Sales Order List.exe

Status: finished
Submission Time: 22.11.2021 19:23:17
Malicious
Trojan
Evader
Phishing
Spyware
GuLoader AveMaria

Tags

  • exe

Details

  • Analysis ID:
    526595
  • API (Web) ID:
    894118
  • Analysis Started:
    22.11.2021 19:29:31
  • Analysis Finished:
    22.11.2021 19:52:19
  • MD5:
    80bad0903ee7ec98805678673720cfd9
  • SHA1:
    35aecf6fe3ac24adaf16c04b787e90ac4c845eb0
  • SHA256:
    260e6b75d7616efd29c05151f1ce95bbab1aaf8703f86f62c4d9bc6d308a56b8
  • Technologies:
Verdict

  • System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Verdict: malicious (score 84/100)
  • System: Windows 10 64 bit 20H2, native physical machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
    Run condition: Suspected Instruction Hammering
    Verdict: malicious (score 100/100)
  • Verdict: malicious (18/45)

IPs

IP               Country
142.250.186.46   United States
142.250.185.161  United States
93.184.220.29    European Union

Domains

Name                                   IP
drive.google.com                       142.250.186.46
googlehosted.l.googleusercontent.com   142.250.185.161
doc-0k-48-docs.googleusercontent.com   0.0.0.0

URLs


Dropped files

Name and file type (no hashes or detection results are listed in the source)

  • C:\ProgramData\images.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\ProgramData\images.exe:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_images.exe_57d888b29fe7ab2cf088fdbce37499b180b0e399_39dd1f14_cce5b39a-312f-4d6a-a179-08e27df0d1ee\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_images.exe_f17d4a87747d76beb8eb6ec81cef537fcdde6d7_39dd1f14_613b4565-8822-4610-a680-fd57c1b886b3\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERC437.tmp.dmp
    Mini DuMP crash report, 14 streams, Mon Nov 22 19:40:39 2021, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7C2.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERC959.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERED6A.tmp.dmp
    Mini DuMP crash report, 14 streams, Mon Nov 22 19:40:49 2021, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0F5.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERF28C.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\~DF052E41D7F13B5154.TMP
    Composite Document File V2 Document, Cannot read section info
  • C:\Users\user\AppData\Local\Temp\~DF9DCB19D0128ED2C8.TMP
    Composite Document File V2 Document, Cannot read section info
  • C:\Windows\appcompat\Programs\Amcache.hve
    MS Windows registry file, NT/2000 or above
  • C:\Windows\appcompat\Programs\Amcache.hve.LOG1
    MS Windows registry file, NT/2000 or above