
N40-MR 311.doc

Status: finished
Submission Time: 2021-08-02 10:41:27 +02:00
Verdict: Malicious
Classification: Phishing, Trojan, Spyware, Exploiter, Evader
Malware family: AveMaria, Nanocore

Tags

  • doc

Details

  • Analysis ID:
    457806
  • API (Web) ID:
    825391
  • Analysis Started:
    2021-08-02 10:44:41 +02:00
  • Analysis Finished:
    2021-08-02 11:01:55 +02:00
  • MD5:
    0284c94401a743d97b9cca52ac790864
  • SHA1:
    fc3a473b80e9f717a68c54374aadc016cfe0d9ed
  • SHA256:
    433fef750a44d6d44ebc9acf291ae3ad5812531d8aba3bdf543d44dcff943694
Engine: Joe Sandbox
Detection: malicious
Score: 100
System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Third Party Analysis Engines

  • malicious (score 25/58)
  • malicious (score 14/35)
  • malicious (score 17/27)
  • malicious

IPs

  • 203.159.80.186 (Netherlands)
  • 203.159.80.165 (Netherlands)

Domains

  • newhosteeeee.ydns.eu -> 203.159.80.186
  • sdafsdffssffs.ydns.eu -> 203.159.80.186
  • hutyrtit.ydns.eu -> 203.159.80.165
  • hhjhtggfr.duckdns.org -> 203.159.80.186

All four names are registered on free dynamic-DNS services (ydns.eu, duckdns.org) and resolve to two addresses in the same 203.159.80.0/24 block, so block and hunt on the IPs as well as the names; dynamic-DNS names can be re-pointed at any time.

URLs

  • http://newhosteeeee.ydns.eu/microA.exe
  • http://hutyrtit.ydns.eu/microC.exe
  • httP://newhosteeeee.ydns.eu/microA.exe
  • httP://newhosteeeee.ydns.eu/micr
  • httP://newhosteeeee.ydns.eu/microA.exePE
  • httP://newhosteeeee.ydn
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
  • http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
  • http://newhosteeeee.ydns.eu
  • http://www.piriform.com/ccleaner
  • http://www.%s.comPA
  • https://github.com/syohex/java-simple-mine-sweeperC:
  • http://www.piriform.comJ
  • https://github.com/syohex/java-simple-mine-sweeper
  • http://www.piriform.com/ccleanerhttp://w

The URL table evidently includes strings recovered from process memory: entries such as httP://newhosteeeee.ydns.eu/micr, httP://newhosteeeee.ydns.eu/microA.exePE, httP://newhosteeeee.ydn and the fused piriform.com strings are truncated or concatenated fragments, not additional download locations, and the mixed-case httP:// entry is the same URL as the first one. The two complete payload URLs are microA.exe on newhosteeeee.ydns.eu and microC.exe on hutyrtit.ydns.eu; the schemas.xmlsoap.org, piriform.com and github.com strings are ordinary .NET/library strings and carry no attacker signal.
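The following script is an added example, not part of the Joe Sandbox page: it takes the report's own Domains, URLs and hash values (embedded verbatim, including the fragments from process memory), separates the complete payload URLs from the partial and unrelated strings, defangs everything and emits one Suricata DNS rule per attacker host. The "complete path" regex, the sid range 9000001+ and the choice of Suricata 5+ keywords (dns.query, endswith) are this example's assumptions, not anything the report states.

```python
"""Network IOCs from Joe Sandbox analysis 457806, normalised for blocking/hunting.

Added example, not part of the report page.  REPORT_* below are the page's
own tables pasted verbatim, including the truncated and fused strings the
sandbox recovered from process memory.
"""
import re
from urllib.parse import urlsplit

ANALYSIS_ID = 457806
REPORT_HASHES = {
    "md5": "0284c94401a743d97b9cca52ac790864",
    "sha1": "fc3a473b80e9f717a68c54374aadc016cfe0d9ed",
    "sha256": "433fef750a44d6d44ebc9acf291ae3ad5812531d8aba3bdf543d44dcff943694",
}
REPORT_DOMAINS = {  # name -> IP, from the Domains table
    "newhosteeeee.ydns.eu": "203.159.80.186",
    "sdafsdffssffs.ydns.eu": "203.159.80.186",
    "hutyrtit.ydns.eu": "203.159.80.165",
    "hhjhtggfr.duckdns.org": "203.159.80.186",
}
REPORT_URLS = [  # the URLs table, verbatim
    "http://newhosteeeee.ydns.eu/microA.exe",
    "http://hutyrtit.ydns.eu/microC.exe",
    "httP://newhosteeeee.ydns.eu/microA.exe",
    "httP://newhosteeeee.ydns.eu/micr",
    "httP://newhosteeeee.ydns.eu/microA.exePE",
    "httP://newhosteeeee.ydn",
    "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.",
    "http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv",
    "http://newhosteeeee.ydns.eu",
    "http://www.piriform.com/ccleaner",
    "http://www.%s.comPA",
    "https://github.com/syohex/java-simple-mine-sweeperC:",
    "http://www.piriform.comJ",
    "https://github.com/syohex/java-simple-mine-sweeper",
    "http://www.piriform.com/ccleanerhttp://w",
]

# A download URL is complete when its path ends in a short file extension
# ("/microA.exe").  "/micr" was cut short and "/microA.exePE" ran into the
# next string in memory.  Heuristic for payload URLs, not C2 URLs with queries.
COMPLETE_PATH = re.compile(r"^/(?:[\w-]+/)*[\w-]+\.[a-z0-9]{1,4}$", re.I)


def triage_urls(urls, attacker_hosts):
    """Split raw URL strings into complete payload URLs on attacker hosts,
    partial strings on attacker hosts, and everything else.  Scheme and host
    are lower-cased (the sample's "httP://" is the same URL, not a new IOC);
    the path keeps its case because the file name matters on the server."""
    out = {"payload": set(), "partial": set(), "unrelated": set()}
    for raw in urls:
        parts = urlsplit(raw)
        host = parts.hostname or ""
        fused = raw.lower().count("http") > 1  # two strings run together
        if host in attacker_hosts:
            if COMPLETE_PATH.match(parts.path) and not fused:
                out["payload"].add(f"{parts.scheme}://{host}{parts.path}")
            else:
                out["partial"].add(raw)
        elif host and any(a.startswith(host) for a in attacker_hosts):
            out["partial"].add(raw)  # attacker host itself cut short ("...ydn")
        else:
            out["unrelated"].add(raw)
    return out


def defang(ioc):
    """hxxp scheme and [.] in the host, so the IOC cannot be clicked."""
    if "://" not in ioc:  # bare host name or IP
        return ioc.replace(".", "[.]")
    parts = urlsplit(ioc)
    host = (parts.hostname or "").replace(".", "[.]")
    return f"{parts.scheme.replace('http', 'hxxp')}://{host}{parts.path}"


def suricata_dns_rules(hosts, sid_base=9000001):
    """One DNS-query alert per attacker host (Suricata 5+ keywords).
    sid_base is an assumed local-rule range; use your own."""
    return [
        f'alert dns any any -> any any (msg:"Joe Sandbox {ANALYSIS_ID} DNS query '
        f'{host}"; dns.query; content:"{host}"; nocase; endswith; '
        f"sid:{sid_base + n}; rev:1;)"
        for n, host in enumerate(sorted(hosts))
    ]


def ioc_bundle():
    """Defanged IOCs plus rules, ready to paste into a ticket."""
    urls = triage_urls(REPORT_URLS, set(REPORT_DOMAINS))
    return {
        "hosts": sorted(defang(h) for h in REPORT_DOMAINS),
        "ips": sorted(defang(ip) for ip in set(REPORT_DOMAINS.values())),
        "payload_urls": sorted(defang(u) for u in urls["payload"]),
        "hashes": REPORT_HASHES,
        "suricata": suricata_dns_rules(REPORT_DOMAINS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(ioc_bundle(), indent=2))
```

Only the "payload" bucket is blocked outright; the "partial" bucket is for an analyst to eyeball, since a memory fragment like /micr could equally be the prefix of a second payload name that was not captured. The endswith keyword needs Suricata 5 or later; on older sensors drop it and accept that the rule also fires on longer names ending in the same string.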

Dropped files

  • C:\Program Files\Microsoft DN1\sqlmap.dll (PE32+ executable (DLL) (GUI) x86-64, for MS Windows)
  • C:\Users\user\AppData\Roaming\microA.exe (PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows)
  • C:\Users\user\AppData\Roaming\JhwfHBtD..exe (PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows)
  • C:\Users\user\AppData\Local\Temp\microA.exe (PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows)
  • C:\Users\user\AppData\Local\Temp\images.exe (PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows)
  • C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT (data)
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe (PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows)
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe (PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows)
  • C:\ProgramData\images.exe (PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows)
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\N40-MR 311.LNK (MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Mon Aug 2 16:45:36 2021, length=234758, window=hide)
  • C:\Windows\System32\rfxvmt.dll (PE32+ executable (DLL) (console) x86-64, for MS Windows)
  • C:\Users\user\Desktop\~$0-MR 311.doc (data)
  • C:\Program Files\Microsoft DN1\rdpwrap.ini (ASCII text, with CRLF line terminators)
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T04FZ82OXFDJU1HR5Q1R.temp (data)
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H5EJSFXE9ELAVWZXKJFX.temp (data)
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msge (copy) (data)
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) (data)
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VEASXR02KDFZ3SNGYVE.temp (data)
  • C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex (Little-endian UTF-16 Unicode text, with no line terminators)
  • C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm (data)
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat (ASCII text, with CRLF line terminators)
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\623BB84A.png (370 sysV pure executable)
  • C:\Users\user\AppData\Local\Microsoft Vision\02-08-2021_10.46.55 (data)
  • C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT:Zone.Identifier (ASCII text, with CRLF line terminators)
  • C:\Users\user\AppData\Local\Temp\OICE_E3CA6E03-B995-4FF4-BE46-DA58B35F69D7.0\FLDE10.tmp (370 sysV pure executable)
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B23AFD94-9DC7-4781-962F-A2FE031B5447}.tmp (data)
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5BF9671F-2E3A-44D5-BCB8-F09587EE439D}.tmp (data)
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{16BDD4F7-5649-4CA3-B477-D1894D362AA0}.tmp (data)
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7AFD7C3.wmf (Targa image data - Map - RLE 65536 x 65536 x 0 "\005")

The seven PE32 .NET executables under AppData, ProgramData and the IE cache (microA.exe, microC.exe, images.exe, JhwfHBtD..exe) are the downloaded and copied payloads; the ~$ lock files, ~WRS{...}.tmp scratch files, Office\Recent entries, jump lists, UProof dictionary, OICE_ folder and Content.MSO images are what Word writes on any document open and carry no signal by themselves. rdpwrap.ini is RDP Wrapper's configuration file and rfxvmt.dll is the RemoteFX DLL its installer copies into System32 when it is missing; together with the x64 DLL in the same Microsoft DN1 folder they show that the RAT installed RDP Wrapper, which AveMaria uses for hidden remote-desktop access. The .ScT file in Temp is a Windows scriptlet and carries a Zone.Identifier stream (Mark-of-the-Web), consistent with it having been downloaded rather than written directly by the loader. File types are as reported by the sandbox's type identification; the "370 sysV pure executable" and "Targa image data" labels on the Office image-cache files are the usual libmagic mis-identifications of small binary blobs, not evidence of further executables.
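The following script is an added example, not part of the report: it runs the dropped-file table above (paths verbatim, file types abbreviated) through a small set of triage rules that separate dropped payloads, RDP Wrapper artifacts and the scriptlet from Office's own housekeeping files, and derives the file names worth hunting for on other hosts. The category rules, the user-writable-directory test and the Office-noise patterns are this example's heuristics for an Office-delivered RAT, not Joe Sandbox logic.

```python
"""Triage the dropped-file table from Joe Sandbox analysis 457806.

Added example, not part of the report.  DROPPED is the page's own table
(path, abbreviated file type as the sandbox reported it); the category
rules below are this example's heuristics, not Joe Sandbox logic.
"""
import re

A = r"C:\Users\user\AppData"
TIF = A + r"\Local\Microsoft\Windows\Temporary Internet Files"
DROPPED = [
    (r"C:\Program Files\Microsoft DN1\sqlmap.dll", "PE32+ DLL x86-64"),
    (A + r"\Roaming\microA.exe", "PE32 .NET exe"),
    (A + r"\Roaming\JhwfHBtD..exe", "PE32 .NET exe"),
    (A + r"\Local\Temp\microA.exe", "PE32 .NET exe"),
    (A + r"\Local\Temp\images.exe", "PE32 .NET exe"),
    (A + r"\Local\Temp\abdtfhghgdghgh .ScT", "data"),
    (TIF + r"\Content.IE5\ZAE7RW1P\microA[1].exe", "PE32 .NET exe"),
    (TIF + r"\Content.IE5\XNHC0JWC\microC[1].exe", "PE32 .NET exe"),
    (r"C:\ProgramData\images.exe", "PE32 .NET exe"),
    (A + r"\Roaming\Microsoft\Office\Recent\N40-MR 311.LNK", "LNK"),
    (r"C:\Windows\System32\rfxvmt.dll", "PE32+ DLL x86-64"),
    (r"C:\Users\user\Desktop\~$0-MR 311.doc", "data"),
    (r"C:\Program Files\Microsoft DN1\rdpwrap.ini", "ASCII text"),
    (A + r"\Roaming\Microsoft\Windows\Recent\CustomDestinations\T04FZ82OXFDJU1HR5Q1R.temp", "data"),
    (A + r"\Roaming\Microsoft\Windows\Recent\CustomDestinations\H5EJSFXE9ELAVWZXKJFX.temp", "data"),
    (A + r"\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msge (copy)", "data"),
    (A + r"\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)", "data"),
    (A + r"\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VEASXR02KDFZ3SNGYVE.temp", "data"),
    (A + r"\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex", "UTF-16 text"),
    (A + r"\Roaming\Microsoft\Templates\~$Normal.dotm", "data"),
    (A + r"\Roaming\Microsoft\Office\Recent\index.dat", "ASCII text"),
    (TIF + r"\Content.MSO\623BB84A.png", "370 sysV pure executable"),
    (A + r"\Local\Microsoft Vision\02-08-2021_10.46.55", "data"),
    (A + r"\Local\Temp\abdtfhghgdghgh .ScT:Zone.Identifier", "ASCII text"),
    (A + r"\Local\Temp\OICE_E3CA6E03-B995-4FF4-BE46-DA58B35F69D7.0\FLDE10.tmp", "370 sysV pure executable"),
    (TIF + r"\Content.Word\~WRS{B23AFD94-9DC7-4781-962F-A2FE031B5447}.tmp", "data"),
    (TIF + r"\Content.Word\~WRS{5BF9671F-2E3A-44D5-BCB8-F09587EE439D}.tmp", "data"),
    (TIF + r"\Content.Word\~WRS{16BDD4F7-5649-4CA3-B477-D1894D362AA0}.tmp", "data"),
    (TIF + r"\Content.MSO\C7AFD7C3.wmf", "Targa image data"),
]

RDPWRAP_NAMES = {"rdpwrap.ini", "rfxvmt.dll"}    # written by RDP Wrapper's installer
RDPWRAP_DIR = r"c:\program files\microsoft dn1"  # folder holding rdpwrap.ini in this run
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData)\\", re.I)
OFFICE_NOISE = re.compile(
    r"\\~\$"                            # ~$ owner lock files
    r"|\\~WRS\{"                        # Word scratch files
    r"|\\Office\\Recent\\"              # Office MRU list (index.dat, .LNK)
    r"|\\Recent\\CustomDestinations\\"  # jump lists
    r"|\\UProof\\"                      # custom dictionary
    r"|\\Content\.MSO\\"                # images rendered from the document
    r"|\\Temp\\OICE_",                  # Office Isolated Conversion Environment
    re.I,
)


def classify(path, ftype):
    """One of: rdp_wrapper, scriptlet, payload, office_noise, unknown."""
    folder, _, name = path.rpartition("\\")
    base = name.partition(":")[0]                  # strip an NTFS stream name
    if name.lower() in RDPWRAP_NAMES or folder.lower() == RDPWRAP_DIR:
        return "rdp_wrapper"
    if base.lower().endswith(".sct"):              # Windows scriptlet file
        return "scriptlet"
    if ftype.startswith("PE32") and USER_WRITABLE.match(path):
        return "payload"                           # executable in a user-writable dir
    if OFFICE_NOISE.search(path):
        return "office_noise"
    return "unknown"


def triage(dropped=DROPPED):
    """Group paths by category; 'unknown' is what a human still has to look at."""
    buckets = {}
    for path, ftype in dropped:
        buckets.setdefault(classify(path, ftype), []).append(path)
    return buckets


def motw_files(dropped=DROPPED):
    """Base names of files that carry a Zone.Identifier stream (Mark-of-the-Web)."""
    return [p.rpartition("\\")[2].partition(":")[0]
            for p, _ in dropped if p.endswith(":Zone.Identifier")]


def hunt_names(dropped=DROPPED):
    """Distinct payload file names to search other hosts for ('[1]' cache suffix removed)."""
    names = {re.sub(r"\[\d+\]", "", p.rpartition("\\")[2])
             for p in triage(dropped).get("payload", [])}
    return sorted(names)


if __name__ == "__main__":
    for cat, paths in triage().items():
        print(f"{cat} ({len(paths)})")
        for p in paths:
            print("   ", p)
    print("MOTW:", motw_files(), "hunt:", hunt_names())
```

The one path left in "unknown" (the timestamp-named file under Microsoft Vision) is exactly the kind of entry the rules are meant to surface for manual review rather than silently bin; extend RDPWRAP_DIR and the noise patterns per environment, and treat any PE32 hit outside Program Files and System32 as a payload until proven otherwise.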