1711.doc

Status: finished
Submission Time: 22.11.2021 10:51:32
Classification: Malicious (Exploiter, Trojan, Evader, Emotet)

Details

  • Analysis ID: 526179
  • API (Web) ID: 893701
  • Analysis Started: 22.11.2021 10:54:26
  • Analysis Finished: 22.11.2021 11:11:49
  • MD5: 85ab297345c97bca1a5004dc537f6c1c
  • SHA1: 0b609d0b86f1b29410451306c173c7fac013d5a7
  • SHA256: 31daa06dc4c4f5dda5e557e8422d9b31655b1322e610bb42096a2a060727927d

  • System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2): malicious, score 84/100
  • System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 (Run Condition: Potential for more IOCs and behavior): malicious, score 100/100
  • Other verdicts: malicious (25/63), malicious (12/35), malicious (22/27), malicious

IPs

IP Country Detection

Domains

Name                    IP             Detection
thepilatesstudionj.com  72.167.40.83
alfaofarms.com          50.62.141.15

URLs

Name Detection

Dropped files

Name File Type Hashes Detection