
68254_2001.doc

Status: finished
Submission Time: 2021-01-27 20:55:43 +01:00
Malicious
Trojan
Evader
Emotet

Details

  • Analysis ID:
    345226
  • API (Web) ID:
    592366
  • Analysis Started:
    2021-01-27 20:57:45 +01:00
  • Analysis Finished:
    2021-01-27 21:06:14 +01:00
  • MD5:
    72a3bbd36a5aa4c5249d1ec4766369b8
  • SHA1:
    68e23b96d389bd088e3c377555e5e88e239b536d
  • SHA256:
    8c425fd958630a27d8ad158e21c4fc627c6b594931da974faf655707d6e06ea2
  • Technologies:
    Joe Sandbox

Engine Detection Info

  • Detection:
    malicious
  • Score:
    100
  • System:
    Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Third Party Analysis Engines

  • malicious (Score: 28/60)
  • malicious (Score: 19/37)
  • malicious (Score: 24/28)
  • malicious

IPs

IP                 Country         Detection
217.160.169.110    Germany
51.255.203.164     France
70.32.23.58        United States
35.209.174.246     United States
35.163.191.195     United States
192.124.249.8      United States
51.15.7.145        France
177.12.170.95      Brazil
35.209.96.32       United States
84.232.229.24      Romania

Domains

Name                IP                 Detection
hbprivileged.com    35.209.96.32
mrveggy.com         177.12.170.95
theo.digital        35.209.174.246
ummahstars.com      35.163.191.195
intellisavvy.com    192.124.249.8
ketoresetme.com     70.32.23.58

URLs

Name Detection
https://hbprivileged.com/cgi-bin/Qg/
http://ketoresetme.com/wp-content/Rk4rz/
https://theo.digital
https://ummahstars.com/app_old_may_2018/assets/wDL8x/
http://intellisavvy.com
http://intellisavvy.com/wp-admin/dRaG2H/
https://mrveggy.com
https://www.teelekded.com/cgi-bin/LPo/
https://mrveggy.com/wp-admin/n/
http://51.15.7.145/mcbf10vnnn8hf/qv9l36h26wgbq5tqf/
http://ketoresetme.com
https://www.teelekded.com/cgi-bin/LPo/P
https://hbprivileged.com
https://ummahstars.com
https://theo.digital/wp-admin/Zyl2/
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
http://crl.entrust.net/2048ca.crl0
https://secure.comodo.com/CPS0
http://crl.godaddy.com/gdroot.crl0F
http://certs.godaddy.com/repository/1301
https://certs.godaddy.com/repository/0
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
http://www.hotmail.com/oe
http://crl.godaddy.com/gdroot-g2.crl0F
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
http://crl.entrust.net/server1.crl0
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
http://crl.godaddy.com/gdig2s1-1814.crl0
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
http://investor.msn.com/
http://ocsp.sectigo.com0
https://hbprivileged.comhB
http://ocsp.entrust.net03
http://certificates.godaddy.com/repository/0
http://www.piriform.com/ccleaneN
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
https://intellisavvy.com
http://www.diginotar.nl/cps/pkioverheid0
https://intellisavvy.comh
http://www.icra.org/vocabulary/.
https://intellisavvy.com/wp-admin/dRaG2H/
http://cps.letsencrypt.org0
https://sectigo.com/CPS0D
http://r3.o.lencr.org0
http://www.%s.comPA
http://certificates.godaddy.com/repository/gdig2.crt0
http://ocsp.entrust.net0D
http://servername/isapibackend.dll
http://cps.root-x1.letsencrypt.org0
http://r3.i.lencr.org/0%
http://www.windows.com/pctv.
http://investor.msn.com
http://www.msnbc.com/news/ticker.txt

Dropped files

Name File Type Hashes Detection

C:\Users\user\Ocmd_ke\Qqw8nbh\A30F.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    Microsoft Cabinet archive data, 59134 bytes, 1 file

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
    data

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
    data

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
    data

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A5D0E98E-EB6B-4CC4-8C38-663EBE143117}.tmp
    data

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E76C12E2-1DC6-41B5-9D5C-624688043260}.tmp
    data

C:\Users\user\AppData\Local\Temp\Cab6327.tmp
    Microsoft Cabinet archive data, 59134 bytes, 1 file

C:\Users\user\AppData\Local\Temp\Tar6328.tmp
    data

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\68254_2001.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Thu Jan 28 03:58:37 2021, length=161792, window=hide

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    data

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VX1BP06RV53T455RIFFL.temp
    data

C:\Users\user\Desktop\~$254_2001.doc
    data