
1711.doc

Status: finished
Submission Time: 2021-11-22 10:51:32 +01:00
Malicious
Exploiter
Trojan
Evader
Emotet

Details

  • Analysis ID:
    526179
  • API (Web) ID:
    893701
  • Analysis Started:
    2021-11-22 10:54:26 +01:00
  • Analysis Finished:
    2021-11-22 11:11:49 +01:00
  • MD5:
    85ab297345c97bca1a5004dc537f6c1c
  • SHA1:
    0b609d0b86f1b29410451306c173c7fac013d5a7
  • SHA256:
    31daa06dc4c4f5dda5e557e8422d9b31655b1322e610bb42096a2a060727927d
  • Technologies:
    Joe Sandbox

Engine Detection Info

  • malicious, Score: 84
    System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
  • malicious, Score: 100
    System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Run Condition: Potential for more IOCs and behavior

Third Party Analysis Engines

  • malicious, Score: 25/63
  • malicious, Score: 12/35
  • malicious, Score: 22/27
  • malicious

IPs

IP               Country
195.154.146.35   France
51.210.242.234   France
37.44.244.177    Germany
66.42.57.149     United States
177.72.80.14     Brazil
51.178.61.60     France
168.197.250.14   Argentina
72.167.40.83     United States
78.47.204.80     Germany
50.62.141.15     United States
195.77.239.39    Spain
207.148.81.119   United States
54.38.242.185    France
142.4.219.173    Canada
185.148.169.10   Germany
54.37.228.122    France
45.79.33.48      United States
191.252.103.16   Brazil
85.214.67.203    Germany
37.59.209.141    France
78.46.73.125     Germany
196.44.98.190    Ghana

Domains

Name                      IP
thepilatesstudionj.com    72.167.40.83
alfaofarms.com            50.62.141.15

URLs

Name Detection
http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/
http://thepilatesstudionj.co
https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/
http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/
http://itomsystem.in/i9eg3y/nNxmmn9aTcv/.Split
https://staviancjs.com/wp-forum/QOm4n2/
https://outlook.office.com/
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
https://168.197.250.14/563209-4053062332-1002
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
http://crl.micr
https://messaging.office.com/
https://devnull.onenote.com
https://graph.windows.net/
https://substrate.office.com/search/api/v1/SearchHistory
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
https://storage.live.com/clientlogs/uploadlocation
http://pesterbdd.com/images/Pester.pngp
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
https://entitlement.diagnostics.office.com
https://clients.config.office.net/user/v1.0/android/policies
https://45.79.33.48:8080/2
https://outlook.office365.com/api/v1.0/me/Activities
https://o365auditrealtimeingestion.manage.office.com
https://dev.virtualearth.net/REST/v1/Routes/Driving
https://clients.config.office.net/user/v1.0/ios
https://wus2.contentsync.
https://45.79.33.48:8080/0
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
https://api.diagnosticssdf.office.com
https://45.79.33.48:8080/a
https://activity.windows.com
https://168.197.250.14/h
https://cortana.ai/api
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL
https://51.178.61.60/E
https://api.powerbi.com/v1.0/myorg/datasets
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL2q
https://wus2.pagecontentsync.
https://store.office.de/addinstemplate
https://skyapi.live.net/Activity/
https://api.diagnostics.office.com
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
https://augloop.office.com
https://onedrive.live.com/embed?
https://staging.cortana.ai
https://visio.uservoice.com/forums/368202-visio-on-devices
https://api.cortana.ai
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
https://168.197.250.14/W
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHLz
http://pesterbdd.com/images/Pester.png
https://store.office.cn/addinstemplate
https://officeci.azurewebsites.net/api/
https://tasks.office.com
https://res.getmicrosoftkey.com/api/redemptionevents
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://51.178.61.60/xlgRAUoKyrAaNnNNtTN3
https://cr.office.com
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
https://api.microsoftstream.com/api/
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
http://www.apache.org/licenses/LICENSE-2.0.html
https://api.aadrm.com/
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://lookup.onenote.com/lookup/geolocation/v1
https://rpsticket.partnerservices.getmicrosoftkey.com
https://45.79.33.48:8080/uDpHLeAeeItaVoryptography
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
https://cdn.entity.
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
https://autodiscover-s.outlook.com/
https://dynamic.t
https://shell.suite.office.com:1443
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL4053062332-1002
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
https://51.178.61.60/xlgRAUoKyrAaNnNNtTNh
http://weather.service.msn.com/data.aspx
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
https://ncus.contentsync.
https://dev.virtualearth.net/REST/v1/Routes/Transit
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
https://45.79.33.48/
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
https://github.com/Pester/Pesterp
https://github.com/Pester/Pester
https://graph.windows.net
https://dev.virtualearth.net/REST/v1/Locations
https://api.addins.store.officeppe.com/addinstemplate
https://web.microsoftstream.com/video/
https://api.powerbi.com/v1.0/myorg/groups
https://www.odwebp.svc.ms
http://crl.ver)
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://51.178.61.60/xlgRAUoKyrAaNnNNtTNa
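The URL list above mixes three kinds of entry: connections to bare IP addresses with random-looking paths (the candidates for the bot's command-and-control traffic), a handful of non-Microsoft sites at the head of the list, and a long tail of Office, OneDrive, Bing Maps and Pester strings that Word and PowerShell carry in memory on any run. The following script is an added example and not code from the Joe Sandbox report: it sorts a URL list into those buckets, extracts (ip, port) pairs for the C2 candidates, and matches the result against proxy log lines. SAMPLE_URLS and SAMPLE_PROXY_LOG are a constructed subset of the indicators on this page, and the BENIGN_SUFFIXES allowlist is an assumption of this example, not something the report states.

```python
"""Triage of sandbox network indicators (added example, not report code)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed subset of the page's URL list.
SAMPLE_URLS = [
    "http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/",
    "https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/",
    "http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/",
    "https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL",
    "https://45.79.33.48:8080/2",
    "https://51.178.61.60/xlgRAUoKyrAaNnNNtTN3",
    "https://outlook.office.com/",
    "https://dev.virtualearth.net/REST/v1/Routes/Driving",
    "https://github.com/Pester/Pester",
    "https://wus2.contentsync.",  # truncated memory string
]

# Assumed allowlist: domains that Office telemetry and the PowerShell
# runtime (Pester module strings) reference by themselves. Tune per estate.
BENIGN_SUFFIXES = (
    "office.com", "office.net", "office365.com", "office.de", "office.cn",
    "officeppe.com", "live.com", "live.net", "virtualearth.net",
    "microsoft.com", "windows.net", "windows.com", "outlook.com",
    "onenote.com", "bing.com", "cortana.ai", "msn.com", "lync.com",
    "microsoftstream.com", "powerbi.com", "aadrm.com", "azurewebsites.net",
    "svc.ms", "getmicrosoftkey.com", "uservoice.com", "github.com",
    "pesterbdd.com", "apache.org", "xmlsoap.org",
)


def classify_url(url):
    """Return 'ip_c2_candidate', 'domain_review', 'vendor' or 'fragment'."""
    host = urlsplit(url).hostname
    # Strings cut off mid-host (trailing dot, no TLD) cannot be resolved and
    # need a human look; do not let them silently become "domain_review".
    if not host or host.endswith(".") or "." not in host:
        return "fragment"
    try:
        ipaddress.ip_address(host)
        return "ip_c2_candidate"
    except ValueError:
        pass
    # Suffix match on a label boundary, so "notoffice.com" is not allowlisted.
    if any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES):
        return "vendor"
    return "domain_review"


def triage(urls):
    """Group the distinct hosts of `urls` by category."""
    groups = {"ip_c2_candidate": set(), "domain_review": set(),
              "vendor": set(), "fragment": set()}
    for url in urls:
        groups[classify_url(url)].add(urlsplit(url).hostname or url)
    return {k: sorted(v) for k, v in groups.items()}


def c2_endpoints(urls):
    """(ip, port) pairs for every URL whose host is a bare IP address,
    defaulting the port from the scheme when the URL carries none."""
    found = set()
    for url in urls:
        if classify_url(url) == "ip_c2_candidate":
            p = urlsplit(url)
            found.add((p.hostname, p.port or (443 if p.scheme == "https" else 80)))
    return sorted(found)


# Constructed proxy log lines: "<timestamp> <client> <method> <target>".
SAMPLE_PROXY_LOG = [
    "2021-11-22T10:01:05Z 10.0.0.15 GET http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/",
    "2021-11-22T10:01:09Z 10.0.0.15 CONNECT 168.197.250.14:80",
    "2021-11-22T10:02:41Z 10.0.0.22 GET https://outlook.office.com/",
    "2021-11-22T10:03:12Z 10.0.0.15 CONNECT 45.79.33.48:8080",
]


def proxy_hits(log_lines, urls):
    """Return the log lines whose destination host is a C2 candidate or a
    review-list domain derived from `urls`; vendor traffic is ignored."""
    watch = {ip for ip, _ in c2_endpoints(urls)}
    watch.update(triage(urls)["domain_review"])
    hits = []
    for line in log_lines:
        target = line.split()[-1]
        if "://" not in target:          # CONNECT host:port form
            target = "//" + target
        if urlsplit(target).hostname in watch:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for category, hosts in triage(SAMPLE_URLS).items():
        print(f"{category}: {', '.join(hosts)}")
    print("C2 endpoints:", c2_endpoints(SAMPLE_URLS))
    print("proxy hits:", len(proxy_hits(SAMPLE_PROXY_LOG, SAMPLE_URLS)))
```

The allowlist is deliberately a suffix match on label boundaries rather than a substring test, and truncated strings are reported separately instead of being dropped, because a cut-off host such as the `http://crl.micr` entry in the list is still evidence of what the process had in memory even when it cannot be blocked.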

Dropped files

Name / File Type

C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy)
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\Desktop\~$1711.doc
    data
C:\ProgramData\13791789.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivljvnov.dnx.ps1
    very short file (no magic)
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211122_190130_406.etl
    data
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
    Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
    ASCII text, with no line terminators
C:\Users\user\Documents\20211122\PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Little-endian UTF-16 Unicode text, with CR line terminators
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    data
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1711.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 13:47:09 2020, mtime=Mon Nov 22 18:01:14 2021, atime=Mon Nov 22 18:01:11 2021, length=135948, window=hide
C:\Users\user\AppData\Local\Temp\~DFE2F261E3909AA4D4.TMP
    Composite Document File V2 Document, Cannot read section info
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rjtsltui.gs0.psm1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
    data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C4306DA8-3134-42DC-857A-E2C8FA5CD236}.tmp
    data
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9EE2F9D3-844A-448C-93FB-84314B295DC1}.tmp
    data
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{521AB53C-1F2D-413C-8011-B893289A85E3}.tmp
    data
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp
    Composite Document File V2 Document, Cannot read section info
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5EEF27A6.png
    PNG image data, 1127 x 490, 8-bit/color RGB, non-interlaced
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\228B70BA-96BF-49A2-BAE9-6D7972869BA5
    XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
    data
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
    Extensible storage engine DataBase, version 0x620, checksum 0x985cf3fb, page size 16384, DirtyShutdown, Windows version 10.0
C:\ProgramData\Microsoft\Network\Downloader\edb.log
    MPEG-4 LOAS
#
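Only a few of the dropped files above are payload: the two PE32 DLLs, one written directly into C:\ProgramData under a numeric name and one copied into a random-named folder under SysWOW64 with a non-DLL extension, plus the PowerShell transcript and __PSScriptPolicyTest_* files that show PowerShell was launched. The rest are Word scratch files, font cache, BITS and Delivery Optimization state that appear in any run. The script below is an added example, not code from the Joe Sandbox report: it classifies (name, file type) rows so that only the entries worth hunting for on other hosts survive. SAMPLE_DROPPED is a constructed subset of the page's table, and which directories and extensions count as "expected" for a DLL is an assumption of this example.

```python
"""Triage of sandbox dropped-file rows (added example, not report code)."""
import ntpath
import re

# Constructed subset of the page's (name, file type) rows.
SAMPLE_DROPPED = [
    (r"C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy)",
     "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"),
    (r"C:\Users\user\Desktop\~$1711.doc", "data"),
    (r"C:\ProgramData\13791789.dll",
     "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"),
    (r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivljvnov.dnx.ps1",
     "very short file (no magic)"),
    (r"C:\Users\user\Documents\20211122\PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt",
     "UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators"),
    (r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C4306DA8-3134-42DC-857A-E2C8FA5CD236}.tmp",
     "data"),
    (r"C:\ProgramData\Microsoft\Network\Downloader\qmgr.db",
     "Extensible storage engine DataBase, version 0x620"),
]

# Assumed set of extensions under which a PE image is normally stored.
PE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".cpl"}
COPY_MARKER = re.compile(r"\s*\(copy\)$")   # the sandbox's own suffix


def classify_drop(path, file_type):
    """Return a category for one dropped-file row."""
    clean = COPY_MARKER.sub("", path)
    name = ntpath.basename(clean)
    low = clean.lower()
    if file_type.startswith("PE32"):
        if ntpath.splitext(name)[1].lower() not in PE_EXTENSIONS:
            return "pe_with_disguised_extension"
        # A DLL sitting directly in C:\ProgramData: exactly two separators
        # (after the drive and after the folder), no vendor subfolder.
        if low.startswith("c:\\programdata\\") and low.count("\\") == 2:
            return "pe_in_programdata_root"
        return "pe_other"
    lname = name.lower()
    if lname.startswith("__psscriptpolicytest_") or \
            lname.startswith("powershell_transcript."):
        return "powershell_ran"
    if name.startswith("~$") or name.startswith("~WR") or \
            "\\inetcache\\content." in low:
        return "office_working_file"
    return "other"


def hunt_list(rows):
    """Rows worth searching other hosts for, paired with their category.
    Office scratch files and unclassified service files are dropped."""
    keep = ("pe_with_disguised_extension", "pe_in_programdata_root",
            "pe_other", "powershell_ran")
    out = []
    for path, file_type in rows:
        cat = classify_drop(path, file_type)
        if cat in keep:
            out.append((COPY_MARKER.sub("", path), cat))
    return out


def summary(rows):
    """Count of rows per category, for a quick sanity check of the filter."""
    counts = {}
    for path, file_type in rows:
        cat = classify_drop(path, file_type)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    for path, cat in hunt_list(SAMPLE_DROPPED):
        print(f"{cat:30} {path}")
    print(summary(SAMPLE_DROPPED))
```

The extension check runs before the location check on purpose: a PE image stored as .gzk is suspicious wherever it lives, whereas a correctly named DLL only becomes interesting because of where it was written.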