Analysis Report documenti 12.01.20.doc

Overview

General Information

Sample Name: documenti 12.01.20.doc
Analysis ID: 326338
MD5: f530de77053a5c25a94f930bb954bcf8
SHA1: 46cbf6e7a7ad04e3586c88a7a0d2cbcb141c3ec4
SHA256: 1e70cc7a76bf59a5b559e496a0e83f91e13526533c89f001619ca70324ebfd82

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Multi AV Scanner detection for submitted file
Creates processes via WMI
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Office process drops PE file
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains an embedded VBA macro which reads document properties (may be used for disguise)
Document contains embedded VBA macros
Document contains no OLE stream with summary information
Document has an unknown application name
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: documenti 12.01.20.doc Virustotal: Detection: 29%
Machine Learning detection for sample
Source: documenti 12.01.20.doc Joe Sandbox ML: detected

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: ms.com.0.dr
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: nfj254aim.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 104.28.7.227:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 104.28.7.227:80

Networking:

Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: nfj254aim.com
Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4C07723-97C0-4A14-814E-1968BCE52029}.tmp
Source: ms.com, 00000002.00000002.2342871603.0000000005417000.00000004.00000001.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com) equals www.linkedin.com (Linkedin)
Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: ms.com, 00000002.00000002.2342871603.0000000005417000.00000004.00000001.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: unknown DNS traffic detected: queries for: nfj254aim.com
Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: ms.com, 00000002.00000002.2340764812.00000000032E7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: ms.com, 00000002.00000002.2340764812.00000000032E7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: ms.com, 00000002.00000003.2087841762.0000000002CD8000.00000004.00000001.sdmp String found in binary or memory: http://nfj254aim.com/analytics/0
Source: ms.com, 00000002.00000002.2339235890.000000000057E000.00000004.00000020.sdmp, ms.com, 00000002.00000002.2342286251.00000000042E0000.00000004.00000040.sdmp String found in binary or memory: http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rw
Source: ms.com, 00000002.00000002.2341187332.0000000003A90000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: ms.com, 00000002.00000002.2340764812.00000000032E7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: ms.com, 00000002.00000002.2340764812.00000000032E7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: ms.com, 00000002.00000002.2341187332.0000000003A90000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: ms.com, 00000002.00000002.2340764812.00000000032E7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\Public\ms.com Window created: window name: CLIPBRDWNDCLASS

System Summary:

Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\Public\ms.com
Detected potential crypto function
Source: C:\Users\Public\ms.com Code function: 2_2_000000013FEA1238 2_2_000000013FEA1238
Source: C:\Users\Public\ms.com Code function: 2_2_02F40216 2_2_02F40216
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: documenti 12.01.20.doc OLE, VBA macro line: Sub AutoOpen()
Document contains an embedded VBA macro which reads document properties (may be used for disguise)
Source: documenti 12.01.20.doc OLE, VBA macro line: a8qpd = activedocument.builtindocumentproperties(afav8)
Document contains embedded VBA macros
Source: documenti 12.01.20.doc OLE indicator, VBA macros: true
Document contains no OLE stream with summary information
Source: documenti 12.01.20.doc OLE indicator has summary info: false
Document has an unknown application name
Source: documenti 12.01.20.doc OLE indicator application name: unknown
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\Public\ms.com 8C10AE4BE93834A4C744F27CA79736D9123ED9B0D180DB28556D2D002545BAF2
Searches for the Microsoft Outlook file path
Source: C:\Users\Public\ms.com Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: ms.com, 00000002.00000002.2340538366.0000000003100000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal76.expl.winDOC@2/13@2/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$cumenti 12.01.20.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC254.tmp
Source: documenti 12.01.20.doc OLE document summary: title field not present or empty
Source: documenti 12.01.20.doc OLE document summary: author field not present or empty
Source: documenti 12.01.20.doc OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\ms.com Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\Public\ms.com File read: C:\Windows\System32\drivers\etc\hosts
Source: documenti 12.01.20.doc Virustotal: Detection: 29%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Users\Public\ms.com C:\users\public\ms.com C:\users\public\ms.html
Source: C:\Users\Public\ms.com Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Users\Public\ms.com Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mshta.pdbH source: ms.com, 00000002.00000002.2351291450.000000013FEA1000.00000020.00020000.sdmp, ms.com.0.dr
Source: Binary string: wshom.pdb source: ms.com, 00000002.00000002.2339981194.0000000002A50000.00000002.00000001.sdmp
Source: Binary string: mshta.pdb source: ms.com, ms.com.0.dr
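
The mshta.pdb debug path found in ms.com and in the dropped copy ms.com.0.dr, together with the command line ms.com C:\users\public\ms.html, is consistent with the dropped PE32+ being a renamed copy of mshta.exe invoked on a dropped HTML/HTA payload. The following triage check is an added example and is not part of the sandbox report or its tooling: it validates that a file with a non-executable extension (.com here) is really a PE, reads machine type and PE32/PE32+ magic, pulls the path out of the first CodeView RSDS record, and flags it when the PDB basename belongs to a well-known Microsoft living-off-the-land binary. The LOLBin list and the sample image are assumptions; the sample is a constructed minimal PE32+ stub, not the real ms.com.

```python
"""Triage a dropped file whose extension hides a PE and whose embedded
CodeView (RSDS) PDB path reveals which Microsoft binary it really is.

Added example, not part of the sandbox report. SAMPLE is a constructed,
minimal PE32+ image (not the real ms.com), laid out just far enough for
header parsing and RSDS extraction to work."""
import os
import struct
from typing import Optional

# PDB basenames of signed Microsoft LOLBins that malware commonly copies under
# a new name or extension. Assumed list; extend it for your environment.
LOLBIN_PDBS = {"mshta.pdb", "wscript.pdb", "cscript.pdb", "rundll32.pdb",
               "regsvr32.pdb", "certutil.pdb", "powershell.pdb", "msbuild.pdb"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"}
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def parse_pe(data: bytes) -> Optional[dict]:
    """Return machine/format info for a PE image, or None if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)    # COFF Machine
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)     # optional hdr magic
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown")
    return {"machine": MACHINES.get(machine, hex(machine)), "format": fmt}


def codeview_pdb_path(data: bytes) -> Optional[str]:
    """Path from the first RSDS CodeView record. A raw scan (no debug-directory
    walk) is enough for triage and also works on dumped or damaged images."""
    idx = data.find(b"RSDS")
    if idx < 0:
        return None
    start = idx + 4 + 16 + 4            # signature + GUID + age
    end = data.find(b"\0", start)
    if end < 0:
        return None
    try:
        return data[start:end].decode("ascii")
    except UnicodeDecodeError:
        return None


def triage(path: str, data: bytes) -> dict:
    """Combine the checks into a verdict a responder can act on."""
    info = parse_pe(data)
    result = {"path": path, "is_pe": info is not None, "pdb": None,
              "odd_extension": False, "renamed_lolbin": False}
    if info is None:
        return result
    result.update(info)
    ext = os.path.splitext(path)[1].lower()
    result["odd_extension"] = ext not in PE_EXTENSIONS
    pdb = codeview_pdb_path(data)
    result["pdb"] = pdb
    if pdb and os.path.basename(pdb.replace("\\", "/")).lower() in LOLBIN_PDBS:
        result["renamed_lolbin"] = True
    return result


def build_sample_pe32plus(pdb_path: bytes) -> bytes:
    """Constructed PE32+ stub: DOS header, PE signature, x64 COFF header,
    PE32+ optional-header magic, then an RSDS record. Not executable code."""
    img = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", img, 0x3C, 0x80)                     # e_lfanew
    img += b"\0" * (0x80 - len(img))
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)  # COFF header
    img += struct.pack("<H", 0x20B) + b"\0" * 0xEE              # optional header
    img += b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path + b"\0"
    return bytes(img)


SAMPLE = build_sample_pe32plus(b"mshta.pdb")

if __name__ == "__main__":
    print(triage(r"C:\Users\Public\ms.com", SAMPLE))
```

On a real dropped file, read the bytes and pass the on-disk path; a hit on both odd_extension and renamed_lolbin is the pattern this report shows, and the PDB basename tells you which signed binary to compare against (file hash versus the System32 copy).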

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::create
Drops PE files with a suspicious file extension
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\Public\ms.com
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\Public\ms.com
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\Public\ms.com
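
The macro starts its payload through Win32_Process::Create rather than Shell or CreateProcess. A process created that way is spawned by the WMI provider host (WmiPrvSE.exe), so its parent is not WINWORD.EXE, which is consistent with the report listing the ms.com launch with "Source: unknown". Detections that only look for Office-to-child parent links miss this chain. The following rules are an added example, not part of the sandbox report or its tooling; they run over constructed Sysmon Event ID 1 (process creation) records that mirror this report's process tree rather than real host telemetry. The field names follow Sysmon (Image, ParentImage, CommandLine, OriginalFileName); the user-writable path list and the LOLBin set are assumptions.

```python
"""Detection logic for the execution chain in this report, run over a few
constructed Sysmon Event ID 1 records. Added example; the records are made up
to mirror the report, not exported from a real host."""
import ntpath
import re
from typing import Dict, List

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
           "regsvr32.exe", "certutil.exe", "powershell.exe", "msbuild.exe"}
# Assumed set of locations an unprivileged user (or a macro) can write to.
USER_WRITABLE = re.compile(r"^c:\\(users\\|programdata\\|windows\\temp\\)", re.I)
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".cpl"}


def detect(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule this process-creation record trips."""
    image = ev["Image"]
    base = ntpath.basename(image).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    orig = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    hits: List[str] = []
    # 1. Office spawning a child directly: the classic macro chain.
    if parent in OFFICE:
        hits.append("office_child_process")
    # 2. Win32_Process.Create runs inside WmiPrvSE.exe, so the real initiator
    #    (WINWORD here) is not the parent; key on where the image lives instead.
    if parent == "wmiprvse.exe" and USER_WRITABLE.match(image):
        hits.append("wmi_spawned_from_user_writable_path")
    # 3. Renamed LOLBin: the version resource still names the original binary.
    if orig in LOLBINS and orig != base:
        hits.append("renamed_lolbin:" + orig)
    # 4. Executable with an extension that hides what it is (.com, .pif, ...).
    if ntpath.splitext(base)[1] not in EXEC_EXTENSIONS:
        hits.append("nonstandard_executable_extension")
    # 5. mshta (renamed or not) handed a dropped .hta/.htm(l) from a user path.
    if orig == "mshta.exe" and re.search(r"c:\\users\\[^ ]+\.(hta|html?)\b", cmd):
        hits.append("mshta_dropped_html")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map Image -> rule hits for every record that trips at least one rule."""
    alerts: Dict[str, List[str]] = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            alerts[ev["Image"]] = hits
    return alerts


# Constructed records (not real telemetry) mirroring the report's process tree,
# plus two benign ones to show the rules stay quiet on normal activity.
EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\help.hta"},
    {"Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "OriginalFileName": "WinWord.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding'},
    {"Image": r"C:\Users\Public\ms.com", "OriginalFileName": "MSHTA.EXE",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"C:\users\public\ms.com C:\users\public\ms.html"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for image, hits in scan(EVENTS).items():
        print(image, "->", ", ".join(hits))
```

Rule 3 depends on the logging pipeline recording OriginalFileName from the version resource; where it does not, the PE/PDB triage of the dropped file itself is the fallback. Rule 2 is the one that catches this sample's WMI hop, so keep it even if rule 1 is already deployed.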

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\Public\ms.com
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (11 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (71 identical entries)
Source: C:\Users\Public\ms.com Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\Public\ms.com Memory allocated: 2370000 memory commit | memory reserve | memory write watch
Source: C:\Users\Public\ms.com Memory allocated: 2550000 memory commit | memory reserve | memory write watch
Source: C:\Users\Public\ms.com Memory allocated: 2590000 memory commit | memory reserve | memory write watch
Source: C:\Users\Public\ms.com Memory allocated: 2920000 memory commit | memory reserve | memory write watch
Source: C:\Users\Public\ms.com Memory allocated: 2A70000 memory commit | memory reserve | memory write watch
Source: C:\Users\Public\ms.com Memory allocated: 2AE0000 memory commit | memory reserve | memory write watch
Source: C:\Users\Public\ms.com Memory allocated: 2B20000 memory commit | memory reserve | memory write watch
Source: C:\Users\Public\ms.com Memory allocated: 2CC0000 memory commit | memory reserve | memory write watch
Source: C:\Users\Public\ms.com Memory allocated: 2F60000 memory commit | memory reserve | memory write watch
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\Public\ms.com TID: 2492 Thread sleep time: -120000s >= -30000s
Source: C:\Users\Public\ms.com Code function: 2_2_000000013FEA1944 SetUnhandledExceptionFilter, 2_2_000000013FEA1944
Source: C:\Users\Public\ms.com Code function: 2_2_000000013FEA1C04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,TerminateProcess, 2_2_000000013FEA1C04
Source: C:\Users\Public\ms.com Code function: 2_2_000000013FEA40A0 SetUnhandledExceptionFilter, 2_2_000000013FEA40A0
Source: ms.com, 00000002.00000002.2339281198.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: ms.com, 00000002.00000002.2339281198.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: ms.com, 00000002.00000002.2339281198.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: C:\Users\Public\ms.com Code function: 2_2_000000013FEA1B14 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 2_2_000000013FEA1B14
Source: C:\Users\Public\ms.com Code function: 2_2_000000013FEA1238 rand_s,VirtualAlloc,GetVersion,GetModuleHandleW,GetProcAddress,??2@YAPEAX_K@Z,??2@YAPEAX_K@Z,RegOpenKeyExA,RegQueryValueExA,ExpandEnvironmentStringsA,LoadLibraryA,??3@YAXPEAX@Z,??3@YAXPEAX@Z,RegCloseKey,GetModuleHandleW,GetProcAddress,??2@YAPEAX_K@Z,MultiByteToWideChar,UnregisterApplicationRestart,??3@YAXPEAX@Z,GetProcAddress,FreeLibrary,??3@YAXPEAX@Z,??3@YAXPEAX@Z,RegCloseKey, 2_2_000000013FEA1238
Source: C:\Users\Public\ms.com Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 326338 Sample: documenti 12.01.20.doc Startdate: 03/12/2020 Architecture: WINDOWS Score: 76
Root signatures: Multi AV Scanner detection for submitted file; Document exploit detected (drops PE files); Machine Learning detection for sample; 4 other signatures
Process: WINWORD.EXE started; dropped C:\Users\Public\ms.com (PE32+)
Process: ms.com started; contacted nfj254aim.com 104.28.7.227:80 (CLOUDFLARENETUS, United States) from local port 49165

Contacted Public IPs

IP: 104.28.7.227 | Domain: unknown | Country: United States | ASN: 13335 | ASN Name: CLOUDFLARENETUS | Malicious: false

Contacted Domains

Name: nfj254aim.com | IP: 104.28.7.227 | Active: true

Contacted URLs

Name: http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown