Windows Analysis Report
MuUeMZphCk.docx

Overview

General Information

Sample Name: MuUeMZphCk.docx
Analysis ID: 794514
MD5: cda4155d33b715f31315a9247d56ed3d
SHA1: 7a495ae1b4c9132d0afb9b058e049cc71c5a5a55
SHA256: 62243a041c28b5f98f0d29780250bf83e61a85523ddce855745f94d381006615
Tags: CVE-2022-30190docx
Infos:

Detection

Follina CVE-2022-30190
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Contains an external reference to another file
Detected suspicious Microsoft Office reference URL
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: MuUeMZphCk.docx Avira: detected
Multi AV Scanner detection for submitted file
Source: MuUeMZphCk.docx ReversingLabs: Detection: 46%
Source: MuUeMZphCk.docx Virustotal: Detection: 50% Perma Link
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C92CD5.htm Avira: detection malicious, Label: JS/CVE-2022-30190.G

Exploits
barindex
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C92CD5.htm, type: DROPPED
Detected suspicious Microsoft Office reference URL
Source: document.xml.rels Extracted files from sample: http://baza-novostei.name/dir/info/priny/t.html!
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 195.201.110.47:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown HTTPS traffic detected: 195.201.110.47:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown HTTPS traffic detected: 195.201.110.47:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 195.201.110.47:443 -> 192.168.2.22:49176 version: TLS 1.2
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49173
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49176
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49177
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49178
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49179
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 195.201.110.47:443 -> 192.168.2.22:49180
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49174
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 195.201.110.47:80
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49172
Source: global traffic TCP traffic: 195.201.110.47:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: baza-novostei.name
Source: global traffic DNS query: name: baza-novostei.name
Source: global traffic DNS query: name: baza-novostei.name
Source: global traffic DNS query: name: baza-novostei.name
Source: global traffic DNS query: name: baza-novostei.name
Source: global traffic DNS query: name: baza-novostei.name
Source: global traffic DNS query: name: baza-novostei.name
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 195.201.110.47:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.201.110.47:80

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 195.201.110.47:443 -> 192.168.2.22:49176
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /dir/info/priny/t.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: baza-novostei.nameConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dir/info/priny/t.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: baza-novostei.nameConnection: Keep-AliveIf-Modified-Since: Sun, 29 Jan 2023 13:29:26 GMTIf-None-Match: "63d674b6-18c0"
Source: global traffic HTTP traffic detected: GET /dir/info/priny/t.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: baza-novostei.nameConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dir/info/priny/t.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: baza-novostei.nameConnection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 195.201.110.47:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown HTTPS traffic detected: 195.201.110.47:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown HTTPS traffic detected: 195.201.110.47:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr String found in binary or memory: http://baza-novostei.name/dir/info/priny/t.html
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr String found in binary or memory: http://baza-novostei.name/dir/info/priny/t.htmlyX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{87D8FFE7-04E6-4C98-8E49-7EEE49FEBDC8}.tmp Jump to behavior
Source: unknown DNS traffic detected: queries for: baza-novostei.name
Source: global traffic HTTP traffic detected: GET /dir/info/priny/t.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: baza-novostei.nameConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dir/info/priny/t.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: baza-novostei.nameConnection: Keep-AliveIf-Modified-Since: Sun, 29 Jan 2023 13:29:26 GMTIf-None-Match: "63d674b6-18c0"
Source: global traffic HTTP traffic detected: GET /dir/info/priny/t.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: baza-novostei.nameConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dir/info/priny/t.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: baza-novostei.nameConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 195.201.110.47:443 -> 192.168.2.22:49176 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: document.xml.rels, type: SAMPLE Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
Yara signature match
Source: sslproxydump.pcap, type: PCAP Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: sslproxydump.pcap, type: PCAP Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: document.xml.rels, type: SAMPLE Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C92CD5.htm, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C92CD5.htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: MuUeMZphCk.docx ReversingLabs: Detection: 46%
Source: MuUeMZphCk.docx Virustotal: Detection: 50%
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: MuUeMZphCk.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\MuUeMZphCk.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$UeMZphCk.docx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR5A4F.tmp Jump to behavior
Source: classification engine Classification label: mal96.expl.evad.winDOCX@1/20@7/1
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior
barindex
Contains an external reference to another file
Source: document.xml.rels Extracted files from sample: http://baza-novostei.name/dir/info/priny/t.html!
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 794514 Sample: MuUeMZphCk.docx Startdate: 30/01/2023 Architecture: WINDOWS Score: 96 14 baza-novostei.name 2->14 18 Snort IDS alert for network traffic 2->18 20 Malicious sample detected (through community Yara rule) 2->20 22 Antivirus detection for dropped file 2->22 24 5 other signatures 2->24 6 WINWORD.EXE 294 59 2->6         started        signatures3 process4 dnsIp5 16 baza-novostei.name 195.201.110.47, 443, 49171, 49172 HETZNER-ASDE Germany 6->16 10 C:\Users\user\AppData\Local\...\F29C8AAB.htm, HTML 6->10 dropped 12 C:\Users\user\AppData\Local\...\B0C92CD5.htm, HTML 6->12 dropped file6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
195.201.110.47
 baza-novostei.name Germany
24940 HETZNER-ASDE true

Contacted Domains

Name IP Active
baza-novostei.name 195.201.110.47 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://baza-novostei.name/dir/info/priny/t.html true
  • 3%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://baza-novostei.name/dir/info/priny/t.html true
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown