
Windows Analysis Report
CMR ART009.docx

Overview

General Information

Sample name: CMR ART009.docx
Analysis ID: 1574189
MD5: 8d366af5bf2de7c8453c6886d3b1ad2a
SHA1: 820e87689644052965f835b03f2e70253fa78f0f
SHA256: 6590d9056b142452cc3133327c4a2d7d38175728b1512581b6abded3de8510a4

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected landing page (webpage, office document or email)
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Office viewer loads remote template
Sigma detected: Suspicious Microsoft Office Child Process
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample execution stops while process was sleeping (likely an evasion)

Classification

  • System is w10x64native
  • WINWORD.EXE (PID: 4816 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: E7F3B8EA1B06F46176FC5C35307727D6)
    • splwow64.exe (PID: 5564 cmdline: C:\Windows\splwow64.exe 12288 MD5: 3F93FFE9B04F940E7B0A1B3267814592)
    • EXCEL.EXE (PID: 2340 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding MD5: 14243BD2CC9F1814023132241A51E1C6)
    • EXCEL.EXE (PID: 6808 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding MD5: 14243BD2CC9F1814023132241A51E1C6)
      • splwow64.exe (PID: 6016 cmdline: C:\Windows\splwow64.exe 12288 MD5: 3F93FFE9B04F940E7B0A1B3267814592)
    • verclsid.exe (PID: 5368 cmdline: "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 81D41E225B8B55748FFB0D8747FE8BAC)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine: "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine|base64offset|contains: , Image: C:\Windows\System32\verclsid.exe, NewProcessName: C:\Windows\System32\verclsid.exe, OriginalFileName: C:\Windows\System32\verclsid.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 4816, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5, ProcessId: 5368, ProcessName: verclsid.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 4816, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
No Suricata rule has matched


AV Detection

Source: CMR ART009.docx | ReversingLabs: Detection: 50%
Source: CMR ART009.docx | Virustotal: Detection: 41%

Phishing

Source: Office document | Joe Sandbox AI: Page contains button: 'OPEN DOCUMENTS HERE' Source: 'Office document'
Source: Office document | Joe Sandbox AI: Office document contains QR code
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Source: excel.exe | Memory has grown: Private usage: 61MB later: 78MB
Source: winword.exe | Memory has grown: Private usage: 10MB later: 98MB
Source: classification engine | Classification label: mal68.expl.evad.winDOCX@9/16@0/0
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C12423DC-3A04-4298-914E-FA0649A95359}.tmp
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{084E90FA-858B-4056-AD69-CE1D78C6841C} - OProcSessId.dat
Source: CMR ART009.docx | OLE indicator, Word Document stream: true
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | OLE indicator, Workbook stream: true
Source: CMR ART009.docx | OLE document summary: title field not present or empty
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\verclsid.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Windows\System32\verclsid.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\verclsid.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\verclsid.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\verclsid.exe | Section loaded: apphelp.dll
Source: CMR ART009.docx.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\CMR ART009.docx
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: CMR ART009.docx | Initial sample: OLE zip file path = word/media/image2.emf
Source: CMR ART009.docx | Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/worksheets/sheet5.xml
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/drawings/vmlDrawing2.vml
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/drawings/drawing3.xml
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet4.xml.rels
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet5.xml.rels
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp1.xml
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp2.xml
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
