
ENQ-015August 2020 R1 Proj LOT.doc

Status: finished
Submission Time: 2020-09-22 15:22:38 +02:00
Verdict: Malicious
Classification: Trojan, Spyware, Exploiter, Evader, FormBook

Tags

  • doc

Details

  • Analysis ID:
    288627
  • API (Web) ID:
    472363
  • Analysis Started:
    2020-09-22 15:25:25 +02:00
  • Analysis Finished:
    2020-09-22 15:38:23 +02:00
  • MD5:
    9c245d978c53949241e96b53f565a9a0
  • SHA1:
    3859c7450179c4d7ec7f7fc8f5d161f1674f886d
  • SHA256:
    d8dca1637184327ff59dfebda5b0cbc210a7f9c8d5c88c167a527a896003909d
  • Technologies:

Detection Engines

Engine: Joe Sandbox
Detection: malicious
Score: 100
System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Engine: Third Party Analysis Engines
Detection: malicious
Score: 10/59

IPs

IP                 Country
103.67.235.120     Philippines
54.67.87.110       United States
103.224.182.242    Australia
162.159.130.233    United States
162.159.129.233    United States

Domains

Name                                 IP
www.78500907.xyz                     54.67.87.110
www.enlightenedleadersacademy.com    103.67.235.120
www.tiktkus.info                     103.224.182.242
cdn.discordapp.com                   162.159.129.233

URLs


Dropped files
