Edit tour

Windows Analysis Report
rcNDmdah2W.doc

Overview

General Information

Sample name:	rcNDmdah2W.doc renamed because original name is a hash value
Original sample name:	4eab5c5775c41de887ba4e589ab8cf4340236da73a68a68d26cbb7f34e0546f7.doc
Analysis ID:	1574598
MD5:	7aa2c6c221a36ac19ce795a370cc4e29
SHA1:	dfbe7f7af54a9b315fc4f868726f050ab106294d
SHA256:	4eab5c5775c41de887ba4e589ab8cf4340236da73a68a68d26cbb7f34e0546f7
Tags:	docSideWinderuser-JAMESWT_MHT
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Microsoft Office launches external ms-search protocol handler (WebDAV)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Contains an external reference to another file

Office viewer loads remote template

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sigma detected: Suspicious Office Outbound Connections

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3236 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
_rels\document.xml.rels	INDICATOR_OLE_RemoteTemplate	Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents	ditekSHen	0x481:$olerel: relationships/oleObject 0x49a:$target1: Target="http 0x4f3:$mode: TargetMode="External

Sigma Signatures

System Summary

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49165, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3236, Protocol: tcp, SourceIp: 114.55.89.54, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3236, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3236, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Suricata Signatures

ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T13:15:27.997658+0100	2055190	1	A Network Trojan was detected	192.168.2.22	49165	114.55.89.54	443	TCP
2024-12-13T13:15:40.949381+0100	2055190	1	A Network Trojan was detected	192.168.2.22	49166	114.55.89.54	443	TCP
2024-12-13T13:15:48.773400+0100	2055190	1	A Network Trojan was detected	192.168.2.22	49168	114.55.89.54	443	TCP
2024-12-13T13:15:54.087126+0100	2055190	1	A Network Trojan was detected	192.168.2.22	49170	114.55.89.54	443	TCP
2024-12-13T13:15:58.583414+0100	2055190	1	A Network Trojan was detected	192.168.2.22	49171	114.55.89.54	443	TCP
2024-12-13T13:16:05.155417+0100	2055190	1	A Network Trojan was detected	192.168.2.22	49173	114.55.89.54	443	TCP
2024-12-13T13:16:10.225575+0100	2055190	1	A Network Trojan was detected	192.168.2.22	49175	114.55.89.54	443	TCP

ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T13:15:22.949636+0100	2038860	1	Domain Observed Used for C2 Detected	192.168.2.22	54562	8.8.8.8	53	UDP
2024-12-13T13:15:23.957927+0100	2038860	1	Domain Observed Used for C2 Detected	192.168.2.22	54562	8.8.8.8	53	UDP
2024-12-13T13:15:32.076387+0100	2038860	1	Domain Observed Used for C2 Detected	192.168.2.22	52917	8.8.8.8	53	UDP
2024-12-13T13:15:33.083694+0100	2038860	1	Domain Observed Used for C2 Detected	192.168.2.22	52917	8.8.8.8	53	UDP
2024-12-13T13:15:33.423167+0100	2038860	1	Domain Observed Used for C2 Detected	192.168.2.22	62751	8.8.8.8	53	UDP
2024-12-13T13:15:34.424771+0100	2038860	1	Domain Observed Used for C2 Detected	192.168.2.22	62751	8.8.8.8	53	UDP
2024-12-13T13:15:43.885790+0100	2038860	1	Domain Observed Used for C2 Detected	192.168.2.22	57893	8.8.8.8	53	UDP
2024-12-13T13:15:44.892281+0100	2038860	1	Domain Observed Used for C2 Detected	192.168.2.22	57893	8.8.8.8	53	UDP
2024-12-13T13:15:45.253546+0100	2038860	1	Domain Observed Used for C2 Detected	192.168.2.22	54821	8.8.8.8	53	UDP
2024-12-13T13:15:54.713140+0100	2038860	1	Domain Observed Used for C2 Detected	192.168.2.22	54719	8.8.8.8	53	UDP
2024-12-13T13:15:54.855339+0100	2038860	1	Domain Observed Used for C2 Detected	192.168.2.22	49881	8.8.8.8	53	UDP
2024-12-13T13:16:00.518052+0100	2038860	1	Domain Observed Used for C2 Detected	192.168.2.22	54998	8.8.8.8	53	UDP
2024-12-13T13:16:00.642918+0100	2038860	1	Domain Observed Used for C2 Detected	192.168.2.22	52781	8.8.8.8	53	UDP

ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T13:15:22.949636+0100	2055162	1	A Network Trojan was detected	192.168.2.22	54562	8.8.8.8	53	UDP
2024-12-13T13:15:23.957927+0100	2055162	1	A Network Trojan was detected	192.168.2.22	54562	8.8.8.8	53	UDP
2024-12-13T13:15:32.076387+0100	2055162	1	A Network Trojan was detected	192.168.2.22	52917	8.8.8.8	53	UDP
2024-12-13T13:15:33.083694+0100	2055162	1	A Network Trojan was detected	192.168.2.22	52917	8.8.8.8	53	UDP
2024-12-13T13:15:33.423167+0100	2055162	1	A Network Trojan was detected	192.168.2.22	62751	8.8.8.8	53	UDP
2024-12-13T13:15:34.424771+0100	2055162	1	A Network Trojan was detected	192.168.2.22	62751	8.8.8.8	53	UDP
2024-12-13T13:15:43.885790+0100	2055162	1	A Network Trojan was detected	192.168.2.22	57893	8.8.8.8	53	UDP
2024-12-13T13:15:44.892281+0100	2055162	1	A Network Trojan was detected	192.168.2.22	57893	8.8.8.8	53	UDP
2024-12-13T13:15:45.253546+0100	2055162	1	A Network Trojan was detected	192.168.2.22	54821	8.8.8.8	53	UDP
2024-12-13T13:15:54.713140+0100	2055162	1	A Network Trojan was detected	192.168.2.22	54719	8.8.8.8	53	UDP
2024-12-13T13:15:54.855339+0100	2055162	1	A Network Trojan was detected	192.168.2.22	49881	8.8.8.8	53	UDP
2024-12-13T13:16:00.518052+0100	2055162	1	A Network Trojan was detected	192.168.2.22	54998	8.8.8.8	53	UDP
2024-12-13T13:16:00.642918+0100	2055162	1	A Network Trojan was detected	192.168.2.22	52781	8.8.8.8	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: rcNDmdah2W.doc

