Windows Analysis Report order_07.21.doc
Overview
General Information
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: MSHTA Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag: |
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Sigma detected: Regsvr32 Anomaly | Show sources |
Source: | Author: Florian Roth, oscd.community: |
Data Obfuscation: |
---|
Sigma detected: Register DLL with spoofed extension | Show sources |
Source: | Author: Joe Security: |
Jbx Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Multi AV Scanner detection for domain / URL | Show sources |
Source: | Virustotal: | Perma Link |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | File opened: | Jump to behavior |
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | DNS query: |
Source: | DNS traffic detected: |
Source: | File created: | Jump to behavior |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Window created: | Jump to behavior |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Show sources |
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: |
Document contains an embedded VBA macro which may execute processes | Show sources |
Source: | OLE, VBA macro line: |
Document contains an embedded VBA macro with suspicious strings | Show sources |
Source: | OLE, VBA macro line: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | OLE, VBA macro line: |
Source: | OLE indicator, VBA macros: |
Source: | OLE indicator has summary info: |
Source: | OLE indicator application name: |
Source: | Key opened: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | OLE document summary: | ||
Source: | OLE document summary: | ||
Source: | OLE document summary: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Window detected: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Data Obfuscation: |
---|
Source: | Code function: | 4_3_02BB126D | |
Source: | Code function: | 4_3_02BB1255 |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Memory protected: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting22 | Path Interception | Process Injection11 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution11 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion1 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools11 | Security Account Manager | Remote System Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection11 | NTDS | File and Directory Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting22 | LSA Secrets | System Information Discovery14 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
48% | Virustotal | Browse | ||
14% | Metadefender | Browse | ||
15% | ReversingLabs | Document-Office.Trojan.Sadoca |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
10% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
airloweryd.com | unknown | unknown | true |
| unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| low | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
true |
| unknown | ||
false |
| low | ||
false | high |
Contacted IPs |
---|
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 452438 |
Start date: | 22.07.2021 |
Start time: | 11:00:15 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 42s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | order_07.21.doc |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal96.expl.evad.winDOC@8/11@3/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
11:00:34 | API Interceptor | |
11:00:35 | API Interceptor | |
11:00:42 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 3039 |
Entropy (8bit): | 5.8499136819223425 |
Encrypted: | false |
SSDEEP: | 48:yAmqAXYLXHqiJXzatwLgXa/1CTaToY/353YaMr8SSjAG75XltCuxa5tD8tlsHsuH:l6YTlhza+gXataeoY/J3YaMrAl7da5t9 |
MD5: | 111964AF02201E77AD219F7562BF19B2 |
SHA1: | 9A48E4281A89383FF5AF45EE2F2BF710704E5152 |
SHA-256: | FB2A3EB78EF18021BD6DA3398FB8D935FD3884F418DDA72FC123903501B5B503 |
SHA-512: | 141C2DAC7594678BC7DA7DE7E9DFC4E90A6A6B4E5EE5985B03F37E97827B59E0BBB6509D88AB6A3CF129DE2EB1660B90FB953F2ABCE441F5D37154D2F3C34784 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Windows\SysWOW64\mshta.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 3247 |
