flash

PO No -77ATK210-437-0820.rtf

Status: finished
Submission Time: 30.01.2020 11:23:36
Classification: Malicious, Exploiter, Evader, Phishing, Trojan, Spyware, HawkEye

Details

  • Analysis ID:
    204544
  • API (Web) ID:
    306643
  • Analysis Started:
    30.01.2020 11:23:36
  • Analysis Finished:
    30.01.2020 11:48:04
  • MD5:
    620d1fdf020def3e06ce43d9a70f1ece
  • SHA1:
    65f67d9f35b8413a1dcb1bfbdf38b065d3197f96
  • SHA256:
    a3f8601a19e180550e161357ece3f0d7c18ed4aed96ebc71051686a87fe9774e
  • Technologies:

Full Report Engine Info Verdict Score Reports

  • System: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
    Verdict: malicious, Score: 92/100
  • System: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
    Run Condition: Potential for more IOCs and behavior
    Verdict: malicious, Score: 100/100
  • Verdict: malicious, Score: 24/57
  • Verdict: malicious
  • Verdict: malicious

IPs

IP Country Detection
  • 67.222.158.172
    United States

Domains

Name IP Detection
  • pivotpower24.com
    67.222.158.172

URLs

Name Detection
  • http://pomf.cat/upload.php
  • https://pivotpower24.com/mytbay/chima/ccc.exe
  • http://pomf.cat/upload.phpCContent-Disposition:
  • https://a.pomf.cat/
  • https://login.yahoo.com/config/login
  • http://pomf.cat/upload.php&https://a.pomf.cat/
  • http://www.nirsoft.net
  • http://www.nirsoft.net/
  • http://bot.whatismyipaddress.com/

Dropped files

Name File Type Hashes Detection
  • C:\Users\user\AppData\Local\Temp\newfile.Exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db
    SQLite 3.x database, last written using SQLite version 3019003
  • C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-journal
    data
  • C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
    empty
  • C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session
    empty
  • C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session-journal
    empty
  • C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db
    SQLite 3.x database, last written using SQLite version 3019003
  • C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db-journal
    data
  • C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
    SQLite Write-Ahead Log, version 3007000
  • C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.session
    SQLite 3.x database, last written using SQLite version 3019003
  • C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.session-journal
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B70B685C.emf
    Windows Enhanced Metafile (EMF) image data version 0x10000
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{14B1F13E-AED8-40C8-A48E-01718E7D1C23}.tmp
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    empty
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    empty
  • C:\Users\user\AppData\Local\Temp\2329a587-f970-08c3-9564-467f454a0946
    empty
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0chkkxdp.zzn.psm1
    empty
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5tqmg20e.2zi.ps1
    empty
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5u22abcd.fo0.psm1
    empty
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bdx4rkpa.hen.psm1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gh0q3iwl.4vz.psm1
    empty
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmglmqsy.j5t.ps1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iee3x4ti.e5h.ps1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j10iormq.qz1.psm1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mr0yo2fq.ifd.psm1
    empty
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qpxwvyuk.loo.psm1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skpxafqs.cz0.ps1
    empty
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_swsfubcz.v01.ps1
    empty
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ufgn5rwo.lgv.ps1
    empty
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uv231ip2.phd.ps1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y5sve1tk.wjq.ps1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zv2m40xl.0bx.psm1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\tmp666E.tmp
    empty
  • C:\Users\user\AppData\Local\Temp\tmp8810.tmp
    empty
  • C:\Users\user\AppData\Roaming\Microsoft\Office\MSO1033.acl
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO No -77ATK210-437-0820.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jan 27 22:16:10 2020, mtime=Thu Jan 30 09:32:00 2020, atime=Thu Jan 30 09:32:00 2020, length=282552, window=hide
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5IE3X8FXCSRN0EO5T4WH.temp
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DZA8LTG544U46IRDPVNX.temp
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NY746UNDYTYK7MFWLHX0.temp
    empty
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O6QIW84G5YL1ON4UR7RX.temp
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OT2A32OZFQ61I5RCWVJH.temp
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QCLZFLPQ9KXAVP5VSMNW.temp
    empty
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SZ1XTBZZ9ASAM63BBALH.temp
    empty
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z5YM6RWODQ3SPOXJSG5M.temp
    empty
  • C:\Users\user\AuthFWGP\AuthFWGP.vbs
    ASCII text, with CRLF, CR line terminators
  • C:\Users\user\AuthFWGP\TCPSVCS.exe
    empty
  • C:\Users\user\Desktop\~$ No -77ATK210-437-0820.rtf
    data
  • C:\Users\user\Documents\20200130\PowerShell_transcript.818225.SSaVUht+.20200130113222.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\Documents\20200130\PowerShell_transcript.818225.U0mvHbw1.20200130113433.txt
    empty
  • C:\Users\user\Documents\20200130\PowerShell_transcript.818225.Ut3LI9Qm.20200130113453.txt
    empty
  • C:\Users\user\Documents\20200130\PowerShell_transcript.818225.X8WEYBqV.20200130113352.txt
    empty
  • C:\Users\user\Documents\20200130\PowerShell_transcript.818225.adrCG7Yx.20200130113233.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\Documents\20200130\PowerShell_transcript.818225.m_yoZFNA.20200130113228.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\Documents\20200130\PowerShell_transcript.818225.q7tJZ7iI.20200130113214.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\Documents\20200130\PowerShell_transcript.818225.yoMWbvYh.20200130113404.txt
    empty