ReversingLabs: Detection: 36%

Source: unknown

HTTPS traffic detected: 114.55.89.54:443 -> 192.168.2.22:49171 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: global traffic	DNS query: name: mofadividion.ptcl-gov.com
Source: global traffic	DNS query: name: mofadividion.ptcl-gov.com
Source: global traffic	DNS query: name: mofadividion.ptcl-gov.com
Source: global traffic	DNS query: name: mofadividion.ptcl-gov.com
Source: global traffic	DNS query: name: mofadividion.ptcl-gov.com
Source: global traffic	DNS query: name: mofadividion.ptcl-gov.com
Source: global traffic	DNS query: name: mofadividion.ptcl-gov.com
Source: global traffic	DNS query: name: mofadividion.ptcl-gov.com
Source: global traffic	DNS query: name: mofadividion.ptcl-gov.com
Source: global traffic	DNS query: name: mofadividion.ptcl-gov.com
Source: global traffic	DNS query: name: mofadividion.ptcl-gov.com
Source: global traffic	DNS query: name: mofadividion.ptcl-gov.com
Source: global traffic	DNS query: name: mofadividion.ptcl-gov.com

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 114.55.89.54:443

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 114.55.89.54:443
Source: global traffic	TCP traffic: 114.55.89.54:443 -> 192.168.2.22:49175

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2038860 - Severity 1 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com) : 192.168.2.22:54562 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2055162 - Severity 1 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com) : 192.168.2.22:54562 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2038860 - Severity 1 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com) : 192.168.2.22:52917 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2038860 - Severity 1 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com) : 192.168.2.22:52781 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2055162 - Severity 1 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com) : 192.168.2.22:52917 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2055162 - Severity 1 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com) : 192.168.2.22:52781 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2038860 - Severity 1 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com) : 192.168.2.22:57893 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2055162 - Severity 1 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com) : 192.168.2.22:57893 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2055190 - Severity 1 - ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI) : 192.168.2.22:49173 -> 114.55.89.54:443
Source: Network traffic	Suricata IDS: 2055190 - Severity 1 - ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI) : 192.168.2.22:49166 -> 114.55.89.54:443
Source: Network traffic	Suricata IDS: 2038860 - Severity 1 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com) : 192.168.2.22:54998 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2055162 - Severity 1 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com) : 192.168.2.22:54998 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2038860 - Severity 1 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com) : 192.168.2.22:54821 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2055162 - Severity 1 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com) : 192.168.2.22:54821 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2055190 - Severity 1 - ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI) : 192.168.2.22:49175 -> 114.55.89.54:443
Source: Network traffic	Suricata IDS: 2055190 - Severity 1 - ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI) : 192.168.2.22:49168 -> 114.55.89.54:443
Source: Network traffic	Suricata IDS: 2055190 - Severity 1 - ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI) : 192.168.2.22:49165 -> 114.55.89.54:443
Source: Network traffic	Suricata IDS: 2038860 - Severity 1 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com) : 192.168.2.22:62751 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2055190 - Severity 1 - ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI) : 192.168.2.22:49170 -> 114.55.89.54:443
Source: Network traffic	Suricata IDS: 2055190 - Severity 1 - ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI) : 192.168.2.22:49171 -> 114.55.89.54:443
Source: Network traffic	Suricata IDS: 2055162 - Severity 1 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com) : 192.168.2.22:62751 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2038860 - Severity 1 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com) : 192.168.2.22:49881 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2055162 - Severity 1 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com) : 192.168.2.22:49881 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2038860 - Severity 1 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com) : 192.168.2.22:54719 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2055162 - Severity 1 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com) : 192.168.2.22:54719 -> 8.8.8.8:53

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: unknown

HTTPS traffic detected: 114.55.89.54:443 -> 192.168.2.22:49171 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A7637A8B-232A-4C9D-AD88-33F77F399EE9}.tmp

Jump to behavior

Source: global traffic

DNS traffic detected: DNS query: mofadividion.ptcl-gov.com

Source: ~WRS{C538C006-CC9B-485B-874D-E099D08C4F56}.tmp.0.dr

String found in binary or memory: https://mofadividion.ptcl-gov.com/5724/1/3268/2/0/0/0/m/files-11e30891/file.rtf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: _rels\document.xml.rels, type: SAMPLE

Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen

Source: _rels\document.xml.rels, type: SAMPLE

Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents

Source: classification engine

Classification label: mal80.evad.winDOC@1/23@13/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$NDmdah2W.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR8036.tmp

Jump to behavior

Source: rcNDmdah2W.doc	OLE indicator, Word Document stream: true
Source: msoA5D6.tmp.0.dr	OLE indicator, Word Document stream: true

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: rcNDmdah2W.doc

ReversingLabs: Detection: 36%

Source: rcNDmdah2W.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\rcNDmdah2W.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: rcNDmdah2W.doc

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: \Device\RdpDr\;:1\mofadividion.ptcl-gov.com@SSL\DavWWWRoot

Jump to behavior

Contains an external reference to another file

Source: _rels\document.xml.rels

Extracted files from sample: https://mofadividion.ptcl-gov.com/5724/1/3268/2/0/0/0/m/files-11e30891/file.rtf

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rcNDmdah2W.doc	37%	ReversingLabs	Document-Word.Downloader.Donoff

Source	Detection	Scanner	Label	Link
https://mofadividion.ptcl-gov.com/5724/1/3268/2/0/0/0/m/files-11e30891/file.rtf	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mofadividion.ptcl-gov.com	114.55.89.54	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://mofadividion.ptcl-gov.com/5724/1/3268/2/0/0/0/m/files-11e30891/file.rtf	~WRS{C538C006-CC9B-485B-874D-E099D08C4F56}.tmp.0.dr	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
114.55.89.54	mofadividion.ptcl-gov.com	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574598
Start date and time:	2024-12-13 13:14:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rcNDmdah2W.doc renamed because original name is a hash value
Original Sample Name:	4eab5c5775c41de887ba4e589ab8cf4340236da73a68a68d26cbb7f34e0546f7.doc
Detection:	MAL
Classification:	mal80.evad.winDOC@1/23@13/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, svchost.exe
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: rcNDmdah2W.doc

Input	Output
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Downloading", "prominent_button_name": "Cancel", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Contacting the server for information.", "prominent_button_name": "Cancel", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 17 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Contacting the server for information.", "prominent_button_name": "Cancel", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Downloading", "prominent_button_name": "Cancel", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Downloading", "prominent_button_name": "Cancel", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Copy also forwarded for information to:", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 21 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Do you want to save changes you made to Document1?", "prominent_button_name": "Save", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Copy also forwarded for information to:", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Click here to view document", "prominent_button_name": "Go To", "text_input_field_labels": [ "Error Description", "Location" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Copy also forward", "prominent_button_name": "Go To", "text_input_field_labels": [ "Error Description", "Location" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 20 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Do you want to save changes you made to Document1?", "prominent_button_name": "Save", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Word found unreadable content in rch\mdah2W. Do you want to recover the contents of this document? If you trust the source of this document, click Yes.", "prominent_button_name": "Yes", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 18 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Do you want to save changes you made to Document1?", "prominent_button_name": "Save", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "The file (D:\Domain\2\) cannot be opened because there are problems with the contents.", "prominent_button_name": "OK", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 19 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Do you want to save changes you made to Document1?", "prominent_button_name": "Save", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PROVIDENT FUND", "prominent_button_name": "Go To", "text_input_field_labels": [ "SUBJECT-" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 21 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Word" ] }
	{ "brands": [ "Microsoft Word" ] }
URL: Screenshot id: 17 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 20 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }
URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 18 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Word" ] }
	{ "brands": [ "Microsoft Word" ] }
URL: Screenshot id: 19 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Word" ] }
	{ "brands": [ "Microsoft Word" ] }
URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
114.55.89.54	Payment-251124.exe	Get hash	malicious	FormBook	Browse	www.buckser.info/4a2y/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	artifact.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	118.31.122.36
	3.exe	Get hash	malicious	CobaltStrike, ReflectiveLoader	Browse	101.37.34.164
	3.exe	Get hash	malicious	CobaltStrike	Browse	101.37.34.164
	1.exe	Get hash	malicious	CobaltStrike	Browse	101.37.34.164
	arm7.nn-20241213-0355.elf	Get hash	malicious	Mirai, Okiru	Browse	59.83.11.245
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	8.149.48.177
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	112.125.98.26
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	47.104.176.150
	b3astmode.mpsl.elf	Get hash	malicious	Mirai	Browse	223.7.237.157
	b3astmode.ppc.elf	Get hash	malicious	Mirai	Browse	8.188.217.36

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	SLNA_Updated_Medical_Grant_Application(1).docx	Get hash	malicious	Unknown	Browse	114.55.89.54
	CMR ART009.docx	Get hash	malicious	Unknown	Browse	114.55.89.54
	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse	114.55.89.54
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	114.55.89.54
	510005940.docx.doc	Get hash	malicious	Unknown	Browse	114.55.89.54
	invoice09850.xls	Get hash	malicious	Remcos	Browse	114.55.89.54
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	114.55.89.54
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	114.55.89.54
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	114.55.89.54
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	114.55.89.54

