Windows Analysis Report PO-0814.doc
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for domain / URL |
Source: | Virustotal |
Multi AV Scanner detection for submitted file |
Source: | ReversingLabs |
MITRE ATT&CK Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Exploitation for Client Execution (3) | Path Interception | Process Injection (1) | Masquerading (1) | OS Credential Dumping | Virtualization/Sandbox Evasion (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (1) | LSASS Memory | File and Directory Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | System Information Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Ingress Tool Transfer (1) | SIM Card Swap | Carrier Billing Fraud | |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
PO-0814.doc | 35% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882 | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
femto.pw | 6% | Virustotal | | |
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
femto.pw | 188.165.215.31 | true | true | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
188.165.215.31 | femto.pw | France | 16276 | OVHFR | true |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 435316 |
Start date: | 16.06.2021 |
Start time: | 12:07:17 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 18s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | PO-0814.doc |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal56.winDOC@3/6@2/1 |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
12:07:34 | API Interceptor | |
Joe Sandbox View / Context |
---|
IPs |
---|
No context |
---|
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
OVHFR | | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.8014421130618178 |
Encrypted: | false |
SSDEEP: | 3:gl2lfgREqAWlglqlg7tlNl7lY2l/Dlll8v0lglwZlDZt3UlglwZel8gl7vlI8:zNgREqAWlgFJMSDlll8vlwLf3FwQFrB |
MD5: | EB0751D3AFEABB0642BCE1B447B56873 |
SHA1: | 185B5B1DE228A51B29E026673C6A09B5B02D4B3A |
SHA-256: | 053868F5B2500C65687C650D6A028B267ADA27D44BF0243D8A61A42147002FF5 |
SHA-512: | BC423BD78BBC6E4DD3B284C25616D8952E8285B7719A470175A2356AFEA0837B0079602A9FC0513044ACCD6051A01A3C3A86F020D38EFC1D149855C4015577BF |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1994 |
Entropy (8bit): | 4.5282245969604675 |
Encrypted: | false |
SSDEEP: | 48:8O/XT0jFTH4ysHWsQhQh2O/XT0jFTH4ysHWsQhQ/:8O/XojFzTs2sQhQh2O/XojFzTs2sQhQ/ |
MD5: | A62E239B31671BD354E7092F5AD93AD0 |
SHA1: | E59BDFF4F89D80CD8ED4DCC5091B6BF5890FCF8C |
SHA-256: | 6D237667C00BCAE14F95BCDF278F6A75B0B241F35B5B0B45A1847479F6E2CFE0 |
SHA-512: | 8CD51EDBC6D79611F5E2718D96CEBC5248630C9126771C132841E19ACAEB7C8E9337E73947C34A2ECD90E167BC02DD05829D9343B5BA9325836FB6332970E9F6 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 59 |
Entropy (8bit): | 4.1702223972093195 |
Encrypted: | false |
SSDEEP: | 3:M1gAOru4otDOru4omX1gAOru4ov:MiAO5mDO5IAO5y |
MD5: | 7658D96DC6F1BF1C4B8E7587B63785BF |
SHA1: | 9EA85D1D15BEC75AB16A6F14A8074B15006E4821 |
SHA-256: | 96787D74AC1F603009D6AF517C2100C4FF79E947097BE74A818B876FEA1FE61D |
SHA-512: | 195D14A0ED4D61CA6ABDA1302FC75A684E57B760486EAB5D7B60D0A2B3F1B0AA2BDFE2DDCF2726A1B9118B4B322322E919E922C34E702888C307E3D82A4677B6 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.4070851566761475 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVy/KbSjgzGwzFF24ilH/ln:vdsCkWtZbXPFridl |
MD5: | 40DB84241CC0B8BC853E1806AADC46A5 |
SHA1: | CFC905CEB89AC86F6CC7D21FB5F0359AFF5A8464 |
SHA-256: | 9973DA893D7F11A27803AC08DCE92F17793C8DC96FB51A6B1174BDD367976FA5 |
SHA-512: | 77D71BC60A3C6FBE38D56DE49DC139C2F10644584399AAFC49C429359EB5FD301BC6E02A43456F838826A30D2A6EAB0D4D0B4D5761C60D3410A5FD1CC0C5E0D4 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.4070851566761475 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVy/KbSjgzGwzFF24ilH/ln:vdsCkWtZbXPFridl |
MD5: | 40DB84241CC0B8BC853E1806AADC46A5 |
SHA1: | CFC905CEB89AC86F6CC7D21FB5F0359AFF5A8464 |
SHA-256: | 9973DA893D7F11A27803AC08DCE92F17793C8DC96FB51A6B1174BDD367976FA5 |
SHA-512: | 77D71BC60A3C6FBE38D56DE49DC139C2F10644584399AAFC49C429359EB5FD301BC6E02A43456F838826A30D2A6EAB0D4D0B4D5761C60D3410A5FD1CC0C5E0D4 |
Malicious: | false |
Reputation: | low |
Preview: |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 3.5422390551490244 |
TrID: |
File name: | PO-0814.doc |
File size: | 1710047 |
MD5: | c811bfeba8f5ecd3fa4fe6e65dcc46af |
SHA1: | 32bd41b37872d0bd3d6376abbb29b8d0da47f1ac |
SHA256: | fe5b31f0bf9c8a120cd21da9a474ca1b083af0e23ee0e29ca42939009aa4e149 |
SHA512: | 9b79c8edee042ed6746c9c9e7a6693c9bced573c11c0550aaddea0459b480e6e97a3900e132687b33604e91ba9efaf99df4fc3406092578f67d6d48b021946f0 |
