flash

New Updated 20210810.doc

Status: finished
Submission Time: 10.08.2021 15:06:43
Malicious
Phishing
Trojan
Spyware
Exploiter
Evader
HawkEye MailPassView

Comments

Tags

  • doc

Details

  • Analysis ID:
    462616
  • API (Web) ID:
    830169
  • Analysis Started:
    10.08.2021 15:28:23
  • Analysis Finished:
    10.08.2021 15:41:57
  • MD5:
    e7228f0fdb6675e599fce2e7697e237f
  • SHA1:
    4ee29bd4a9e6756326728a6d3a2bcdb504d01e6a
  • SHA256:
    03e73adb2a943786db217feedb75a14e7ce7ce39b8fb9f91a0fec989d1ce9188
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

malicious
100/100

malicious
9/89

malicious
18/46

malicious

IPs

IP Country Detection
103.255.237.180
Viet Nam
45.141.152.18
Romania
142.250.185.196
United States

Domains

Name IP Detection
vecvietnam.com.vn
103.255.237.180
ftp.badonfashoin.com
45.141.152.18
64.89.4.0.in-addr.arpa
0.0.0.0
Click to see the 1 hidden entries
www.google.com
142.250.185.196

URLs

Name Detection
http://static.chartbeat.com/js/chartbeat.js
http://www.msn.com/de-de/?ocid=iehp
http://whatismyipaddress.com/-
Click to see the 55 hidden entries
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
http://www.%s.comPA
https://login.yahoo.com/config/login
http://www.site.com/logs.php
http://www.nirsoft.net/
http://ocsp.entrust.net0D
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
http://crl.entrust.net/server1.crl0
https://contextual.media.net/8/nrrV73987.js
http://n.f
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
http://ns.adobede
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
http://ftp.badonfashoin.com
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
http://ns.ao
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
http://cdn.at.atwola.com/_media/uac/msn.html
https://www.google.com/accounts/servicelogin
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
https://secure.comodo.com/CPS0
https://policies.yahoo.com/w3c/p3p.xml
https://www.google.com/
http://crl.entrust.net/2048ca.crl0
http://www.msn.com/advertisement.ad.js
http://ib.adnxs.com/async_usersync_file
http://b.scorecardresearch.com/beacon.js
http://ns.adobe.c/s
http://acdn.adnxs.com/ast/ast.js
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
http://crl.microsoft
http://ocsp.entrust.net03
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
http://www.diginotar.nl/cps/pkioverheid0
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
https://deff.nelreports.net/api/report?cat=msn
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
http://cache.btrll.com/default/Pix-1x1.gif
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
https://www.google.com
http://o.aolcdn.com/ads/adswrappermsni.js
http://cdn.taboola.com/libtrc/msn-home-network/loader.js
http://www.msn.com/?ocid=iehp
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UPDATED-08102021.PDF[1].exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\InstallUtil.exe
PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Roaming\name.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
Click to see the 11 hidden entries
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{23BF6A28-299E-4B99-A605-44EE5B79BCDD}.tmp
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E2185495-5638-43A1-A616-4B202C23444A}.tmp
data
#
C:\Users\user\AppData\Local\Temp\bhvC767.tmp
Extensible storage engine DataBase, version 0x620, checksum 0x63a10f1a, page size 32768, DirtyShutdown, Windows version 6.1
#
C:\Users\user\AppData\Local\Temp\holderwb.txt
Little-endian UTF-16 Unicode text, with no line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\New Updated 20210810.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Tue Aug 10 21:28:35 2021, length=31314, window=hide
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
data
#
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Little-endian UTF-16 Unicode text, with no line terminators
#
C:\Users\user\AppData\Roaming\pid.txt
ASCII text, with no line terminators
#
C:\Users\user\AppData\Roaming\pidloc.txt
ASCII text, with no line terminators
#
C:\Users\user\Desktop\~$w Updated 20210810.doc
data
#