Edit tour

Windows Analysis Report
PyrNUtAUkw.docx

Overview

General Information

Sample name:	PyrNUtAUkw.docx renamed because original name is a hash value
Original sample name:	89d4d85592bf0b5e8b55c2d62c9050bfa8c3017f9f497134dbacbb2a0f13a09e.docx
Analysis ID:	1574635
MD5:	8202209354ece5c53648c52bdbd064f0
SHA1:	683210af38ef15f1bacb67ddc42f085bee05cf35
SHA256:	89d4d85592bf0b5e8b55c2d62c9050bfa8c3017f9f497134dbacbb2a0f13a09e
Tags:	docxSideWinderuser-JAMESWT_MHT
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Contains an external reference to another file

Outdated Microsoft Office dropper detected

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sigma detected: Suspicious Office Outbound Connections

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3204 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
_rels\document.xml.rels	INDICATOR_OLE_RemoteTemplate	Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents	ditekSHen	0x92d:$olerel: relationships/oleObject 0x946:$target1: Target="http 0x989:$mode: TargetMode="External

Sigma Signatures

System Summary

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3204, Protocol: tcp, SourceIp: 15.197.130.221, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3204, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3204, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Suricata Signatures

ET MALWARE Observed TA399/Sidewinder APT Domain (president-gov-lk .donwloaded .net in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T15:34:15.984398+0100	2055136	1	A Network Trojan was detected	192.168.2.22	49163	15.197.130.221	443	TCP
2024-12-13T15:34:18.305944+0100	2055136	1	A Network Trojan was detected	192.168.2.22	49164	15.197.130.221	443	TCP

ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (president-gov-lk .donwloaded .net)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T15:34:11.519623+0100	2055106	1	A Network Trojan was detected	192.168.2.22	54562	8.8.8.8	53	UDP
2024-12-13T15:34:12.528566+0100	2055106	1	A Network Trojan was detected	192.168.2.22	54562	8.8.8.8	53	UDP
2024-12-13T15:34:13.541992+0100	2055106	1	A Network Trojan was detected	192.168.2.22	54562	8.8.8.8	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://president-gov-lk.donwloaded.net/a4884a53/file.rtf

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: PyrNUtAUkw.docx

ReversingLabs: Detection: 44%

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 15.197.130.221:443 -> 192.168.2.22:49163 version: TLS 1.2

Source: global traffic	DNS query: name: president-gov-lk.donwloaded.net
Source: global traffic	DNS query: name: president-gov-lk.donwloaded.net
Source: global traffic	DNS query: name: president-gov-lk.donwloaded.net

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 15.197.130.221:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 15.197.130.221:443

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2055106 - Severity 1 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (president-gov-lk .donwloaded .net) : 192.168.2.22:54562 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2055136 - Severity 1 - ET MALWARE Observed TA399/Sidewinder APT Domain (president-gov-lk .donwloaded .net in TLS SNI) : 192.168.2.22:49163 -> 15.197.130.221:443
Source: Network traffic	Suricata IDS: 2055136 - Severity 1 - ET MALWARE Observed TA399/Sidewinder APT Domain (president-gov-lk .donwloaded .net in TLS SNI) : 192.168.2.22:49164 -> 15.197.130.221:443

Outdated Microsoft Office dropper detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	DNS query: president-gov-lk.donwloaded.net is down
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	DNS query: president-gov-lk.donwloaded.net is down

Source: Joe Sandbox View

IP Address: 15.197.130.221 15.197.130.221

Source: Joe Sandbox View

ASN Name: TANDEMUS TANDEMUS

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FF002987-24C9-4E73-9229-2CB3F164EF0B}.tmp

Jump to behavior

Source: global traffic

DNS traffic detected: DNS query: president-gov-lk.donwloaded.net

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenAlt-Svc: h3=":50559"; ma=2592000Content-Length: 146Content-Type: text/htmlDate: Fri, 13 Dec 2024 14:34:16 GMTServer: CaddyServer: nginxConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenAlt-Svc: h3=":50559"; ma=2592000Content-Length: 146Content-Type: text/htmlDate: Fri, 13 Dec 2024 14:34:18 GMTServer: CaddyServer: nginxConnection: close

