Windows Analysis Report
C1ZGt61uGv

Overview

General Information

Sample Name: C1ZGt61uGv (renamed file extension from none to docx)
Analysis ID: 686026
MD5: 98998af843c2c938c079a102abe6c73d
SHA1: b1a1dda90b3df0ba5f23430a6c55c48a9c3dbe9d
SHA256: b0cfd511498cbaed084fa622cfeb1a07de7478205cbff58cb40cb89091813593
Infos:

Detection

Follina CVE-2022-30190
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Contains an external reference to another file
Detected suspicious Microsoft Office reference URL
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: C1ZGt61uGv.docx Avira: detected
Multi AV Scanner detection for submitted file
Source: C1ZGt61uGv.docx Virustotal: Detection: 45% Perma Link
Source: C1ZGt61uGv.docx Metadefender: Detection: 25% Perma Link
Source: C1ZGt61uGv.docx ReversingLabs: Detection: 35%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\535F33EE.htm Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEAC362C.htm Avira: detection malicious, Label: JS/CVE-2022-30190.G

Exploits
barindex
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\535F33EE.htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEAC362C.htm, type: DROPPED
Detected suspicious Microsoft Office reference URL
Source: document.xml.rels Extracted files from sample: https://dullghostwhitetwintext.karewen.repl.co/index.html!
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.22:49180 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 35.186.245.55:443 -> 192.168.2.22:49173 version: TLS 1.2
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 34.149.204.188:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49181
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49181
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49181
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49181
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49181
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49181
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49181
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49181
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49181
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49181
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49181
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49181
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49182
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49182
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49182
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49182
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49182
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49182
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49182
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49182
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 35.186.245.55:443 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: dullghostwhitetwintext.karewen.repl.co
Source: global traffic DNS query: name: dullghostwhitetwintext.karewen.repl.co
Source: global traffic DNS query: name: dullghostwhitetwintext.karewen.repl.co
Source: global traffic DNS query: name: dullghostwhitetwintext.karewen.repl.co
Source: global traffic DNS query: name: dullghostwhitetwintext.karewen.repl.co
Source: global traffic DNS query: name: dullghostwhitetwintext.karewen.repl.co
Source: global traffic DNS query: name: dullghostwhitetwintext.karewen.repl.co
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 34.149.204.188:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2025010 ET TROJAN Powershell commands sent B64 1 35.186.245.55:443 -> 192.168.2.22:49176
Source: Traffic Snort IDS: 2025010 ET TROJAN Powershell commands sent B64 1 35.186.245.55:443 -> 192.168.2.22:49181
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /index.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: dullghostwhitetwintext.karewen.repl.coConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /index.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: dullghostwhitetwintext.karewen.repl.coConnection: Keep-Alive
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.22:49180 version: TLS 1.0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 207Content-Type: text/html; charset=utf-8Date: Thu, 18 Aug 2022 02:23:07 GMTExpect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"Replit-Cluster: globalServer: Werkzeug/2.1.2 Python/3.8.12Strict-Transport-Security: max-age=7758095; includeSubDomainsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 207Content-Type: text/html; charset=utf-8Date: Thu, 18 Aug 2022 02:23:24 GMTExpect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"Replit-Cluster: globalServer: Werkzeug/2.1.2 Python/3.8.12Strict-Transport-Security: max-age=7758077; includeSubDomainsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 207Content-Type: text/html; charset=utf-8Date: Thu, 18 Aug 2022 02:23:27 GMTExpect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"Replit-Cluster: globalServer: Werkzeug/2.1.2 Python/3.8.12Strict-Transport-Security: max-age=7758074; includeSubDomainsConnection: close
Source: ~WRF{4AF4D387-AD82-4BF6-994E-7F9F57B3DDFD}.tmp.0.dr, ~WRS{D894BCB6-25AA-45DC-81E3-B0273BF56D57}.tmp.0.dr String found in binary or memory: https://dullghostwhitetwintext.karewen.repl.co/index.html
Source: ~WRF{4AF4D387-AD82-4BF6-994E-7F9F57B3DDFD}.tmp.0.dr String found in binary or memory: https://dullghostwhitetwintext.karewen.repl.co/index.htmlyX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{92861601-980D-49B7-B60E-86BDABC4A51A}.tmp Jump to behavior
Source: unknown DNS traffic detected: queries for: dullghostwhitetwintext.karewen.repl.co
Source: global traffic HTTP traffic detected: GET /index.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: dullghostwhitetwintext.karewen.repl.coConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /index.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: dullghostwhitetwintext.karewen.repl.coConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 35.186.245.55:443 -> 192.168.2.22:49173 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: document.xml.rels, type: SAMPLE Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
Yara signature match
Source: sslproxydump.pcap, type: PCAP Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: document.xml.rels, type: SAMPLE Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\535F33EE.htm, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\535F33EE.htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEAC362C.htm, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEAC362C.htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{4AF4D387-AD82-4BF6-994E-7F9F57B3DDFD}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C1ZGt61uGv.docx Virustotal: Detection: 45%
Source: C1ZGt61uGv.docx Metadefender: Detection: 25%
Source: C1ZGt61uGv.docx ReversingLabs: Detection: 35%
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C1ZGt61uGv.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\C1ZGt61uGv.docx
Source: C1ZGt61uGv.docx OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ZGt61uGv.docx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6279.tmp Jump to behavior
Source: classification engine Classification label: mal96.expl.evad.winDOCX@1/20@7/2
Source: C1ZGt61uGv.docx OLE document summary: title field not present or empty
Source: C1ZGt61uGv.docx OLE document summary: edited time not present or 0
Source: ~WRF{4AF4D387-AD82-4BF6-994E-7F9F57B3DDFD}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{4AF4D387-AD82-4BF6-994E-7F9F57B3DDFD}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{4AF4D387-AD82-4BF6-994E-7F9F57B3DDFD}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C1ZGt61uGv.docx Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior
barindex
Contains an external reference to another file
Source: document.xml.rels Extracted files from sample: https://dullghostwhitetwintext.karewen.repl.co/index.html!
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 686026 Sample: C1ZGt61uGv Startdate: 18/08/2022 Architecture: WINDOWS Score: 96 16 dullghostwhitetwintext.karewen.repl.co 2->16 22 Snort IDS alert for network traffic 2->22 24 Malicious sample detected (through community Yara rule) 2->24 26 Antivirus detection for dropped file 2->26 28 5 other signatures 2->28 6 WINWORD.EXE 295 62 2->6         started        signatures3 process4 dnsIp5 18 dullghostwhitetwintext.karewen.repl.co 35.186.245.55, 443, 49173, 49176 GOOGLEUS United States 6->18 20 34.149.204.188, 443, 49174, 49175 ATGS-MMD-ASUS United States 6->20 10 C:\Users\user\AppData\Local\...\FEAC362C.htm, HTML 6->10 dropped 12 C:\Users\user\AppData\Local\...\535F33EE.htm, HTML 6->12 dropped 14 C:\Users\user\AppData\Local\...\index[1].htm, HTML 6->14 dropped file6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
35.186.245.55
 dullghostwhitetwintext.karewen.repl.co United States
15169 GOOGLEUS false
34.149.204.188
 unknown United States
2686 ATGS-MMD-ASUS false

Contacted Domains

Name IP Active
dullghostwhitetwintext.karewen.repl.co 35.186.245.55 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://dullghostwhitetwintext.karewen.repl.co/index.html false
    		high