Source: G 50 06-2024 SKIKDA.xlsx.0.dr | Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: CMR ART009.docx | Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: settings.xml.rels | Extracted files from sample: https://jktc.pro/whtkbb?&friction=vague&vein=miscreant&craftsman=gleaming&bug=flippant&mantel=upbeat&pew
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Section loaded: netapi32.dll and davhlpr.dll loaded
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 1834
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 7114
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information queried: ProcessInformation
MITRE ATT&CK tactics and techniques (number of matching signatures in parentheses):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Exploitation for Client Execution (1); Scheduled Task/Job; At; Cron; Launchd
Persistence: Browser Extensions (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Extra Window Memory Injection (1); Login Hook; Network Logon Script
Defense Evasion: Masquerading (3); Virtualization/Sandbox Evasion (1); Process Injection (1); DLL Side-Loading (1); Extra Window Memory Injection (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Process Discovery (1); Virtualization/Sandbox Evasion (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph (graphic not included): Behavior Graph ID: 1574189; Sample: CMR ART009.docx; Start date: 13/12/2024; Architecture: WINDOWS; Score: 68
Signatures attached to the sample node: Multi AV Scanner detection for submitted file; Contains an external reference to another file; Document exploit detected (process start blacklist hit); 2 other signatures
Signature attached to WINWORD.EXE: Office viewer loads remote template
File dropped by WINWORD.EXE: C:\Users\user\AppData\...\CMR ART009.docx.LNK (MS)
Process tree: WINWORD.EXE started EXCEL.EXE, splwow64.exe, EXCEL.EXE and verclsid.exe; the second EXCEL.EXE started splwow64.exe
Antivirus detection for the submitted file:
Source: CMR ART009.docx; Detection: 50%; Scanner: ReversingLabs; Label: Document-XML.Exploit.CVE-2017-0199
Source: CMR ART009.docx; Detection: 42%; Scanner: Virustotal
No Antivirus matches
Contacted domain:
Name: mira-tmc.tm-4.office.com; IP: 52.123.251.27; Active: true; Malicious: false; Reputation: high
No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1574189
    Start date and time:2024-12-13 03:30:17 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 13m 39s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
    Run name:Suspected VM Detection
    Number of new started processes analysed:14
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Sample name:CMR ART009.docx
    Detection:MAL
    Classification:mal68.expl.evad.winDOCX@9/16@0/0
    Cookbook Comments:
    • Found application associated with file extension: .docx
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Active ActiveX Object
    • Active ActiveX Object
    • Max analysis timeout: 600s exceeded, the analysis took too long
    • Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 52.111.227.11, 52.182.143.208, 52.109.20.38, 52.113.194.132, 52.111.227.13, 20.44.10.123, 51.116.246.105, 52.123.251.27, 40.126.28.23
    • Excluded domains from analysis (whitelisted): ecs.office.com, self-events-data.trafficmanager.net, onedscolprdgwc03.germanywestcentral.cloudapp.azure.com, self.events.data.microsoft.com, prod.configsvc1.live.com.akadns.net, scus-azsc-config.officeapps.live.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, prod.nexusrules.live.com.akadns.net, onedscolprdcus05.centralus.cloudapp.azure.com, ecs-office.s-0005.s-msedge.net, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, onedscolprdcus04.centralus.cloudapp.azure.com, nexusrules.officeapps.live.com, mira.config.skype.com
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtCreateFile calls found.
    • Report size getting too big, too many NtCreateKey calls found.
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtReadVirtualMemory calls found.
    • Report size getting too big, too many NtSetInformationFile calls found.
    Time: 21:32:46; Type: API Interceptor; Description: 22207403x Sleep call for process: splwow64.exe modified
    No context
    Match: mira-tmc.tm-4.office.com (other samples that contacted this domain, with the IP it resolved to in that analysis)
    • file.exe; Detection: malicious; Threat Name: Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar; Context: 52.123.243.177
    • 510005940.docx.doc; Detection: malicious; Threat Name: Unknown; Context: 52.123.243.184
    • OrderSheet.xla.xlsx; Detection: malicious; Threat Name: Unknown; Context: 52.123.243.178
    • TRANSFERENCIA COMPROBANTES.lnk; Detection: malicious; Threat Name: XenoRAT; Context: 52.123.243.181
    • List of required items.vbs; Detection: malicious; Threat Name: Unknown; Context: 52.123.243.179
    • K0Szg26cRh.doc; Detection: malicious; Threat Name: Unknown; Context: 52.123.243.180
    • Note no. ROC 2453-2024.doc; Detection: malicious; Threat Name: Unknown; Context: 52.123.243.181
    • https://trinasolarus-my.sharepoint.com/:f:/g/personal/matt_hutchison_trinasolar_com/EuTm6V8CKxFPmV0-8tDYkU8B7bgg8BNpE1Urptg3NNJsZw?e=bQub2M; Detection: malicious; Threat Name: Unknown; Context: 52.123.243.183
    • MdDRzxozMD.xlsx; Detection: malicious; Threat Name: Unknown; Context: 52.123.243.183
    • NEW ORDER #233.xlam.xlsx; Detection: malicious; Threat Name: Unknown; Context: 52.123.243.178
    No context
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):118
    Entropy (8bit):3.5700810731231707
    Encrypted:false
    SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
    MD5:573220372DA4ED487441611079B623CD
    SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
    SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
    SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
    Malicious:false
    Reputation:high, very likely benign file
    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):2278
    Entropy (8bit):3.839573090916458
    Encrypted:false
    SSDEEP:48:uiTrlKxsxxLfxl9Il8uQcT6jerF59wSsPMd1rc:vPYicT6je55e1Pr
    MD5:C9448801D85139163EB4BC5E97899DB3
    SHA1:26075C902964FCB1DC502FB7713D76BA155282D9
    SHA-256:D1F3946F03DCAAA049B3B33FFAA91605F375E39A702C6449978BA4ED4434217F
    SHA-512:12347D5DC7DF483E46BEE03087668B7A3BD437E8181052765F683492BEDD20E74549506657FA911FFF3619544C4E828AFB7ECD081D1237B1E71F9DB07CD9383E
    Malicious:false
    Reputation:low
    Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.E.E.W.o.Q.9.N.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.O.j.C.1.l.o.
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):4542
    Entropy (8bit):3.9949613960576493
    Encrypted:false
    SSDEEP:96:cYJN0QQii3CjqUTcg8xIensTyRl2Vy4OwGegXv2F:ciqQiZPnsTql28ygq
    MD5:A84E4D63B7DC73FDCAF46160F82FD893
    SHA1:CE3ACEA4E0C39C9174A0024B3B3A0429292C974F
    SHA-256:C378C4135D29B4FBF6B88F67A503DCD96FDB1FE6D37A3FE7537C70CA65DFE751
    SHA-512:165CD9C3E98E09686EB506581FB1AC4BC894A126B00BEB0CD0A4512676EB77E49739BA3B74E062697597ECD1AD0DED43FFB1C7EDDACBF824C61E1E9E4B326268
    Malicious:false
    Reputation:low
    Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".P.S.c.V.h.w.d.N.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.O.j.C.1.l.o.
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):96660
    Entropy (8bit):2.5837679002593497
    Encrypted:false
    SSDEEP:1536:Kc40wx0ikNs+zdNau7u2TXkLnAoH0STds10biZy0:wkWAoH0STC
    MD5:994229B2E2F729428CD701E326E11469
    SHA1:65ABAD93FCA7C686EAF9C16958B046510189C104
    SHA-256:7FE6559C24703ACF28EB04AA43D69D3858D9A59A7095DDD3D801775AE4846E2E
    SHA-512:344B423CBC9ED49FEFEF9D1E7B0FE3E5FCD8574F5B9AEC1CE179265FFD0741BC8FE79709132A85E593D32EBB413CA7973E64FE309C74B6A264CC394303E10152
    Malicious:false
    Preview:....l........... ....................... EMF.....y..........................8...l...T................u.. 0..F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!......."...........!......."...........................!.......%.......................................................................%...........%...........K..............."...........!...............................................!.......K..............."...........!...............................................!......."...........!...............................................!......."...........!...............................................!......."...........!...............................................!.......'......................%..................................L...d...........W...v...........X...w...!..............?...........?................................'.......................%...........(.......................L...