Source: ~WRS{7AD94162-947F-4B76-A1FE-64233B9775A4}.tmp.0.dr

String found in binary or memory: https://president-gov-lk.donwloaded.net/a4884a53/file.rtf

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163

Source: unknown

HTTPS traffic detected: 15.197.130.221:443 -> 192.168.2.22:49163 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: _rels\document.xml.rels, type: SAMPLE

Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen

Source: _rels\document.xml.rels, type: SAMPLE

Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents

Source: classification engine

Classification label: mal80.troj.evad.winDOCX@1/15@3/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$rNUtAUkw.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR847A.tmp

Jump to behavior

Source: msoA94A.tmp.0.dr

OLE indicator, Word Document stream: true

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: PyrNUtAUkw.docx

ReversingLabs: Detection: 44%

Source: PyrNUtAUkw.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\PyrNUtAUkw.docx

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: msoA94A.tmp.0.dr	Initial sample: OLE zip file path = word/media/image8.png
Source: msoA94A.tmp.0.dr	Initial sample: OLE zip file path = word/media/image6.jpeg
Source: msoA94A.tmp.0.dr	Initial sample: OLE zip file path = word/media/image9.png
Source: msoA94A.tmp.0.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: msoA94A.tmp.0.dr	Initial sample: OLE zip file path = word/media/image1.jpg
Source: msoA94A.tmp.0.dr	Initial sample: OLE zip file path = word/media/image10.png
Source: msoA94A.tmp.0.dr	Initial sample: OLE zip file path = word/media/image11.png
Source: msoA94A.tmp.0.dr	Initial sample: OLE zip file path = word/media/image2.jpg

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: PyrNUtAUkw.docx

Static file information: File size 1651194 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: msoA94A.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: _rels\document.xml.rels

Extracted files from sample: https://president-gov-lk.donwloaded.net/a4884a53/file.rtf

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PyrNUtAUkw.docx	45%	ReversingLabs	Document-Word.Trojan.Donoff

Source	Detection	Scanner	Label	Link
https://president-gov-lk.donwloaded.net/a4884a53/file.rtf	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
president-gov-lk.donwloaded.net	15.197.130.221	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://president-gov-lk.donwloaded.net/a4884a53/file.rtf	~WRS{7AD94162-947F-4B76-A1FE-64233B9775A4}.tmp.0.dr	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
15.197.130.221	president-gov-lk.donwloaded.net	United States		7430	TANDEMUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574635
Start date and time:	2024-12-13 15:33:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PyrNUtAUkw.docx renamed because original name is a hash value
Original Sample Name:	89d4d85592bf0b5e8b55c2d62c9050bfa8c3017f9f497134dbacbb2a0f13a09e.docx
Detection:	MAL
Classification:	mal80.troj.evad.winDOCX@1/15@3/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docx

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PyrNUtAUkw.docx

Input	Output
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "MINISTRY", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "MINISTRY", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Word found unreadable content in PyNUAUkw. Do you want to recover the contents of this document? If you trust the source of this document, click Yes.", "prominent_button_name": "Yes", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": true }

URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "The file FENIHOKN.CURQNKV cannot be opened because there are problems with the contents.", "prominent_button_name": "OK", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": true }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": [ "Ministry" ] }
	{ "brands": [ "Ministry" ] }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": [ "Ministry" ] }
	{ "brands": [ "Ministry" ] }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }
URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
15.197.130.221	uXK5hq53r7.exe	Get hash	malicious	Simda Stealer	Browse	bloodguiltiness.com/news.php
	2m7DLHWhxp.exe	Get hash	malicious	Simda Stealer	Browse	bloodguiltiness.com/news.php
	2w6qmU17rQ.exe	Get hash	malicious	Simda Stealer	Browse	bloodguiltiness.com/news.php
	E06V9T0WiQ.exe	Get hash	malicious	Simda Stealer	Browse	bloodguiltiness.com/news.php
	jYCuKbE5wl.exe	Get hash	malicious	Simda Stealer	Browse	bloodguiltiness.com/news.php
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.testingdomain.xyz/h209/?CR=_BZD&cr=BndsO5fZVJ/rxwsYKaY2EnP7vRSsvqYVYtXSbFNMOPpZLLVcBODKyfewiXlBLJbKY6jW
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	a994.uvuvu1.com/wordpress/wp-login.php
	http://shelp1.org/	Get hash	malicious	Unknown	Browse	shelp1.org/track.php?domain=shelp1.org&caf=1&toggle=answercheck&answer=yes&uid=MTcxODgwMDIwMy45Mjg6ZDAyZjU2Y2EwMjc3MmIzOTBhNmU0NTFkZjAwODA4ZmE1YjNiYTYzYjhhOTMwNGI3MTg2MmQxNDc5Mzc5N2M0NTo2NjcyY2Y0YmUyOTEx
	PR-ZWL 07364G49574(Revised PO).exe	Get hash	malicious	FormBook	Browse	www.drjoserizal.com/bnz5/
	PAYROLL.doc	Get hash	malicious	FormBook	Browse	www.drjoserizal.com/ro6r/?WnF4=YlbDSxW&dJqp=cUByiBYj1AgsU1h45uYtitSx8oj+oKPkK7EoFtiS/1wrqaoh282T8+hu+wxUfwBa0EvlMl91BX6QIj6y4CexZNkmnEc4OcCP4Yw5Bx8cczv0YppwbJV85bXXF4Or

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TANDEMUS	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	15.197.148.33
	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	15.197.152.159
	http://abercombie.com	Get hash	malicious	Unknown	Browse	15.197.193.217
	Recibos.exe	Get hash	malicious	FormBook	Browse	15.197.204.56
	https://auth.ball.com	Get hash	malicious	Unknown	Browse	15.197.181.212
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	15.219.134.31
	https://www.aarp.org/money/scams-fraud/info-2024/title-theft-real-estate-fraud.html	Get hash	malicious	HTMLPhisher	Browse	15.197.193.217
	jmhgeojeri.elf	Get hash	malicious	Unknown	Browse	15.196.176.217
	https://rebrand.ly/moe5eyg	Get hash	malicious	Unknown	Browse	15.197.137.111
	https://ness.wiktripfitness.com/ghjki9l-8765t4/3/er4t5y6u7jyhtgrfefrgthyjuyhtgdsarfedwsqa	Get hash	malicious	Unknown	Browse	15.197.193.217

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7dcce5b76c8b17472d024758970a406b	SLNA_Updated_Medical_Grant_Application(1).docx	Get hash	malicious	Unknown	Browse	15.197.130.221
	CMR ART009.docx	Get hash	malicious	Unknown	Browse	15.197.130.221
	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse	15.197.130.221
	Estado.de.cuenta.xls	Get hash	malicious	AveMaria, UACMe	Browse	15.197.130.221
	SOA USD67,353.35.xla.xlsx	Get hash	malicious	Unknown	Browse	15.197.130.221
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	15.197.130.221
	510005940.docx.doc	Get hash	malicious	Unknown	Browse	15.197.130.221
	Document.xla	Get hash	malicious	Unknown	Browse	15.197.130.221
	xeroxscan.Docx	Get hash	malicious	Unknown	Browse	15.197.130.221
	xeroxscan.Docx	Get hash	malicious	Unknown	Browse	15.197.130.221

