  • 104.27.145.167
AWB1776367522_DHLReceipt25012018.xlsGet hashmaliciousBrowse
  • 104.27.145.167
957043_6ZK2400309.xmlGet hashmaliciousBrowse
  • 104.27.145.167
45760808.docGet hashmaliciousBrowse
  • 104.27.145.167
PotentialAPT.docGet hashmaliciousBrowse
  • 104.27.145.167
INV_APPS_IDX398177238_11022019.docxGet hashmaliciousBrowse
  • 104.27.145.167
SAM Doc 2.docxGet hashmaliciousBrowse
  • 104.27.145.167
ItemList.xlsxGet hashmaliciousBrowse
  • 104.27.145.167
Operating Agreement 0102282019c02.docGet hashmaliciousBrowse
  • 104.27.145.167
#U260e New VM Tuesday, March 12, 2019 004115.wav.rtfGet hashmaliciousBrowse
  • 104.27.145.167
New voice on Wednesday, Mar 13 2019.rtfGet hashmaliciousBrowse
  • 104.27.145.167
Voice message mai.docGet hashmaliciousBrowse
  • 104.27.145.167
Invoice for PO# 1021874_02.pdfGet hashmaliciousBrowse
  • 104.27.145.167
Quote _ Drawin.docGet hashmaliciousBrowse
  • 104.27.145.167
SKIDZ LTD Invoic.docGet hashmaliciousBrowse
  • 104.27.145.167
New Seccure File 7.24.05 PM.xlsxGet hashmaliciousBrowse
  • 104.27.145.167
freeformatter-decode.docGet hashmaliciousBrowse
  • 104.27.145.167
TTRequest01.docGet hashmaliciousBrowse
  • 104.27.145.167
X-Apple-BillingVerify85123.docxGet hashmaliciousBrowse
  • 104.27.145.167
KmxujJbqA.rtfGet hashmaliciousBrowse
  • 104.27.145.167

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.