68254_2001.doc

Status: finished
Submission Time: 27.01.2021 20:55:43
Malicious
Trojan
Evader
Emotet

Details

  • Analysis ID: 345226
  • API (Web) ID: 592366
  • Analysis Started: 27.01.2021 20:57:45
  • Analysis Finished: 27.01.2021 21:06:14
  • MD5: 72a3bbd36a5aa4c5249d1ec4766369b8
  • SHA1: 68e23b96d389bd088e3c377555e5e88e239b536d
  • SHA256: 8c425fd958630a27d8ad158e21c4fc627c6b594931da974faf655707d6e06ea2
  • Technologies:
Verdict: malicious

System: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Scores:
  • malicious 100/100
  • malicious 28/60
  • malicious 19/37
  • malicious 24/28
  • malicious

IPs

IP                 Country          Detection
217.160.169.110    Germany
51.255.203.164     France
70.32.23.58        United States
35.209.174.246     United States
35.163.191.195     United States
192.124.249.8      United States
51.15.7.145        France
177.12.170.95      Brazil
35.209.96.32       United States
84.232.229.24      Romania

Domains

Name                IP                 Detection
theo.digital        35.209.174.246
ummahstars.com      35.163.191.195
intellisavvy.com    192.124.249.8
ketoresetme.com     70.32.23.58
hbprivileged.com    35.209.96.32
mrveggy.com         177.12.170.95

URLs

Name Detection
https://ummahstars.com
https://hbprivileged.com
https://mrveggy.com/wp-admin/n/
https://www.teelekded.com/cgi-bin/LPo/
https://ummahstars.com/app_old_may_2018/assets/wDL8x/
http://ketoresetme.com/wp-content/Rk4rz/
https://theo.digital
http://intellisavvy.com
http://intellisavvy.com/wp-admin/dRaG2H/
https://mrveggy.com
https://hbprivileged.com/cgi-bin/Qg/
http://51.15.7.145/mcbf10vnnn8hf/qv9l36h26wgbq5tqf/
https://www.teelekded.com/cgi-bin/LPo/P
https://theo.digital/wp-admin/Zyl2/
http://ketoresetme.com
http://www.msnbc.com/news/ticker.txt
http://ocsp.sectigo.com0
https://hbprivileged.comhB
http://ocsp.entrust.net03
http://certificates.godaddy.com/repository/0
http://www.piriform.com/ccleaneN
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
https://intellisavvy.com
http://www.diginotar.nl/cps/pkioverheid0
https://intellisavvy.comh
http://www.icra.org/vocabulary/.
https://intellisavvy.com/wp-admin/dRaG2H/
http://investor.msn.com/
https://sectigo.com/CPS0D
http://r3.o.lencr.org0
http://www.%s.comPA
http://certificates.godaddy.com/repository/gdig2.crt0
http://ocsp.entrust.net0D
http://servername/isapibackend.dll
http://cps.root-x1.letsencrypt.org0
http://r3.i.lencr.org/0%
http://www.windows.com/pctv.
http://investor.msn.com
http://crl.entrust.net/server1.crl0
http://cps.letsencrypt.org0
http://certs.godaddy.com/repository/1301
https://certs.godaddy.com/repository/0
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
http://www.hotmail.com/oe
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
http://crl.godaddy.com/gdroot-g2.crl0F
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
http://crl.godaddy.com/gdig2s1-1814.crl0
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
http://crl.godaddy.com/gdroot.crl0F
https://secure.comodo.com/CPS0
http://crl.entrust.net/2048ca.crl0

Dropped files

Name / File Type / Hashes / Detection

  • C:\Users\user\Ocmd_ke\Qqw8nbh\A30F.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    Microsoft Cabinet archive data, 59134 bytes, 1 file
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
    data
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
    data
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A5D0E98E-EB6B-4CC4-8C38-663EBE143117}.tmp
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E76C12E2-1DC6-41B5-9D5C-624688043260}.tmp
    data
  • C:\Users\user\AppData\Local\Temp\Cab6327.tmp
    Microsoft Cabinet archive data, 59134 bytes, 1 file
  • C:\Users\user\AppData\Local\Temp\Tar6328.tmp
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\68254_2001.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Thu Jan 28 03:58:37 2021, length=161792, window=hide
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VX1BP06RV53T455RIFFL.temp
    data
  • C:\Users\user\Desktop\~$254_2001.doc
    data