PO No -77ATK210-437-0820.rtf

Status: finished

Submission Time: 2020-01-30 11:23:36 +01:00

Malicious

Exploiter

Evader

Phishing

Trojan

Spyware

HawkEye

Comments

Details

Analysis ID:
204544
API (Web) ID:
306643
Analysis Started:

2020-01-30 11:23:36 +01:00
Analysis Finished:

2020-01-30 11:48:04 +01:00
MD5:
620d1fdf020def3e06ce43d9a70f1ece
SHA1:
65f67d9f35b8413a1dcb1bfbdf38b065d3197f96
SHA256:
a3f8601a19e180550e161357ece3f0d7c18ed4aed96ebc71051686a87fe9774e
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
	Full Report Management Report IOC Report	malicious Score: 92	System: unknown
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 Run Condition: Potential for more IOCs and behavior

Third Party Analysis Engines

Open Full Report

malicious

Score: 24/57

malicious

IPs

IP	Country	Detection
67.222.158.172	United States

Domains

Name	IP	Detection
pivotpower24.com	67.222.158.172

URLs

Name	Detection
http://pomf.cat/upload.php
https://pivotpower24.com/mytbay/chima/ccc.exe
http://pomf.cat/upload.phpCContent-Disposition:
Click to see the 6 hidden entries
https://a.pomf.cat/
https://login.yahoo.com/config/login
http://pomf.cat/upload.php&https://a.pomf.cat/
http://www.nirsoft.net
http://www.nirsoft.net/
http://bot.whatismyipaddress.com/

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\newfile.Exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QCLZFLPQ9KXAVP5VSMNW.temp	empty	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y5sve1tk.wjq.ps1	ASCII text, with no line terminators	#
Click to see the 54 hidden entries
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zv2m40xl.0bx.psm1	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\tmp666E.tmp	empty	#
C:\Users\user\AppData\Local\Temp\tmp8810.tmp	empty	#
C:\Users\user\AppData\Roaming\Microsoft\Office\MSO1033.acl	data	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO No -77ATK210-437-0820.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jan 27 22:16:10 2020, mtime=Thu Jan 30 09:32:00 2020, atime=Thu Jan 30 09:32:00 2020, length=282552, window=hide	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5IE3X8FXCSRN0EO5T4WH.temp	data	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DZA8LTG544U46IRDPVNX.temp	data	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NY746UNDYTYK7MFWLHX0.temp	empty	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O6QIW84G5YL1ON4UR7RX.temp	data	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OT2A32OZFQ61I5RCWVJH.temp	data	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uv231ip2.phd.ps1	ASCII text, with no line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SZ1XTBZZ9ASAM63BBALH.temp	empty	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z5YM6RWODQ3SPOXJSG5M.temp	empty	#
C:\Users\user\AuthFWGP\AuthFWGP.vbs	ASCII text, with CRLF, CR line terminators	#
C:\Users\user\AuthFWGP\TCPSVCS.exe	empty	#
C:\Users\user\Desktop\~$ No -77ATK210-437-0820.rtf	data	#
C:\Users\user\Documents\20200130\PowerShell_transcript.818225.SSaVUht+.20200130113222.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\Documents\20200130\PowerShell_transcript.818225.U0mvHbw1.20200130113433.txt	empty	#
C:\Users\user\Documents\20200130\PowerShell_transcript.818225.Ut3LI9Qm.20200130113453.txt	empty	#
C:\Users\user\Documents\20200130\PowerShell_transcript.818225.X8WEYBqV.20200130113352.txt	empty	#
C:\Users\user\Documents\20200130\PowerShell_transcript.818225.adrCG7Yx.20200130113233.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\Documents\20200130\PowerShell_transcript.818225.m_yoZFNA.20200130113228.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\Documents\20200130\PowerShell_transcript.818225.q7tJZ7iI.20200130113214.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\Documents\20200130\PowerShell_transcript.818225.yoMWbvYh.20200130113404.txt	empty	#
C:\Users\user\AppData\Local\Temp\2329a587-f970-08c3-9564-467f454a0946	empty	#
C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-journal	data	#
C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal	empty	#
C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session	empty	#
C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session-journal	empty	#
C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db	SQLite 3.x database, last written using SQLite version 3019003	#
C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db-journal	data	#
C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal	SQLite Write-Ahead Log, version 3007000	#
C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.session	SQLite 3.x database, last written using SQLite version 3019003	#
C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.session-journal	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B70B685C.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{14B1F13E-AED8-40C8-A48E-01718E7D1C23}.tmp	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	empty	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	empty	#
C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db	SQLite 3.x database, last written using SQLite version 3019003	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0chkkxdp.zzn.psm1	empty	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5tqmg20e.2zi.ps1	empty	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5u22abcd.fo0.psm1	empty	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bdx4rkpa.hen.psm1	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gh0q3iwl.4vz.psm1	empty	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmglmqsy.j5t.ps1	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iee3x4ti.e5h.ps1	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j10iormq.qz1.psm1	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mr0yo2fq.ifd.psm1	empty	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qpxwvyuk.loo.psm1	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skpxafqs.cz0.ps1	empty	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_swsfubcz.v01.ps1	empty	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ufgn5rwo.lgv.ps1	empty	#

PO No -77ATK210-437-0820.rtf

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

PO No -77ATK210-437-0820.rtf Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

Yara Super Rule creation started

PO No -77ATK210-437-0820.rtf