document-1251000362.xlsm

Status: finished
Submission Time: 06.04.2021 19:34:41
Malicious
Trojan
Exploiter
Evader
Hidden Macro 4.0 IcedID

Details

  • Analysis ID:
    382870
  • API (Web) ID:
    667879
  • Analysis Started:
    06.04.2021 19:34:43
  • Analysis Finished:
    06.04.2021 19:45:01
  • MD5:
    09217c79f99bbfe977a80d83d62489c7
  • SHA1:
    da600d355dfb57190a5745342f3cfeb7d1e509f1
  • SHA256:
    7bf8049e4766a2985851a3d3bf01710c53c389fe1e54397fa332672b62b649d8
  • Technologies:

System: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

malicious
100/100

malicious
6/37

IPs

IP               Country
50.87.146.86     United States
199.79.62.99     United States
192.185.214.87   United States
143.204.3.74     United States
192.185.48.186   United States

Domains

Name                           IP
agenbolatermurah.com           0.0.0.0
usaaforced.fun                 0.0.0.0
tvorartificialnature.xyz       0.0.0.0
metaflip.io                    192.185.48.186
tajushariya.com                199.79.62.99
columbia.aula-web.net          50.87.146.86
dr49lng3n1n2s.cloudfront.net   143.204.3.74
partsapp.com.br                192.185.214.87
aws.amazon.com                 0.0.0.0

URLs


Dropped files

Name / File Type

  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\3003[1].gif
    PE32+ executable (DLL) (native) x86-64, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3003[1].gif
    PE32+ executable (DLL) (GUI) x86-64, for MS Windows
  • C:\Users\user\Desktop\~$document-1251000362.xlsm
    data
  • C:\Users\user\ksjvoefv.skd
    PE32+ executable (DLL) (native) x86-64, for MS Windows
  • C:\Users\user\ksjvoefv.skd3
    PE32+ executable (DLL) (GUI) x86-64, for MS Windows
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    Microsoft Cabinet archive data, 58596 bytes, 1 file
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
    data
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
    data
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4AE58898.png
    PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\77F73266.png
    PNG image data, 485 x 185, 8-bit/color RGB, non-interlaced
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98EC7FB9.png
    PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DFB60433.png
    PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced
  • C:\Users\user\AppData\Local\Temp\C4DE0000
    data
  • C:\Users\user\AppData\Local\Temp\CabDF39.tmp
    Microsoft Cabinet archive data, 58596 bytes, 1 file
  • C:\Users\user\AppData\Local\Temp\TarDF3A.tmp
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Apr 7 01:35:39 2021, atime=Wed Apr 7 01:35:39 2021, length=16384, window=hide
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-1251000362.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Apr 7 01:35:39 2021, atime=Wed Apr 7 01:35:40 2021, length=108032, window=hide
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
  • C:\Users\user\Desktop\A5DE0000
    data