document-1370071295.xls

Status: finished

Submission Time: 2021-04-04 02:09:11 +02:00

Malicious

Trojan

Exploiter

Evader

Hidden Macro 4.0 Ursnif

Comments

Details

Analysis ID:
381642
API (Web) ID:
665427
Analysis Started:

2021-04-04 02:28:00 +02:00
Analysis Finished:

2021-04-04 02:38:04 +02:00
MD5:
09d41d14738707c2ce1e28b2313e1e5c
SHA1:
5714bc70d7d24c3db8c939c89fcea4b1d62736df
SHA256:
4844dc6311611acbba6d5afd762bcee79e3b4a5cc0d3d89b0ddc9c486f7b8d5e
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Third Party Analysis Engines

Open Full Report

malicious

Score: 10/61

Open Full Report

malicious

Score: 8/37

malicious

Score: 14/29

IPs

IP	Country	Detection
185.243.114.196	Netherlands
192.185.129.4	United States
207.174.213.126	United States
Click to see the 3 hidden entries
162.241.62.4	United States
5.100.155.169	United Kingdom
198.50.218.68	Canada

Domains

Name	IP	Detection
accesslinksgroup.com	192.185.129.4
under17.com	185.243.114.196
mundotecnologiasolar.com	162.241.62.4
Click to see the 4 hidden entries
ponchokhana.com	5.100.155.169
vts.us.com	207.174.213.126
comosairdoburaco.com.br	198.50.218.68
login.microsoftonline.com	0.0.0.0

URLs

Name	Detection
0
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
http://www.windows.com/pctv.
Click to see the 8 hidden entries
http://investor.msn.com
http://www.msnbc.com/news/ticker.txt
http://www.icra.org/vocabulary/.
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
http://www.hotmail.com/oe
http://under17.com
http://under17.com/joomla/W8irzuIA03OC/DHBetYa3Vzl/hddQ_2FkuTZ0IV/Oq1yvMr7E_2Frfr6f90DE/Wv_2B_2Bqw4C
http://investor.msn.com/

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\fikftkm.thj2	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\fikftkm.thj	HTML document, ASCII text, with very long lines	#
Click to see the 56 hidden entries
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\4EGO8ZMQ.txt	ASCII text	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\NewErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\urlblockindex[1].bin	data	#
C:\Users\user\AppData\Local\Temp\88CE0000	data	#
C:\Users\user\AppData\Local\Temp\CabCFAF.tmp	Microsoft Cabinet archive data, 58596 bytes, 1 file	#
C:\Users\user\AppData\Local\Temp\TarCFB0.tmp	data	#
C:\Users\user\AppData\Local\Temp\~DF4926254C09A8051D.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF4B6B8A64AA9823FE.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF54F36C8B63E1382B.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF5F1FA308145CBA72.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF7FCBE7F3B2FEC721.TMP	data	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sun Apr 4 08:28:36 2021, atime=Sun Apr 4 08:28:36 2021, length=8192, window=hide	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-1370071295.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Sun Apr 4 08:28:36 2021, atime=Sun Apr 4 08:28:36 2021, length=185344, window=hide	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\JDHEvZVDnqsG9UcxzgIdtGb6thw.gz[1].js	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\EM0AF430.txt	ASCII text	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\LHCYDYR3.txt	ASCII text	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\LOCDN06X.txt	ASCII text	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\N0NSTJUS.txt	ASCII text	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Q2XM1KA7.txt	ASCII text	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\QF6S0IOS.txt	ASCII text	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\SEWV21QJ.txt	ASCII text	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\UMFOMLUW.txt	ASCII text	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\VZXEQH0B.txt	ASCII text	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Y9VF2UL4.txt	ASCII text	#
C:\Users\user\Desktop\19CE0000	Applesoft BASIC program data, first line number 16	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0J6V279N.htm	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators	#
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{60425BEA-9528-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7B4C373D-9528-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{60425BEC-9528-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7B4C373F-9528-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8AC52904-9528-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\HdepnBaFj-yarvouFUIlfV4Q9D8.gz[1].js	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\NGDGShwgz5vCvyjNFyZiaPlHGCE.gz[1].js	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\P3LN8DHh0udC9Pbh8UHnw5FJ8R8.gz[1].js	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\dnserror[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\n8-O_KIRNSMPFWQWrGjn0BRH6SM.gz[1].js	UTF-8 Unicode text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\ozS3T0fsBUPZy4zlY0UX_e0TUwY.gz[1].js	ASCII text, with no line terminators	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5rqGloMo94v3vwNVR5OsxDNd8d0[1].svg	SVG Scalable Vector Graphics image	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ULJCe4CXM2DCjZgELMGm2K4PcPo[1].png	PNG image data, 1642 x 116, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Xp-HPHGHOZznHBwdn7OWdva404Y.gz[1].js	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\eaMqCdNxIXjLc0ATep7tsFkfmSA.gz[1].js	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\suspendedpage[1].htm	HTML document, ASCII text, with very long lines	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\MstqcgNaYngCBavkktAoSE0--po.gz[1].js	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\bLULVERLX4vU6bjspboNMw9vl_0.gz[1].js	very short file (no magic)	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\eRYlUYIMYsB_Pt8B7FTik-pl5cs.gz[1].js	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\favicon[1].ico	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hsq54HXv3E6bOWi_58PaE6vwTYM.gz[1].js	exported SGML document, ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 58596 bytes, 1 file	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\6sxhavkE4_SZHA_K4rwWmg67vF0.gz[1].js	ASCII text, with very long lines	#

document-1370071295.xls

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

document-1370071295.xls Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

document-1370071295.xls