Entropy (8bit): | 5.459946526910292 |
Encrypted: | false |
SSDEEP: | 96:vKFlZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:C0pv+GkduSDl6LRa |
MD5: | 16AA7C3BEBF9C1B84C9EE07666E3207F |
SHA1: | BF0AFA2F8066EB7EE98216D70A160A6B58EC4AA1 |
SHA-256: | 7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754 |
SHA-512: | 245559F757BAB9F3D63FB664AB8F2D51B9369E2B671CF785A6C9FB4723F014F5EC0D60F1F8555D870855CF9EB49F3951D98C62CBDF9E0DC1D28544966D4E70F1 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
IE Cache URL: | res://ieframe.dll/error.dlg |
Preview: |
|
Process: | C:\Windows\SysWOW64\mshta.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 1062 |
Entropy (8bit): | 4.517838839626174 |
Encrypted: | false |
SSDEEP: | 12:z4ENetWsdvCMtkEFk+t2cd3ikIbOViGZVsMLfE4DMWUcC/GFvyVEZd6vcmadxVtS:nA/ag/QSi6/LKZzqKVQgJOexQkYfG6E |
MD5: | 124A9E7B6976F7570134B7034EE28D2B |
SHA1: | E889BFC2A2E57491016B05DB966FC6297A174F55 |
SHA-256: | 5F95EFF2BCAAEA82D0AE34A007DE3595C0D830AC4810EA4854E6526E261108E9 |
SHA-512: | EA1B3CC56BD41FC534AAC00F186180345CB2C06705B57C88C8A6953E6CE8B9A2E3809DDB01DAAC66FA9C424D517D2D14FA45FBEF9D74FEF8A809B71550C7C145 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
IE Cache URL: | res://ieframe.dll/warning.gif |
Preview: |
|
Process: | C:\Windows\SysWOW64\mshta.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 1706 |
Entropy (8bit): | 5.274543201400288 |
Encrypted: | false |
SSDEEP: | 48:NIAbzyYh8rRLkRVNaktqavP61GJZoF+SMy:xWqxztqaHO |
MD5: | B9BEC45642FF7A2588DC6CB4131EA833 |
SHA1: | 4D150A53276C9B72457AE35320187A3C45F2F021 |
SHA-256: | B0ABE318200DCDE42E2125DF1F0239AE1EFA648C742DBF9A5B0D3397B903C21D |
SHA-512: | C119F5625F1FC2BCDB20EE87E51FC73B31F130094947AC728636451C46DCED7B30954A059B24FEF99E1DB434581FD9E830ABCEB30D013404AAC4A7BB1186AD3A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
IE Cache URL: | res://ieframe.dll/error.js |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 25449 |
Entropy (8bit): | 7.717073073385733 |
Encrypted: | false |
SSDEEP: | 768:5Q0NLh5g3xayQTvC4JwSJHfVEhWlB6zLn:5Qig3xayQ7JwoHfVEhWlB6H |
MD5: | 8F21C647D253A3CE991C371D19437151 |
SHA1: | 6FCD455E7A040B387AA6F5A6737FFE06C5B9E39A |
SHA-256: | 7E7864C1563D7D1EDFE3FBDD2F9524F30EFC716716E84F25A1691DF7F628206F |
SHA-512: | 260AD36890A8947D351AA2FE73B76CCD7361950D3F564191E04FD540C62A89C55E65FB8C31024C18D21BD7B018CE44FB12CFD0B0268CF41DA56588B70FA1F7C4 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 9588 |
Entropy (8bit): | 3.36228779012647 |
Encrypted: | false |
SSDEEP: | 192:KJtOd6IW2Ju7gkWlqCqvcDFoIIHMSWjWHSHf:Ati6MJu7gkWovQKMS2 |
MD5: | B18AD56AEC351E4A3116AAE4BCFB1EEA |
SHA1: | 867CCD578E80F0A9BE76ED84D9102C43D3017B76 |
SHA-256: | D9FACCCA44F5328AE0D1BD28C0C0223C174D3272D832710DF7D257A753E030AA |
SHA-512: | FEBD24CF0E2F8E3510191D27D6D3A449F00E45710C964FFB47160B6C21DA11FFC216FAB5122E8C9FADD9D0733C806D8973263C0ACFC8B50B53311F0547BEE70B |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 71 |
Entropy (8bit): | 4.153101000769482 |
Encrypted: | false |
SSDEEP: | 3:M1MtaUd2SmuaUd2mX1MtaUd2v:MyZd2qdWZdI |
MD5: | 50718DAD15698A25C72EC2E62022DC0E |
SHA1: | 75B30EC623E66D04149B44D9C1D7931709741E26 |
SHA-256: | C8FCB6D1F3A340DBD6830E135E41231564BBF702D6BF94C715343744BD412514 |
SHA-512: | 1345294D60234FA9229AE7E3A24D3358A19740EC9D199000E8A8092796473D22A851787AED65F23BDE4F430EA4145F1E38F30B728D9AF5CBBF1BE112640D0562 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2038 |
Entropy (8bit): | 4.519446214646222 |
Encrypted: | false |
SSDEEP: | 24:83Xk/XTwz6Ikn+NeHXxZDv3q+dM7dD23Xk/XTwz6Ikn+NeHXxZDv3q+dM7dV:8nk/XT3Ik+Nsu+Qh2nk/XT3Ik+Nsu+Q/ |
MD5: | 037ED454C333186B84D3F7A64DC56ABA |
SHA1: | 17B4E2E34D22F3388540F461DB8D6D07BF61F07D |
SHA-256: | ABDEB150FAC2362C15E723E834020A747C1CA0B67816ADC163EA72FF32E367CC |
SHA-512: | 62648EFD5A9ABB79B8458CE5DDC178B92812B6A991E0BC07E5D1593CBE51AF497334B30E1D156CC02836DA291360D3E2204FA039E44E2E291BBE1067A3BE7D1B |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.4311600611816426 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVydH/5llORewrU9lln:vdsCkWtORWRjYl |
