
Analysis Report Apple Invoice.doc

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 203498
Start date: 26.01.2020
Start time: 23:15:47
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Apple Invoice.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.winDOC@6/27@3/2
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Browse link: https://t.umblr.com/redirect?z=https%3A%2F%2Fmembership-data.servehttp.com%2F%3Fpayment&t=ODIzMDkyYTJjNDRkNzAzMzkyMTY3ODNmMmQzODQzOTUyZDUzNzNkOSxtUGNnb3ZFUQ%3D%3D&b=t%3A86EixzE49DWseK7VEF3cIQ&p=https%3A%2F%2Fksdahfsollmfsd.tumblr.com%2Fpost%2F190476608701&m=1
  • Scroll down
  • Close Viewer
  • Browsing link: https://membership-data.servehttp.com/?payment
  • Browsing link: res://ieframe.dll/invalidcert.htm?SSLError=16777216#
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • TCP Packets have been reduced to 100
  • Excluded IPs from analysis (whitelisted): 13.107.5.80, 204.79.197.200, 13.107.21.200, 23.0.174.185, 23.0.174.184, 93.184.221.240, 8.253.207.120, 8.241.78.126, 8.241.79.254, 67.27.158.254, 67.27.158.126, 152.199.19.161, 205.185.216.10, 205.185.216.42
  • Excluded domains from analysis (whitelisted): www.bing.com, au.download.windowsupdate.com.edgesuite.net, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, api.bing.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, cds.d2s7q6s2.hwcdn.net, wu.azureedge.net, iecvlist.microsoft.com, e-0001.e-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, api-bing-com.e-0001.e-msedge.net, cs9.wpc.v0cdn.net
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.

Detection

Strategy: Threshold
Score: 1
Range: 0 - 100
Whitelisted: false
Detection: clean

Confidence

Strategy: Threshold
Score: 3
Range: 0 - 5
Further Analysis Required?: true


Classification

Analysis Advice

No malicious behavior found; analyze the document also on other versions of Office / Acrobat.
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Mitre Att&ck Matrix

Matched techniques per tactic (the number in parentheses is the count of matching signatures; the unmatched placeholder cells of the matrix are omitted):
  • Execution: Graphical User Interface (1)
  • Privilege Escalation: Process Injection (1)
  • Defense Evasion: Masquerading (1), Process Injection (1)
  • Discovery: File and Directory Discovery (1), System Information Discovery (1)
  • Lateral Movement: Remote File Copy (1)
  • Command and Control: Standard Cryptographic Protocol (2), Standard Non-Application Layer Protocol (1), Standard Application Layer Protocol (2), Remote File Copy (1)
  • No matches: Initial Access, Persistence, Credential Access, Collection, Exfiltration, Network Effects, Remote Service Effects, Impact

Signature Overview


Networking:

JA3 SSL client fingerprint seen in connection with other malware
  Source: Joe Sandbox View; JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
  Caveat: JA3 hashes the TLS ClientHello sent by the connecting client, which in this analysis is iexplore.exe in the Windows 7 / IE 11 image, so the value characterises the sandbox browser stack rather than the document. The "JA3 Fingerprints" context entries further down match on this hash; what they actually share with this sample is the destination pair 66.6.33.159 (t.umblr.com) and 167.172.246.65 (membership-data.servehttp.com), which is the more useful pivot.
Downloads files
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Performs DNS lookups
  Source: unknown; DNS traffic detected: queries for: t.umblr.com
Urls found in memory or binary data
  Source: ~DF8FE12DAB3175D991.TMP.1.dr, redirect[1].htm.2.dr; String found in binary or memory: https://membership-data.servehttp.com/?payment
  Source: ~DF8FE12DAB3175D991.TMP.1.dr, {CDAB0843-4089-11EA-B7AC-B2C276BF9C88}.dat.1.dr; String found in binary or memory: https://membership-data.servehttp.com/?paymentJCertificate
  Source: ~DF8FE12DAB3175D991.TMP.1.dr, {CDAB0843-4089-11EA-B7AC-B2C276BF9C88}.dat.1.dr; String found in binary or memory: https://membership-data.servehttp.com/?paymenthip-data.servehttp.com%2F%3Fpayment&t=ODIzMDkyYTJjNDRk
  Source: ~DF8FE12DAB3175D991.TMP.1.dr; String found in binary or memory: https://t.umblr.com/
  Source: {CDAB0843-4089-11EA-B7AC-B2C276BF9C88}.dat.1.dr; String found in binary or memory: https://t.umblr.com/redirect?z=https%3A%2F%2Fmembership-data.servehttp.com%2F%3Fp
  Source: {CDAB0843-4089-11EA-B7AC-B2C276BF9C88}.dat.1.dr; String found in binary or memory: https://t.umblr.com/redirect?z=https%3A%2F%2Fmembership-data.servehttp.com%2F%3FpRoot
  Source: {CDAB0843-4089-11EA-B7AC-B2C276BF9C88}.dat.1.dr; String found in binary or memory: https://t.umblr.com/redirect?z=https%3A%2F%2Fmembership-data.servehttp.com%2F%3Fpayment&t=ODIzMDkyYT
Uses HTTPS
  Source: unknown; Network traffic detected: HTTP traffic on port 443, in both directions, with local ports 49220, 49221, 49222, 49223, 49226 and 49227
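The redirect recorded in the cookbook "Browse link" step and in the "Urls found in memory" strings above is a Tumblr t.umblr.com redirector URL: its z parameter carries the percent-encoded final destination, p the originating tumblr.com post, b a blog identifier and t a base64 token. The following Python is an added example, not part of the Joe Sandbox report, that decodes such a URL to the real target and flags destinations under free dynamic-DNS parent domains. The suffix watch-list is a hypothetical one chosen for the example, and the meaning of the decoded token fields is Tumblr-internal and not asserted here.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed input: the redirect URL from the cookbook "Browse link" step of this report.
REDIRECT_URL = (
    "https://t.umblr.com/redirect?z=https%3A%2F%2Fmembership-data.servehttp.com%2F%3Fpayment"
    "&t=ODIzMDkyYTJjNDRkNzAzMzkyMTY3ODNmMmQzODQzOTUyZDUzNzNkOSxtUGNnb3ZFUQ%3D%3D"
    "&b=t%3A86EixzE49DWseK7VEF3cIQ"
    "&p=https%3A%2F%2Fksdahfsollmfsd.tumblr.com%2Fpost%2F190476608701&m=1"
)

# Hypothetical watch-list of free dynamic-DNS parent domains (an assumption for this example,
# not taken from the report); servehttp.com is the parent of the destination host above.
DYNAMIC_DNS_SUFFIXES = ("servehttp.com", "serveftp.com", "no-ip.org", "ddns.net", "hopto.org", "zapto.org")


def parse_tumblr_redirect(url):
    """Decode a t.umblr.com/redirect URL into its destination and the bookkeeping parameters."""
    parts = urlsplit(url)
    if parts.hostname != "t.umblr.com" or parts.path != "/redirect":
        raise ValueError("not a t.umblr.com redirect URL")
    q = parse_qs(parts.query)          # parse_qs percent-decodes each value
    if "z" not in q:
        raise ValueError("redirect has no z (destination) parameter")
    dest = q["z"][0]
    token = q.get("t", [""])[0]
    token_fields = []
    if token:
        try:
            # The token is base64 text of the form "<40 hex chars>,<short tag>"; its
            # semantics are not documented here, so it is only split, not interpreted.
            token_fields = base64.b64decode(token, validate=True).decode("ascii").split(",")
        except (ValueError, UnicodeDecodeError):
            token_fields = []
    return {
        "destination": dest,
        "destination_host": urlsplit(dest).hostname or "",
        "blog_id": q.get("b", [""])[0],
        "source_post": q.get("p", [""])[0],
        "token_fields": token_fields,
    }


def is_dynamic_dns_host(host, suffixes=DYNAMIC_DNS_SUFFIXES):
    """True if host is a watch-listed parent domain or a subdomain of one (exact label match)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(url):
    """Decode the redirect and attach the dynamic-DNS verdict for the real destination."""
    info = parse_tumblr_redirect(url)
    info["dynamic_dns"] = is_dynamic_dns_host(info["destination_host"])
    return info


if __name__ == "__main__":
    for key, value in triage(REDIRECT_URL).items():
        print(f"{key}: {value}")
```

For the URL in this report, triage() yields the destination https://membership-data.servehttp.com/?payment with dynamic_dns set to True: the tumblr.com link and the tumblr.com post in p are only the laundering hop, and the servehttp.com host is the indicator worth blocking or hunting on.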

System Summary:

Unable to load, office file is protected or invalid
  Source: C:\Program Files\Internet Explorer\iexplore.exe; Window title found: res://ieframe.dll/invalidcert.htm?sslerror=16777216# - internet explorer (navigation bar, address bar, address combo control, page control, favorites and tools bar)
  Note: this signature fired on the iexplore.exe window title, i.e. Internet Explorer's certificate-error page (res://ieframe.dll/invalidcert.htm) reached after the redirect to https://membership-data.servehttp.com/?payment; it does not indicate a protected or invalid Office file. What it does show is that the redirect target presented a certificate IE would not accept at analysis time.
Classification label
  Source: classification engine; Classification label: clean1.winDOC@6/27@3/2
Creates files inside the user directory
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\Desktop\~$ple Invoice.doc
Creates temporary files
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user~1\AppData\Local\Temp\CVRB5E1.tmp
Document contains an OLE Word Document stream indicating a Microsoft Word file
  Source: Apple Invoice.doc; OLE indicator, Word Document stream: true
Document contains summary information with irregular field values
  Source: Apple Invoice.doc; OLE document summary: title field not present or empty
Reads ini files
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File read: C:\Users\desktop.ini
Spawns processes
  Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
  Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
  Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1228 CREDAT:275457 /prefetch:2
  Source: unknown; Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
  Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1228 CREDAT:275457 /prefetch:2
  Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Found graphical window changes (likely an installer)
  Source: Window Recorder; Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Document has a 'lastprinted' value indicative of goodware
  Source: Apple Invoice.doc; Initial sample: OLE summary lastprinted = 2018-12-22 14:01:00
Document has a 'vbamacros' value indicative of goodware
  Source: Apple Invoice.doc; Initial sample: OLE indicators vbamacros = False

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX (77 occurrences)
  Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe; Process information set: NOOPENFILEERRORBOX (4 occurrences)

Malware Configuration

No configs have been found

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 203498
Sample: Apple Invoice.doc
Start date: 26/01/2020
Architecture: WINDOWS
Score: 1
Process tree and network contacts (the node counters are created registry values / created files, in the order given by the legend):
  • WINWORD.EXE (11 / 25), started
  • iexplore.exe (25 / 48), started
    • iexplore.exe (1 / 34), started by the parent iexplore.exe
      • membership-data.servehttp.com, 167.172.246.65, port 443, local ports 49222 and 49223, ASN unknown, United States
      • t.umblr.com, 66.6.33.159, port 443, local ports 49220 and 49221, ASN unknown, United States
      • ssvagent.exe (6), started

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: Apple Invoice.doc; Detection: 0%; Scanner: Virustotal

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source: https://membership-data.servehttp.com/?payment; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
Source: https://membership-data.servehttp.com/?paymenthip-data.servehttp.com%2F%3Fpayment&t=ODIzMDkyYTJjNDRk; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
Source: https://membership-data.servehttp.com/?paymentJCertificate; Detection: 0%; Scanner: Avira URL Cloud; Label: safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match: 66.6.33.159
Associated samples / URLs (detection):
  • ReceiptDOC#KXJAISF21.docx (malicious)
  • Service Manage Account.docx (malicious)
  • Service Manage Account.docx (malicious)
  • https://t.umblr.com/redirect?z=http%3A%2F%2Ftop.nov.ru%2FwqcyN9&t=MzBjZGRjYzM3YjFjYzNhZmMyY2MzMjcwM2FhMzcwM2QwNjI5ZWJlOSxKdzJ0WnNrbQ%3D%3D&rand=555120030006 (malicious)

Domains

Match: t.umblr.com
Associated samples / URLs (detection): IP the domain resolved to in that analysis
  • ReceiptDOC#KXJAISF21.docx (malicious): 66.6.32.31
  • ReceiptDOC#KXJAISF21.docx (malicious): 66.6.33.159
  • ReceiptDOC#KXJAISF2154915.docx (malicious): 66.6.33.31
  • ReceiptDOC#KXJAISF2154915.docx (malicious): 66.6.32.31
  • DOC-ID#SMGBSX2ABLIMBL.docx (malicious): 66.6.33.31
  • DOC-ID#SMGBSX2ABLIMBL.docx (malicious): 66.6.32.31
  • Service Manage Account.docx (malicious): 66.6.33.159
  • Service Manage Account.docx (malicious): 66.6.33.31
  • Information-Account#138446.docx (malicious): 66.6.32.31
  • Information-Account#138446.docx (malicious): 66.6.33.31
  • https://t.umblr.com/redirect?z=http%3A%2F%2Fito.mx%2FDERisky&t=YjAxYmE1ZjJhZmQ3ZGVlODM3M2VmNDE1YjRiYTMzMWY5MzJkMDE2ZSxaTk01UTNhZw%3D%3D&b=t%3ATuqrLBAhVuwa0ZLMPTk29g&p=https%3A%2F%2Ffaldio.tumblr.tumblr.com%2Fpost%2F#104;ttpitomxgermany&m=1?trackID=FUCFCYAGET54168138 (malicious): 66.6.32.31
  • https://t.umblr.com/redirect?z=https%3A%2F%2Flnkd.in%2FgXaNBXM&t=ZjNiZWY1MTQ4NzJlYjllMGEwNmQwZGQ5ZWNiNTllNDExYTA0ZDU1NCxqbDBoY2k4Sw%3D%3D&b=t%3Aumb0dLBh9U5Y24zQlWjBBQ&p=https%3A%2F%2Fapiskontol.tumblr.com%2Fpost%2F187014066685%2Fhttpslnkdingxanbxm&m=1 (malicious): 66.6.33.31
  • https://t.umblr.com/redirect?z=http%3A%2F%2Ftop.nov.ru%2FwqcyN9&t=MzBjZGRjYzM3YjFjYzNhZmMyY2MzMjcwM2FhMzcwM2QwNjI5ZWJlOSxKdzJ0WnNrbQ%3D%3D&rand=555120030006 (malicious): 66.6.33.159

ASN

Match: unknown (the ASN of both contacted IPs, 167.172.246.65 and 66.6.33.159, is reported as unknown; the report repeats the same associated list once per IP, shown here once)
Associated samples / URLs (detection): IP
  • http://71.6.147.254 (malicious): 71.6.147.254
  • 3uIMrGNzkk (malicious): 104.216.101.37
  • FA00-4677929.doc (malicious): 141.98.214.26
  • PostFinance SecureBrowser.exe (malicious): 194.41.226.22
  • FA00-2632571.doc (malicious): 141.98.214.26
  • FA00-8748880.doc (malicious): 141.98.214.26
  • revised document.xlsx (malicious): 108.62.12.134
  • revised document.xlsx (malicious): 108.62.12.134
  • Legacy.exe (malicious): 158.69.225.220
  • old.html (malicious): 52.218.109.122
  • old.html (malicious): 87.236.16.197
  • 35#U0441.exe (malicious): 5.2.78.43
  • http://199.21.76.78/search?q=1 (malicious): 199.21.76.78
  • 71v7AJlVF6 (malicious): 37.120.140.211
  • xorEBlUBQj (malicious): 172.217.168.66
  • http://www.vasi-snovi.com/highslide/graphics/index.html (malicious): 185.119.88.235
  • FA-8874 Medical report p2.doc (malicious): 104.27.157.5
  • -#U2709-Employee-Benefits-Pol#U03b9cy-9493556283243-33383838558-857585.htm (malicious): 68.66.216.23
  • https://protect-us.mimecast.com/s/z9PfC9rYmEuzL735soaia7?domain=microsoftonlinedocuments.onlyoffice.eu (malicious): 216.239.32.21
  • https://e5.onthehub.com/d.ashx?s=2cigogpdpy&data=02|01|pearceke@wwu.edu|53504869a4954233dc0a08d7a109426d|dc46140ce26f43efb0ae00f257f478ff|0|1|637154933458118240&sdata=YMiRe79OGD6ddy28bFb1Hw16ozg+rScH9r70tgmnqeY=&reserved=0 (malicious): 157.240.27.27

JA3 Fingerprints

Match: 7dcce5b76c8b17472d024758970a406b
Every associated sample below contacted the same two IPs as this analysis, 66.6.33.159 and 167.172.246.65:
  • rech_190822556.html (malicious)
  • ReceiptDOC#KXJAISF21.docx (malicious)
  • ReceiptDOC#KXJAISF2154915.docx (malicious)
  • YagY6WoNBa.docx (malicious)
  • T0uNqHZydq.docx (malicious)
  • Legal_.doc (malicious)
  • purchase_order.xls (malicious)
  • IT Announcement.docx (malicious)
  • m69rY7tcnX.doc (malicious)
  • Reports from Strawberry Hills Pharmacy#U00a0.docx (malicious)
  • 2dB3CpLQfb.xlm (malicious)
  • Unsigned_document_5466367.doc (malicious)
  • AccountDescription.docx (malicious)
  • Document Review.docx (malicious)
  • Payment INV-December 31, 2019.docx (malicious)
  • E-Statement_Accounts.doc (malicious)
  • takehome.exe (malicious)
  • AccountInvoice8472.xlsm (malicious)
  • AccountInvoice8472.xlsm (malicious)
  • https://jaygill.000webhostapp.com/wp-content/uploads/2019/12/news/537877/537877.zip (malicious)
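JA3, as used in the "JA3 SSL client fingerprint" signature and the context list above, is the MD5 of the string "TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats" read from the client's ClientHello, with GREASE values left out; every field comes from the client, which is why the hash stays constant across all sites the same browser build visits. The Python below is an added example and not code from the report or from Joe Sandbox: it serialises a constructed ClientHello record with a hypothetical cipher and extension list (including GREASE entries to show they are dropped), then parses it back into the JA3 string and hash. The constructed values are illustrative and do not reproduce the 7dcce5b76c8b17472d024758970a406b fingerprint above, which depends on IE 11's real ClientHello.

```python
import hashlib
import struct

# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are excluded from JA3 so that randomised
# GREASE entries do not change the fingerprint.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def build_client_hello(version, ciphers, extensions, random=b"\x11" * 32):
    """Serialise a minimal TLS record carrying a ClientHello (constructed test input)."""
    ext_blob = b"".join(struct.pack("!HH", t, len(p)) + p for t, p in extensions)
    body = (struct.pack("!H", version) + random
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                               # one compression method: null
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def supported_groups_ext(groups):
    """Extension 10 (supported_groups): 2-byte list length, then 2-byte group ids."""
    data = b"".join(struct.pack("!H", g) for g in groups)
    return (10, struct.pack("!H", len(data)) + data)


def ec_point_formats_ext(formats):
    """Extension 11 (ec_point_formats): 1-byte list length, then 1-byte format ids."""
    return (11, bytes([len(formats)]) + bytes(formats))


def ja3_string(record):
    """Return the JA3 string 'ver,ciphers,exts,groups,formats' for a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                        # client_version + random
    pos += 1 + body[pos]                                # session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for c in struct.unpack("!%dH" % (n // 2), body[pos:pos + n]) if c not in GREASE]
    pos += n
    pos += 1 + body[pos]                                # compression methods
    exts, groups, formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type in GREASE:
                continue
            exts.append(ext_type)
            if ext_type == 10:
                gl = struct.unpack("!H", data[:2])[0]
                groups = [g for g in struct.unpack("!%dH" % (gl // 2), data[2:2 + gl]) if g not in GREASE]
            elif ext_type == 11:
                formats = list(data[1:1 + data[0]])

    def dash(values):
        return "-".join(str(v) for v in values)

    return ",".join([str(version), dash(ciphers), dash(exts), dash(groups), dash(formats)])


def ja3_hash(record):
    """JA3 fingerprint: MD5 hex digest of the JA3 string."""
    return hashlib.md5(ja3_string(record).encode("ascii")).hexdigest()


# Constructed ClientHello: TLS 1.2 version field, one GREASE cipher and one GREASE extension,
# SNI (type 0, payload contents irrelevant to JA3), supported_groups and ec_point_formats.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0a0a, 0xC02B, 0xC02F, 0x009C],
    [(0x0a0a, b""), (0, b"\x00\x00"), supported_groups_ext([0x1a1a, 0x1D, 0x17]), ec_point_formats_ext([0])],
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))
    print(ja3_hash(SAMPLE_HELLO))
```

Because nothing in the string depends on the server, a context match on this hash says that another sample was driven through the same client software (here, the same sandbox browser image), not that the two samples share infrastructure; the IPs listed beside each match are the part of the context that actually overlaps.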

Dropped Files

No context
