Windows
Analysis Report
doc782.docx
Overview
General Information
Detection
Follina CVE-2022-30190
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Snort IDS alert for network traffic
Contains an external reference to another file
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Classification
- System is w7x64
- WINWORD.EXE (PID: 1460 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard | |
| JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard | |
| JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |
| MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard | |
| JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |
| MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard | |
⊘No Sigma rule has matched
Timestamp: | 06/07/22-18:38:14.250872 |
SID: | 2036726 |
Source Port: | 80 |
Destination Port: | 49173 |
Protocol: | TCP |
Classtype: | Attempted User Privilege Gain |
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: |
Exploits |
---|
Source: | File source: | (4 entries; values not preserved in this export) |
Source: | File opened: |
Source: | TCP traffic: | (2 entries) |
Networking |
---|
Source: | Snort IDS: |
Source: | HTTP traffic detected: | (2 entries) |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | (34 entries; values not preserved in this export) |
Source: | String found in binary or memory: | (4 entries) |
Source: | File created: |
Source: | HTTP traffic detected: | (2 entries) |
Source: | Matched rule: | (4 entries) |
Source: | OLE stream indicators for Word, Excel, PowerPoint, and Visio: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | LNK file: |
Source: | File created: | (2 entries) |
Source: | Classification label: |
Source: | OLE document summary: | (3 entries) |
Source: | File read: |
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Initial sample: |
Persistence and Installation Behavior |
---|
Source: | Extracted files from sample: |
Source: | Process information set: | (64 entries; values not preserved in this export) |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 2 Exploitation for Client Execution | Path Interception | Path Interception | 1 Masquerading | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Non-Application Layer Protocol | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 11 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 23% | Virustotal | | |
| 17% | ReversingLabs | Document-Office.Exploit.CVE-2021-40444 | |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 2% | Virustotal | | |
| 0% | Avira URL Cloud | safe | |
| 2% | Virustotal | | |
| 0% | Avira URL Cloud | safe | |
| 0% | Virustotal | | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
⊘No contacted domains info
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | true | | low |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.234.247.119 | unknown | Russian Federation | | 198004 | INTERKONEKT-ASPL | true |
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 640879 |
Start date and time: | 2022-06-07 18:37:12 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 47s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | doc782.docx |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 1 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal68.expl.evad.winDOCX@1/18@0/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
- Report size getting too big, too many NtQueryAttributesFile calls found.
⊘No simulations
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.286476876836956 |
Encrypted: | false |
SSDEEP: | 48:I3qiRBtkKYcOkYkdtclI1GIRnCJyDmHR/RzrxYkQ2MNbmH:KzLtONflI1Qv9Wk/MNbmH |
MD5: | 6BCB2F665A13AD491ECC953E7DC2600A |
SHA1: | B6A006C08EFAB6680AE149871D3BCF72A899EB49 |
SHA-256: | 9F3395C72A95FB68A06293DEF18EF7D872D85C587891BEBBFF6CA40739A12455 |
SHA-512: | 3AA2E883787085CBD01D7A5C7172043EAA2B94608EA1F0CC5C8CF3352B8681A681F0795A4DED825CCE99C30FEEC478276FDD319B0E43AEEF2BAC6B1FF7415824 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{950185C1-D03B-43EE-9B9C-D0CDFF898355}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.6721178351435934 |
Encrypted: | false |
SSDEEP: | 96:K8CyRac5sakKYEaoGi0S+rg3Ezw83pXUpX2EpJOBhXkOBh:zRaykKYE/GBfrcEzt3RUR2EPOBpkOB |
MD5: | B1CC8BA869BD685529814B7A230CADC3 |
SHA1: | 4EEC65DF18DE007DFF4A6BBF9FBE63CE88B799F5 |
SHA-256: | 9D16A5F0E79E851A2DFAC0DC39DA298E387D4367F95A03CA21D59FA5EB84EBF2 |
SHA-512: | 777E7C15960292D9AF91AF27046EE70394A30E0E5CFBA3D0A5165E0C625166C32BAC0A65617A016AFFE077B03E42C977230F724F9DCA8725EB3BB78F29147A38 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.8916224090210907 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlzLlUwIhVlWGgmPm7lcHkQ+27276:yPblzywI5W3Gm65+g22 |
MD5: | 626D26BA67DC406AD2544367CDA6666C |
SHA1: | 000E7519E969A23460054A3B8C27E930CE9D9A38 |
SHA-256: | 10F22C4182B3FBAF8BAAA5E8228E0E6773A64201BFFA93B9DC41F50EA6F30207 |
SHA-512: | E7FE264D610FD3BA698BFDBCA3CD547F24C831355881A2F4A4C487A884F66690DCDA190E1108BFA8CA394C544D8142F5E3619056AE90EB0D17167C040EC2CBA6 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.28756379665444187 |
Encrypted: | false |
SSDEEP: | 96:KPLaryP7M08sHsfsFspsfIhsQ1L3bqiapvAowZOLuPvAowZOLuwH:Y7M0dfIOcLD |
MD5: | 8FE7BCE45842A9855FEA472DA76BF940 |
SHA1: | B6EE349F4083C102DD55840D33A213480BB35BC1 |
SHA-256: | 93E1768BDDB1FF66F4DE6374ED5FE9DB9458141495A55C88E039BECB47C5CEBB |
SHA-512: | 5A59AAE7CE8FB220C5FEE4CC9658F9105E33E3E176C478447210763A6F86394C6D359474B5B4D91B33BCFC237BC02D670F1C29640728E60ABAA9AEEC194CD1FF |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{74F2B178-00AE-424F-83E7-BA599E828254}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.22102443317117917 |
Encrypted: | false |
SSDEEP: | 48:I32E3UrBcwO7h/8PV5jLqUAMU/cRMU/ck:K2E3Ccwch/QDjAMU0RMU0k |
MD5: | 2821462EBF84D7BED1E5C765DD2573B8 |
SHA1: | 445DC2799504E4508476ABB19B0AB29F9E862A09 |
SHA-256: | D19F0CE09DBC66219C5E1C2212EEEB73004DB533932038AFE394794027CBBD1E |
SHA-512: | 6A9FFA8B8042BFFBA3639C892CFC939F0AFE94053A3DA245B15F2EEC2E35EB784A04AEAEC85B68C3DF916AAD9839F465349EE215BD31980D4AEFCBD8C7D1A6D3 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.9540734219927023 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlz8T0wel8NL7Qig9k+czXzlf276:yPblzbRRDGjzXzt22 |
MD5: | 82D8CBB66D292D28791B2DDFCB3F2431 |
SHA1: | 520EB0F9D499C470FA6E7DC581134B56F6473333 |
SHA-256: | 0349FEF712B994680FB04C9BB1997B021C5F8DAE134F93182F18342945757049 |
SHA-512: | BC3A424CC3C84DDB2C65D4E0CE9B96DF1105DC15B179F78B1ACA24F7B5281895638751F9500B4BB0AF0A3041A66AE9DC4847365841445F8E8F2EC0D22E1FFD6B |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 6241 |
Entropy (8bit): | 4.836014560592255 |
Encrypted: | false |
SSDEEP: | 192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47 |
MD5: | A32050027AEA96B3B70E1056490A98C9 |
SHA1: | EF28C67583C8C8048C0BAAEAD036680A60441213 |
SHA-256: | E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433 |
SHA-512: | 1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C |
Malicious: | true |
Yara Hits: | |
Reputation: | low |
IE Cache URL: | http://185.234.247.119/123.RES |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FC6F522.RES
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 6241 |
Entropy (8bit): | 4.836014560592255 |
Encrypted: | false |
SSDEEP: | 192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47 |
MD5: | A32050027AEA96B3B70E1056490A98C9 |
SHA1: | EF28C67583C8C8048C0BAAEAD036680A60441213 |
SHA-256: | E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433 |
SHA-512: | 1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C |
Malicious: | true |
Yara Hits: | |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67F97180.RES
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 6241 |
Entropy (8bit): | 4.836014560592255 |
Encrypted: | false |
SSDEEP: | 192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47 |
MD5: | A32050027AEA96B3B70E1056490A98C9 |
SHA1: | EF28C67583C8C8048C0BAAEAD036680A60441213 |
SHA-256: | E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433 |
SHA-512: | 1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C |
Malicious: | true |
Yara Hits: | |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E8660B1F-DE23-4448-8E08-4E9A6601FD25}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 5632 |
Entropy (8bit): | 2.204971840955297 |
Encrypted: | false |
SSDEEP: | 12:rl3bn+kFIBmYwai621U/hCsSvuQWyRnNYnRn/5Co00RnNEKn7ivsS4CIsS4sS4Ch:r2BmK/eV8nNoWiCdeoG8noxoWi |
MD5: | DD3D8735358776F47F3F4588129200A6 |
SHA1: | 4510950838066EF408F0B44786FA17DAA6A9E0CC |
SHA-256: | D68FF93964AD863C958AE9FBA71F293622CA019543D8F2F32EA7FB77111A0DDB |
SHA-512: | 7EBA213F0D96CC2D32A1EA69EDAF384A6B4BBB96BD18F406145B21E6A925731C6951A1051266A65C9883B7AB11E0B3733C6F381151886282796DC9F390B98028 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{93886B29-9649-4D5E-975D-770BA1081A48}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2130 |
Entropy (8bit): | 1.1627960907898713 |
Encrypted: | false |
SSDEEP: | 6:/9IqgHu42sarhYkIuvgB4PxZUtr1iI5lN24NLRnyOLfEznRnyOLflqDmPm1PcV5:mbb2sOhYk5vnZA5Rn/YnRn/dom5 |
MD5: | 645EA66E0489C4D8B0D4877F7A930E07 |
SHA1: | 2961C4A1FDD07A4A6EFA47655C6087EB011B079E |
SHA-256: | ED0BFA2837448DD790D7C0450339FBAEF480535517847634136BF9F7F0B91468 |
SHA-512: | 0D1E3C8280255B0F329931CE8CE1810DFE32F5DA29A2FD9FE90B907A2546699B955D50519CE310BD63B5D84F5873F5FB3CCB0467FB48E47ABEA16962DC6BAACE |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E4F5B659-EE23-4A39-84D5-F59507B69C67}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.025702809661217164 |
Encrypted: | false |
SSDEEP: | 6:I3DPcx3t6JavxggLRKwsB4RXv//4tfnRujlw//+GtluJ/eRuj:I3DPI5+gvYg3J/ |
MD5: | 12657ECB0DD8B744608807DB5C70F0C7 |
SHA1: | 9CE71D2E2CADA6C25168A26FF71CDED28695D0A2 |
SHA-256: | 1AA90B3561CB40B6E35BBA8D20FDB007172F06FBF7E4ED1CC1AD1B7EF955E3E4 |
SHA-512: | F1FE88237F4D2648C52BBE4E138F6229EDD39E5CFD50DEBC92D782456EE6AF950E0146787199C8F108275A1557DDDE1CD3779AA4D1174A887E935FF1F69CA09B |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.02563601517038645 |
Encrypted: | false |
SSDEEP: | 6:I3DPc2sRc9avxggLRmk9XgLkrfdRXv//4tfnRujlw//+GtluJ/eRuj:I3DPxsGcVXFrbvYg3J/ |
MD5: | 22FA1EB8556154E2A6FECC5FA08D274E |
SHA1: | 615CD82CE3D9F9BF38FE78F0CF1A2754254A4B31 |
SHA-256: | C702AA3690D5FABD5D5F8B0376B275E34D9B5D23163A8CCDEAC7943625AFD06D |
SHA-512: | 1333A393635A4D08C1E07E54168659A7BC63E4745D914BDD1D91C81F0896C9CBBD8E1310B19FF563E9999FFA46676419DF1D1F8D1FA7274143F3281A074C7618 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 999 |
Entropy (8bit): | 4.518251587426856 |
Encrypted: | false |
SSDEEP: | 12:80rgXg/XAlCPCHaXBKBnB/xQpX+WquYWaitCicvbdF42NDtZ3YilMMEpxRljKYtX:8C/XTRKJIgbWttJe7xDv3qTaY7h |
MD5: | 51D4ED26C8705FBE83CB8C15EE3B2BD8 |
SHA1: | 342B0D8DF8E38387136D83AF766BE91256EF1A0B |
SHA-256: | 3D08E45B4B67ED3E1E498672E206F82C9D1F1842C85289E714F330E5E05D19BF |
SHA-512: | 59E59D8CE0395298163CC8FD031DBA03A56B2F9B3E8C19D3F8675811B6A463073F8BAA5B2A4E44E2811CB0E5B9FB97E755DFA3333EFA4E1F213C7D2E458EDE48 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 64 |
Entropy (8bit): | 4.601202445739505 |
Encrypted: | false |
SSDEEP: | 3:bDuMJlZIbFXCmxWKIbFXCv:bCSa6c |
MD5: | 538F5016C24249AC1799BBBB20B4BD97 |
SHA1: | 1B0ECD98E7D3BFECA78B00528138FA8D84F35BED |
SHA-256: | 249CC3AF3819FB4142D7A65254BD454ACF580489E19A50D71007A7E998B4A70F |
SHA-512: | E0E8040389BABFFD046E57AAD3ECFEE9A9171B4D00EC75EE3DF48710FC452C479692121776D17DCBCCC72E4A1CA0B6570484C007B282C9DBF05EDD34C9463EDA |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.4797606462020303 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl |
MD5: | 1674A1C7C99CD9FAADA789F5E2AEB335 |
SHA1: | 26D9E81D5ED584A899A94D5EA8945A5AE3403F85 |
SHA-256: | BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6 |
SHA-512: | B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.4797606462020303 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl |
MD5: | 1674A1C7C99CD9FAADA789F5E2AEB335 |
SHA1: | 26D9E81D5ED584A899A94D5EA8945A5AE3403F85 |
SHA-256: | BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6 |
SHA-512: | B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C |
Malicious: | true |
Preview: |
File type: | |
Entropy (8bit): | 7.869060797789825 |
TrID: | |
File name: | doc782.docx |
File size: | 10144 |
MD5: | e7015438268464cedad98b1544d643ad |
SHA1: | 03ef0e06d678a07f0413d95f0deb8968190e4f6b |
SHA256: | d20120cc046cef3c3f0292c6cbc406fcf2a714aa8e048c9188f1184e4bb16c93 |
SHA512: | d134d87c28acb758b897a287a9f6ce86776f384f43ee963f52b40e173b6bfcd9dc76e5f64b9a40b93d3bf2a5b988f842c27c90611a8b4408abd9e197191e4aad |
SSDEEP: | 192:s5VReDWRPj8Iugw1Blb8VPkf+CFk4v1Y2VveFLC9FJ9Q7dlpN2:snPj8I10lD9+2Vvx9qlpN2 |
TLSH: | A3228E3ADA5508B5CAD2A275E0AC0B2AD30C42BBB73BE9CB65C653E402C85DB0F5530C |
File Content Preview: | PK.........k.T...L....'.......[Content_Types].xml...n.0.E....m.NR....,.X...~...`.l.....C ......l....sg..'.m..kp^...Q4d...H..1.X...,.(.......x6..L.;.>.b.c.!...}.A!|d,h.....i.....K,....;....1.R.M'O..U....^WF.....Ub....6W.@.....(aM..r..3e....?J(#....7..S...p |
Icon Hash: | e4e6a2a2a4b4b4a4 |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
06/07/22-18:38:14.250872 | TCP | 2036726 | ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 7, 2022 18:38:04.559988022 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:04.587605953 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:04.587683916 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:04.587856054 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:04.615333080 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:04.615535021 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:04.615578890 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:10.103796005 CEST | 49174 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:10.131787062 CEST | 80 | 49174 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:10.131875992 CEST | 49174 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:10.132050991 CEST | 49174 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:10.160005093 CEST | 80 | 49174 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:10.160626888 CEST | 80 | 49174 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:10.372772932 CEST | 49174 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:10.388240099 CEST | 80 | 49174 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:10.388413906 CEST | 49174 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.112446070 CEST | 49175 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.140769958 CEST | 80 | 49175 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.140855074 CEST | 49175 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.141001940 CEST | 49175 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.171103954 CEST | 80 | 49175 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.171741962 CEST | 80 | 49175 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.222954988 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.250871897 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.250910044 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.250941992 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.250956059 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.250973940 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.250988007 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.251005888 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.251019001 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.251049042 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.382347107 CEST | 49175 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.401310921 CEST | 80 | 49175 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.401400089 CEST | 49175 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.639050961 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.674964905 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.675029039 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.681684017 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.709424973 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.709614038 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.734277010 CEST | 49174 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.762449980 CEST | 80 | 49174 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.802052975 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.829963923 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.830189943 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.975172043 CEST | 49174 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:14.990220070 CEST | 80 | 49174 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:14.990324020 CEST | 49174 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:15.016185045 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:38:15.044190884 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:38:15.044383049 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:39:15.056456089 CEST | 49174 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:39:17.564933062 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:39:19.173058987 CEST | 80 | 49175 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 18:39:19.173165083 CEST | 49175 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:39:19.173510075 CEST | 49175 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 18:39:19.201189041 CEST | 80 | 49175 | 185.234.247.119 | 192.168.2.22 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49173 | 185.234.247.119 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 7, 2022 18:38:04.587856054 CEST | 1 | OUT | |
Jun 7, 2022 18:38:04.615535021 CEST | 2 | IN | |
Jun 7, 2022 18:38:14.222954988 CEST | 4 | OUT | |
Jun 7, 2022 18:38:14.250871897 CEST | 6 | IN |