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02560473567918993
Encrypted:	false
SSDEEP:	6:I3DPc70vHvxggLRvkBetMQRXv//4tfnRujlw//+GtluJ/eRuj:I3DPRD/MMvYg3J/
MD5:	516CFCDE7BA912A7199F5B5A83163326
SHA1:	5D57AC05D7D32D5445544534378C6843B00D8053
SHA-256:	AA1FD2BD3DF7E9FF783EAACC4D83109111FE4620B3A5F1C583856A647BECF500
SHA-512:	3D98A6E7051122C5557A2054ACB5710F3C3A079E655B31940B078985CBF0022B83AFB221C3CC92FEDDB7D8B1953421C93686186945A9E9D6C1D5EC20AAD7C933
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z....o.;@.j.6..A8S,...X.F...Fa.q............................8.\|W..XB.=.O*..............D.8O..J..5......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\788B8F44.jpg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 1646x2323, components 3
Category:	dropped
Size (bytes):	762688
Entropy (8bit):	7.733077518444723
Encrypted:	false
SSDEEP:	12288:j3fAZwjnJ0XmAyeq1B07yoybjLo/YII69KOm1S5vDgtf9j2DWQQTHs+g8AnhzBY6:jCw/A+1m7hybjLo/YR69KOVcf9jaxQrw
MD5:	E1B412B40BAE7EA21643FE23EE7DD469
SHA1:	AB8D06F769C6738E3F1C748A538CD447D12A42C3
SHA-256:	C07C9357CC2BF55D8C1711E73E4EC594C5E72FA401772503455FD7B584DBF5EC
SHA-512:	91013B9494142FC88579B0CFDA044BCD0B7838E2EA06B2D86B05EDEEFCBF0BA273F92B032732A5B3C0BBC1B3030BB81057AB5A407A5E2B04DB532ED061DCC60C
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`....."Exif..MM..........................C....................................................................C.........................................................................n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9144468F.jpg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	4.46146788019945
Encrypted:	false
SSDEEP:	3:wcek9LRAlxkAMvtEKb:wJcexJC
MD5:	A471D39C02EE8428702B468C843C62E3
SHA1:	91E6F53C4DCE4D7822F120DA20A75113E5A7DCED
SHA-256:	0C9A8CE9516EDB686FAF2BEE4BD9DC3285207031FE5F2F742ACCF4A525518D8E
SHA-512:	806DD530CE299B765554BB6AE827506D63B9D8A24294DF4E827CA8B808894C2B8845009239F80282F522177DE483D95099E74EF797E6F3B15A2B54F92DFFC03B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<Default Extension="jpg" ContentType="image/jpg"/>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E20B1B46.jpg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	4.46146788019945
Encrypted:	false
SSDEEP:	3:wcek9LRAlxkAMvtEKb:wJcexJC
MD5:	A471D39C02EE8428702B468C843C62E3
SHA1:	91E6F53C4DCE4D7822F120DA20A75113E5A7DCED
SHA-256:	0C9A8CE9516EDB686FAF2BEE4BD9DC3285207031FE5F2F742ACCF4A525518D8E
SHA-512:	806DD530CE299B765554BB6AE827506D63B9D8A24294DF4E827CA8B808894C2B8845009239F80282F522177DE483D95099E74EF797E6F3B15A2B54F92DFFC03B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<Default Extension="jpg" ContentType="image/jpg"/>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoA94A.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	1659104
Entropy (8bit):	7.999019556563278
Encrypted:	true
SSDEEP:	24576:HjedF7qYB1oelzSaakAdbvaGSeTqrZH72tFoEUrlFjJt0WkEiMaqWae1PUs:Hj2FmYB1D9A1vaeTWH7goEYlFXCyV2PV
MD5:	0F172196BD8F526BB118FC2DF2F46A2A
SHA1:	B8EF2DC765CD98B65DCF5F7A9F41D49B012BA10E
SHA-256:	5BF991CDB6555116797901FD9F643A40CA218FF769D39F47925591FBAF7BEAFC
SHA-512:	90F37E7159B7CA8CCFD76D9A76FE9954D25629457F3767D43FBBE48350E1303BDA6DEF33158AE09C19A246F10759D5213CF328901DB9BB4622EB5EC122ABF6AE
Malicious:	false
Reputation:	low
Preview:	PK..........!....u....6.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.N.0..7.......1....K%...v.Fq=.-....p..`".f..~...`..e...V).'=...:..H...%.'..Le...R..GF...dm.E.V.%S.....OA2.h..wrm%..j.j..b...^.r.<(...A..'.......7N.H..9..R"d..u...h.T.....k.0cJ...>.Be.,.O.....7...`..........q3s<......1...I,.f...6..Dr\.%..s..9..g.@.E.Yl......yT.k.......s.<]...W4.._j...7]..u`.98..N..Y2.....G..d.>.....`.......;{.{.j.n.~].%.T.....~@.g....N.%\|._..........o.......PK..........!..U~............._rel