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):97644
    Entropy (8bit):2.8938841171820995
    Encrypted:false
    SSDEEP:384:LQmJ4yzuqK7jqLO6DI9v7d5Prtd9SDkBmyE0Ld47SdarOQ3Z1V2QOtiidyl0jXRo:L4KizHrtjmSdarOQTv
    MD5:84BA3C6FF9323418DFAAEA0290E73C5B
    SHA1:1B46B09650E390A30E37BE19964138BF8FDBD60B
    SHA-256:F310C5EB3EC4DFDBA85FD4AD05570F37FF0D9C7C8DCDB21345EB9964C835B7B5
    SHA-512:7DF7C13DF95377B0FC80F438C037FC8C744774DA01F8B0A2DA2D3A51BBDBAAE95F7092259CE4B46BF6A848FC669A5D225176198A5A4DE186CB84E69586B121ED
    Malicious:false
    Preview:....l...............M...........)...7... EMF....l}..Z.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................N..."...........!...................................................N..."...........!...................................................N..."...........!...................................................N..."...........!...................................................N...'......................%..........................................................L...d...........q...............r.......!..............?...........?................................'.......................%...........(.......................L...d...q...............q...........
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):96060
    Entropy (8bit):2.5837996451824186
    Encrypted:false
    SSDEEP:1536:HcuOQxgCkwM5/dWaqNQWz3sLZAoH0STds10biZy0:VkXAoH0STC
    MD5:149EA4EAFBBFB229E5037748E03BF10C
    SHA1:7FFC2A2D1F2B0B3D383FF000CC1315B4DCE8D274
    SHA-256:1B6ADD7FFB1D009C6881671C00C238176F9D88AA8365C852D5557104BC5F1514
    SHA-512:3FF0752BD070E2C1F90BD569FFAC04A9031075DEF89327376D423D508DCA8EB842216F703FFFC34D075A54354414B14078F6AD3C8AB04FE0B4A8E42236AF350A
    Malicious:false
    Preview:....l........... ....................... EMF....<w..........................8...l...T................u.. 0..F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!......."...........!......."...........................!.......%.......................................................................%...........%...........K..............."...........!...............................................!.......K..............."...........!...............................................!......."...........!...............................................!......."...........!...............................................!......."...........!...............................................!.......'......................%..................................L...d...........W...v...........X...w...!..............?...........?................................'.......................%...........(.......................L...
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):95964
    Entropy (8bit):2.5874630432581296
    Encrypted:false
    SSDEEP:1536:Qcf+QxTCkRM5/dYaqEQWz36hLsAoH0STds10biZy0:sk9GAoH0STC
    MD5:491A42199DCCEBEE8F55FF2DA2441381
    SHA1:EDBB2D2E6F9BB53BE61C3AFB9853D7B6BCFC229B
    SHA-256:B66130AEC152A796529A053D30F77A33009DE7D22984F8AE09DBDF29351DCB84
    SHA-512:B1921ADB19A3D068791B0BA8E01643D06EB61E2865E769E09A7F405E2B3E43D651DE95CE02E7A0F9614A16CC379AF023A3461008AC7B6FD412F89697D3E405A8
    Malicious:false
    Preview:....l........... ....................... EMF.....v..........................8...l...T................u.. 0..F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!......."...........!......."...........................!.......%.......................................................................%...........%...........K..............."...........!...............................................!.......K..............."...........!...............................................!......."...........!...............................................!......."...........!...............................................!......."...........!...............................................!.......'......................%..................................L...d...........W...v...........X...w...!..............?...........?................................'.......................%...........(.......................L...
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):7392
    Entropy (8bit):5.625010366507759
    Encrypted:false
    SSDEEP:96:3q1blJaXn/08zDefAm/luoOHo6MiDbDda91RjTBbPxmPAWmOHuRY:3oTNAK4oOIGbK1RvVwPAWmOH1
    MD5:617A127B3E0FDEF0778C2F508CDA7B41
    SHA1:149784230B2202BBF25EDBEEC1D53085F1F50EA1
    SHA-256:DB6E0B643E7DF2ADF770109C59829A2DAE15B58902C7F3AB837973158CD55DF4
    SHA-512:EEBD6039B4BCA2B545586BEB617D90E238B0106EB18BE41E0AF3D33B44CEFC0787DF5CCABA07105216C8178705209460AD17FD2306958B916F9BD162EB334A8B
    Malicious:false
    Preview:....l...............<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.......d....................u...u....t....\....u......u.<.u.7..t.....u.\\.u?..t.......t.\.....w8y............u....w....$.....a.d.......t.u.*X.t.....X.t@t..8y..x......-...$.u.6=.w................<.\w.[Pw....X.Z.....\........................Qwdv......%...................................r.......[...........'...[.......(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD?^KHCcNJFfOJFiQMHlSPJoUPLrWRMvYSPx[UR{]XQ~^XS._ZT.a[U.c\U.e^V.e^X.g`Y.hbY.jaZ.jb\.ld].ld].nd^.nf^.