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025527862132460118
Encrypted:	false
SSDEEP:	6:I3DPcROCgHvxggLREKmgliPxvRXv//4tfnRujlw//+GtluJ/eRuj:I3DPAOCwIg455vYg3J/
MD5:	F3E8C50E3FF3DC8223B886269877FE06
SHA1:	5AC5F6F4813E5BDDA01E5A36D4C06A7EE9A6A577
SHA-256:	26D5344A2A0D731BA1D2C2513B474DE68E801C8E23B69F0BF579B034B90DB077
SHA-512:	A1D1288814C4D92F6A8C1D0B7C2FD1A3E4E3E2F012D6B74E79D6D6BA598E6617AB42E576E9233E39CB6D9F6435E9DB03887A52BDE6F7EADB3ED425B0226648AD
Malicious:	false
Reputation:	low
Preview:	......M.eFy...zV.Vu..~A.a.....S,...X.F...Fa.q............................{h6@..E..m?$[...........6.\|..AG.\|l./d.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D3603C.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.408877036242436
Encrypted:	false
SSDEEP:	3:wcezDHulxkAMviHAn:wJvYxJDHA
MD5:	912FF26AC760112B12167F902F17ECFD
SHA1:	AC2D2544F0607A40D2255A04AEDE580AC91F4673
SHA-256:	1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3
SHA-512:	E837E4EE45800980D4001A80988224641538FD2F26A18BB5E9A68EBBEA7A97F47AACC5B81FE9105931CDA6DD2A721D5F7DE880417560096C1E779EAF5C6D82F7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<Default Extension="emf" ContentType="image/x-emf"/>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3115AF98.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.408877036242436
Encrypted:	false
SSDEEP:	3:wcezDHulxkAMviHAn:wJvYxJDHA
MD5:	912FF26AC760112B12167F902F17ECFD
SHA1:	AC2D2544F0607A40D2255A04AEDE580AC91F4673
SHA-256:	1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3
SHA-512:	E837E4EE45800980D4001A80988224641538FD2F26A18BB5E9A68EBBEA7A97F47AACC5B81FE9105931CDA6DD2A721D5F7DE880417560096C1E779EAF5C6D82F7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<Default Extension="emf" ContentType="image/x-emf"/>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43C4F166.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.408877036242436
Encrypted:	false
SSDEEP:	3:wcezDHulxkAMviHAn:wJvYxJDHA
MD5:	912FF26AC760112B12167F902F17ECFD
SHA1:	AC2D2544F0607A40D2255A04AEDE580AC91F4673
SHA-256:	1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3
SHA-512:	E837E4EE45800980D4001A80988224641538FD2F26A18BB5E9A68EBBEA7A97F47AACC5B81FE9105931CDA6DD2A721D5F7DE880417560096C1E779EAF5C6D82F7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<Default Extension="emf" ContentType="image/x-emf"/>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7C2D6A64.jpeg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1589x2269, components 3
Category:	dropped
Size (bytes):	454054
Entropy (8bit):	7.847430416886664
Encrypted:	false
SSDEEP:	6144:wbcBowLZc2lysUhOwRJAToIqOgNG7jt1OWr62HwzhDKGykl4Luiupzxj91K:wwpVtRwRiToIqr+iWmFzhDt4qiEm
MD5:	36A76B9E86DEE297AD073E1D71611D05
SHA1:	71B7489424654DC8A6D7C7466789DE595D990FB3
SHA-256:	08BD491928A27919728398DA4A3A8AC8659EBA40DAF9DBF122F272EB92867A45
SHA-512:	3097BF5FD33C109060D2F7C27726FCED6B86BD20F7A6A629C818F66CF7D51CD47522898B5099E25A38FC0204BD3942069660DD5CBEFC5AD58935029DB23768D3
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........5.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E309212.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.408877036242436
Encrypted:	false
SSDEEP:	3:wcezDHulxkAMviHAn:wJvYxJDHA
MD5:	912FF26AC760112B12167F902F17ECFD
SHA1:	AC2D2544F0607A40D2255A04AEDE580AC91F4673
SHA-256:	1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3
SHA-512:	E837E4EE45800980D4001A80988224641538FD2F26A18BB5E9A68EBBEA7A97F47AACC5B81FE9105931CDA6DD2A721D5F7DE880417560096C1E779EAF5C6D82F7
Malicious:	false
Preview:	<Default Extension="emf" ContentType="image/x-emf"/>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B46D7B31.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.408877036242436
Encrypted:	false
SSDEEP:	3:wcezDHulxkAMviHAn:wJvYxJDHA
MD5:	912FF26AC760112B12167F902F17ECFD
SHA1:	AC2D2544F0607A40D2255A04AEDE580AC91F4673
SHA-256:	1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3
SHA-512:	E837E4EE45800980D4001A80988224641538FD2F26A18BB5E9A68EBBEA7A97F47AACC5B81FE9105931CDA6DD2A721D5F7DE880417560096C1E779EAF5C6D82F7
Malicious:	false
Preview:	<Default Extension="emf" ContentType="image/x-emf"/>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA763F15.jpeg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1589x2269, components 3
Category:	dropped
Size (bytes):	364910
Entropy (8bit):	7.832325636145698
Encrypted:	false
SSDEEP:	6144:zr4kD7kg/tRaIvyw5yTEhWGTO94uZR0ZmMUZ2fOgOHwsc:zrf7kGHa/Eyd0OGYSZmBkOgOPc
MD5:	C6C03425F4D5BEDB53D7746F59C1002A
SHA1:	83E310D86AE81D8DE7D20AF793230A37D5A577D6
SHA-256:	4F3447D478A3D8677B9CC473E11F32F97BAA582B5A84D8501129EF80EB1B763C
SHA-512:	6B9E27846D82E2EEDEA8FC4B3AB6AB5B4E98B25D1225EA02BBC596A683DC0C2ADEB1C91AFF14243278DF83BC4C08896AAAB3E4EAEA8A6E2E8532D85A96E8736F
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........5.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...f....G".V.PFE>.(...(...(...(...(...(...(...(...(...(...(...(...(...(...d..6._..}.>.(...(..K'...;e...'...).P.E.P.E.P.E.P.E.P.E.P.Q$..e..Dj..#.l.{..~.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..+..u......_1.G.`.X.9..2q..b.(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..........\|.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE5D5567.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.408877036242436
Encrypted:	false
SSDEEP:	3:wcezDHulxkAMviHAn:wJvYxJDHA
MD5:	912FF26AC760112B12167F902F17ECFD
SHA1:	AC2D2544F0607A40D2255A04AEDE580AC91F4673
SHA-256:	1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3
SHA-512:	E837E4EE45800980D4001A80988224641538FD2F26A18BB5E9A68EBBEA7A97F47AACC5B81FE9105931CDA6DD2A721D5F7DE880417560096C1E779EAF5C6D82F7
Malicious:	false
Preview:	<Default Extension="emf" ContentType="image/x-emf"/>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D06DC77E.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.408877036242436
Encrypted:	false
SSDEEP:	3:wcezDHulxkAMviHAn:wJvYxJDHA
MD5:	912FF26AC760112B12167F902F17ECFD
SHA1:	AC2D2544F0607A40D2255A04AEDE580AC91F4673
SHA-256:	1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3
SHA-512:	E837E4EE45800980D4001A80988224641538FD2F26A18BB5E9A68EBBEA7A97F47AACC5B81FE9105931CDA6DD2A721D5F7DE880417560096C1E779EAF5C6D82F7
Malicious:	false
Preview:	<Default Extension="emf" ContentType="image/x-emf"/>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D66C96EB.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.408877036242436
Encrypted:	false
SSDEEP:	3:wcezDHulxkAMviHAn:wJvYxJDHA
MD5:	912FF26AC760112B12167F902F17ECFD
SHA1:	AC2D2544F0607A40D2255A04AEDE580AC91F4673
SHA-256:	1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3
SHA-512:	E837E4EE45800980D4001A80988224641538FD2F26A18BB5E9A68EBBEA7A97F47AACC5B81FE9105931CDA6DD2A721D5F7DE880417560096C1E779EAF5C6D82F7
Malicious:	false
Preview:	<Default Extension="emf" ContentType="image/x-emf"/>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4984BF0.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.408877036242436
Encrypted:	false
SSDEEP:	3:wcezDHulxkAMviHAn:wJvYxJDHA
MD5:	912FF26AC760112B12167F902F17ECFD
SHA1:	AC2D2544F0607A40D2255A04AEDE580AC91F4673
SHA-256:	1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3
SHA-512:	E837E4EE45800980D4001A80988224641538FD2F26A18BB5E9A68EBBEA7A97F47AACC5B81FE9105931CDA6DD2A721D5F7DE880417560096C1E779EAF5C6D82F7
Malicious:	false
Preview:	<Default Extension="emf" ContentType="image/x-emf"/>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoA5D6.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	745770
Entropy (8bit):	7.997693280277053
Encrypted:	true
SSDEEP:	12288:/PlUMskI+N9OKy/44q9CtbIwGyNoZKjbR0Nygt7x+DiPE+pGsMVZFxl6Yo:/P2MzH0tswGKjbR0AgjntpGsMVZDC
MD5:	43BDD79B5512296FE3D16DCA5522663F
SHA1:	D7E3841EA27ABEA580F44364BB95EB6EDE0B6AE5
SHA-256:	C22D2D21EAA9511FD84DF3B64E715F9E9909355D0297EEC3F9904839018B9013
SHA-512:	4E7623C183D286A3A9F3D9C3789CB471548F4501A431BCA8BA33296F6E61350ED5F9AEF1DA60D0506327A8DA0493EE6C9F575C8FDD9F5FC20D8CD0BB5CB27274
Malicious:	false
Preview:	PK..........!.{.\|...........[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.N.0..7.......1....K%.....Fu=.-....`.q2.p......t0Z.........I@s#..s.6yJoI...UFCNV..hxy1..,.....d......)(.3cA.0N..KWR..'+.^.z7...@.4D.2.<@.fUH...{..TA....(..."~...m.\|X([A.....{.fm%9....k..&.$..Y..Si.....U.\|O.+.....8) .3....T.>v.z....,-6MQH..1SXu..Z.".H..H.z>......".....D...{j..I9x.7YU.Y1...jK^.(..M.{...{..0...4.!.4...C..m!.8....S>.s....On...\....z.!o.....~.......PK..........!.........N......._rels/.rels ...(.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{BDAC67AA-44FA-4D88-AB02-BCE04AC508ED}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A7637A8B-232A-4C9D-AD88-33F77F399EE9}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C538C006-CC9B-485B-874D-E099D08C4F56}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	2.2544553565617265
Encrypted:	false
SSDEEP:	12:8CvltebYcZBW0lFegN4lx1tK7HbtJWkwSGJk5u:jPelu0SlxC7HbtOBf
MD5:	BD268E089D33EF83C9DDAA6637D1C2B7
SHA1:	F83C7A94D76F027C367AA69DFBF680F82DCB17DF
SHA-256:	7D93E8D3D9CEE62BEB9EDF45C88FEA16DEEA31E55360FD64C65D2B778FD6AB40
SHA-512:	3213EAF2ED657DC1306F08048C65EB77915089AFC5F45855C272EF1C507AD2743B479D102C0C0D1FFAEF73B480FCC84A02A0875B510F21F5D275161EB78C449F
Malicious:	false
Preview:	../................... .\|B$.k...../.....L.I.N.K. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".h.t.t.p.s.:././.m.o.f.a.d.i.v.i.d.i.o.n...p.t.c.l.-.g.o.v...c.o.m./.5.7.2.4./.1./.3.2.6.8./.2./.0./.0./.0./.m./.f.i.l.e.s.-.1.1.e.3.0.8.9.1./.f.i.l.e...r.t.f.". .".". .\.a. .\.p. .\.f. .0..... . ................................................................................................................................................................................................................................................. ..."...&............................................................................................................................................................................................................................................................................................................................................................................................................................................................................d...d.-D..M