MD5: | 390880DCFAA790037FA37F50A7080387 |
SHA1: | 760940B899B1DC961633242DB5FF170A0522B0A5 |
SHA-256: | BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391 |
SHA-512: | 47E6AC186253342882E375AA38252D8473D1CA5F6682FABD5F459E1B088B935E326E1149080E0FE94AB176A101BA2CB9E8B700AB5AFAE26F865982A8DA295FD3 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.4311600611816426 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVydH/5llORewrU9lln:vdsCkWtORWRjYl |
MD5: | 390880DCFAA790037FA37F50A7080387 |
SHA1: | 760940B899B1DC961633242DB5FF170A0522B0A5 |
SHA-256: | BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391 |
SHA-512: | 47E6AC186253342882E375AA38252D8473D1CA5F6682FABD5F459E1B088B935E326E1149080E0FE94AB176A101BA2CB9E8B700AB5AFAE26F865982A8DA295FD3 |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 5.976846319095004 |
TrID: |
|
File name: | order_07.21.doc |
File size: | 89257 |
MD5: | 401b19c454075d52bd832725f3c22cfe |
SHA1: | 088f76c184a0cba673abc41bd5582e4e21672fdd |
SHA256: | 6b94e6319e46f52058d5f0c1bc07d7e367152e3bb769f2fd1af097914fe64ce3 |
SHA512: | b83ddf0a5dc6174591e0c07a1b87f5ffb5a1efa731913707829195415bed70a5dff43d9669e948e509fd3e77d15986391e1e01b9344c2694dd1b0fba5b87f894 |
SSDEEP: | 1536:EVzJCsRRHr11AQYyqGJHQYCDEtU6dLTR97YVuL6:NKPxQYNtU6ZvYVuu |
File Content Preview: | <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<?mso-application progid="Word.Document"?>..<w:wordDocument xmlns:aml="http://schemas.microsoft.com/aml/2001/core" xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmln |
File Icon |
---|
Icon Hash: | e4eea2aaa4b4b4a4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | Word2003_XML | |
Number of OLE Files: | 1 |
OLE File "/opt/package/joesandbox/database/analysis/452438/sample/order_07.21.doc" |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Streams with VBA |
---|
VBA File Name: ThisDocument.cls, Stream Size: 1309 |
---|
General | |
---|---|
Stream Path: | VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 1309 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . . % . r u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . z . . . N . . M . . . . . . . . . . . j . . . N . S " i . j . h . . . . . . . . . . . . . . . . . . . . ; . . % . . . C . . . . . t . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . ; . . % . . . C . . . . . t . 2 z . . . N . . M . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 06 00 01 00 00 8c 03 00 00 e4 00 00 00 ea 01 00 00 ba 03 00 00 c8 03 00 00 58 04 00 00 01 00 00 00 01 00 00 00 25 82 72 75 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 7a b8 8a b8 4e cb 83 4d ae 0a a9 05 c5 c8 fc 85 fc 04 93 6a d4 ee dc 4e 9f 53 22 69 1f 6a fb 68 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
False |
VB_Exposed |
Attribute |
VB_Creatable |
VB_Name |
document_open() |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
"ThisDocument" |
VBA Code |
---|
|
VBA File Name: boxPasteNext.bas, Stream Size: 1668 |
---|
General | |
---|---|
Stream Path: | VBA/boxPasteNext |
VBA File Name: | boxPasteNext.bas |
Stream Size: | 1668 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Y . . . . . . . . . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 82 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 89 03 00 00 59 05 00 00 00 00 00 00 01 00 00 00 25 82 8f aa 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
VB_Name |
main() |
captionDeleteCur() |
Public |
"boxPasteNext" |
Function |
windowLst |
Mid(ActiveDocument.Range.Text, |
Output |
arrayObjectButt |
screenIndVal |
screenIndVal() |
Attribute |
"c:\programdata\captionEx.hta" |
Close |
captionDeleteCur |
windowLst() |
VBA Code |
---|
|
VBA File Name: buttSwap.bas, Stream Size: 945 |
---|
General | |
---|---|
Stream Path: | VBA/buttSwap |
VBA File Name: | buttSwap.bas |
Stream Size: | 945 |
