flash

SecuriteInfo.com.Exploit.Siggen2.13449.28674.doc

Status: finished
Submission Time: 01.08.2020 21:40:25
Malicious
Phishing
E-Banking Trojan
Trojan
Spyware
Evader
Emotet MailPassView

Comments

Tags

Details

  • Analysis ID:
    255748
  • API (Web) ID:
    407036
  • Analysis Started:
    02.08.2020 00:56:07
  • Analysis Finished:
    02.08.2020 01:11:03
  • MD5:
    a218719fd104a4c006280fed89268170
  • SHA1:
    4a14ff4ab8445b69e5ad1960236a0c4c4b583d6e
  • SHA256:
    dc875f711c036d142c516a749754c9752e410f28c3a2223de920488093754e0b
  • Technologies:
Full Report Engine Info Verdict Score Reports

System: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

IPs

IP Country Detection
185.94.252.13
Germany
73.116.193.136
United States
217.76.132.179
Spain
Click to see the 1 hidden entries
88.217.172.65
Germany

Domains

Name IP Detection
rectificadoscarrion.com
217.76.132.179

URLs

Name Detection
https://185.94.252.13:443/OU3ZX52m5/nmqAIrkIJI1bik/zs7HrPUm7ELzb/NnwOyp/
https://185.94.252.13:443/XxXEdON5aVYXFRQitMj/oWmuuNtyx0q6einR/L2HdFwm6Bbbyl8/HG6zDRBX6Fqg1c/
https://185.94.252.13:443/pxUyBndrkFQg9MbC/BNGA/7r3Jr4QC8l8byshfZ/GE38Mqblnsqox/FGlnTj12jUpGlPKrKS/
Click to see the 63 hidden entries
https://185.94.252.13:443/V1bfVNXmGf/
https://185.94.252.13:443/l9mxCPCRzvrdJqd7gDg/8NeBfb/UP3O0TnX/bFLb7raYZ3UvCr/PYNusX3ERpHpdqNnga3/DDoS0Ahi/
https://185.94.252.13:443/nwkpxZwyjrCeZbfcf/fAnIZcRwnf99IuspZD/VFvg1jezY7LUpm/EiahSxVLNzl8Cwm9/fvlm/j3oA7SgmOJ3RXLHzKx/
https://88.217.172.65:443/HUU9YW2A/
http://185.94.252.13:443/V1bfVNXmGf/
https://dev.ditu.live.com/REST/v1/Routes/
https://dev.virtualearth.net/REST/v1/Routes/Driving
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
https://t0.tiles.ditu.live.com/tiles/gen
http://88.217.172.65:443/HUU9YW2A/r
https://dev.virtualearth.net/REST/v1/Routes/Walking
http://www.nirsoft.net
http://rectificadoscarrion.com/wp-includes/EiQ/
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
http://185.94.252.13:443/OU3ZX52m5/nmqAIrkIJI1bik/zs7HrPUm7ELzb/NnwOyp/v
http://185.94.252.13/l9mxCPCRzvrdJqd7gDg/8NeBfb/UP3O0TnX/bFLb7raYZ3UvCr/PYNusX3ERpHpdqNnga3/DDoS0Ahi
http://185.94.252.13/nwkpxZwyjrCeZbfcf/fAnIZcRwnf99IuspZD/VFvg1jezY7LUpm/EiahSxVLNzl8Cwm9/fvlm/j3oA7
https://dev.ditu.live.com/mapcontrol/logging.ashx
http://73.116.193.136/Fovb6wRbsEl0OBz2sIZ/NzqDzD4SZx/nQZlEmTUbvZmXJyA/DhlB12Ns70NcwOtMshF/
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
https://dev.virtualearth.net/REST/v1/Transit/Schedules/
http://185.94.252.13:443/pxUyBndrkFQg9MbC/BNGA/7r3Jr4QC8l8byshfZ/GE38Mqblnsqox/FGlnTj12jUpGlPKrKS/O
http://schemas.xmlsoap.org/ws/2004/09/enumeration
http://qatifsport.net/t/NbQq254/
https://login.yahoo.com/config/login
https://appexmapsappupdate.blob.core.windows.net
http://www.nirsoft.net/
http://www.onlinemediadesigns.com/bin/nObh/
http://88.217.172.65:443/HUU9YW2A/ys
http://www.bingmapsportal.com
http://185.94.252.13:443/XxXEdON5aVYXFRQitMj/oWmuuNtyx0q6einR/L2HdFwm6Bbbyl8/HG6zDRBX6Fqg1c/
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
http://185.94.25w
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
http://renegaderadio.net/haunted/cA5zuC5/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
https://dev.virtualearth.net/REST/v1/Routes/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
http://renekok.com/QbWyat/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
https://dev.virtualearth.net/REST/v1/Locations
http://185.94.252.13:443/OU3ZX52m5/nmqAIrkIJI1bik/zs7HrPUm7ELzb/NnwOyp/
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
https://dev.virtualearth.net/mapcontrol/logging.ashx
http://88.217.172.65:443/HUU9YW2A/
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
http://schemas.xmlsoap.org/ws/2004/08/addressing
https://dynamic.t
http://185.94.252.13:443/pxUyBndrkFQg9MbC/BNGA/7r3Jr4QC8l8byshfZ/GE38Mqblnsqox/FGlnTj12jUpGlPKrKS/
http://73.116.193.136/Fovb6wRbsEl0OBz2sIZ/NzqDzD4SZx/nQZlEmTUbvZmXJyA/DhlB12Ns70NcwOtMshF/G
http://88.217.172.65/HUU9YW2A/
https://dev.virtualearth.net/REST/v1/Routes/Transit
http://185.94.252.13:443/nwkpxZwyjrCeZbfcf/fAnIZcRwnf99IuspZD/VFvg1jezY7LUpm/EiahSxVLNzl8Cwm9/fvlm/j
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
http://185.94.252.13:443/V1bfVNXmGf/6
https://dev.ditu.live.com/REST/v1/Locations
http://ctldl.windowsup43/OU3ZX52m5/nmqAIrkIJI1bik/zs7HrPUm7ELzb/NnwOyp/
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=

Dropped files

Name File Type Hashes Detection
C:\Users\user\285.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\4AED.tmp
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.Siggen2.13449.28674.doc.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Aug 2 06:57:00 2020, mtime=Sun Aug 2 06:57:08 2020, atime=Sun Aug 2 06:57:05 2020, length=174080, window=hide
#
Click to see the 15 hidden entries
C:\Users\user\Documents\20200802\PowerShell_transcript.610930.dI+g4eiZ.20200802005712.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#
C:\Windows\SysWOW64\polstore\hnetcfgoe.exe
PE32+ executable (console) x86-64, for MS Windows
#
C:\ProgramData\Microsoft\Network\Downloader\edb.log
data
#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Extensible storage engine DataBase, version 0x620, checksum 0x600105d8, page size 16384, DirtyShutdown, Windows version 10.0
#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{3A13E332-9D7D-401C-9A7E-382AFC49D56A}.tmp
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
data
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5r315eau.y1l.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fd1tzdhk.ac1.psm1
very short file (no magic)
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
data
#
C:\Users\user\Desktop\~$curiteInfo.com.Exploit.Siggen2.13449.28674.doc
data
#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
ASCII text, with no line terminators
#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
data
#