
File 072020.doc

Status: finished
Submission Time: 2020-07-31 13:52:56 +02:00
Detection: Malicious
Labels: E-Banking Trojan, Trojan, Evader, Emotet

Details

  • Analysis ID:
    255348
  • API (Web) ID:
    406001
  • Analysis Started:
    2020-07-31 22:23:17 +02:00
  • Analysis Finished:
    2020-07-31 22:34:45 +02:00
  • MD5:
    a87e38f2d470c5c9862660e3fc3cf81f
  • SHA1:
    775910375d34e8536bde0d9128cc6103d5049d6a
  • SHA256:
    fdc27f3312f4db0ce7b05834067f880340583938a7143f7b3a8ee442255bc19a
  • Technologies:

Joe Sandbox

Engine        Detection Info
Joe Sandbox   malicious (Score: 100)
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

IPs

IP              Country
104.236.161.64  United States
114.109.179.60  Thailand
185.94.252.13   Germany
77.90.136.129   Germany
149.62.173.247  Spain
73.116.193.136  United States
89.32.150.160   Romania
83.169.21.32    Germany
35.209.238.78   United States
189.2.177.210   Brazil
64.90.40.69     United States
185.94.252.12   Germany

Domains

Name                IP
www.leframe.com     64.90.40.69
irvingstudios.com   35.209.238.78
g.msn.com           0.0.0.0

URLs

Name
https://store.officeppe.com/addinstemplate
https://prod-global-autodetect.acompli.net/autodetect
https://analysis.windows.net/powerbi/api
https://officesetup.getmicrosoftkey.com
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
https://dataservice.o365filtering.com/
https://graph.windows.net
https://profile.xboxlive.com/users/batch/profile/settings
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
https://web.microsoftstream.com/video/
https://api.powerbi.com/v1.0/myorg/groups
https://www.odwebp.svc.ms
https://dev0-api.acompli.net/autodetect
http://www.hulu.com/privacy
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://globaldisco.crm.dynamics.com
https://dev.virtualearth.net/REST/v1/Routes/
https://outlook.office.com/autosuggest/api/v1/init?cvid=
https://wus2-000.pagecontentsync.
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
https://store.office.cn/addinstemplate
https://www.hulu.com/do-not-sell-my-info
http://kyleriffic.com/blogs/RQ24ETH6SM/
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
https://login.windows.net/common
https://apis.live.net/v5.0/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
http://irvingstudios.com/photos/jH40783/
https://dev.virtualearth.net/REST/v1/Routes/Driving
https://clients.config.office.net/user/v1.0/ios
http://leannewaller.com/wwvvv/w11WKn/
https://incidents.diagnostics.office.com
https://management.azure.com
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
http://185.94.252.12/kV76MG/k0eQr3GFjLfR1G/5fvh7/&
http://weather.service.msn.com/data.aspx
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
https://dev.virtualearth.net/REST/v1/Routes/Transit
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
https://dynamic.t
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
https://outlook.office365.com/autodiscover/autodiscover.json
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
https://entitlement.diagnosticssdf.office.com
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://cloudfiles.onenote.com/upload.aspx
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
http://www.wpdate.Internal.InstallControlFWdtP
https://cortana.ai
https://lookup.onenote.com/lookup/geolocation/v1
http://89.32.150.160:8080/euHNOkFn/52D
https://rpsticket.partnerservices.getmicrosoftkey.com
https://powerlift.acompli.net
https://dev.virtualearth.net/REST/v1/Routes/Walking
https://api.aadrm.com/
https://clients.config.office.net/user/v1.0/tenantassociationkey
https://wus2-000.contentsync.
http://185.94.252.12/kV76MG/k0eQr3GFjLfR1G/5fvh7/
https://cdn.entity.
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
https://t0.tiles.ditu.live.com/tiles/gen
https://dev.ditu.live.com/REST/v1/Routes/
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
https://shell.suite.office.com:1443
https://login.microsoftonline.com/
https://api.diagnosticssdf.office.com
https://api.microsoftstream.com/api/
https://officeci.azurewebsites.net/api/
http://185.94.252.13/gpZ9zRh3Pjabg/VvYnUqF7/i7Ga/g6qbqZhQggth70/BIU2nc0EGCwBHCGddEC/BjaRNxQcLiGsSWIZ
https://tasks.office.com
https://powerlift-user.acompli.net
https://res.getmicrosoftkey.com/api/redemptionevents
https://graph.ppe.windows.net
https://ecs.office.com/config/v2/Office
http://www.bingmapsportal.com
https://portal.office.com/account/?ref=ClientMeControl
https://appexmapsappupdate.blob.core.windows.net
https://cr.office.com
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
http://185.94.252.13:443/gpZ9zRh3Pjabg/VvYnUqF7/i7Ga/g6qbqZhQggth70/BIU2nc0EGCwBHCGddEC/BjaRNxQcLiGs
http://189.2.177.210:443/6BWAzRG6l/FKicTAw4/QIdJYqkq43ASWUd7d/ncpAn2ojRYQZ1I/hA$
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
http://189.2.177.210:443/6BWAzRG6l/FKicTAw4/QIdJYqkq43ASWUd7d/ncpAn2ojRYQZ1I/
http://www.hulu.com/terms
http://89.32.150.160:8080/euHNOkFn/A3
https://storeedgefd.dsx.mp.microsoft.c
http://89.32.150.160:8080/euHNOkFn/
https://dev.virtualearth.net/REST/v1/Transit/Schedules/
https://ofcrecsvcapi-int.azurewebsites.net/
http://www.xbox.com/
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
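Most of the URL list above is Office's own telemetry and content endpoints; the entries worth a second look are the IP-literal URLs with long random-looking paths (and, for two of them, plain HTTP on port 443), which match the hard-coded IP:port C2 list style of Emotet, and the three non-Microsoft hostnames under /blogs/, /photos/ and /wwvvv/, which fit the compromised-site payload locations an Emotet macro downloads from. The following Python is an added example for this report, not Joe Sandbox code: it buckets a constructed subset of the list, flags the scheme/port mismatch, and emits ip:port pairs for a block list. The benign-suffix list and the three bucket names are the editor's assumptions.

```python
"""Triage of a sandbox report's URL list: IP-literal endpoints vs. third-party hosts vs. Office noise."""
import ipaddress
from urllib.parse import urlsplit

# Constructed subset of the report's URL entries (copied from the list above).
REPORT_URLS = [
    "https://store.officeppe.com/addinstemplate",
    "https://login.windows.net/common",
    "https://dev.virtualearth.net/REST/v1/Routes/",
    "http://www.hulu.com/privacy",
    "http://kyleriffic.com/blogs/RQ24ETH6SM/",
    "http://irvingstudios.com/photos/jH40783/",
    "http://leannewaller.com/wwvvv/w11WKn/",
    "http://185.94.252.12/kV76MG/k0eQr3GFjLfR1G/5fvh7/",
    "http://89.32.150.160:8080/euHNOkFn/",
    "http://185.94.252.13:443/gpZ9zRh3Pjabg/VvYnUqF7/i7Ga/g6qbqZhQggth70/BIU2nc0EGCwBHCGddEC/BjaRNxQcLiGs",
    "http://189.2.177.210:443/6BWAzRG6l/FKicTAw4/QIdJYqkq43ASWUd7d/ncpAn2ojRYQZ1I/",
]

# Domains that Office (and the MSN content it embeds) contacts on its own.
# This allow-list is the editor's assumption for the example, not report data.
NOISE_SUFFIXES = (
    "microsoft.com", "office.com", "office.net", "office.cn", "officeppe.com",
    "windows.net", "live.com", "live.net", "msn.com", "virtualearth.net",
    "acompli.net", "onenote.com", "outlook.com", "bing.com", "xboxlive.com",
    "xbox.com", "getmicrosoftkey.com", "dynamics.com", "azure.com",
    "azurewebsites.net", "powerbi.com", "aadrm.com", "cortana.ai", "lync.com",
    "uservoice.com", "svc.ms", "o365filtering.com", "hulu.com",
)


def _is_noise_host(host):
    """Exact or dotted-suffix match, so 'notoffice.com' does not match 'office.com'."""
    return any(host == s or host.endswith("." + s) for s in NOISE_SUFFIXES)


def classify_url(url):
    """Return 'ip_literal', 'noise' or 'third_party' for one URL."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "ip_literal"
    except ValueError:
        pass
    return "noise" if _is_noise_host(host) else "third_party"


def triage(urls):
    """Bucket a URL list; review 'ip_literal' and 'third_party' first."""
    buckets = {"ip_literal": [], "third_party": [], "noise": []}
    for url in urls:
        buckets[classify_url(url)].append(url)
    return buckets


def scheme_port_mismatch(url):
    """Plain HTTP on 443 (or HTTPS on 80) is a protocol/port mismatch worth flagging."""
    parts = urlsplit(url)
    return (parts.scheme == "http" and parts.port == 443) or (
        parts.scheme == "https" and parts.port == 80)


def socket_iocs(urls):
    """Unique 'ip:port' pairs for the IP-literal URLs, default port filled in from the scheme."""
    pairs = set()
    for url in urls:
        if classify_url(url) != "ip_literal":
            continue
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        pairs.add(f"{parts.hostname}:{port}")
    return sorted(pairs)


if __name__ == "__main__":
    result = triage(REPORT_URLS)
    for bucket in ("ip_literal", "third_party"):
        print(bucket)
        for url in result[bucket]:
            flag = "  [http on 443]" if scheme_port_mismatch(url) else ""
            print("   ", url + flag)
    print("block list:", socket_iocs(REPORT_URLS))
```

The suffix match is deliberately exact-or-dotted rather than a plain `endswith`, because a lookalike such as `notoffice.com` must not be swallowed by the noise bucket; the third-party bucket still needs a human look, since a legitimate vendor site would land there too.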

Dropped files

Name  File Type
C:\Users\user\427.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\Documents\20200731\PowerShell_transcript.813848.3Bj+ssq2.20200731222421.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    data
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL
    XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl
    XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL
    XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL
    XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Office\MSO1033.acl
    data
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\File 072020.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jul 27 13:56:56 2020, mtime=Sat Aug 1 04:24:16 2020, atime=Sat Aug 1 04:24:12 2020, length=177152, window=hide
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Directory, ctime=Sat Aug 1 04:24:14 2020, mtime=Sat Aug 1 04:25:20 2020, atime=Sat Aug 1 04:25:20 2020, length=0, window=hide
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL
    XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp
    data
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Little-endian UTF-16 Unicode text, with CR line terminators
C:\Users\user\Desktop\~$le 072020.doc
    data
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
    ASCII text, with no line terminators
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
    data
C:\ProgramData\Microsoft\Network\Downloader\edb.log
    data
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl
    XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl
    XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL
    XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL
    XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL
    XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL
    XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl
    XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hesv1szd.0x5.psm1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a0cs44t2.55a.ps1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
    data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\76570F3C-F132-4121-AE64-6F95A6D7EBC0
    XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
    data
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
    Extensible storage engine DataBase, version 0x620, checksum 0x5fa80937, page size 16384, DirtyShutdown, Windows version 10.0
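Even without a process tree, the dropped-file list above tells the execution story: VBE\MSForms.exd is the VBA runtime's cached type information for MSForms controls, written when a VBA project that references them is loaded; the __PSScriptPolicyTest_*.ps1/.psm1 files are the probes PowerShell writes to %TEMP% at start-up to test script-execution policy; the PowerShell transcript under Documents\20200731 shows PowerShell ran with transcription on; and 427.exe, a 32-bit PE dropped straight into the profile root, is the staged payload. The ~$ files only show Word opened a document. The Python below is an added example (not report or Joe Sandbox code) that encodes those observations as path rules over a constructed subset of the list; rule names, severities and the chain ordering are the editor's.

```python
"""Host-artifact triage over a sandbox report's dropped-file list."""
import re
from typing import NamedTuple


class Dropped(NamedTuple):
    path: str
    ftype: str


# Constructed subset of the report's dropped-file entries (paths and types as listed above).
DROPPED = [
    Dropped(r"C:\Users\user\427.exe",
            "PE32 executable (GUI) Intel 80386, for MS Windows"),
    Dropped(r"C:\Users\user\Documents\20200731\PowerShell_transcript.813848.3Bj+ssq2.20200731222421.txt",
            "UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators"),
    Dropped(r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a0cs44t2.55a.ps1",
            "very short file (no magic)"),
    Dropped(r"C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd", "data"),
    Dropped(r"C:\Users\user\Desktop\~$le 072020.doc", "data"),
    Dropped(r"C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL",
            "XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators"),
]

# (rule name, severity, path pattern, optional extra predicate on the entry).
# Names and severities are the editor's; the patterns encode the observations in the text.
RULES = [
    # A PE dropped directly into the profile root is classic dropper staging.
    ("pe_in_profile_root", "high",
     re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE),
     lambda d: d.ftype.startswith("PE32")),
    # A transcript means PowerShell ran while transcription was on.
    ("powershell_transcript", "medium",
     re.compile(r"\\PowerShell_transcript\.[^\\]+\.txt$", re.IGNORECASE), None),
    # PowerShell writes these probe files to %TEMP% at start-up to test script policy.
    ("powershell_policy_probe", "medium",
     re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.psm?1$", re.IGNORECASE), None),
    # VBE\*.exd is the VBA runtime's control type cache: a VBA project was loaded.
    ("vba_control_cache", "medium",
     re.compile(r"\\VBE\\[^\\]+\.exd$", re.IGNORECASE), None),
    # ~$ owner files only show that Word opened a document.
    ("office_owner_file", "info",
     re.compile(r"\\~\$[^\\]*$"), None),
]

SEVERITY_RANK = {"info": 1, "medium": 2, "high": 3}


def triage_dropped(entries):
    """Return (rule, severity, path) for every entry that a rule matches."""
    findings = []
    for entry in entries:
        for name, sev, pattern, extra in RULES:
            if pattern.search(entry.path) and (extra is None or extra(entry)):
                findings.append((name, sev, entry.path))
    return findings


def highest_severity(findings):
    """Worst severity seen, or 'none' for an empty finding list."""
    return max((sev for _, sev, _ in findings), key=SEVERITY_RANK.get, default="none")


def execution_chain(findings):
    """Rules present, ordered as the macro -> PowerShell -> payload chain they describe."""
    seen = {name for name, _, _ in findings}
    order = ["vba_control_cache", "powershell_policy_probe",
             "powershell_transcript", "pe_in_profile_root"]
    return [step for step in order if step in seen]


if __name__ == "__main__":
    found = triage_dropped(DROPPED)
    for name, sev, path in found:
        print(f"{sev:6} {name:24} {path}")
    print("overall:", highest_severity(found))
    print("chain:", " -> ".join(execution_chain(found)))
```

The profile-root rule deliberately requires the executable to sit one level below C:\Users\<name>; a PE in Downloads or a program folder is not matched, so the rule stays specific to the staging location this report shows.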