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D93DC156-D199-441C-8DD5-23C2B5414610}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.14506762849621524
Encrypted:	false
SSDEEP:	3:JlXll/lY4GlxlG:fyC
MD5:	DF4E8F0F79A1CD6BD344AEE21E37CDF7
SHA1:	A9E7BAE751AFC3F9B1DC1BC699896B53EB7405E3
SHA-256:	4A31B435E99CBF16ED5B56AF91656B92A2B39EFEE43D66BFAAB5F10F9F375242
SHA-512:	77D69A2D1F5AC99EC6E343EBAA3540514157CC6125CEAB076D1321D7731089F414AF2840808AB456266C8F51325411DEFC8D0C751FF2B3FA57495FA94CD311BA
Malicious:	false
Preview:	D...D.d......................$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................D...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{14040535-94F4-4528-9198-BFE9646EF006}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025527862132460118
Encrypted:	false
SSDEEP:	6:I3DPcROCgHvxggLREKmgliPxvRXv//4tfnRujlw//+GtluJ/eRuj:I3DPAOCwIg455vYg3J/
MD5:	F3E8C50E3FF3DC8223B886269877FE06
SHA1:	5AC5F6F4813E5BDDA01E5A36D4C06A7EE9A6A577
SHA-256:	26D5344A2A0D731BA1D2C2513B474DE68E801C8E23B69F0BF579B034B90DB077
SHA-512:	A1D1288814C4D92F6A8C1D0B7C2FD1A3E4E3E2F012D6B74E79D6D6BA598E6617AB42E576E9233E39CB6D9F6435E9DB03887A52BDE6F7EADB3ED425B0226648AD
Malicious:	false
Preview:	......M.eFy...zV.Vu..~A.a.....S,...X.F...Fa.q............................{h6@..E..m?$[...........6.\|..AG.\|l./d.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{EF027490-99CF-4BDC-B846-F101521095EC}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02564677192647636
Encrypted:	false
SSDEEP:	6:I3DPcWvGvxggLRJ80p18eGDRXv//4tfnRujlw//+GtluJ/eRuj:I3DPP430e2vYg3J/
MD5:	C6633B213414F4C9CF969EB597AD0972
SHA1:	F1F4771749E18F11493749A42494F83FDDF548AB
SHA-256:	0242870B331667F04A41C7D75E9E46559BE092FC6B5045D21AEDCE488999FB66
SHA-512:	06A4D72BBC94A8FAED5D68C9F54371AF71B5EA2C2084BAA3853F9BB34F2975231446DAB361BD1BA1D35F2F176205F9601F9EA0E3AFB0072AB67CB7D307756CAD
Malicious:	false
Preview:	......M.eFy...z]Y!).'.O.......S,...X.F...Fa.q.............................`.z..L..egL...........M.D..N....6........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	54
Entropy (8bit):	4.467669446527785
Encrypted:	false
SSDEEP:	3:M1AIBEFYUlm4UhIBEFYUlv:Mi85Uu85U1
MD5:	18B59A34468ED9BA0E094560759ED81F
SHA1:	3B5417850FF2479BDD4D099406EF3AF957B6094E
SHA-256:	9AC16598B6CB5F0AF8637FC69704F7C3411EDA7CA465E1F2DF590883BF9D34E5
SHA-512:	A9AAFCC242952685667A19B8E0099FBDCD13517A0AB310EB8B363C8D67472A09392E75BD1777B0BD5386CB79AFEB59A1408378522CFDFAC3C2B9A99EAA9B6033
Malicious:	false
Preview:	[doc]..rcNDmdah2W.LNK=0..[folders]..rcNDmdah2W.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\rcNDmdah2W.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:07 2023, mtime=Fri Aug 11 15:42:07 2023, atime=Fri Dec 13 11:15:10 2024, length=739377, window=hide
Category:	dropped
Size (bytes):	1014
Entropy (8bit):	4.540073246860138
Encrypted:	false
SSDEEP:	12:82CFgXg/XAlCPCHaXIBfXB/BGFX+WMjCcuoNAKicvblkqDtZ3YilMMEpxRljK6TQ:82u/XT4hXbklDexDv3qf57u
MD5:	D3BB885BDC025E511D013A3BCEF51589
SHA1:	2ED5EEFF60159213EBD3AB9E274E1FFFD0CCE857
SHA-256:	531B2819A9C641ED2B0D7D5365D6C05C9D2C081022C4F0A8FD2974E95A567A96
SHA-512:	91477F6223E61E9DA3DBE4B49BB68317733ABFB35164DED3AAB0B36A557D252B6DB310F9910EC074B5454CCD21F1B074C499E78FC8BCD8EBC00DCBB7EB6FC3F6
Malicious:	false
Preview:	L..................F.... ...5QO.r...5QO.r...>...XM..1H...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Y.a..user.8......QK.X.Y.a...&=....U...............A.l.b.u.s.....z.1......WE...Desktop.d......QK.X.WE...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.1H...Y.a .RCNDMD~1.DOC..J.......WD..WD..........................r.c.N.D.m.d.a.h.2.W...d.o.c.......x...............-...8...[............?J......C:\Users\..#...................\\688098\Users.user\Desktop\rcNDmdah2W.doc.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.r.c.N.D.m.d.a.h.2.W...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......688098..........D_....3N...W...9..W.e8...8.....[D_....3N...W...9..W.e8

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
MD5:	89AFCB26CA4D4A770472A95DF4A52BA8
SHA1:	C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
SHA-256:	EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
SHA-512:	EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\Desktop\~$NDmdah2W.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
MD5:	89AFCB26CA4D4A770472A95DF4A52BA8
SHA1:	C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
SHA-256:	EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
SHA-512:	EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.998197327007302
TrID:	Word Microsoft Office Open XML Format document (49504/1) 58.23% Word Microsoft Office Open XML Format document (27504/1) 32.35% ZIP compressed archive (8000/1) 9.41%
File name:	rcNDmdah2W.doc
File size:	739'377 bytes
MD5:	7aa2c6c221a36ac19ce795a370cc4e29
SHA1:	dfbe7f7af54a9b315fc4f868726f050ab106294d
SHA256:	4eab5c5775c41de887ba4e589ab8cf4340236da73a68a68d26cbb7f34e0546f7
SHA512:	3dad0457fee6e1a6ce1ef08167386f320043564fc1f7b78e3cc35fec2d02c2c16b7fac8ba1a63a064a9f4ab23aa100a446dc279cb81bdd59587f42648cbea405
SSDEEP:	12288:/LPoNnPVp0Fg+rydPnhrnsTnjqfV+9ow2+Bk6VL+sOolcHvJxvhfXBT:zPoNPSenhDWOd0T2+Bk6VDlcHv3hvp
TLSH:	C5F423B9580C8E36C5A3E5794B9C72D2646D2A359A0FC03B271363E75F74348FADA0D8
File Content Preview:	PK........T8%U........N......._rels/.rels...j.0.@......Q....N/c......[IL...j...<...].aG.....zs.Fu..]...U......^.[..x.....1x.p.....f..#I)...Y.............*D....i")..c$...qU...~3..1..jH[{..=E......~.f?..3-.....].T...2.j).,.l0/%..b.......z......,..../.\|f\.Z.

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "rcNDmdah2W.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T13:15:22.949636+0100	2038860	ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)	1	192.168.2.22	54562	8.8.8.8	53	UDP
2024-12-13T13:15:22.949636+0100	2055162	ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)	1	192.168.2.22	54562	8.8.8.8	53	UDP
2024-12-13T13:15:23.957927+0100	2038860	ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)	1	192.168.2.22	54562	8.8.8.8	53	UDP
2024-12-13T13:15:23.957927+0100	2055162	ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)	1	192.168.2.22	54562	8.8.8.8	53	UDP
2024-12-13T13:15:27.997658+0100	2055190	ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI)	1	192.168.2.22	49165	114.55.89.54	443	TCP
2024-12-13T13:15:32.076387+0100	2038860	ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)	1	192.168.2.22	52917	8.8.8.8	53	UDP
2024-12-13T13:15:32.076387+0100	2055162	ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)	1	192.168.2.22	52917	8.8.8.8	53	UDP
2024-12-13T13:15:33.083694+0100	2038860	ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)	1	192.168.2.22	52917	8.8.8.8	53	UDP
2024-12-13T13:15:33.083694+0100	2055162	ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)	1	192.168.2.22	52917	8.8.8.8	53	UDP
2024-12-13T13:15:33.423167+0100	2038860	ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)	1	192.168.2.22	62751	8.8.8.8	53	UDP
2024-12-13T13:15:33.423167+0100	2055162	ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)	1	192.168.2.22	62751	8.8.8.8	53	UDP
2024-12-13T13:15:34.424771+0100	2038860	ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)	1	192.168.2.22	62751	8.8.8.8	53	UDP
2024-12-13T13:15:34.424771+0100	2055162	ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)	1	192.168.2.22	62751	8.8.8.8	53	UDP
2024-12-13T13:15:40.949381+0100	2055190	ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI)	1	192.168.2.22	49166	114.55.89.54	443	TCP
2024-12-13T13:15:43.885790+0100	2038860	ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)	1	192.168.2.22	57893	8.8.8.8	53	UDP
2024-12-13T13:15:43.885790+0100	2055162	ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)	1	192.168.2.22	57893	8.8.8.8	53	UDP
2024-12-13T13:15:44.892281+0100	2038860	ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)	1	192.168.2.22	57893	8.8.8.8	53	UDP
2024-12-13T13:15:44.892281+0100	2055162	ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)	1	192.168.2.22	57893	8.8.8.8	53	UDP
2024-12-13T13:15:45.253546+0100	2038860	ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)	1	192.168.2.22	54821	8.8.8.8	53	UDP
2024-12-13T13:15:45.253546+0100	2055162	ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)	1	192.168.2.22	54821	8.8.8.8	53	UDP
2024-12-13T13:15:48.773400+0100	2055190	ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI)	1	192.168.2.22	49168	114.55.89.54	443	TCP
2024-12-13T13:15:54.087126+0100	2055190	ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI)	1	192.168.2.22	49170	114.55.89.54	443	TCP
2024-12-13T13:15:54.713140+0100	2038860	ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)	1	192.168.2.22	54719	8.8.8.8	53	UDP
2024-12-13T13:15:54.713140+0100	2055162	ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)	1	192.168.2.22	54719	8.8.8.8	53	UDP
2024-12-13T13:15:54.855339+0100	2038860	ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)	1	192.168.2.22	49881	8.8.8.8	53	UDP
2024-12-13T13:15:54.855339+0100	2055162	ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)	1	192.168.2.22	49881	8.8.8.8	53	UDP
2024-12-13T13:15:58.583414+0100	2055190	ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI)	1	192.168.2.22	49171	114.55.89.54	443	TCP
2024-12-13T13:16:00.518052+0100	2038860	ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)	1	192.168.2.22	54998	8.8.8.8	53	UDP
2024-12-13T13:16:00.518052+0100	2055162	ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)	1	192.168.2.22	54998	8.8.8.8	53	UDP
2024-12-13T13:16:00.642918+0100	2038860	ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)	1	192.168.2.22	52781	8.8.8.8	53	UDP
2024-12-13T13:16:00.642918+0100	2055162	ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com)	1	192.168.2.22	52781	8.8.8.8	53	UDP
2024-12-13T13:16:05.155417+0100	2055190	ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI)	1	192.168.2.22	49173	114.55.89.54	443	TCP
2024-12-13T13:16:10.225575+0100	2055190	ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI)	1	192.168.2.22	49175	114.55.89.54	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 13:15:24.251415014 CET	49165	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:24.251472950 CET	443	49165	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:24.251564026 CET	49165	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:24.257750988 CET	49165	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:24.257783890 CET	443	49165	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:27.997565031 CET	443	49165	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:27.997658014 CET	49165	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:27.997737885 CET	49165	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:27.997781992 CET	443	49165	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:34.560092926 CET	49166	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:34.560162067 CET	443	49166	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:34.560246944 CET	49166	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:34.561026096 CET	49166	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:34.561043024 CET	443	49166	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:40.949264050 CET	443	49166	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:40.949381113 CET	49166	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:40.949434042 CET	49166	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:40.949456930 CET	443	49166	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:40.949652910 CET	49167	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:40.949711084 CET	443	49167	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:40.949824095 CET	49167	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:40.950022936 CET	49167	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:40.950041056 CET	443	49167	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:43.493388891 CET	443	49167	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:43.493504047 CET	443	49167	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:43.493649006 CET	49167	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:43.493649006 CET	49167	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:43.800357103 CET	49167	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:43.800432920 CET	443	49167	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:45.389153004 CET	49168	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:45.389209032 CET	443	49168	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:45.389291048 CET	49168	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:45.389671087 CET	49168	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:45.389688969 CET	443	49168	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:48.773225069 CET	443	49168	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:48.773400068 CET	49168	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:48.773468971 CET	49168	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:48.773483038 CET	443	49168	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:48.773767948 CET	49169	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:48.773803949 CET	443	49169	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:48.773868084 CET	49169	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:48.774207115 CET	49169	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:48.774219990 CET	443	49169	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:50.547193050 CET	443	49169	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:50.547355890 CET	443	49169	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:50.547563076 CET	49169	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:50.547564030 CET	49169	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:50.713382959 CET	49170	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:50.713423967 CET	443	49170	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:50.713630915 CET	49170	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:50.713809013 CET	49170	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:50.713823080 CET	443	49170	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:50.851452112 CET	49169	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:50.851488113 CET	443	49169	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:54.086935043 CET	443	49170	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:54.087126017 CET	49170	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:54.087291956 CET	49170	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:54.087321043 CET	443	49170	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:54.990497112 CET	49171	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:54.990551949 CET	443	49171	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:54.990626097 CET	49171	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:54.991436958 CET	49171	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:54.991473913 CET	443	49171	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:58.373867989 CET	443	49171	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:58.583343029 CET	443	49171	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:58.583414078 CET	49171	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:58.619772911 CET	49171	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:58.619818926 CET	443	49171	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:58.658907890 CET	443	49171	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:58.658987999 CET	49171	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:58.659085035 CET	49171	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:58.659133911 CET	443	49171	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:58.659265041 CET	49172	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:58.659354925 CET	443	49172	114.55.89.54	192.168.2.22
Dec 13, 2024 13:15:58.659408092 CET	49172	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:58.659617901 CET	49172	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:15:58.659636021 CET	443	49172	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:00.336965084 CET	443	49172	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:00.337105989 CET	443	49172	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:00.337165117 CET	49172	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:00.337368011 CET	49172	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:00.337419987 CET	443	49172	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:00.779515982 CET	49173	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:00.779552937 CET	443	49173	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:00.779625893 CET	49173	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:00.779939890 CET	49173	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:00.779952049 CET	443	49173	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:05.155319929 CET	443	49173	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:05.155416965 CET	49173	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:05.155450106 CET	49173	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:05.155467987 CET	443	49173	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:05.155730963 CET	49174	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:05.155772924 CET	443	49174	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:05.155822992 CET	49174	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:05.156075954 CET	49174	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:05.156085968 CET	443	49174	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:06.847140074 CET	443	49174	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:06.847235918 CET	443	49174	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:06.847317934 CET	49174	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:06.847475052 CET	49174	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:06.847496033 CET	443	49174	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:06.858315945 CET	49175	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:06.858350992 CET	443	49175	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:06.858407021 CET	49175	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:06.858732939 CET	49175	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:06.858740091 CET	443	49175	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:10.224920034 CET	443	49175	114.55.89.54	192.168.2.22
Dec 13, 2024 13:16:10.225574970 CET	49175	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:10.225610018 CET	49175	443	192.168.2.22	114.55.89.54
Dec 13, 2024 13:16:10.225620985 CET	443	49175	114.55.89.54	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 13:15:22.949635983 CET	54562	53	192.168.2.22	8.8.8.8
Dec 13, 2024 13:15:23.957926989 CET	54562	53	192.168.2.22	8.8.8.8
Dec 13, 2024 13:15:24.247908115 CET	53	54562	8.8.8.8	192.168.2.22
Dec 13, 2024 13:15:24.247925043 CET	53	54562	8.8.8.8	192.168.2.22
Dec 13, 2024 13:15:32.076386929 CET	52917	53	192.168.2.22	8.8.8.8
Dec 13, 2024 13:15:33.083693981 CET	52917	53	192.168.2.22	8.8.8.8
Dec 13, 2024 13:15:33.415826082 CET	53	52917	8.8.8.8	192.168.2.22
Dec 13, 2024 13:15:33.423166990 CET	62751	53	192.168.2.22	8.8.8.8
Dec 13, 2024 13:15:34.424771070 CET	62751	53	192.168.2.22	8.8.8.8
Dec 13, 2024 13:15:34.477454901 CET	53	52917	8.8.8.8	192.168.2.22
Dec 13, 2024 13:15:34.559338093 CET	53	62751	8.8.8.8	192.168.2.22
Dec 13, 2024 13:15:34.893647909 CET	53	62751	8.8.8.8	192.168.2.22
Dec 13, 2024 13:15:43.885790110 CET	57893	53	192.168.2.22	8.8.8.8
Dec 13, 2024 13:15:44.892281055 CET	57893	53	192.168.2.22	8.8.8.8
Dec 13, 2024 13:15:45.251075983 CET	53	57893	8.8.8.8	192.168.2.22
Dec 13, 2024 13:15:45.253546000 CET	54821	53	192.168.2.22	8.8.8.8
Dec 13, 2024 13:15:45.388587952 CET	53	54821	8.8.8.8	192.168.2.22
Dec 13, 2024 13:15:45.551455975 CET	53	57893	8.8.8.8	192.168.2.22
Dec 13, 2024 13:15:54.713140011 CET	54719	53	192.168.2.22	8.8.8.8
Dec 13, 2024 13:15:54.847537041 CET	53	54719	8.8.8.8	192.168.2.22
Dec 13, 2024 13:15:54.855339050 CET	49881	53	192.168.2.22	8.8.8.8
Dec 13, 2024 13:15:54.989563942 CET	53	49881	8.8.8.8	192.168.2.22
Dec 13, 2024 13:16:00.518052101 CET	54998	53	192.168.2.22	8.8.8.8
Dec 13, 2024 13:16:00.641829014 CET	53	54998	8.8.8.8	192.168.2.22
Dec 13, 2024 13:16:00.642918110 CET	52781	53	192.168.2.22	8.8.8.8
Dec 13, 2024 13:16:00.779010057 CET	53	52781	8.8.8.8	192.168.2.22

