flash

notif-5544.xls

Status: finished
Submission Time: 24.09.2020 14:48:01
Malicious
Spreader
Exploiter
Evader
Hidden Macro 4.0

Comments

Tags

Details

  • Analysis ID:
    289557
  • API (Web) ID:
    474223
  • Analysis Started:
    24.09.2020 14:48:02
  • Analysis Finished:
    24.09.2020 15:01:59
  • MD5:
    ae2a14caa5595ef02ec0ac2632940117
  • SHA1:
    f80b96e39c2ba53619156e24d1b3bee531869b97
  • SHA256:
    40a49d9211f7ea4b78bbfb8864967fbfa64231af26e0e4d572afa29c3b9fcbd2
  • Technologies:
Full Report Management Report Engine Info Verdict Score Reports

System: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

malicious
96/100

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run Condition: Potential for more IOCs and behavior

malicious
96/100

IPs

IP Country Detection
172.67.156.10
United States

Domains

Name IP Detection
beautifulday.site
172.67.156.10

URLs

Name Detection
http://www.windows.com/pctv.
https://www.google.co.uk/intl/en/about/products?tab=wh
https://lh3.googleusercontent.com/ogw/default-user=s96
Click to see the 36 hidden entries
http://crl.entrust.net/server1.crl0
https://gomag.site/wp-index.phpE
http://ocsp.entrust.net03
https://beautifulday.site/wp-index.phpk
https://beautifulday.site/wp-index.php
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
http://pki.goog/gsr2/GTS1O1.crt0
http://www.diginotar.nl/cps/pkioverheid0
http://www.google.co.uk/history/optout?hl=en
https://www.google.co.uk/finance?tab=we
https://beautifulday.site/wp-index.phpl
http://ocsp.pki.goog/gsr202
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
https://pki.goog/repository/0
https://beautifulday.site/wp-index.phpy
http://schema.org/WebPage
https://gomag.site/wp-index.php
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
http://www.icra.org/vocabulary/.
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
https://beautifulday.site/wp-index.php~
https://gomag.site/wp-index.phplW2.vbs5
https://lh3.googleusercontent.com/ogw/default-user=s24
http://ocsp.pki.goog/gts1o1core0
http://crl.pki.goog/GTS1O1core.crl0
https://beautifulday.site/wp-index.phpR
http://www.%s.comPA
https://beautifulday.site/
http://crl.pki.goog/gsr2/gsr2.crl0?
http://ocsp.entrust.net0D
https://secure.comodo.com/CPS0
http://servername/isapibackend.dll
http://www.google.co.uk/preferences?hl=en
http://crl.entrust.net/2048ca.crl0
http://video.google.co.uk/?hl=en&tab=wv

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Temp\wclW2.vbs
ASCII text, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\BF68mQO.vbs
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\IEODW20q.vbs
ASCII text, with CRLF, CR line terminators
#
Click to see the 7 hidden entries
C:\Users\user\AppData\Local\Temp\WF2jvZZl.html
HTML document, ISO-8859 text, with very long lines
#
C:\Users\user\AppData\Local\Temp\cmVjTK.txt
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu Sep 24 20:48:41 2020, atime=Thu Sep 24 20:48:41 2020, length=8192, window=hide
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\notif-5544.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Thu Sep 24 20:48:41 2020, atime=Thu Sep 24 20:48:41 2020, length=144384, window=hide
#
C:\Users\user\Desktop\4ADE0000
Applesoft BASIC program data, first line number 16
#
C:\Users\user\AppData\Local\Temp\B9DE0000
data
#