
charge_12.01.2021.doc

Status: finished
Submission Time: 2021-12-02 04:19:14 +01:00
Malicious
Exploiter
Evader


Tags

  • Bokbot
  • doc
  • IcedID
  • macros
  • Shathak
  • TA551
  • Word

Details

  • Analysis ID:
    532355
  • API (Web) ID:
    899877
  • Analysis Started:
    2021-12-02 04:19:19 +01:00
  • Analysis Finished:
    2021-12-02 04:32:42 +01:00
  • MD5:
    18499830201cddade8183b8e24fdf30a
  • SHA1:
    55c498cf7273cab567f49a00c15ca3316c001215
  • SHA256:
    0a42f6762ae4f3b1d95aae0f8977cde6361f1d59b5ccc400c41772db0205f7c5
  • Technologies:

malicious

System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

malicious
64/100

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run Condition: Potential for more IOCs and behavior

malicious
100/100

malicious
13/44

IPs

IP Country Detection
194.62.42.207
Russian Federation

Domains

Name IP Detection
winrentals2017b.com
194.62.42.207

URLs

Apart from http://winrentals2017b.com/ (the domain listed above), the URLs below are Office and Microsoft cloud service endpoints, several of them truncated or carrying trailing junk characters from string extraction; they are not indicators on their own.

Name Detection
https://api.powerbi.com/v1.0/myorg/groups
https://web.microsoftstream.com/video/
https://api.addins.store.officeppe.com/addinstemplate
https://cortana.ai:$
https://graph.windows.net
https://analysis.windows.net/powerbi/apidI
https://login.windows.net/common/oauth2/authorizeA3V
https://login.windows.net/common/oauth2/authorizecom7HQ
https://api.onedrive.comcent
https://login.windows.net/common/oauth2/authorize/a
https://login.windows.net/common/oauth2/authorize5FW
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
https://devnull.onenote.comedOw
https://substrate.office.comc
https://ncus.contentsync.
https://substrate.office.comL
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
http://weather.service.msn.com/data.aspx
https://login.windows.net/common/oauth2/authorizeaE
https://substrate.office.comP
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
https://login.windows.net/common/oauth2/authorizea
https://login.windows.net/common/oauth2/authorizec
https://wus2.contentsync.
https://login.windows.net/common/oauth2/authorizee
https://clients.config.office.net/user/v1.0/ios
https://login.windows.net/common/oauth2/authorizeg
https://api.cortana.aiD#
https://login.windows.net/common/oauth2/authorizeY
https://login.windows.net/common/oauth2/authorizeZ
https://o365auditrealtimeingestion.manage.office.com
https://outlook.office365.com/api/v1.0/me/Activities
https://api.addins.omex.office.net/appstate/queryr
https://www.odwebp.svc.msom
https://clients.config.office.net/user/v1.0/android/policies
https://outlook.office.com7
https://login.windows.net/common/oauth2/authorizeT
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonT
https://asgsmsproxyapi.azurewebsites.net/6
https://login.windows.net/common/oauth2/authorizeU
https://entitlement.diagnostics.office.com
https://login.windows.net/common/oauth2/authorizeH
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksz
https://login.windows.net/common/oauth2/authorizeJ
https://outlook.office.com/
https://login.windows.net/common/oauth2/authorizeK
https://storage.live.com/clientlogs/uploadlocation
https://login.windows.net/common/oauth2/authorizeO
https://substrate.office.com/search/api/v1/SearchHistory
https://login.windows.net/common/oauth2/authorizeE
https://login.windows.net/common/oauth2/authorizeF
https://login.windows.net/common/oauth2/authorizepE
https://login.windows.net/common/oauth2/authorize8
https://outlook.office.com1769
https://login.windows.net/common/oauth2/authorize9
https://login.windows.net/common/oauth2/authorize;
https://login.windows.net/common/oauth2/authorize=
https://login.windows.net/common/oauth2/authorize?
https://substrate.office.com/search/api/v1/SearchHistory~j
https://dataservice.o365filtering.com:7P
https://login.windows.net/common/oauth2/authorize3
https://graph.windows.net/
https://login.windows.net/common/oauth2/authorize4
https://devnull.onenote.com
https://shell.suite.office.com:1443
https://autodiscover-s.outlook.com/
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
https://cdn.entity.
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
https://rpsticket.partnerservices.getmicrosoftkey.com
https://lookup.onenote.com/lookup/geolocation/v1
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://settings.outlook.comS
http://winrentals2017b.com/
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
https://api.aadrm.com/
https://substrate.office.comgz
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickrb
https://api.microsoftstream.com/api/
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
https://cr.office.com
https://api.office.nets?
https://login.windows.net/common/oauth2/authorizecG
https://res.getmicrosoftkey.com/api/redemptionevents
https://tasks.office.com
https://officeci.azurewebsites.net/api/
https://login.windows.net/common/oauth2/authorize4EV
https://login.windows.net/common/oauth2/authorizeN~
https://login.windows.net/common/oauth2/authorize$
https://login.windows.net/common/oauth2/authorize%
https://store.office.cn/addinstemplate
https://login.windows.net/common/oauth2/authorizeqF
https://store.office.de/addinstemplateZ;p
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://substrate.office.comm
https://www.odwebp.svc.ms

Dropped files

Name and file type (the hash and detection columns were not captured). The ~$ entries are Word owner (lock) files; ~$ouTube.hta in Documents, alongside youTube.hta and the HTML-typed ~WRD0000.tmp, shows Word itself had youTube.hta open as a document.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\charge_12.01.2021.doc.LNK
  MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Sep 23 14:11:40 2021, mtime=Thu Dec 2 11:26:56 2021, atime=Thu Dec 2 11:26:52 2021, length=33465, window=hide
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\youTube.hta.LNK
  MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 2 11:26:58 2021, mtime=Thu Dec 2 11:26:58 2021, atime=Thu Dec 2 11:26:58 2021, length=3342, window=hide
C:\Users\Public\dowNext.jpg
  HTML document, ASCII text
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7CC1B43E-0D2C-47F4-8AD2-E8873A50A321
  XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E8CFCDF.gif
  GIF image data, version 89a, 774 x 198
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{982F1FC3-FE5F-460D-815F-F7FB76116FDC}.tmp
  Composite Document File V2 Document, Cannot read section info
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{72E38456-4F34-4E52-A3A7-A6E417760002}.tmp
  data
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D7038A18-F087-45E8-BEBC-452C84E30D87}.tmp
  data
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\cab3[1].htm
  HTML document, ASCII text
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Documents.LNK
  MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Thu Dec 2 11:26:58 2021, atime=Thu Sep 23 14:11:48 2021, length=12288, window=hide
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
  ASCII text, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  data
C:\Users\user\Desktop\~$arge_12.01.2021.doc
  data
C:\Users\user\Documents\youTube.hta (copy)
  HTML document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\Documents\~$ouTube.hta
  data
C:\Users\user\Documents\~WRD0000.tmp
  HTML document, ASCII text, with very long lines, with CRLF line terminators
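The following is an added triage example built from the indicators in this report (the file hashes, the domain and IP, and the dropped-file pattern of an HTML/HTA body behind an image name such as C:\Users\Public\dowNext.jpg). It is not Joe Sandbox code and not part of the report. The log line format, the directory layout and the file contents used in demo() are constructed for illustration and are not data from the report.

```python
"""Offline triage helpers built from the indicators in the report above.
Added example, not Joe Sandbox code. The log lines, directory layout and
file contents in demo() are constructed, not data from the report."""
import hashlib
import os
import re
import tempfile

# Indicators copied from the report.
REPORT_HASHES = {
    "md5": "18499830201cddade8183b8e24fdf30a",
    "sha1": "55c498cf7273cab567f49a00c15ca3316c001215",
    "sha256": "0a42f6762ae4f3b1d95aae0f8977cde6361f1d59b5ccc400c41772db0205f7c5",
}
REPORT_DOMAIN = "winrentals2017b.com"
REPORT_IP = "194.62.42.207"

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Lower-case markers meaning "markup or script, not an image".
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<hta:application")


def file_hashes(path):
    """Return md5/sha1/sha256 hex digests of a file, read in 64 KiB chunks."""
    digests = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def matches_report(path):
    """True if any digest of the file equals the corresponding report hash."""
    h = file_hashes(path)
    return any(h[name] == value for name, value in REPORT_HASHES.items())


def looks_like_html(path):
    """Check the first 1 KiB for HTML/HTA markers (what file(1) calls 'HTML document')."""
    with open(path, "rb") as fh:
        head = fh.read(1024).lower()
    return any(marker in head for marker in HTML_MARKERS)


def find_suspicious_files(root):
    """Walk root; flag .hta files and image-named files whose bytes are HTML.
    Mirrors the report's dowNext.jpg (typed 'HTML document') and youTube.hta."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".hta":
                hits.append((path, "hta"))
            elif ext in IMAGE_EXTS and looks_like_html(path):
                hits.append((path, "html-in-image-extension"))
    return sorted(hits)


# Split on whitespace and URL/log punctuation so "http://winrentals2017b.com/"
# and "194.62.42.207:80" still yield the bare domain / IP as a token.
TOKEN_SPLIT = re.compile(r"[\s,;|/:]+")


def scan_log_lines(lines):
    """Return (line_no, indicator) pairs for lines naming the report's domain or IP."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        tokens = set(TOKEN_SPLIT.split(line.strip().lower()))
        for ioc in (REPORT_DOMAIN, REPORT_IP):
            if ioc in tokens:
                hits.append((line_no, ioc))
    return hits


def demo():
    """Run the checks on constructed data and return the findings."""
    sample_lines = [  # constructed proxy/DNS log lines (203.0.113.10 is TEST-NET)
        "2021-12-02T10:26:57Z 10.0.0.5 GET http://winrentals2017b.com/ 200",
        "2021-12-02T10:26:58Z 10.0.0.5 DNS A www.microsoft.com 203.0.113.10",
        "2021-12-02T10:27:01Z 10.0.0.5 CONNECT 194.62.42.207:80",
    ]
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "Public")
        os.makedirs(public)
        with open(os.path.join(public, "dowNext.jpg"), "wb") as fh:  # HTML behind a .jpg name
            fh.write(b"<html><body><script>// constructed, inert</script></body></html>")
        with open(os.path.join(public, "photo.jpg"), "wb") as fh:  # real JFIF header, must pass
            fh.write(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01")
        with open(os.path.join(root, "youTube.hta"), "wb") as fh:
            fh.write(b'<hta:application showintaskbar="no">')
        files = [os.path.basename(p) + ":" + kind for p, kind in find_suspicious_files(root)]
        # The constructed file is not the real sample, so no hash should match.
        hash_match = matches_report(os.path.join(public, "dowNext.jpg"))
    return {"files": files, "log_hits": scan_log_lines(sample_lines), "hash_match": hash_match}


if __name__ == "__main__":
    print(demo())
```

Token matching rather than substring matching keeps 194.62.42.207 from firing on a longer address such as 194.62.42.2071, and the content check is deliberately independent of the file extension, since the report shows the dropped HTA material carrying a .jpg name.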