Windows Analysis Report charge_12.01.2021.doc

Overview

General Information

Sample Name:	charge_12.01.2021.doc
Analysis ID:	532355
MD5:	18499830201cddade8183b8e24fdf30a
SHA1:	55c498cf7273cab567f49a00c15ca3316c001215
SHA256:	0a42f6762ae4f3b1d95aae0f8977cde6361f1d59b5ccc400c41772db0205f7c5
Tags:	BokbotdocIcedIDmacrosShathakTA551Word
Infos:
Most interesting Screenshot:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document contains an embedded VBA macro which may execute processes

Sigma detected: Suspicious MSHTA Process Patterns

Document exploit detected (process start blacklist hit)

Machine Learning detection for sample

Document contains no OLE stream with summary information

Queries the volume information (name, serial number etc) of a device

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

Document has an unknown application name

Uses a known web browser user agent for HTTP communication

May sleep (evasive loops) to hinder dynamic analysis

Creates a window with clipboard capturing capabilities

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Potential document exploit detected (performs DNS queries)

Document contains an embedded VBA macro which reads document properties (may be used for disguise)

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Searches for user specific document files

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: charge_12.01.2021.doc

Virustotal: Detection: 20%

Perma Link

Machine Learning detection for sample

Source: charge_12.01.2021.doc

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\explorer.exe

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.62.42.207:80

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: winrentals2017b.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.62.42.207:80

Networking:

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /tegz/Q277aG7FkN9pAcaWDfFlGNBeuaqGed8i/baWexTQoGyAAzLR/AU1XErrU1FitjjV8BBaQuem65smQXYvyd/64063/g6fJYLGHRVWp7s1tvHnZdv/XcjcYCjBX8tPaALshiDAx85PEq/cab3?ref=0t&WzOZ=9xyAidN&z3d9Ob0=EwAUkUUNyHsk&user=4Zky89n&cid=bE5YBOFyZvWHbGv9wPr7QVm&q=lYkgZNGYoZpu9 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: winrentals2017b.comConnection: Keep-Alive

Source: mshta.exe, 00000004.00000002.418202700.0000000006340000.00000004.00000001.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: WINWORD.EXE, 00000000.00000002.531696202.00000000090C0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000004.00000002.418202700.0000000006340000.00000004.00000001.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: WINWORD.EXE, 00000000.00000002.531696202.00000000090C0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: WINWORD.EXE, 00000000.00000002.531696202.00000000090C0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: WINWORD.EXE, 00000000.00000002.531954331.00000000092A7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.417049273.0000000003377000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: WINWORD.EXE, 00000000.00000002.531954331.00000000092A7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.417049273.0000000003377000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: WINWORD.EXE, 00000000.00000002.528805255.0000000004490000.00000002.00020000.sdmp, explorer.exe, 00000002.00000002.405382642.0000000001E70000.00000002.00020000.sdmp, explorer.exe, 00000003.00000002.405616218.0000000001D60000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WINWORD.EXE, 00000000.00000002.531954331.00000000092A7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.417049273.0000000003377000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: WINWORD.EXE, 00000000.00000002.531954331.00000000092A7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.417049273.0000000003377000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000004.00000002.418224211.000000000635A000.00000004.00000001.sdmp	String found in binary or memory: http://winrentals2017b.com/tegz/Q277aG7FkN9pAcaWDfFlGNBeuaqGed8i/baWexTQoGyAAzLR/AU1XErrU1FitjjV8BBa
Source: WINWORD.EXE, 00000000.00000002.528805255.0000000004490000.00000002.00020000.sdmp, explorer.exe, 00000002.00000002.405382642.0000000001E70000.00000002.00020000.sdmp, explorer.exe, 00000003.00000002.405616218.0000000001D60000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: WINWORD.EXE, 00000000.00000002.531696202.00000000090C0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: WINWORD.EXE, 00000000.00000002.531954331.00000000092A7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.417049273.0000000003377000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: WINWORD.EXE, 00000000.00000002.531696202.00000000090C0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F929E0A5-0B20-4288-9DA9-D559EA91D780}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: winrentals2017b.com