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):96780
    Entropy (8bit):2.582626926441759
    Encrypted:false
    SSDEEP:1536:R/cf+QxIikTsz/dDaOzw2TXHu2AoH0STds10biZy0:R8kkAoH0STC
    MD5:49B1FE485AD4DFE4CE336AA29E75856B
    SHA1:4CDC036AB7A9003E35061CF0D986925E8BA0A532
    SHA-256:8478FF70C8D788698E155DC6577612DF99FD8D168FE76F92604C1951001768B0
    SHA-512:43969D782A5CCF5C8C9D4761A1987FE8A443D4D1A9C2079083B89F766C1011F28E49935FAB8B7D8C830D889C2697D447801CB9B771EFB05A4AD3A7690E1A67C9
    Malicious:false
    Preview:....l........... ....................... EMF.....z..........................8...l...T................u.. 0..F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!......."...........!......."...........................!.......%.......................................................................%...........%...........K..............."...........!...............................................!.......K..............."...........!...............................................!......."...........!...............................................!......."...........!...............................................!......."...........!...............................................!.......'......................%..................................L...d...........W...v...........X...w...!..............?...........?................................'.......................%...........(.......................L...
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft Excel 2007+
    Category:dropped
    Size (bytes):38971
    Entropy (8bit):7.714275544485921
    Encrypted:false
    SSDEEP:768:fIn6WqQw0TJ7t7XGvdfBwEhkY2FXV7hyZK7pSOqJqb:A6t0tytSEqlF7oZTpIb
    MD5:D002DEB2631FFD8072C540692E5990F4
    SHA1:97D66B498849964BD44CE33DE14AF5A26F44331B
    SHA-256:84A720AE192846078648C7445B123CFF9DF3B89BCA032B7329EC46874C2A8A4C
    SHA-512:DBE2D4872F6824C731062D68BA302014EA09D1C0C271382238FEF68F8E7291503C8414D19344D1F156072A1D2227ED3DD932CE8B7EE9AF3EBCC3C1750DF923C0
    Malicious:false
    Preview:PK..........!....V....K.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................V_O.0.......uJ\.L.j..l......}m.:..;J..)....D./...?..|..e..$...........Y).>.....Iy.\.P.....|.2~\E..g{,EE...D]A....<.LC...g...\.@..F?....SN....oa...e...{...z...5T.P1:...P....I..S....\3t.1.2X.P.,3.. bc(....G.*xf+.+...[....>.x.mR/.a.AC....v......^%..j^\.t.%..S..b7.k..AQ+.7.......}..,........Dt|?...'...t.'9.....0{..i...>.-.>.J%0...s6......0..k._..h.....S.(7.C.k.a....=......,.].[2.{..3...<.y0....6..7._D..%....M\.t
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:ASCII text, with CRLF line terminators
    Category:modified
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:3:gAWY3n:qY3n
    MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
    SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
    SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
    SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
    Malicious:false
    Preview:[ZoneTransfer]..ZoneId=3..