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F32AC025-AD1D-4C6B-A7A9-961C0D3E1881}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{64FC5AF0-179B-4CF4-8EAD-4A0F8F1D79C4}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.14506762849621524
Encrypted:	false
SSDEEP:	3:JlXll/lIhtUlxlG:W8C
MD5:	1B1BC6AE8B076AE49FC27052A5FA43D0
SHA1:	D6E6A01F91DEBB6D12C15787B6425BB6C807AD84
SHA-256:	824F313932B596035A6A3E4F7D5298EB09B69D2E85E70A0EE6D3FDE8C4533599
SHA-512:	7ABAFB8C7DD3AB0A83034DCF20106BA50BE1B4470150DABB27BE2A4203D7064A9727EE5AFBFE48D4A4C4D4060EC2C3534F984BEB2CB0F86F5CBF3F7AA95849BA
Malicious:	false
Preview:	D...D.d......................$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................D...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7AD94162-947F-4B76-A1FE-64233B9775A4}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2246
Entropy (8bit):	2.7680015664332442
Encrypted:	false
SSDEEP:	12:Q5Z3ob2xZHc+QozVtJlh5CllgG2zSAKBBs95mZxDtJWkwAJUOZBc8IRW8Acm01t6:QRtDGlncZkkETtOA+Q7IRjAey
MD5:	F2FB750D53A46E7C32CECC3FC37EFF55
SHA1:	D3B7A2945AD33FD155ED8B80F3BA675DF3BF5A05
SHA-256:	D2702B3953B75D8D89BBE6C6E4F74362472E2CC6368BCB8658DA4B3D4C15C749
SHA-512:	FB673D494F13A5C3743A26CEA072AE3F79C254E55DCEA25CA4FAF9CF7578304D276FD56371E57BEB8DD33110D5DFA0B780584F4B09AFDC24647C85E012ED4119
Malicious:	false
Preview:	../....0...\|. ..A!..."...#.P.$......../.....\|. ..A!..."...#...$......./.....\|. ..A!..."...#...$......./.....\|. ..A!..."...#...$......./.....\|. ..A!..."...#.$.$......./.....\|. ..A!..."...#...$......./.....\|. ..A!..."...#...$......./.....\|. ..A!..."...#...$......./.....\|. ..A!..."...#...$......./.....\|. ..A!..."...#...$......./.................................................................................................................................................................................................$...&...D...F...d...f...........................................$...&...D...F.........................................................................................................................................................................................................................................................................................................................]...^.........(.^.(....... .^. .......'.^.'.......=.^.=.........^.............=.]...^.=...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FF002987-24C9-4E73-9229-2CB3F164EF0B}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{231111E1-28D9-417A-A193-6016543C7183}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02562107562555587
Encrypted:	false
SSDEEP:	6:I3DPcKipa9vxggLRLL3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPDZRnLRvYg3J/
MD5:	3C9725CA212EB433927E664CADDDE098
SHA1:	62C455A068A96A369C79566862341DC4D641EEA8
SHA-256:	6A763ECFF69972840ED46C89D01BB0CDD9AB3896B9D1FEB4D4D204A79F4F96E1
SHA-512:	399BC1FAB58736941AE7075AE4865E7A1E36A47C4F620A947CA8E443290E54EE4760E359D7B8B5FE26418ED53246825241AACA591422B14E3DC741B95A932572
Malicious:	false
