Windows Analysis Report
doc1712.docx

Overview

General Information

Sample Name:	doc1712.docx
Analysis ID:	640804
MD5:	7a91b01a037ccbfe6589161643d0a65a
SHA1:	53658a5b5bc577d601e23ae77a34cb44dcba1f27
SHA256:	f17f5c8eac3a18c961705a61385e1d2894cc8f22fb33aa3e076a40b826384c60
Infos:

Detection

Follina CVE-2022-30190

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Snort IDS alert for network traffic

Contains an external reference to another file

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Internet Provider seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: doc1712.docx

Virustotal: Detection: 23%

Perma Link

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1677574B.RES, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8DA8FA91.RES, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES, type: DROPPED

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 45.32.185.177:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49176 -> 45.32.185.177:80

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 45.32.185.177:80 -> 192.168.2.22:49176

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 45.32.185.177Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 45.32.185.177If-Modified-Since: Tue, 07 Jun 2022 13:20:09 GMTIf-None-Match: "1701-5e0db72a43821"Connection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177

Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	String found in binary or memory: http://45.32.185
Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	String found in binary or memory: http://45.32.185.177/123.RES
Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	String found in binary or memory: http://45.32.185.177/123.RESyX
Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	String found in binary or memory: http://45.32.185.177:80/123.RES

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0FB641AE-A3C8-41BE-B49C-07E97C275C10}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 45.32.185.177Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 45.32.185.177If-Modified-Since: Tue, 07 Jun 2022 13:20:09 GMTIf-None-Match: "1701-5e0db72a43821"Connection: Keep-Alive

Yara signature match

Source: dump.pcap, type: PCAP	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1677574B.RES, type: DROPPED	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8DA8FA91.RES, type: DROPPED	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES, type: DROPPED	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: doc1712.docx

Virustotal: Detection: 23%

Source: doc1712.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\doc1712.docx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$oc1712.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR625A.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.expl.evad.winDOCX@1/18@0/1

Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: mhtml:http://45.32.185.177:80/123.res!http://45.32.185.177:80/123.res

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.32.185.177	unknown	United States		20473	AS-CHOOPAUS	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.32.185.177/123.RES	true	Avira URL Cloud: safe	unknown

ID:	640804
Product:	CloudBasic
Start time:	17:32:33
Start date:	07.06.2022
Sample:	doc1712.docx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	7a91b01a037ccbfe6589161643d0a65a
SHA1:	53658a5b5bc577d601e23ae77a34cb44dcba1f27
SHA256:	f17f5c8eac3a18c961705a61385e1d2894cc8f22fb33aa3e076a40b826384c60
Filetype:	Word Microsoft Office Open XML Format document (49504/1) 49.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD	data	205378DA7DCF371A43C479B7B0F9A2AD	E00F4D3429165C950A6FCA02AC85B4EE4BE79F86	A04716B070A827159831E3AD865F6A62B2466F941722B54ED2862A1FD7883A3C
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{21C75FA3-D59D-4916-8777-2F8DF89A7989}.FSD	data	0619296DF6C45C7BE46A7252C333B2C2	A43D8FF16A461B32B6A7F10B8B5A63F609C35427	016831A58683C476F54FAEA19E0308406037953FB098236DD861105721775B29
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF	data	C14E09D3EC890E7ED1042FB5E67173E4	192CBAE659A8861394BE1583C410C1AF900C503C	FA11FB46BC064933EBF6F226409F02F62AB09EAF92099BF4C6C08AA33921F326
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD	data	9E46BE96F855416E452AF830BDB02202	14E4A4E600D7C8910070ECA1F06DD5C4356CA7C7	3E0056641E7814076CC40F431D5BAF1A69ACCCD583F4898A4E08173E08F9CD7C
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6894BD70-C9F6-4E64-BA1D-696172CE4314}.FSD	data	AD8C750FDFC17D93C33BA3087D3FD555	50AE879216EC832CD5250C3D46FD62BB28ABAC32	D70EF9A7ACC8DDF6827A899E8319116101A55544978060999A23F20BDD4A9334
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF	data	DD3EDE691A56C2D4DFF30FF5C39C0FA5	54F859A53C2215FBF11C0951DB71E2C93FE7EDFC	38395295006CA6283B2629459D07F44B55D657303E9CEE979933FC9C72EF204A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES	HTML document, ASCII text, with very long lines, with CRLF line terminators	EA48F95AB4F3CA3B0C687A726CB00C49	C473DB9C4D460D3F7801B506F289C04A04D3A50F	CDEC208EC12FA58C122DB1887ABB7F58C7998A9BA6EEEBFFC501E11DE3975215
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1677574B.RES	HTML document, ASCII text, with very long lines, with CRLF line terminators	EA48F95AB4F3CA3B0C687A726CB00C49	C473DB9C4D460D3F7801B506F289C04A04D3A50F	CDEC208EC12FA58C122DB1887ABB7F58C7998A9BA6EEEBFFC501E11DE3975215
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8DA8FA91.RES	HTML document, ASCII text, with very long lines, with CRLF line terminators	EA48F95AB4F3CA3B0C687A726CB00C49	C473DB9C4D460D3F7801B506F289C04A04D3A50F	CDEC208EC12FA58C122DB1887ABB7F58C7998A9BA6EEEBFFC501E11DE3975215
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp	Composite Document File V2 Document, Cannot read section info	8B673A3336AF537A8BE96B8EA3048871	CFBCE6835C5B31AE7170F1039BFB2C76002F1DC3	0F233D976207B3465D4C8BB3B7B8F977B8DA9BF43417A8B42E180A90FB99C2B4
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0FB641AE-A3C8-41BE-B49C-07E97C275C10}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A4DAF9D9-9403-4C16-9440-8C0CD34B4722}.tmp	data	06F97D56780E4E8E5E513A038B6D23C5	AC6FD87B383193CAA33E86670AD51B6689A57661	CF1AAF863CBFFBBB570286E2A20872BED7F36D039E3CE3A9FDCC0ECDBF5ED3B0
C:\Users\user\AppData\Local\Temp\{2988F61F-4F9A-4845-AAA6-0600A931CA19}	data	99C66582A073466D851197E61D9E4977	72AD2E75939E0F352912BA79B5CA0F90A8A3F642	4517A42130351BC4643AEF4246A09D32077F23EBFACEB9A4512E7C44E82C0289
C:\Users\user\AppData\Local\Temp\{DA1724A8-2EEB-4B4F-8C48-5E256737D51E}	data	2447DAB5C0393923C0417D2AF4471316	2EAF7E9074AB1AF9F59D7891C3411C1936411953	C38E53967022743EB7D114B46270D960E0E0B2A9ADF0C8EA1A92FC16BA9078B5
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\doc1712.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:55 2022, mtime=Tue Mar 8 15:45:55 2022, atime=Tue Jun 7 23:33:14 2022, length=10142, window=hide	D2B1BED3040717B5D022C32C68292CE1	06D6D2EECD5F069300DC1E8D0D2919BFA0503C97	E7B2E0BC2D533C2854B5C2E5ADF17D643A2DFA419D0F1B8E8D39041ED8578F0C
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	2E496A3F1C20211051285A980DADA39A	B980277016A7BCCC0E108CD9A00E82AF61433394	B466FF5520F73BD086D77160EB4D437F0AA73747604E1318E3BF3C220D218763
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	1674A1C7C99CD9FAADA789F5E2AEB335	26D9E81D5ED584A899A94D5EA8945A5AE3403F85	BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6
C:\Users\user\Desktop\~$oc1712.docx	data	1674A1C7C99CD9FAADA789F5E2AEB335	26D9E81D5ED584A899A94D5EA8945A5AE3403F85	BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6

Windows Analysis Report
doc1712.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report doc1712.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
doc1712.docx