Data ASCII: | . . . . . . . . . z . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . % . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 35 03 00 00 00 00 00 00 01 00 00 00 25 82 5a bb 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
Function |
Shell("cmd |
Attribute |
VB_Name |
"buttSwap" |
windowLst) |
arrayObjectButt |
arrayObjectButt() |
VBA Code |
---|
|
Streams |
---|
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 459 |
---|
General | |
---|---|
Stream Path: | PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 459 |
Entropy: | 5.38200596711 |
Base64 Encoded: | True |
Data ASCII: | I D = " { 4 E 6 C 1 6 6 D - 1 C 7 B - 4 2 6 B - 9 C C C - 3 0 C 0 6 8 5 F 4 1 D F } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = b o x P a s t e N e x t . . M o d u l e = b u t t S w a p . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 9 F 9 D 6 5 9 C 7 B A C 8 2 B 0 8 2 B 0 8 2 B 0 8 2 B 0 " . . D P B = " A A A 8 5 0 A 9 5 A A A 5 A A A 5 A " . . G C = " B 5 B 7 4 |
Data Raw: | 49 44 3d 22 7b 34 45 36 43 31 36 36 44 2d 31 43 37 42 2d 34 32 36 42 2d 39 43 43 43 2d 33 30 43 30 36 38 35 46 34 31 44 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 62 6f 78 50 61 73 74 65 4e 65 78 74 0d 0a 4d 6f 64 75 6c 65 3d 62 75 74 74 53 77 61 70 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 |
Stream Path: PROJECTwm, File Type: data, Stream Size: 107 |
---|
General | |
---|---|
Stream Path: | PROJECTwm |
File Type: | data |
Stream Size: | 107 |
Entropy: | 3.43250959943 |
Base64 Encoded: | False |
Data ASCII: | T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . b o x P a s t e N e x t . b . o . x . P . a . s . t . e . N . e . x . t . . . b u t t S w a p . b . u . t . t . S . w . a . p . . . . . |
Data Raw: | 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 62 6f 78 50 61 73 74 65 4e 65 78 74 00 62 00 6f 00 78 00 50 00 61 00 73 00 74 00 65 00 4e 00 65 00 78 00 74 00 00 00 62 75 74 74 53 77 61 70 00 62 00 75 00 74 00 74 00 53 00 77 00 61 00 70 00 00 00 00 00 |
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 2785 |
---|
General | |
---|---|
Stream Path: | VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 2785 |
Entropy: | 4.16324625344 |
Base64 Encoded: | False |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . |
Data Raw: | cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 1699 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_0 |
File Type: | data |
Stream Size: | 1699 |
Entropy: | 3.60340858827 |
Base64 Encoded: | False |
Data ASCII: | . K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . ] . I > . ] % O . L . . . f . ! . . . . . . . . . . . |
Data Raw: | 93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 |
Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 190 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_1 |
File Type: | data |
Stream Size: | 190 |
Entropy: | 1.69732927545 |
Base64 Encoded: | False |
Data ASCII: | r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . |
Data Raw: | 72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 532 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_2 |
File Type: | data |
Stream Size: | 532 |
Entropy: | 2.02890248311 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` i . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 72 55 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 00 00 01 00 01 00 00 00 01 00 71 07 00 00 00 00 00 00 00 00 00 00 a1 07 00 00 00 00 00 00 00 00 00 00 d1 07 |
Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 156 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_3 |
File Type: | data |
Stream Size: | 156 |
Entropy: | 1.78206636307 |
Base64 Encoded: | False |
Data ASCII: | r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . |
Data Raw: | 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 38 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 04 60 00 00 e1 0d 38 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 |
Stream Path: VBA/dir, File Type: data, Stream Size: 619 |
---|
General | |
---|---|
Stream Path: | VBA/dir |
File Type: | data |
Stream Size: | 619 |