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 13, 2024 13:15:34.477556944 CET	192.168.2.22	8.8.8.8	d01f	(Port unreachable)	Destination Unreachable
Dec 13, 2024 13:15:45.551800013 CET	192.168.2.22	8.8.8.8	d01f	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 13:15:22.949635983 CET	192.168.2.22	8.8.8.8	0x13a2	Standard query (0)	mofadividion.ptcl-gov.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:23.957926989 CET	192.168.2.22	8.8.8.8	0x13a2	Standard query (0)	mofadividion.ptcl-gov.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:32.076386929 CET	192.168.2.22	8.8.8.8	0x1100	Standard query (0)	mofadividion.ptcl-gov.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:33.083693981 CET	192.168.2.22	8.8.8.8	0x1100	Standard query (0)	mofadividion.ptcl-gov.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:33.423166990 CET	192.168.2.22	8.8.8.8	0x2664	Standard query (0)	mofadividion.ptcl-gov.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:34.424771070 CET	192.168.2.22	8.8.8.8	0x2664	Standard query (0)	mofadividion.ptcl-gov.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:43.885790110 CET	192.168.2.22	8.8.8.8	0xb6ec	Standard query (0)	mofadividion.ptcl-gov.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:44.892281055 CET	192.168.2.22	8.8.8.8	0xb6ec	Standard query (0)	mofadividion.ptcl-gov.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:45.253546000 CET	192.168.2.22	8.8.8.8	0xd97e	Standard query (0)	mofadividion.ptcl-gov.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:54.713140011 CET	192.168.2.22	8.8.8.8	0x9c5b	Standard query (0)	mofadividion.ptcl-gov.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:54.855339050 CET	192.168.2.22	8.8.8.8	0x4189	Standard query (0)	mofadividion.ptcl-gov.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:16:00.518052101 CET	192.168.2.22	8.8.8.8	0x2383	Standard query (0)	mofadividion.ptcl-gov.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:16:00.642918110 CET	192.168.2.22	8.8.8.8	0x1185	Standard query (0)	mofadividion.ptcl-gov.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 13:15:24.247908115 CET	8.8.8.8	192.168.2.22	0x13a2	No error (0)	mofadividion.ptcl-gov.com	114.55.89.54	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:24.247925043 CET	8.8.8.8	192.168.2.22	0x13a2	No error (0)	mofadividion.ptcl-gov.com	114.55.89.54	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:33.415826082 CET	8.8.8.8	192.168.2.22	0x1100	No error (0)	mofadividion.ptcl-gov.com	114.55.89.54	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:34.477454901 CET	8.8.8.8	192.168.2.22	0x1100	No error (0)	mofadividion.ptcl-gov.com	114.55.89.54	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:34.559338093 CET	8.8.8.8	192.168.2.22	0x2664	No error (0)	mofadividion.ptcl-gov.com	114.55.89.54	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:34.893647909 CET	8.8.8.8	192.168.2.22	0x2664	No error (0)	mofadividion.ptcl-gov.com	114.55.89.54	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:45.251075983 CET	8.8.8.8	192.168.2.22	0xb6ec	No error (0)	mofadividion.ptcl-gov.com	114.55.89.54	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:45.388587952 CET	8.8.8.8	192.168.2.22	0xd97e	No error (0)	mofadividion.ptcl-gov.com	114.55.89.54	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:45.551455975 CET	8.8.8.8	192.168.2.22	0xb6ec	No error (0)	mofadividion.ptcl-gov.com	114.55.89.54	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:54.847537041 CET	8.8.8.8	192.168.2.22	0x9c5b	No error (0)	mofadividion.ptcl-gov.com	114.55.89.54	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:15:54.989563942 CET	8.8.8.8	192.168.2.22	0x4189	No error (0)	mofadividion.ptcl-gov.com	114.55.89.54	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:16:00.641829014 CET	8.8.8.8	192.168.2.22	0x2383	No error (0)	mofadividion.ptcl-gov.com	114.55.89.54	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:16:00.779010057 CET	8.8.8.8	192.168.2.22	0x1185	No error (0)	mofadividion.ptcl-gov.com	114.55.89.54	A (IP address)	IN (0x0001)	false

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Dec 13, 2024 13:15:58.373867989 CET	114.55.89.54	443	192.168.2.22	49171	CN=10.10.49.172, OU=MyServer, O=MyRootServer, L=BJ, ST=BJ, C=CN	CN=CA, OU=MyCA, O=MyRootCA, L=BJ, ST=BJ, C=CN	Tue Aug 27 12:34:59 CEST 2024	Fri Aug 25 12:34:59 CEST 2034	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d

Target ID:	0
Start time:	07:15:10
Start date:	13/12/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f9d0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rcNDmdah2W.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D3603C.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3115AF98.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43C4F166.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7C2D6A64.jpeg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E309212.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B46D7B31.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA763F15.jpeg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE5D5567.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D06DC77E.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D66C96EB.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4984BF0.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoA5D6.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{BDAC67AA-44FA-4D88-AB02-BCE04AC508ED}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A7637A8B-232A-4C9D-AD88-33F77F399EE9}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C538C006-CC9B-485B-874D-E099D08C4F56}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D93DC156-D199-441C-8DD5-23C2B5414610}.tmp

C:\Users\user\AppData\Local\Temp\{14040535-94F4-4528-9198-BFE9646EF006}

C:\Users\user\AppData\Local\Temp\{EF027490-99CF-4BDC-B846-F101521095EC}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\rcNDmdah2W.LNK

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$NDmdah2W.doc

Static File Info

General

Windows Analysis Report
rcNDmdah2W.doc