flash

spetsifikatsiya.xls

Status: finished
Submission Time: 06.01.2021 09:56:47
Malicious
Trojan
Spyware
Exploiter
Evader
Hidden Macro 4.0 Quasar

Tags

  • SilentBuilder
  • xls

Details

  • Analysis ID:
    336545
  • API (Web) ID:
    574974
  • Analysis Started:
    06.01.2021 09:56:48
  • Analysis Finished:
    06.01.2021 10:09:56
  • MD5:
    2e0819723d50d0b6a2e6ffdb33778e40
  • SHA1:
    329d002fc53f93e92b99dfbc5937412b40fccf93
  • SHA256:
    04ee61f1184be78db3fd78821306e0b81e6dfaff17f6019d76e69237d6133b6a
  • Technologies:
Verdict       Score     Info
malicious     100/100   System: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
malicious     8/59
malicious     7/36
malicious     13/44

IPs

IP                 Country                 Detection
172.67.8.238       United States
195.191.149.103    Bulgaria
185.157.162.81     Sweden
208.95.112.1       United States
37.46.150.139      Moldova, Republic of

Domains

Name                  IP                 Detection
cutt.ly               172.67.8.238
yz.videomarket.eu     185.157.162.81
gtp.bg                195.191.149.103
ip-api.com            208.95.112.1

URLs

Name                                                                                              Detection
http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe
http://www.piriform.com/ccleaner
http://37.46.150.139/bat/scriptxls_db309dc0-6a94-419d-8933-c37781a53f80_mic2_wddisabler.bat
http://www.%s.comPA
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
http://www.piriform.com/ccleanerhttp://www.piri
http://gtp.bg/opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe
http://ip-api.com/json/
https://curl.haxx.se/docs/http-cookies.html

Dropped files

Name
    File Type

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\5DVxvgK9jn5gaBl[1].exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\tmpCF32.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators
C:\Users\user\AppData\Roaming\JrekdQ.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\sp.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\Documents\pd.bat
    ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    Microsoft Cabinet archive data, 58936 bytes, 1 file
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
    data
C:\Users\user\AppData\Local\Temp\1CDE0000
    data
C:\Users\user\AppData\Local\Temp\Cab9A5D.tmp
    Microsoft Cabinet archive data, 58936 bytes, 1 file
C:\Users\user\AppData\Local\Temp\Tar9A5E.tmp
    data
C:\Users\user\AppData\Local\Temp\tmp4F59.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\tmpC70.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators
C:\Users\user\AppData\Roaming\Logs\01-06-2021
    data
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Jan 6 16:57:41 2021, atime=Wed Jan 6 16:57:41 2021, length=8192, window=hide
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\spetsifikatsiya.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Jan 6 16:57:41 2021, atime=Wed Jan 6 16:57:41 2021, length=242176, window=hide
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\71YY0ZNRPQ4IRKSGGQ82.temp
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C46FS22UMOIQN8SC5D58.temp
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DFLQU3YDWIS0DDTFQO4S.temp
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OY5PTG0JO5WWBCHCBZ8W.temp
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UF448UGC9HH8NS13TMAN.temp
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y0IWL9PP10MD7U9YNNWP.temp
    data
C:\Users\user\AppData\Roaming\gUuYfpYBjYgU.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\Desktop\CCDE0000
    Applesoft BASIC program data, first line number 16