
Analysis Report fileabc.docx

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:218160
Start date:26.03.2020
Start time:10:41:03
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 51s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:fileabc.docx
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:UNKNOWN
Classification:unknown1.winDOCX@1/7@0/1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .docx
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 13.107.3.128, 13.107.5.88, 67.27.233.254, 67.27.158.254, 67.27.159.254, 67.27.234.126, 67.27.157.254, 93.184.221.240, 23.210.248.85, 205.185.216.10, 205.185.216.42
  • Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, wu.ec.azureedge.net, s-0001.s-msedge.net, mobile.pipe.aria.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, e-0009.e-msedge.net, cds.d2s7q6s2.hwcdn.net, config-edge-skype-com.s-0001.s-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, mobile.events.data.trafficmanager.net
  • Report size getting too big, too many NtQueryAttributesFile calls found.
Errors:
  • Corrupt sample or wrongly selected analyzer.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 1 | 0 - 100 | | false | unknown

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 2 | 0 - 5 | true | (chart)


Classification Spiderchart

Analysis Advice

  • No malicious behavior found, analyze the document also on other versions of Office / Acrobat
  • Sample is a picture (JPEG, PNG, GIF etc), nothing to analyze
  • Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

The first two items contradict each other. Together with the error "Corrupt sample or wrongly selected analyzer" above, the second one is the more likely reading: the file submitted as fileabc.docx is probably not a valid OOXML document, and Word never parsed real document content.
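The quickest way to settle whether a submission like this is an OOXML document or an image carrying a .docx name, and to see whether a real document would justify the "performs HTTP gets" signatures in the Software Vulnerabilities section (a remote template or other TargetMode="External" relationship is what a document-driven GET would look like), is an offline triage of the bytes. The script below is an added example, not Joe Sandbox's code or part of the report; the magic-byte table, the OOXML checks and all sample inputs (a minimal in-memory .docx and a JPEG header renamed to .docx) are constructed for illustration, and `SIZE_THRESHOLD` is the 1048576-byte figure quoted by the report.

```python
"""Offline triage for a file submitted as '.docx'.

Added example, not part of the Joe Sandbox report: the magic-byte table,
the OOXML checks and the sample inputs are constructed for illustration.
"""
import io
import re
import zipfile

# Constructed magic-byte table covering the types the report's advice mentions.
MAGIC = [
    (b"PK\x03\x04", "zip"),                          # OOXML (.docx/.xlsx/.pptx) is a ZIP container
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls (compound file)
    (b"%PDF-", "pdf"),
]

# Joe Sandbox's "bigger than most known malware samples" threshold, as quoted in the report.
SIZE_THRESHOLD = 1048576

# Relationship with TargetMode="External" (remote template / external link), matched in
# either attribute order. Regex on purpose: it also works on .rels parts that are not
# well-formed XML, which a hand-crafted document may contain.
EXTERNAL_REL = re.compile(
    rb'TargetMode="External"[^>]*Target="([^"]+)"|Target="([^"]+)"[^>]*TargetMode="External"'
)


def sniff(data: bytes) -> str:
    """Return the container type from the leading bytes, ignoring the file extension."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def inventory_ooxml(data: bytes) -> dict:
    """List OOXML parts plus the indicators a reviewer otherwise checks by hand."""
    out = {"parts": [], "macros": [], "embeddings": [], "external": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            out["parts"].append(name)
            low = name.lower()
            if low.endswith("vbaproject.bin"):        # VBA macro storage
                out["macros"].append(name)
            if "/embeddings/" in low:                 # embedded OLE / packager objects
                out["embeddings"].append(name)
            if low.endswith(".rels"):                 # relationships, including remote targets
                for m in EXTERNAL_REL.finditer(z.read(name)):
                    out["external"].append((m.group(1) or m.group(2)).decode())
    return out


def triage(data: bytes, claimed_ext: str) -> dict:
    """Reconcile the claimed extension with the real content."""
    kind = sniff(data)
    result = {
        "kind": kind,
        "size": len(data),
        "large": len(data) > SIZE_THRESHOLD,
        "mismatch": False,
        "ooxml": None,
    }
    if kind == "zip":
        try:
            inv = inventory_ooxml(data)
        except zipfile.BadZipFile:                    # PK header but no usable archive
            result["kind"] = "corrupt-zip"
            result["mismatch"] = True
            return result
        result["ooxml"] = inv
        has_word_parts = any(p.startswith("word/") for p in inv["parts"])
        result["mismatch"] = claimed_ext == "docx" and not has_word_parts
    else:
        # A picture or other non-ZIP body under an OOXML extension is exactly the
        # "corrupt sample or wrongly selected analyzer" situation.
        result["mismatch"] = claimed_ext in ("docx", "xlsx", "pptx")
    return result


def build_docx(external_target: str = "") -> bytes:
    """Constructed minimal .docx; optionally adds a remote attachedTemplate relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        rels = "<Relationships>"
        if external_target:
            rels += (
                '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                'officeDocument/2006/relationships/attachedTemplate" '
                f'Target="{external_target}" TargetMode="External"/>'
            )
        rels += "</Relationships>"
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed: a JPEG header submitted under a .docx name.
FAKE_JPEG_AS_DOCX = b"\xff\xd8\xff\xe0" + b"\x00" * 64

if __name__ == "__main__":
    for label, blob in [
        ("clean docx", build_docx()),
        ("remote template", build_docx("http://template.example.invalid/t.dotm")),
        ("jpeg renamed", FAKE_JPEG_AS_DOCX),
    ]:
        print(label, triage(blob, "docx"))
```

A mismatch result means the sandbox verdict says nothing about the file's real type, and the analyzer should be reselected (image viewer, archive, etc.) before re-submitting; an OOXML result with an empty `external` list and no macro or embedding parts means the HTTPS connection seen in this report cannot have been requested by the document content.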



Mitre Att&ck Matrix

Each tactic lists the two matrix cells as extracted; a number in parentheses is the count of report signatures mapped to that technique, and cells without a number did not match anything in this analysis.

Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Graphical User Interface (1); Exploitation for Client Execution (2)
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Port Monitors; Accessibility Features
Defense Evasion: Masquerading (1); Binary Padding
Credential Access: Credential Dumping; Network Sniffing
Discovery: File and Directory Discovery (1); System Information Discovery (1)
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
Command and Control: Standard Cryptographic Protocol (2); Standard Application Layer Protocol (1)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Signature Overview



Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.2.6:49938 -> 52.114.132.73:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.2.6:49938 -> 52.114.132.73:443

Both signatures rest on the same single TLS connection, to a host that the Domains context of this report resolves to skypedataprdcoleus04.cloudapp.net; no URL, payload or secondary process is recorded for it.

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 52.114.132.73

The "other malware" matches listed under Joe Sandbox View / Context below are themselves Office documents (.xls, .xlsm, .doc) analysed in this environment, and the IP is the resolution of skypedataprdcoleus04.cloudapp.net, a Microsoft Azure host that Office contacts on its own. The co-occurrence therefore reflects the sandbox image, not attacker infrastructure.

Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49937

System Summary:

Classification label
Source: classification engine | Classification label: unknown1.winDOCX@1/7@0/1
Creates files inside the user directory
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\Floodgate
Creates temporary files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{CF73D415-D023-4BA9-8A4E-D57637CC21C3} - OProcSessId.dat

Both of these paths are created by Word 2016 itself at startup and appear for any document opened in this environment; they are not attributable to fileabc.docx.

Reads ini files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
Submission file is bigger than most known malware samples
Source: fileabc.docx | Static file information: File size 2716470 > 1048576

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (58 identical events)

All 58 events come from WINWORD.EXE, which sets SEM_NOOPENFILEERRORBOX as part of its normal operation; the signature fires for every Office document analysed here and is not an indicator for this sample.

Malware Configuration

No configs have been found

Behavior Graph

[behavior graph rendered as an image; not included in this extract]

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
fileabc.docx | 0% | Virustotal

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner
skypedataprdcoleus04.cloudapp.net | 0% | Virustotal

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match: 52.114.132.73
Associated samples / URLs (detection in parentheses):
  • Allegato_06_2020_03_29127.xls (malicious)
  • 01362374.xlsm (malicious)
  • f211298392653.doc (malicious)
  • file_68918_132A.doc (malicious)
  • https://sway.office.com/mubT8XUYOXgrgcdS? (malicious)
  • INV878237.doc (malicious)

Domains

Match: skypedataprdcoleus04.cloudapp.net
Associated samples / URLs (detection in parentheses; resolved IP in brackets):
  • Allegato_06_2020_03_29127.xls (malicious) [52.114.132.73]
  • 01362374.xlsm (malicious) [52.114.132.73]
  • f211298392653.doc (malicious) [52.114.132.73]
  • file_68918_132A.doc (malicious) [52.114.132.73]
  • INV878237.doc (malicious) [52.114.132.73]

ASN

Match: unknown (no ASN could be attributed; the samples below share only the "unknown" ASN bucket, not an address)
Associated samples / URLs (detection in parentheses; associated IP in brackets):
  • dokument11900326.hta (malicious) [203.124.113.131]
  • SpLW6lfIV3 (malicious) [172.217.168.14]
  • http://www.tucows.com/thankyou.html?swid=1597673 (malicious) [64.99.128.15]
  • Scanned-file452071.pdf.lnk (malicious) [216.58.215.225]
  • 86soq_01[1].exe (malicious) [45.79.188.67]
  • Document needed.doc (malicious) [185.42.104.172]
  • look_attach_s0r.js (malicious) [5.101.51.91]
  • https://www.transfernow.net/rfcDkn032020/742afc (malicious) [104.16.251.5]
  • https://www.transfernow.net/rfcDkn032020/742afc (malicious) [162.216.250.35]
  • #Ud83d#Udcde Portvanusa.com Voice-message_4.htm (malicious) [13.224.96.127]
  • 0.884289.js (malicious) [89.107.186.3]
  • Mark Shared Message.html (malicious) [148.72.248.46]
  • dokument9034432.hta (malicious) [203.124.113.131]
  • http://www.hs24st.culbco.com/aHR0cHM6Ly9ib3VjaGVmZXp0ZXIuY29tL3ZvaWNlZT9zMjRwJmVtYWlsPW1ob2hpbWVyQGZhbWlseS1pbnN0aXR1dGUub3JnJm4yNHQ= (malicious) [47.91.107.110]
  • zaMTU7CMVg.exe (malicious) [104.18.88.101]
  • https://polykaura.com/staple/8095423/8095423.zip (malicious) [127.0.0.1]
  • job_presentation_w5i.js (malicious) [5.101.51.91]
  • pw11-pro-demo.exe (malicious) [151.101.12.134]
  • https://u15378345.ct.sendgrid.net/ls/click?upn=LnRBZ0nlWE6aikWcMGzbxSndG29F1nfrc3pRL4WE6n5D96fp4WIRaLWjD2mYFsWx-2FvC3z4u6LcWfb5gedruMlC9n7T6yCeg-2BF4wruqUdOwMewU-2FnkROAGyPf-2B-2FvnpD2Zfszo_Plxpf-2FwIng3KxtCnd5dGO72CsxCEs4aYImay408PZTz7bWiDnyl3pbjPf3GfZTjBGZCyn1MtGvxgcVELOYwV9GDDDEcMAaUJGvrgvH32fWwrHFOhatvN4UQeOsjonQztmgto4c6Un1sK9DDuj8NndB1gk7yRf2BtSW-2Bvo82sqow9y4N3arjbuysXVhUySz7QdoxBdwd81xncE9Qgd-2FKFIhQoqECyewc7Gm-2B9r-2BBfM46nIYRYKydtdqjeP8jmXWtr (malicious) [167.89.118.35]
  • TableOfColors.exe (malicious) [127.0.0.1]

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

[screenshot thumbnails not included in this extract]