Source: global traffic

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Source: C:\Windows\SysWOW64\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Document contains an embedded VBA macro which may execute processes

Source: VBA code instrumentation

OLE, VBA macro: Module ThisDocument, Function s, API IWshShell3.exec("explorer youTube.hta")

Name: s

Document contains no OLE stream with summary information

Source: charge_12.01.2021.doc	OLE indicator has summary info: false
Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr	OLE indicator has summary info: false

Searches for the Microsoft Outlook file path

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Document has an unknown application name

Source: charge_12.01.2021.doc	OLE indicator application name: unknown
Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr	OLE indicator application name: unknown

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: charge_12.01.2021.doc	OLE, VBA macro line: Public Sub autoopen()
Source: VBA code instrumentation	OLE, VBA macro: Module main, Function autoopen			Name: autoopen

Document contains embedded VBA macros

Source: charge_12.01.2021.doc

OLE indicator, VBA macros: true

Document contains an embedded VBA macro which reads document properties (may be used for disguise)

Source: charge_12.01.2021.doc

OLE, VBA macro line: keywords = activedocument.builtindocumentproperties("keywords").value

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\mshta.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: charge_12.01.2021.doc

Virustotal: Detection: 20%

Source: C:\Windows\explorer.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe explorer youTube.hta
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe explorer youTube.hta	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta"	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: WINWORD.EXE, 00000000.00000002.531696202.00000000090C0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$arge_12.01.2021.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC966.tmp

Jump to behavior

Source: classification engine

Classification label: mal64.expl.winDOC@6/14@1/1

Source: charge_12.01.2021.doc	OLE document summary: title field not present or empty
Source: charge_12.01.2021.doc	OLE document summary: edited time not present or 0
Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: charge_12.01.2021.doc

Initial sample: OLE summary keywords = ath.ebuTuoy

Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 2248	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2248	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2700	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe TID: 2692	Thread sleep time: -240000s >= -30000s	Jump to behavior

Source: explorer.exe, 00000003.00000003.404886845.000000000017F000.00000004.00000001.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation			Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Searches for user specific document files

Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.62.42.207	winrentals2017b.com	Russian Federation		34464	ZEISS-ASRU	false

Contacted Domains

Name	IP	Active
winrentals2017b.com	194.62.42.207	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://winrentals2017b.com/tegz/Q277aG7FkN9pAcaWDfFlGNBeuaqGed8i/baWexTQoGyAAzLR/AU1XErrU1FitjjV8BBaQuem65smQXYvyd/64063/g6fJYLGHRVWp7s1tvHnZdv/XcjcYCjBX8tPaALshiDAx85PEq/cab3?ref=0t&WzOZ=9xyAidN&z3d9Ob0=EwAUkUUNyHsk&user=4Zky89n&cid=bE5YBOFyZvWHbGv9wPr7QVm&q=lYkgZNGYoZpu9	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

AV Detection:

Multi AV Scanner detection for submitted file

Source: charge_12.01.2021.doc

Virustotal: Detection: 20%

Perma Link

Machine Learning detection for sample

Source: charge_12.01.2021.doc

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\explorer.exe

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.62.42.207:80

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: winrentals2017b.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.62.42.207:80

Networking:

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: mshta.exe, 00000004.00000002.418202700.0000000006340000.00000004.00000001.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: WINWORD.EXE, 00000000.00000002.531696202.00000000090C0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000004.00000002.418202700.0000000006340000.00000004.00000001.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: WINWORD.EXE, 00000000.00000002.531696202.00000000090C0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: WINWORD.EXE, 00000000.00000002.531696202.00000000090C0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: WINWORD.EXE, 00000000.00000002.531954331.00000000092A7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.417049273.0000000003377000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: WINWORD.EXE, 00000000.00000002.531954331.00000000092A7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.417049273.0000000003377000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: WINWORD.EXE, 00000000.00000002.528805255.0000000004490000.00000002.00020000.sdmp, explorer.exe, 00000002.00000002.405382642.0000000001E70000.00000002.00020000.sdmp, explorer.exe, 00000003.00000002.405616218.0000000001D60000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WINWORD.EXE, 00000000.00000002.531954331.00000000092A7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.417049273.0000000003377000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: WINWORD.EXE, 00000000.00000002.531954331.00000000092A7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.417049273.0000000003377000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000004.00000002.418224211.000000000635A000.00000004.00000001.sdmp	String found in binary or memory: http://winrentals2017b.com/tegz/Q277aG7FkN9pAcaWDfFlGNBeuaqGed8i/baWexTQoGyAAzLR/AU1XErrU1FitjjV8BBa
Source: WINWORD.EXE, 00000000.00000002.528805255.0000000004490000.00000002.00020000.sdmp, explorer.exe, 00000002.00000002.405382642.0000000001E70000.00000002.00020000.sdmp, explorer.exe, 00000003.00000002.405616218.0000000001D60000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: WINWORD.EXE, 00000000.00000002.531696202.00000000090C0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: WINWORD.EXE, 00000000.00000002.531954331.00000000092A7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.417049273.0000000003377000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: WINWORD.EXE, 00000000.00000002.531696202.00000000090C0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F929E0A5-0B20-4288-9DA9-D559EA91D780}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: winrentals2017b.com

Source: global traffic

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Source: C:\Windows\SysWOW64\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Document contains an embedded VBA macro which may execute processes

Source: VBA code instrumentation

OLE, VBA macro: Module ThisDocument, Function s, API IWshShell3.exec("explorer youTube.hta")

Name: s

Document contains no OLE stream with summary information

Source: charge_12.01.2021.doc	OLE indicator has summary info: false
Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr	OLE indicator has summary info: false

Searches for the Microsoft Outlook file path

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Document has an unknown application name

Source: charge_12.01.2021.doc	OLE indicator application name: unknown
Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr	OLE indicator application name: unknown

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: charge_12.01.2021.doc	OLE, VBA macro line: Public Sub autoopen()
Source: VBA code instrumentation	OLE, VBA macro: Module main, Function autoopen			Name: autoopen

Document contains embedded VBA macros

Source: charge_12.01.2021.doc

OLE indicator, VBA macros: true

Document contains an embedded VBA macro which reads document properties (may be used for disguise)

Source: charge_12.01.2021.doc

OLE, VBA macro line: keywords = activedocument.builtindocumentproperties("keywords").value

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\mshta.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: charge_12.01.2021.doc

Virustotal: Detection: 20%

Source: C:\Windows\explorer.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe explorer youTube.hta
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe explorer youTube.hta	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta"	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: WINWORD.EXE, 00000000.00000002.531696202.00000000090C0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.416843704.0000000003190000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$arge_12.01.2021.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC966.tmp

Jump to behavior

Source: classification engine

Classification label: mal64.expl.winDOC@6/14@1/1

Source: charge_12.01.2021.doc	OLE document summary: title field not present or empty
Source: charge_12.01.2021.doc	OLE document summary: edited time not present or 0
Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: charge_12.01.2021.doc

Initial sample: OLE summary keywords = ath.ebuTuoy

Source: ~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 2248	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2248	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2700	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe TID: 2692	Thread sleep time: -240000s >= -30000s	Jump to behavior

Source: explorer.exe, 00000003.00000003.404886845.000000000017F000.00000004.00000001.sdmp

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation			Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Searches for user specific document files

Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

ID:	532355
Product:	CloudBasic
Start time:	04:19:19
Start date:	02.12.2021
Sample:	charge_12.01.2021.doc
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	18499830201cddade8183b8e24fdf30a
SHA1:	55c498cf7273cab567f49a00c15ca3316c001215
SHA256:	0a42f6762ae4f3b1d95aae0f8977cde6361f1d59b5ccc400c41772db0205f7c5
Filetype:	Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\cab3[1].htm	HTML document, ASCII text	B5FF4C0F214FDF079AE6D835F046B7C5	FC1F09A696C92D366E4868A35A5AFA79129B12BE	AAF04ECB4C67DE5A7833184F5ABEEC5F48A2FC17BB8167637A421596E00C7E4C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DF8DB82E.gif	GIF image data, version 89a, 774 x 198	76DA3E2154587DD3D69A81FCDB0C7364	0F23E27B3A456B22A11D3FBC3132397B0DDC9357	F9299AB3483A8F729B2ACA2111B46E9952D4491AC66124FEC22C1C789EBC3139
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{477B7D15-E68B-42EE-9265-E39BF1B772F7}.tmp	Composite Document File V2 Document, Cannot read section info	CB1824FD94AC639BBC2FA16B0428D68D	857B6763C495ADC01475B0E6FD8A78BC5FE8E4A1	5F45665D6EC34D66D8FE61F17AE4F8DF54DEFABE561D5FF517EC7D2C2DDE7CCC
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CEA20A45-6520-4724-B440-5537342337CC}.tmp	data	F21872093625D2BA00E54A3D108AF87C	863CA8B13F268B27CCE55FB2529F6DEB0E3F7FAD	415D7D16904A8DEFC4E43F7B987E07C6DE35129DA74C02EDF24AA2D09BBE0D65
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F929E0A5-0B20-4288-9DA9-D559EA91D780}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\My Documents.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu Dec 2 11:20:15 2021, atime=Thu Dec 2 11:20:15 2021, length=8192, window=hide	06C90362D402245A0B0BAFA5A3E6531B	6D411C7BAFCCFBDA2233AE29DF9A94016DC49CFD	A0B8A90325D92635152F8102568FE6C0BB54408D11D32C72A30595C61CCFAC17
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\charge_12.01.2021.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:54 2021, mtime=Mon Aug 30 20:08:54 2021, atime=Thu Dec 2 11:20:11 2021, length=33465, window=hide	E709F4ED79010029EA756E43C97300E0	EB8BF923D3FCFB7C7506DC3746848ECAD22A6785	7315E9E82BFD64A149C161A616757BFE34938D92548C05C36B06BADA5D0D3EEA
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	8783DD2CAE71F2E44E75175200CC3C71	59A8D8943F354672ED2E4E1B0B97BC85F4529446	D3511F772A8D95B4A56063132C49190D6165483DD1005B36647DF6AFB0D4567B
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\youTube.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 2 11:20:15 2021, mtime=Thu Dec 2 11:20:15 2021, atime=Thu Dec 2 11:20:15 2021, length=3342, window=hide	0A9A707360E344370C535C595C655FE5	3DBD4D9B42BEBB0718FDD2E70B81CEAC0E500865	7A90EDFC0B1456A5B5735277C9F2A363BB703A2B7ADF4F9575227104FF0F0FFB
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	45B1E2B14BE6C1EFC217DCE28709F72D	64E3E91D6557D176776A498CF0776BE3679F13C3	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
C:\Users\user\Desktop\~$arge_12.01.2021.doc	data	45B1E2B14BE6C1EFC217DCE28709F72D	64E3E91D6557D176776A498CF0776BE3679F13C3	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
C:\Users\user\Documents\youTube.hta (copy)	HTML document, ASCII text, with very long lines, with CRLF line terminators	55D9EAB53D4063A53B6ED05F7B1E75E7	E6B4C81676D3EF0D2F7D08A6CC2AD90EB54908C3	C7F40608CE8A3DDA25C13D117790D08EF757B07B8C2CCB645A27A71ADC322FB2
C:\Users\user\Documents\~$ouTube.hta	data	45B1E2B14BE6C1EFC217DCE28709F72D	64E3E91D6557D176776A498CF0776BE3679F13C3	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
C:\Users\user\Documents\~WRD0000.tmp	HTML document, ASCII text, with very long lines, with CRLF line terminators	55D9EAB53D4063A53B6ED05F7B1E75E7	E6B4C81676D3EF0D2F7D08A6CC2AD90EB54908C3	C7F40608CE8A3DDA25C13D117790D08EF757B07B8C2CCB645A27A71ADC322FB2

Windows Analysis Report charge_12.01.2021.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs