Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

TranQuangDai.docx

Microsoft Word 2007+

initial sample

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\10BDC45B4A27319429BBC4F08A4E8A10

data

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, 61476 bytes, 1 file

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD

data

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\10BDC45B4A27319429BBC4F08A4E8A10

data

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD

data

dropped

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

data

dropped

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{44059877-72AB-4C9A-8258-B3A4CC3F341F}.FSD

data

modified

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

data

dropped

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

data

dropped

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A1B857E3-B132-4673-AC9F-79338C2FA8BB}.FSD

data

dropped

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

data

dropped

C:\Users\user\AppData\Local\Temp\Cab68B2.tmp

Microsoft Cabinet archive data, 61476 bytes, 1 file

dropped

C:\Users\user\AppData\Local\Temp\Tar68B3.tmp

data

dropped

C:\Users\user\AppData\Local\Temp\{2BA8F08F-11BD-48DD-91CA-8557D0F641F7}

data

dropped

C:\Users\user\AppData\Local\Temp\{6D5470AD-7571-4443-B52C-CEA4592715E2}

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

data

dropped

C:\Users\user\Desktop\~$anQuangDai.docx

data

dropped

There are 9 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1144
Target ID:	0
Parent PID:	576
Name:	WINWORD.EXE
Class:	word
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Size:	1423704
MD5:	9EE74859D22DAE61F1750B3A1BACB6F5
Time:	12:30:12
Date:	10/06/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f480000
Modulesize:	1437696
Wow64:	false

URLs

Name

Malicious

http://zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt

unknown

Domains

Name

Malicious

updatebkav.cf

203.171.20.127

Details

Name:	updatebkav.cf
IP:	203.171.20.127
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Contains an external reference to another file	Persistence and Installation Behavior
Detected suspicious Microsoft Office reference URL	Exploits	Exploitation for Client Execution
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

crt.sectigo.com

91.199.212.52

zerossl.crt.sectigo.com

unknown

IPs

Domain

Country

Malicious

203.171.20.127

updatebkav.cf

Viet Nam

Details

IP:	203.171.20.127
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Country:	Viet Nam
Countrycode:	VNM
ASN number:	45903
ASN name:	CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN
Private:	false
Domain:	updatebkav.cf

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

=%+

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

s'+

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

r)+

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache

Version

HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\C81A8BD1F9CF6D84C525F378CA1D3F8C30770E34

Blob

HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C

Blob

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache

Count