
ARCHIVOFile-20-012021.doc

Status: finished
Submission Time: 27.01.2021 12:16:39
Malicious
Trojan
Evader
Emotet

Details

  • Analysis ID:
    344894
  • API (Web) ID:
    591708
  • Analysis Started:
    27.01.2021 12:16:43
  • Analysis Finished:
    27.01.2021 12:26:08
  • MD5:
    d4829a31da294d0ee8f9f67bc1352bd2
  • SHA1:
    70601272023fd5285194c68da776708508524d50
  • SHA256:
    4fc909106f65c1ca7c9073743cbc8a7513a4ce7ae3d04e38bd01847e96aaf9f5
  • Technologies:

malicious

System: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

malicious
100/100

malicious
29/60

malicious
17/37

malicious
24/28

malicious

IPs


Domains


URLs


Dropped files

Name File Type Hashes Detection
  • C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    Microsoft Cabinet archive data, 59134 bytes, 1 file
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
    data
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
    data
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A5D6EDBE-EB6B-4CC4-8C38-663EBE143117}.tmp
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E76E1ED2-1DC6-41B5-9D5C-624688043260}.tmp
    data
  • C:\Users\user\AppData\Local\Temp\Cab479B.tmp
    Microsoft Cabinet archive data, 59134 bytes, 1 file
  • C:\Users\user\AppData\Local\Temp\Tar479C.tmp
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ARCHIVOFile-20-012021.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Wed Aug 26 14:08:12 2020, atime=Wed Jan 27 19:17:33 2021, length=163328, window=hide
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1JTN6F3VHEJQWGEUZSLB.temp
    data
  • C:\Users\user\Desktop\~$CHIVOFile-20-012021.doc
    data