sample20210111-01.xlsm

Status: finished
Submission Time: 11.01.2021 18:25:09
Malicious
Exploiter
Evader
E-Banking Trojan
Hidden Macro 4.0 Dridex

Comments

Tags

  • Dridex
  • xlsm

Details

  • Analysis ID:
    338158
  • API (Web) ID:
    578209
  • Analysis Started:
    11.01.2021 18:27:00
  • Analysis Finished:
    11.01.2021 18:43:21
  • MD5:
    fa5350d4304c4c2ceafa435244b5a5fc
  • SHA1:
    fc8a20962b8cf86568b1e85be02ee9c7b62d94b2
  • SHA256:
    0104974a7bf43e2e31d25ae485f57c62efe89eaea2d3e520db8a76fa70dd956d
  • Technologies:

Engine Info Verdict Score

malicious

System: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

malicious
88/100

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run Condition: Potential for more IOCs and behavior

malicious
100/100

malicious
17/63

malicious
9/28

IPs

IP               Country         Detection
5.100.228.233    Netherlands
80.86.91.27      Germany
46.105.131.65    France
77.220.64.37     Italy
192.185.41.153   United States
74.220.219.210   United States
184.171.244.207  United States

Domains

Name                          IP               Detection
osmosisecuador.com            192.185.41.153
bulksms.interweblimited.com   74.220.219.210
sistacweb.com                 184.171.244.207

URLs

Name Detection
https://5.100.228.233:3389/N
https://5.100.228.233:3389/
https://80.86.91.27:3308/P
https://shell.suite.office.com:1443
https://77.220.64.37/105.131.65/pe
https://autodiscover-s.outlook.com/
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
https://cdn.entity.
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
https://5.100.228.233:3389/(
https://rpsticket.partnerservices.getmicrosoftkey.com
https://lookup.onenote.com/lookup/geolocation/v1
https://80.86.91.27:3308/D
https://80.86.91.27:3308/H
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://46.105.131.65:1512/
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
https://77.220.64.37/si(
https://api.aadrm.com/
https://5.100.228.233:3389/8
https://5.100.228.233:3389/soft
https://77.220.64.37/si3
https://80.86.91.27:3308/0
https://80.86.91.27:3308//
https://80.86.91.27:3308/rX
https://80.86.91.27:3308/3
https://77.220.64.37/si=
https://5.100.228.233:3389/0
https://77.220.64.37/.(
https://80.86.91.27:3308/8
https://80.86.91.27:3308//x
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
https://api.microsoftstream.com/api/
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
https://cr.office.com
https://5.100.228.233:3389/H
https://5.100.228.233:3389/D
https://80.86.91.27:3308/rh
https://80.86.91.27:3308/(
https://res.getmicrosoftkey.com/api/redemptionevents
https://80.86.91.27:3308/-
https://tasks.office.com
https://officeci.azurewebsites.net/api/
https://store.office.cn/addinstemplate
https://wus2-000.pagecontentsync.
https://80.86.91.27/
https://77.220.64.37/nd-point:
https://80.86.91.27:3308/220.64.37
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://www.odwebp.svc.ms
https://api.powerbi.com/v1.0/myorg/groups
https://web.microsoftstream.com/video/
https://5.100.228.233:3389/ES
https://graph.windows.net
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
https://80.86.91.27:3308/crosoft
https://80.86.91.27:3308/raphy
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
http://weather.service.msn.com/data.aspx
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
https://77.220.64.37/3321935-2125563209-4053062332-1002
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
https://77.220.64.37/B
https://77.220.64.37/F
https://clients.config.office.net/user/v1.0/ios
https://77.220.64.37/;
https://77.220.64.37/?
https://o365auditrealtimeingestion.manage.office.com
https://outlook.office365.com/api/v1.0/me/Activities
https://77.220.64.37/S
https://clients.config.office.net/user/v1.0/android/policies
https://77.220.64.37/W
https://entitlement.diagnostics.office.com
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
https://outlook.office.com/
https://77.220.64.37/H
https://77.220.64.37/O
https://storage.live.com/clientlogs/uploadlocation
https://5.100.228.233:3389/la
https://77.220.64.37/c
https://77.220.64.37/b
https://77.220.64.37/e
https://5.100.228.233:3389/ll
https://77.220.64.37/X
https://77.220.64.37/53321935-2125563209-4053062332-1002
https://46.105.131.65:1512/la
https://graph.windows.net/
https://devnull.onenote.com
https://5.100.228.233:3389/oft
https://messaging.office.com/
https://77.220.64.37/l
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
https://skyapi.live.net/Activity/
https://5.100.228.233:3389/X
https://5.100.228.233:3389/Z
https://api.cortana.ai
https://5.100.228.233:3389/P
https://visio.uservoice.com/forums/368202-visio-on-devices
https://staging.cortana.ai
https://onedrive.live.com/embed?

Dropped files

Name / File Type (Hashes, Detection)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\dunjzsby.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\mkmanoo.dll
    HTML document, ASCII text
C:\Users\user\AppData\Local\Temp\xnaitann.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\Desktop\~$sample20210111-01.xlsm
    data
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    Microsoft Cabinet archive data, 58936 bytes, 1 file
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
    data
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6EC7F2B2-66F2-402E-AC2F-EE48EA399479
    XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\613468AF.emf
    Windows Enhanced Metafile (EMF) image data version 0x10000
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A760AE4.png
    PNG image data, 363 x 234, 8-bit colormap, non-interlaced
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\bvw04lh5c[1].htm
    HTML document, ASCII text
C:\Users\user\AppData\Local\Temp\AAD40000
    data
C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd
    data
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Mon Jan 11 16:34:36 2021, atime=Mon Jan 11 16:34:36 2021, length=16384, window=hide
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\sample20210111-01.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:53 2020, mtime=Mon Jan 11 16:34:44 2021, atime=Mon Jan 11 16:34:44 2021, length=52604, window=hide
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Little-endian UTF-16 Unicode text, with CR line terminators
C:\Users\user\Desktop\CAF40000
    data