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 12 19:31:59 2024, mtime=Fri Dec 13 01:32:28 2024, atime=Fri Dec 13 01:32:25 2024, length=76421, window=hide
    Category:dropped
    Size (bytes):521
    Entropy (8bit):4.721161827394141
    Encrypted:false
    SSDEEP:6:4xtQl3KX/KPAp3t7/6k0rrWNljAl5tC2nRmCDmWdW6iewJVrH9VrHmllvGmrGt:8RKPYN6hryjA+sDmdew37FmCt
    MD5:95048B9027C2013F07DAB93E6D9C8943
    SHA1:DB9C4616130C668344C7E8E19864C5ECC77A23F9
    SHA-256:A48602F601E5073E9103B078EDB70308644CE28FB82AF7136E65A6F2EE8A9856
    SHA-512:2A03804ED747199A2D4FD871891DD90276E0EBA6592E36A732144DEC1D597D6F1505F00477A83FB9B05E9275F22087781ACEDB5A40D43F9A1D1BBFBDA0BF454E
    Malicious:true
    Preview:L..................F.... ....<...L..;..@.M...p.>.M...*......................n.l.2..*...Y.. .CMRART~1.DOC..P......Y...Y......e......................hY.C.M.R. .A.R.T.0.0.9...d.o.c.x.......V...............-.......U...........[........C:\Users\user\Desktop\CMR ART009.docx..&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C.M.R. .A.R.T.0.0.9...d.o.c.x.`.......X.......928100..............n4UB.. .|..o........G.P..#.....n4UB.. .|..o........G.P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Generic INItialization configuration [misc]
    Category:dropped
    Size (bytes):82
    Entropy (8bit):4.7718290668211525
    Encrypted:false
    SSDEEP:3:bDuMJl+qsqK6SmxWto1+qK6Sv:bCU5gCc
    MD5:B622FFAC4647A97D62F568A9D82B7BCF
    SHA1:7A45A61A4F5132915B97827A502579FC2030FDEF
    SHA-256:6495089474CAE49C94CCC5636ABD500C8D167A6C21D1925EC9F81A03CA2C5DB3
    SHA-512:1668A61F20AF97B5EA99F5849AE34B59CD33BCAFA17E2637D267F26FD79FAF8EDBF10A5412573E8EFB868BE816613AAD37B220CC564D729DE71A8FEE38AA84E6
    Malicious:false
    Preview:[folders]..Templates.LNK=0..CMR ART009.docx.LNK=0..[misc]..CMR ART009.docx.LNK=0..
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.7295408526632032
    Encrypted:false
    SSDEEP:3:6NmltlylDQNTprTliOnlNAH32V6B//FQn:mSmMDrMOjI32gBXq
    MD5:BCFEE51E0CD024044C9FBB68F3F90928
    SHA1:98D4149D62D3B0B7127AF3C06827489DB6DF700C
    SHA-256:8FEB7D39EEE30A125DA0F6D0973331B6EAA270F8C9050507330D36E9BC478CC9
    SHA-512:B9C62B89A5A28E6C4B1683CDCA1D6C1DD5E4C7BBE73A51547CFD231C0A9C611747C8095D3AE3F6D5CA36A31C862B0B429131E58A129DB513FFADE8E67952D994
    Malicious:false
    Preview:.user.................................................A.r.t.h.u.r...............O.....r....GK......................GK..................2......?.M...........Geu
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):18
    Entropy (8bit):2.725480556997868
    Encrypted:false
    SSDEEP:3:Qkh1QNIl:Qk8W
    MD5:D1F4EBCAA7623D3DBFBF051D65AB1130
    SHA1:A51DDF1371C35784AA2AF44C5EE706285B378CF7
    SHA-256:A838F07E91D01FCF6874D4F5495F69B9E6AB483D367E0E188A809700DC0D0AAE
    SHA-512:EC32CB4736C75066947B9478B644F550D8B48510D98B4E2D065DFF2219F94D76E83AC886D9FEE795580C17C33388A8B7AA858F71754C97A34CAF976B21B17448
    Malicious:false
    Preview:..A.r.t.h.u.r.....
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.7521323568150318
    Encrypted:false
    SSDEEP:3:6NmltlylDQNST2k2l6kHiYU7lpl/FQn:mSmMG2kTkCYU7lDq
    MD5:2AF52F53A9DF2EF96305A9EB87EF22FD
    SHA1:3BBB197D42B7A45FD2398A823F21213C22308600
    SHA-256:997E79CA76489BCD09B81866EDB0D654FFC5C36925614F19B114C9E51DC793A1
    SHA-512:718ACD191D46F069302980491464C103CD53CA6D7F0C889D78C7923417676C95DCE0398D63CD9B293F8EEE35A68617FE264B8D0BFA10B74EA93D28283A47447B
    Malicious:false
    Preview:.user.................................................A.r.t.h.u.r...............O...........*.......................*.......p.>.M..o...2....@.M...........Geu
    File type:Microsoft Word 2007+
    Entropy (8bit):7.988921116771216
    TrID:
    • Word Microsoft Office Open XML Format document (49504/1) 58.23%
    • Word Microsoft Office Open XML Format document (27504/1) 32.35%
    • ZIP compressed archive (8000/1) 9.41%
    File name:CMR ART009.docx
    File size:76'421 bytes
    MD5:8d366af5bf2de7c8453c6886d3b1ad2a
    SHA1:820e87689644052965f835b03f2e70253fa78f0f
    SHA256:6590d9056b142452cc3133327c4a2d7d38175728b1512581b6abded3de8510a4
    SHA512:db9d686d3b30b8437261d32c73b6b5a64e1239baa05835d66b175c97a075d989a4a0ee02d8a2aa3a4c509252d9b7f180eae6da2f65cebfe5c32328f2912e151d
    SSDEEP:1536:Xte6trQ5lcyjRgDJYIq1tI34qbjfU3jmgzIY0I7B7+B0aE:ylchDJqMZUzmgMY77ZaE
    TLSH:967302B298719AEDC78A817719C8223DD388990F5F4F411EAB62C6FD94BF0774751141
    File Content Preview:PK........~h.YU...............[Content_Types].xmlUT.....Zg..Zg..Zg.TKO.0..#...|E.....5...G@...\{.z./y.h.=..T..)P.$.g..<.......2..Zq..D.AGc......._.BR.(...b.(.'?N..U........t!%..x.ML.8.....g.....5.y>...:..@5..1._C...U..|.;.. ..>.H.B...V.a.....:v..`.~..i...
    Icon Hash:35e5c48caa8a8599
    Document Type:OpenXML
    Number of OLE Files:1
    Has Summary Info:
    Application Name:
    Encrypted Document:False
    Contains Word Document Stream:True
    Contains Workbook/Book Stream:False
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:False
    Flash Objects Count:0
    Contains VBA Macros:False
    Title:
    Subject:
    Author:91974
    Keywords:
    Template:Normal.dotm
    Last Saved By:91974
    Revision Number:2
    Total Edit Time:1
    Create Time:2024-12-11T10:06:00Z
    Last Saved Time:2024-12-11T10:07:00Z
    Number of Pages:1
    Number of Words:8
    Number of Characters:51
    Creating Application:Microsoft Office Word
    Security:0
    Number of Lines:1
    Number of Paragraphs:1
    Thumbnail Scaling Desired:false
    Company:Grizli777
    Contains Dirty Links:false
    Shared Document:false
    Changed Hyperlinks:false
    Application Version:12.0000
    General
    Stream Path:\x1Ole10Native
    CLSID:
    File Type:data
    Stream Size:39490
    Entropy:7.696361051343165
    Base64 Encoded:True
    Data ASCII:> . . . . G 5 0 0 6 - 2 0 2 4 S K I K D A . x l s x . C : \\ U s e r s \\ 9 1 9 7 4 \\ O n e D r i v e \\ D e s k t o p \\ W o r d F i l e \\ N E W F I L E S \\ G 5 0 0 6 - 2 0 2 4 S K I K D A . x l s x . . . . . = . . . C : \\ U s e r s \\ 9 1 9 7 4 \\ A p p D a t a \\ L o c a l \\ T e m p \\ G 5 0 0 6 - 2 0 2 4 S K I K D A . x l s x . ; . . P K . . . . . . . . . . ! . . V . . . K . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:3e 9a 00 00 02 00 47 20 35 30 20 20 20 30 36 2d 32 30 32 34 20 53 4b 49 4b 44 41 2e 78 6c 73 78 00 43 3a 5c 55 73 65 72 73 5c 39 31 39 37 34 5c 4f 6e 65 44 72 69 76 65 5c 44 65 73 6b 74 6f 70 5c 57 6f 72 64 46 69 6c 65 5c 4e 45 57 46 49 4c 45 53 5c 47 20 35 30 20 20 20 30 36 2d 32 30 32 34 20 53 4b 49 4b 44 41 2e 78 6c 73 78 00 00 00 03 00 3d 00 00 00 43 3a 5c 55 73 65 72 73 5c 39
    General
    Stream Path:\x3ObjInfo
    CLSID:
    File Type:data
    Stream Size:6
    Entropy:1.2516291673878228
    Base64 Encoded:False
    Data ASCII:. . . . . .
    Data Raw:00 00 03 00 0d 00
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Dec 13, 2024 03:32:27.229990959 CET | 1.1.1.1 | 192.168.11.20 | 0x1976 | No error (0) | svc.ha-teams.office.com | mira-tmc.tm-4.office.com | | CNAME (Canonical name) | IN (0x0001) | false
    Dec 13, 2024 03:32:27.229990959 CET | 1.1.1.1 | 192.168.11.20 | 0x1976 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.251.27 | A (IP address) | IN (0x0001) | false
    Dec 13, 2024 03:32:27.229990959 CET | 1.1.1.1 | 192.168.11.20 | 0x1976 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.251.36 | A (IP address) | IN (0x0001) | false
    Dec 13, 2024 03:32:27.229990959 CET | 1.1.1.1 | 192.168.11.20 | 0x1976 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.251.62 | A (IP address) | IN (0x0001) | false
    Dec 13, 2024 03:32:27.229990959 CET | 1.1.1.1 | 192.168.11.20 | 0x1976 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.251.55 | A (IP address) | IN (0x0001) | false
    Dec 13, 2024 03:32:27.229990959 CET | 1.1.1.1 | 192.168.11.20 | 0x1976 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.251.30 | A (IP address) | IN (0x0001) | false
    Dec 13, 2024 03:32:27.229990959 CET | 1.1.1.1 | 192.168.11.20 | 0x1976 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.251.72 | A (IP address) | IN (0x0001) | false
    Dec 13, 2024 03:32:27.229990959 CET | 1.1.1.1 | 192.168.11.20 | 0x1976 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.251.1 | A (IP address) | IN (0x0001) | false
    Dec 13, 2024 03:32:27.229990959 CET | 1.1.1.1 | 192.168.11.20 | 0x1976 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.251.9 | A (IP address) | IN (0x0001) | false

    Target ID:0
    Start time:21:32:25
    Start date:12/12/2024
    Path:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    Imagebase:0x7ff62cd20000
    File size:1'635'104 bytes
    MD5 hash:E7F3B8EA1B06F46176FC5C35307727D6
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:false

    Target ID:7
    Start time:21:32:46
    Start date:12/12/2024
    Path:C:\Windows\splwow64.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\splwow64.exe 12288
    Imagebase:0x7ff67c7f0000
    File size:136'192 bytes
    MD5 hash:3F93FFE9B04F940E7B0A1B3267814592
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:8
    Start time:21:32:46
    Start date:12/12/2024
    Path:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
    Imagebase:0x7ff60d1c0000
    File size:64'236'848 bytes
    MD5 hash:14243BD2CC9F1814023132241A51E1C6
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:9
    Start time:21:32:47
    Start date:12/12/2024
    Path:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
    Imagebase:0x7ff60d1c0000
    File size:64'236'848 bytes
    MD5 hash:14243BD2CC9F1814023132241A51E1C6
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:false

    Target ID:10
    Start time:21:32:49
    Start date:12/12/2024
    Path:C:\Windows\System32\verclsid.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5
    Imagebase:0x7ff7d24e0000
    File size:13'824 bytes
    MD5 hash:81D41E225B8B55748FFB0D8747FE8BAC
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Target ID:11
    Start time:21:32:49
    Start date:12/12/2024
    Path:C:\Windows\splwow64.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\splwow64.exe 12288
    Imagebase:0x7ff67c7f0000
    File size:136'192 bytes
    MD5 hash:3F93FFE9B04F940E7B0A1B3267814592
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:false

    No disassembly