flash

COVID-19 report 09 24 2020.doc

Status: finished
Submission Time: 08.10.2020 07:37:25
Malicious
Evader

Comments

Tags

Details

  • Analysis ID:
    294916
  • API (Web) ID:
    484948
  • Analysis Started:
    08.10.2020 07:37:32
  • Analysis Finished:
    08.10.2020 08:15:19
  • MD5:
    41e0c7598e8ad0da1aa56dde0a2da422
  • SHA1:
    76ac2ce4f5cd3725de9e654484a3c7eb9a60d202
  • SHA256:
    84d837274cbcc7fea7d1806754185fecba6c90d352208ed2c444996864073135
  • Technologies:
Full Report Management Report Engine Info Verdict Score Reports

malicious

System: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

malicious
96/100

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run Condition: Potential for more IOCs and behavior

malicious
96/100

System: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run Condition: Without Instrumentation

malicious
100/100

malicious
44/62

malicious
20/38

malicious
21/29

malicious

malicious

IPs

IP Country Detection
205.144.171.138
United States
166.62.28.114
United States
23.229.220.67
United States
Click to see the 3 hidden entries
172.67.151.83
United States
107.180.43.18
United States
116.202.49.153
Germany

Domains

Name IP Detection
firhajshoes.com
166.62.28.114
blueskysol.com
205.144.171.138
crazyboxs.com
23.229.220.67
Click to see the 6 hidden entries
fakeread.com
172.67.151.83
www.paramedicaleducationguidelines.com
0.0.0.0
www.firhajshoes.com
0.0.0.0
www.rttutoring.com
0.0.0.0
rttutoring.com
107.180.43.18
nuhatoys.com
116.202.49.153

URLs

Name Detection
http://www.rttutoring.com/wp-includes/LlbY6o/
http://www.firhajshoes.com/wp-admin/RgaiT/
http://fakeread.com/OneSignal-Web-SDK-HTTPS-Integration-Files/Wf/
Click to see the 4 hidden entries
http://nuhatoys.com/wp-admin/WWA4R/
http://crazyboxs.com/cgi-bin/IaJ/
http://www.firhajshoes.com/cgi-sys/suspendedpage.cgi
http://blueskysol.com/sys-cache/2Rk/

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5ED8443-1A3F-4CA6-941D-F5C2CCA9C0AC}.tmp
data
#
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
data
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\COVID-19 report 09 24 2020.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Thu Oct 8 14:04:34 2020, length=155852, window=hide
#
Click to see the 5 hidden entries
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
data
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7311INDCUBDPJ08MPJL3.temp
data
#
C:\Users\user\Desktop\~$VID-19 report 09 24 2020.doc
data
#
C:\Users\user\I2byDoI\ejo26QD\P_lulvp1.exe
HTML document, ASCII text, with very long lines
#