SSDEEP: | 12288:2NpPfQ5Q48Fr8jzOpbXW84abtMCF2XdO/hTtGL6oRkrG2X4:2NpPfQe4ZmpbGs32XdO3GL7+G2X4 |
File Content Preview: | {\rtf6965{\object\objautlink70169935\objw9723\objh6132{\*\objdata.9c9bd81a020000000b0000004571756174496f4e2e330000000000000000009d0b0d00037e01eb470a0105d76448ec00000000000000000000000000000000000000000000000000500645000000000000000000000000000000000000000 |
File Icon |
---|
Icon Hash: | e4eea2aaa4b4b4a4 |
Static RTF Info |
---|
Objects |
---|
Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit |
---|---|---|---|---|---|---|---|---|---|
0 | 0000003Dh | 2 | embedded | EquatIoN.3 | 854941 | | | | no |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 16, 2021 12:08:08.412549019 CEST | 49165 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.463843107 CEST | 443 | 49165 | 188.165.215.31 | 192.168.2.22 |
Jun 16, 2021 12:08:08.464056015 CEST | 49165 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.478431940 CEST | 49165 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.529619932 CEST | 443 | 49165 | 188.165.215.31 | 192.168.2.22 |
Jun 16, 2021 12:08:08.529757977 CEST | 443 | 49165 | 188.165.215.31 | 192.168.2.22 |
Jun 16, 2021 12:08:08.529781103 CEST | 443 | 49165 | 188.165.215.31 | 192.168.2.22 |
Jun 16, 2021 12:08:08.529882908 CEST | 49165 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.529932022 CEST | 49165 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.530211926 CEST | 49165 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.531225920 CEST | 49166 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.581377029 CEST | 443 | 49165 | 188.165.215.31 | 192.168.2.22 |
Jun 16, 2021 12:08:08.581990957 CEST | 443 | 49166 | 188.165.215.31 | 192.168.2.22 |
Jun 16, 2021 12:08:08.582043886 CEST | 49166 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.582565069 CEST | 49166 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.633313894 CEST | 443 | 49166 | 188.165.215.31 | 192.168.2.22 |
Jun 16, 2021 12:08:08.633371115 CEST | 443 | 49166 | 188.165.215.31 | 192.168.2.22 |
Jun 16, 2021 12:08:08.633407116 CEST | 443 | 49166 | 188.165.215.31 | 192.168.2.22 |
Jun 16, 2021 12:08:08.633421898 CEST | 49166 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.633451939 CEST | 49166 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.633651018 CEST | 49166 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.634315968 CEST | 49167 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.684495926 CEST | 443 | 49166 | 188.165.215.31 | 192.168.2.22 |
Jun 16, 2021 12:08:08.685365915 CEST | 443 | 49167 | 188.165.215.31 | 192.168.2.22 |
Jun 16, 2021 12:08:08.685489893 CEST | 49167 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.685564041 CEST | 49167 | 443 | 192.168.2.22 | 188.165.215.31 |
Jun 16, 2021 12:08:08.736938953 CEST | 443 | 49167 | 188.165.215.31 | 192.168.2.22 |
Jun 16, 2021 12:08:08.737047911 CEST | 49167 | 443 | 192.168.2.22 | 188.165.215.31 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 16, 2021 12:08:08.262192965 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Jun 16, 2021 12:08:08.324176073 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Jun 16, 2021 12:08:08.324449062 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Jun 16, 2021 12:08:08.386293888 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jun 16, 2021 12:08:08.262192965 CEST | 192.168.2.22 | 8.8.8.8 | 0xfc39 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jun 16, 2021 12:08:08.324449062 CEST | 192.168.2.22 | 8.8.8.8 | 0xfc39 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jun 16, 2021 12:08:08.324176073 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc39 | No error (0) | | | 188.165.215.31 | A (IP address) | IN (0x0001) |
Jun 16, 2021 12:08:08.386293888 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc39 | No error (0) | | | 188.165.215.31 | A (IP address) | IN (0x0001) |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 12:07:32 |
Start date: | 16/06/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f1e0000 |
File size: | 1424032 bytes |
MD5 hash: | 95C38D04597050285A18F66039EDB456 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:07:33 |
Start date: | 16/06/2021 |
Path: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 543304 bytes |
MD5 hash: | A87236E214F6D42A65F5DEDAC816AEC8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:07:52 |
Start date: | 16/06/2021 |
Path: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 543304 bytes |
MD5 hash: | A87236E214F6D42A65F5DEDAC816AEC8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|