flash

Report Covid-19.doc

Status: finished
Submission Time: 07.10.2020 13:50:50
Malicious
Evader

Comments

Tags

Details

  • Analysis ID:
    294479
  • API (Web) ID:
    484072
  • Analysis Started:
    07.10.2020 13:50:54
  • Analysis Finished:
    07.10.2020 14:30:33
  • MD5:
    1feae5f3183009794c7287e2788f9dd7
  • SHA1:
    bcb1b7b93d568e75eff335cb132a965d30b39ae2
  • SHA256:
    0114ef28af9fcadd963f188229d69a89ee149dd188f58b1968c65b699a4e609a
  • Technologies:
Full Report Management Report Engine Info Verdict Score Reports

System: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

malicious
96/100

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run Condition: Potential for more IOCs and behavior

malicious
96/100

System: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run Condition: Without Instrumentation

malicious
96/100

malicious
36/52

malicious
20/29

malicious

malicious

IPs

IP Country Detection
172.67.165.88
United States
35.201.217.204
United States
72.52.161.43
United States
Click to see the 4 hidden entries
104.24.108.69
United States
91.212.13.21
Bulgaria
78.142.208.117
Turkey
67.227.154.13
United States

Domains

Name IP Detection
ragantechnical.com
72.52.161.43
jatoapp.com
172.67.165.88
amessageforinnergame.com
35.201.217.204
Click to see the 4 hidden entries
seeitbeitbulgaria.com
91.212.13.21
thejoyflower.com
104.24.108.69
nescoat.com
78.142.208.117
carolinaskylights.com
67.227.154.13

URLs

Name Detection
http://amessageforinnergame.com/newworld/oXJM3jA/
http://thejoyflower.com/wp-admin/f5/
http://nescoat.com/wp-includes/kMSx7EE/
Click to see the 2 hidden entries
http://nescoat.com/cgi-sys/suspendedpage.cgi
https://www.cloudflare.com/5xx-error-landing

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Microsoft Cabinet archive data, 58918 bytes, 1 file
#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
data
#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
data
#
Click to see the 11 hidden entries
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{55454A84-8E09-401E-A760-1A1C7B299BE3}.tmp
data
#
C:\Users\user\AppData\Local\Temp\CabBE60.tmp
Microsoft Cabinet archive data, 58918 bytes, 1 file
#
C:\Users\user\AppData\Local\Temp\TarBE61.tmp
data
#
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
data
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Report Covid-19.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Wed Aug 26 14:08:12 2020, atime=Wed Oct 7 19:51:33 2020, length=223744, window=hide
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
data
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NGRDVCRJJGGG8UGJ6C1V.temp
data
#
C:\Users\user\Desktop\~$port Covid-19.doc
data
#
C:\Users\user\cBUtO24\o8n2P17\Gl4y9ghg.exe
HTML document, ASCII text, with very long lines
#