
COVID-19.doc

Status: finished
Submission Time: 2021-01-20 10:24:13 +01:00
Detection: Malicious
Classification: Trojan, Exploiter, Evader, Meterpreter

Details

  • Analysis ID: 341993
  • API (Web) ID: 585925
  • Analysis Started: 2021-01-20 10:24:15 +01:00
  • Analysis Finished: 2021-01-20 10:38:48 +01:00
  • MD5: 9f9f50f3c32ee660a8bbe6616dda8b34
  • SHA1: 6c338a10e894bcad8c67e5da332a6cd7f75f35e0
  • SHA256: 9d063fd60d7d0fb2d4d92f0f348bb2397cf80dd8a4fec5680647469b570f2afe
  • Technologies:

Engine: Joe Sandbox
Detection: malicious

  • malicious, Score: 80, System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
  • malicious, Score: 100, System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01; Run Condition: Potential for more IOCs and behavior

IPs

  • 78.141.194.181 (France)
  • 45.67.229.125 (Moldova, Republic of)
  • 216.239.32.21 (United States)

Domains

  • ifconfig.me (resolves to 216.239.32.21)

URLs

  • http://78.141.194.181/s34987435987.txt
  • http://45.67.229.125/c7mnnlrmfut6g1erfewlxlxniyo.php
  • http://78.141.194.181/d569872345345.txt
  • https://nuget.org/nuget.exe
  • https://github.com/Pester/Pester
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • http://78.141.194.181/s34987435987.txt7C:
  • http://78.141.194.181/d569872345345.txt$$
  • http://78.141.194.181/d5698723
  • http://78.141.194.181/s34987435987.txtx
  • http://ifconfig.me//
  • https://contoso.com/Icon
  • http://78.141.194.181/s34987435987.txt757AE1B
  • https://contoso.com/License
  • http://78.141.194.181/
  • https://contoso.com/
  • http://78.141.194.181:80/s34987435987.txt
  • http://www.apache.org/licenses/LICENSE-2.0.html
  • http://pesterbdd.com/images/Pester.png
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
  • http://nuget.org/NuGet.exe

Dropped files

  • C:\Users\user\Desktop\COVID-19.tmp
    ASCII text, with CRLF line terminators
  • C:\Users\user\Desktop\COVID-19.ps1
    Little-endian UTF-16 Unicode text, with CR, LF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
  • C:\Windows\Temp\__PSScriptPolicyTest_ydow2vrz.d3l.psm1
    very short file (no magic)
  • C:\Windows\Temp\__PSScriptPolicyTest_jtn2f3ar.yfz.ps1
    very short file (no magic)
  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\BIT36CF.tmp
    ASCII text
  • C:\Windows\SysWOW64\20210120\PowerShell_transcript.648351.s_LwcT35.20210120103152.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210120\PowerShell_transcript.648351.wAzWoynL.20210120103050.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210120\PowerShell_transcript.648351.BCz0DRM3.20210120103110.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Desktop\~$VID-19.doc
    data
  • C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Little-endian UTF-16 Unicode text, with CR line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    data
  • C:\ProgramData\Microsoft\Network\Downloader\edb.log
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\COVID-19.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:50 2020, mtime=Wed Jan 20 08:30:44 2021, atime=Wed Jan 20 08:30:41 2021, length=411136, window=hide
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pjrgunro.pw2.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmgpy3a4.cbw.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhkzhmez.maj.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2b2zdnjw.tgz.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\d569872345345[1].txt
    ASCII text
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{DB96EF63-FF50-4F07-B9F6-FD0B9439C462}.tmp
    data
  • C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
    data
  • C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
    Extensible storage engine DataBase, version 0x620, checksum 0x0a413005, page size 16384, DirtyShutdown, Windows version 10.0