Entropy: | 6.4433751069 |
Base64 Encoded: | True |
Data ASCII: | . g . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . b . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . . . m . . |
Data Raw: | 01 67 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 80 87 e6 62 0c 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
07/22/21-11:01:07.680252 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | 192.168.2.22 | 8.8.8.8 | ||
07/22/21-11:01:08.693819 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | 192.168.2.22 | 8.8.8.8 |
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 22, 2021 11:01:04.599126101 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Jul 22, 2021 11:01:05.609379053 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Jul 22, 2021 11:01:06.623332024 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Jul 22, 2021 11:01:06.670084000 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Jul 22, 2021 11:01:07.680150032 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Jul 22, 2021 11:01:08.693541050 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
ICMP Packets |
---|
Timestamp | Source IP | Dest IP | Checksum | Code | Type |
---|---|---|---|---|---|
Jul 22, 2021 11:01:07.680252075 CEST | 192.168.2.22 | 8.8.8.8 | d004 | (Port unreachable) | Destination Unreachable |
Jul 22, 2021 11:01:08.693819046 CEST | 192.168.2.22 | 8.8.8.8 | d004 | (Port unreachable) | Destination Unreachable |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jul 22, 2021 11:01:04.599126101 CEST | 192.168.2.22 | 8.8.8.8 | 0xa163 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jul 22, 2021 11:01:05.609379053 CEST | 192.168.2.22 | 8.8.8.8 | 0xa163 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jul 22, 2021 11:01:06.623332024 CEST | 192.168.2.22 | 8.8.8.8 | 0xa163 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jul 22, 2021 11:01:06.670084000 CEST | 8.8.8.8 | 192.168.2.22 | 0xa163 | Server failure (2) | none | none | A (IP address) | IN (0x0001) | |
Jul 22, 2021 11:01:07.680150032 CEST | 8.8.8.8 | 192.168.2.22 | 0xa163 | Server failure (2) | none | none | A (IP address) | IN (0x0001) | |
Jul 22, 2021 11:01:08.693541050 CEST | 8.8.8.8 | 192.168.2.22 | 0xa163 | Server failure (2) | none | none | A (IP address) | IN (0x0001) |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Click to jump to process
Memory Usage |
---|
Click to jump to process
High Level Behavior Distribution |
---|
back
Click to dive into process behavior distribution
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 11:00:32 |
Start date: | 22/07/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fff0000 |
File size: | 1424032 bytes |
MD5 hash: | 95C38D04597050285A18F66039EDB456 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 11:00:33 |
Start date: | 22/07/2021 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x4a150000 |
File size: | 345088 bytes |
MD5 hash: | 5746BD7E255DD6A8AFA06F7C42C1BA41 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 11:00:34 |
Start date: | 22/07/2021 |
Path: | C:\Windows\SysWOW64\mshta.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x12a0000 |
File size: | 13312 bytes |
MD5 hash: | ABDFC692D9FE43E2BA8FE6CB5A8CB95A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 11:00:41 |
Start date: | 22/07/2021 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb20000 |
File size: | 14848 bytes |
MD5 hash: | 432BE6CF7311062633459EEF6B242FB5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function 02BB0200, Relevance: .1, Instructions: 119COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 029F0F9F, Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 029F0F97, Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 029F0F8F, Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 029F0FAF, Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 029F0FDF, Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 029F0FD7, Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 029F0FE7, Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|