Register Login

sloganpng

top title background image

COVID-19 report 09 24 2020.doc

Status: finished

Submission Time: 2020-10-08 07:37:25 +02:00

Malicious

Evader

Comments

Tags

Details

Analysis ID:
294916
API (Web) ID:
484948
Analysis Started:

2020-10-08 07:37:32 +02:00
Analysis Finished:

2020-10-08 08:15:19 +02:00
MD5:
41e0c7598e8ad0da1aa56dde0a2da422
SHA1:
76ac2ce4f5cd3725de9e654484a3c7eb9a60d202
SHA256:
84d837274cbcc7fea7d1806754185fecba6c90d352208ed2c444996864073135
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 96	System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
	Full Report Management Report IOC Report	malicious Score: 96	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 Run Condition: Potential for more IOCs and behavior
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) Run Condition: Without Instrumentation

Third Party Analysis Engines

Open Full Report

malicious

Score: 44/62

Open Full Report

malicious

Score: 20/38

malicious

Score: 21/29

malicious

malicious

IPs

IP	Country	Detection
205.144.171.138	United States
166.62.28.114	United States
23.229.220.67	United States
Click to see the 3 hidden entries
172.67.151.83	United States
107.180.43.18	United States
116.202.49.153	Germany

Domains

Name	IP	Detection
firhajshoes.com	166.62.28.114
blueskysol.com	205.144.171.138
crazyboxs.com	23.229.220.67
Click to see the 6 hidden entries
fakeread.com	172.67.151.83
www.paramedicaleducationguidelines.com	0.0.0.0
www.firhajshoes.com	0.0.0.0
www.rttutoring.com	0.0.0.0
rttutoring.com	107.180.43.18
nuhatoys.com	116.202.49.153

URLs

Name	Detection
http://www.rttutoring.com/wp-includes/LlbY6o/
http://www.firhajshoes.com/wp-admin/RgaiT/
http://fakeread.com/OneSignal-Web-SDK-HTTPS-Integration-Files/Wf/
Click to see the 4 hidden entries
http://nuhatoys.com/wp-admin/WWA4R/
http://crazyboxs.com/cgi-bin/IaJ/
http://www.firhajshoes.com/cgi-sys/suspendedpage.cgi
http://blueskysol.com/sys-cache/2Rk/

Dropped files

Name	File Type	Hashes	Detection
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5ED8443-1A3F-4CA6-941D-F5C2CCA9C0AC}.tmp	data	#
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd	data	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\COVID-19 report 09 24 2020.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Thu Oct 8 14:04:34 2020, length=155852, window=hide	#
Click to see the 5 hidden entries
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7311INDCUBDPJ08MPJL3.temp	data	#
C:\Users\user\Desktop\~$VID-19 report 09 24 2020.doc	data	#
C:\Users\user\I2byDoI\ejo26QD\P_lulvp1.exe	HTML document, ASCII text, with very long lines	#