Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

cnewton doc 08.11.2022.doc

Zip archive data, at least v2.0 to extract

initial sample

Details

Filetype:	Zip archive data, at least v2.0 to extract
Entropy:	7.993716519832146
Filename:	cnewton doc 08.11.2022.doc
Filesize:	2343230
MD5:	ee1d6eb5b07b99e65fc0cb477193c35c
SHA1:	9d4dbf701c8ede93a79036dd5a0316da988a2eeb
SHA256:	23b9a20a59041fc7d484957e49ffa7e0f6dba7dbbec0628a4adb69c2e05863ab
SHA512:	869cdd01eb85cd12a1a27dc0099250e4fb33b3ed72a7e0375e80206b07b01aaff108ede1626de99f29c9a7cbc7524a4e4947b976be2e392b2d777c8df1fc54fc
SSDEEP:	49152:xyG/bJ98ozhp4kBA4Y0bRfqmlYOxtKW72swkql:QS8otukBbRfqUjRy7T
Preview:	PK..........!..U~............._rels/.rels...J.@............4.E..D.....$....T..w-..j........\|.zs..z..z.X.%(v......6O.{PI........`S__._x .C..CR....:....t..R......hI.3..H.Q...;..=..y... n.......yo.......[vrf..A..6..3[.>_...-K....\NH!....<..r...E.B..P...<_.

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Document contains an embedded VBA macro with suspicious strings	System Summary
Machine Learning detection for sample	AV Detection
Document contains an embedded VBA macro which executes code when the document is opened / closed	System Summary
Document contains embedded VBA macros	System Summary	Scripting
Sample is known by Antivirus	System Summary
Document contains an OLE Word Document stream indicating a Microsoft Word file	System Summary
Document contains summary information with irregular field values	System Summary
Submission file is bigger than most known malware samples	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

C:\Users\user\AppData\Local\Temp\y745B.tmp.dll

HTML document, ASCII text

modified

Details

File:	C:\Users\user\AppData\Local\Temp\y745B.tmp.dll
Category:	modified
Dump:	y745B.tmp.dll.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	HTML document, ASCII text
Entropy:	5.120826232488609
Encrypted:	false
Ssdeep:	6:pn0+Dy9xwGObRmEr6VnetdzRx3LZKCezocKqD:J0+oxBeRmR9etdzRxLFez1T
Size:	201
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (creates forbidden files)	Software Vulnerabilities	Exploitation for Client Execution

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\-f[1].htm

HTML document, ASCII text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\-f[1].htm
Category:	dropped
Dump:	-f[1].htm.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	HTML document, ASCII text
Entropy:	5.120826232488609
Encrypted:	false
Ssdeep:	6:pn0+Dy9xwGObRmEr6VnetdzRx3LZKCezocKqD:J0+oxBeRmR9etdzRxLFez1T
Size:	201
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\cnewton doc 08.11.2022.LNK

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:54 2022, mtime=Tue Mar 8 15:45:54 2022, atime=Fri Aug 12 00:35:14 2022, length=2248355, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\cnewton doc 08.11.2022.LNK
Category:	dropped
Dump:	cnewton doc 08.11.2022.LNK.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:54 2022, mtime=Tue Mar 8 15:45:54 2022, atime=Fri Aug 12 00:35:14 2022, length=2248355, window=hide
Entropy:	4.550387546578268
Encrypted:	false
Ssdeep:	12:8Lk19gXg/XAlCPCHaXBKBnB/xQpX+WZMfcfaiFGnicvbS5V7p9lAG9DtZ3YilMM4:8Li/XTRKJIHtneWhp9bDv3qgu7D
Size:	1074
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Category:	dropped
Dump:	index.dat.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	ASCII text, with CRLF line terminators
Entropy:	4.627376468057002
Encrypted:	false
Ssdeep:	3:bDuMJle+FXF7Uk9omX1c6FXF7Uk9ov:bCMXF7p9kuXF7p9y
Size:	95
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Category:	dropped
Dump:	~$Normal.dotm.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	data
Entropy:	2.503835550707525
Encrypted:	false
Ssdeep:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
Size:	162
Whitelisted:	false
Reputation:	moderate

C:\Users\user\Desktop\~$ewton doc 08.11.2022.doc

data

dropped

Details

File:	C:\Users\user\Desktop\~$ewton doc 08.11.2022.doc
Category:	dropped
Dump:	~$ewton doc 08.11.2022.doc.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	data
Entropy:	2.503835550707525
Encrypted:	false
Ssdeep:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
Size:	162
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2164
Target ID:	0
Parent PID:	576
Name:	WINWORD.EXE
Class:	word
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Size:	1423704
MD5:	9EE74859D22DAE61F1750B3A1BACB6F5
Time:	18:35:14
Date:	11/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f580000
Modulesize:	1437696
Wow64:	false

URLs

Name

Malicious

http://45.8.146.139/fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f

45.8.146.139

Details

Name:	http://45.8.146.139/fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f
IP:	45.8.146.139
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
IP address seen in connection with other malware	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

IPs

Domain

Country

Malicious

45.8.146.139

unknown

Russian Federation

Details

IP:	45.8.146.139
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Country:	Russian Federation
Countrycode:	RUS
ASN number:	44676
ASN name:	VMAGE-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

)l0

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

/m0

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

#o0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP5FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP6FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover

Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos

Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x

Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\666DE

666DE

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

WORDFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP5FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP6FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP5FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP6FilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

There are 20 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

277000

heap

page read and write

2B6000

heap

page read and write

AD000

stack

page read and write

6BA000

stack

page read and write

4F0000

heap

page read and write

150000

heap

page read and write

A6F000

stack

page read and write

7EFE0000

unkown

page readonly

186000

heap

page read and write

270000

heap

page read and write

2AD000

heap

page read and write

57F000

stack

page read and write

1630000

heap

page read and write

B2E000

stack

page read and write

10000

heap

page read and write

4F4000

heap

page read and write

There are 6 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
cnewton doc 08.11.2022.doc

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportcnewton doc 08.11.2022.doc

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
cnewton doc 08.11.2022.doc