Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

airequipmentcorp-doc-08.11.2022.doc

Zip archive data, at least v2.0 to extract

initial sample

Details

Filetype:	Zip archive data, at least v2.0 to extract
Entropy:	7.993807361796733
Filename:	airequipmentcorp-doc-08.11.2022.doc
Filesize:	2297841
MD5:	84904f679048e45c43210c22f8fcc5df
SHA1:	7e23ee02e2543e51a2ad97b2ede96c441d34e6eb
SHA256:	78c296d80214d887820a3c55bc06fbc42b17db90fb01aef0766365b383f1e7f1
SHA512:	c7f757c4b357b72f8edc9988ef99dd73b2d0fb9c48f928a3d806c57fbc168b8d2d141a625a5ce76a4c7a6533708984d200031bc56d44b6d756e512cfd823b3d7
SSDEEP:	49152:tqI9FlNmHCQkEV8Uxd938Vx8Z3rm06VNN9hTobO3b1:4I9F3miQkimVi3rD6VP4aB
Preview:	PK..........!..U~............._rels/.rels...J.@............4.E..D.....$....T..w-..j........\|.zs..z..z.X.%(v......6O.{PI........`S__._x .C..CR....:....t..R......hI.3..H.Q...;..=..y... n.......yo.......[vrf..A..6..3[.>_...-K....\NH!....<..r...E.B..P...<_.

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Document contains an embedded VBA macro with suspicious strings	System Summary
Machine Learning detection for sample	AV Detection
Document contains an embedded VBA macro which executes code when the document is opened / closed	System Summary
Document contains embedded VBA macros	System Summary	Scripting
Sample is known by Antivirus	System Summary
Document contains an OLE Word Document stream indicating a Microsoft Word file	System Summary
Document contains summary information with irregular field values	System Summary
Submission file is bigger than most known malware samples	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

C:\Users\user\AppData\Local\Temp\y6CDC.tmp.dll

HTML document, ASCII text

modified

Details

File:	C:\Users\user\AppData\Local\Temp\y6CDC.tmp.dll
Category:	modified
Dump:	y6CDC.tmp.dll.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	HTML document, ASCII text
Entropy:	5.110875983732391
Encrypted:	false
Ssdeep:	6:pn0+Dy9xwGObRmEr6VnetdzRx3bIGKCezocKqD:J0+oxBeRmR9etdzRxbIYez1T
Size:	201
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (creates forbidden files)	Software Vulnerabilities	Exploitation for Client Execution

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rm[1].htm

HTML document, ASCII text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rm[1].htm
Category:	dropped
Dump:	rm[1].htm.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	HTML document, ASCII text
Entropy:	5.110875983732391
Encrypted:	false
Ssdeep:	6:pn0+Dy9xwGObRmEr6VnetdzRx3bIGKCezocKqD:J0+oxBeRmR9etdzRxbIYez1T
Size:	201
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\airequipmentcorp-doc-08.11.2022.LNK

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:53 2022, mtime=Tue Mar 8 15:45:53 2022, atime=Thu Aug 11 23:55:11 2022, length=2203070, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\airequipmentcorp-doc-08.11.2022.LNK
Category:	dropped
Dump:	airequipmentcorp-doc-08.11.2022.LNK.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:53 2022, mtime=Tue Mar 8 15:45:53 2022, atime=Thu Aug 11 23:55:11 2022, length=2203070, window=hide
Entropy:	4.556562729755983
Encrypted:	false
Ssdeep:	12:8HtbgXg/XAlCPCHaXRBktB/eLX+WjYW/xgi2LGejuicvbAKX9sxLG8DtZ3YilMM5:8H3/XThOMWW/xfKJeMM9KDv3qdu7D
Size:	1119
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Category:	dropped
Dump:	index.dat.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	ASCII text, with CRLF line terminators
Entropy:	4.790918623838269
Encrypted:	false
Ssdeep:	3:bDuMJlcMQJM3aBYUULX9omX1QM3aBYUULX9ov:bC3J+LX9Y+LX9y
Size:	113
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Category:	dropped
Dump:	~$Normal.dotm.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	data
Entropy:	2.503835550707525
Encrypted:	false
Ssdeep:	3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
Size:	162
Whitelisted:	false
Reputation:	moderate

C:\Users\user\Desktop\~$requipmentcorp-doc-08.11.2022.doc

data

dropped

Details

File:	C:\Users\user\Desktop\~$requipmentcorp-doc-08.11.2022.doc
Category:	dropped
Dump:	~$requipmentcorp-doc-08.11.2022.doc.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	data
Entropy:	2.503835550707525
Encrypted:	false
Ssdeep:	3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
Size:	162
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1404
Target ID:	0
Parent PID:	576
Name:	WINWORD.EXE
Class:	word
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Size:	1423704
MD5:	9EE74859D22DAE61F1750B3A1BACB6F5
Time:	17:55:12
Date:	11/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f630000
Modulesize:	1437696
Wow64:	false

URLs

Name

Malicious

http://45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm

45.8.146.139

Details

Name:	http://45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm
IP:	45.8.146.139
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

IPs

Domain

Country

Malicious

45.8.146.139

unknown

Russian Federation

Details

IP:	45.8.146.139
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Country:	Russian Federation
Countrycode:	RUS
ASN number:	44676
ASN name:	VMAGE-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

1//

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

90/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

&3/

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP5FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP6FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover

Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos

Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x

Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\65EF2

65EF2

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

WORDFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP5FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP6FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP5FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP6FilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

There are 20 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

5A0000

heap

page read and write

366000

heap

page read and write

6DE000

stack

page read and write

2C0000

heap

page read and write

10000

heap

page read and write

4CA000

stack

page read and write

1B6000

heap

page read and write

327000

heap

page read and write

17D000

stack

page read and write

58F000

stack

page read and write

7EFE0000

unkown

page readonly

35D000

heap

page read and write

AEF000

stack

page read and write

320000

heap

page read and write

2C4000

heap

page read and write

180000

heap

page read and write

There are 6 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
airequipmentcorp-doc-08.11.2022.doc

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportairequipmentcorp-doc-08.11.2022.doc

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
airequipmentcorp-doc-08.11.2022.doc