Loading ...

Play interactive tourEdit tour

Analysis Report salvation.docx

Overview

General Information

Sample Name:salvation.docx
Analysis ID:289646
MD5:34927f58d0dd1eee5690e9c2d589aece
SHA1:36d9a81d1ed83115bd21a39494b43f1ad38745e5
SHA256:d7d827e370737c5962435d75009475b78ec21c14c1bdc8167baa9d7645679f1a

Most interesting Screenshot:

Errors
  • URL in Office document is not reachable.

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Contains capabilities to detect virtual machines
JA3 SSL client fingerprint seen in connection with other malware

Classification

Analysis Advice

Joe Sandbox was unable to browse the URL (domain or webserver down or HTTPS issue), try to browse the URL again later
No malicious behavior found, analyze the document also on other version of Office / Acrobat
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1296 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • iexplore.exe (PID: 2536 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 4EB098135821348270F27157F7A84E65)
    • iexplore.exe (PID: 2416 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2536 CREDAT:275457 /prefetch:2 MD5: 8A590F790A98F3D77399BE457E01386A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4ABA8187-B28F-4AE5-86AD-026C320EA73C}.tmpJump to behavior
Source: global trafficHTTP traffic detected: GET /bloger/ HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateDNT: 1Connection: Keep-AliveHost: folcenesi.club
Source: unknownDNS traffic detected: queries for: folcenesi.club
Source: ~DF7273F04BE9DB52B3.TMP.2.drString found in binary or memory: http://ocsp.msocsp.com0
Source: EAE82ED4.jpg.0.drString found in binary or memory: http://prismstandard.org/namespaces/prismusagerights/2.1/
Source: ~DFD81D001EB7635ED7.TMP.2.dr, ~WRS{3E742551-7EEA-4C35-8799-54095299238F}.tmp.0.drString found in binary or memory: https://folcenesi.club/bloger
Source: bloger[1].htm.3.drString found in binary or memory: https://folcenesi.club/bloger/
Source: {7B33336E-FEC8-11EA-ADCF-ECF4BBB5915B}.dat.2.drString found in binary or memory: https://folcenesi.club/blogerRoot
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
Source: classification engineClassification label: unknown1.winDOCX@4/24@3/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$lvation.docxJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRB6C0.tmpJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2536 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2536 CREDAT:275457 /prefetch:2Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\