Preview:	......M.eFy...z...Gm..N...Ke..^S,...X.F...Fa.q.................................6 B..#..............P....A.4M..s.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{8D78C03A-FE66-4C06-BFF0-3B305B2A2557}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02560473567918993
Encrypted:	false
SSDEEP:	6:I3DPc70vHvxggLRvkBetMQRXv//4tfnRujlw//+GtluJ/eRuj:I3DPRD/MMvYg3J/
MD5:	516CFCDE7BA912A7199F5B5A83163326
SHA1:	5D57AC05D7D32D5445544534378C6843B00D8053
SHA-256:	AA1FD2BD3DF7E9FF783EAACC4D83109111FE4620B3A5F1C583856A647BECF500
SHA-512:	3D98A6E7051122C5557A2054ACB5710F3C3A079E655B31940B078985CBF0022B83AFB221C3CC92FEDDB7D8B1953421C93686186945A9E9D6C1D5EC20AAD7C933
Malicious:	false
Preview:	......M.eFy...z....o.;@.j.6..A8S,...X.F...Fa.q............................8.\|W..XB.=.O*..............D.8O..J..5......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PyrNUtAUkw.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:07 2023, mtime=Fri Aug 11 15:42:07 2023, atime=Fri Dec 13 13:33:59 2024, length=1651194, window=hide
Category:	dropped
Size (bytes):	1019
Entropy (8bit):	4.563136999764086
Encrypted:	false
SSDEEP:	12:8w9NXH680gXg/XAlCPCHaXgBnB/BGFX+W4doN11xS0juicvbk0uJ047xSmNDtZ3L:8wXk/XTQhbk+dWzSgNeiJ5SCDv3qx57u
MD5:	820D93AD9F885F1608B0D620F02999B6
SHA1:	E0F9566570C19DFAB4D1E132D28420CE27B61725
SHA-256:	6CB9763F84B2A3226ED2E49BF25652F91A47A1F8675AF23FF8A36C8707A8F4BD
SHA-512:	561716CE0D03F7D3F91A4F569E708314CCE7730EC892880D47E9C2B9DDAA40C59AF7C2C8A9E4005DE6C36ABBA9C0B60C2AC96C4782B9BC948E331E5F74439182
Malicious:	false
Preview:	L..................F.... ....._.r....._.r....q..lM...1...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Y<t..user.8......QK.X.Y<t...&=....U...............A.l.b.u.s.....z.1......WE...Desktop.d......QK.X.WE...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2..1...Y@t .PYRNUT~1.DOC..L.......WD..WD..........................P.y.r.N.U.t.A.U.k.w...d.o.c.x.......y...............-...8...[............?J......C:\Users\..#...................\\675052\Users.user\Desktop\PyrNUtAUkw.docx.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.y.r.N.U.t.A.U.k.w...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......675052..........D_....3N...W...9..W.e8...8.....[D_....3N...W...9.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.603998122576232
Encrypted:	false
SSDEEP:	3:H+Qkru4om4uBkru4ov:H4Nky
MD5:	2EC71E888FE8E79583B34F033734D857
SHA1:	C40880DA9AC08BC69131F6CD5ACD0ED6BB5A17FD
SHA-256:	B39ECF63802B9A7A40808E2C612DD10E1A9CA2BD733323EE199D47B78AAA2C01
SHA-512:	E77BCDDE7EB38A43786E59CB074DB3DC85BAB3EE2AC2DDE91372950B5AA7D25D3E38CE548710F40C2E97923B1CD98ADD1ABE1A438F77E7B2FD4746F3EEBA5ED9
Malicious:	false
Preview:	[misc]..PyrNUtAUkw.LNK=0..[folders]..PyrNUtAUkw.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\Desktop\~$rNUtAUkw.docx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Microsoft OOXML
Entropy (8bit):	7.99865971160728
TrID:	Word Microsoft Office Open XML Format document (49504/1) 58.23% Word Microsoft Office Open XML Format document (27504/1) 32.35% ZIP compressed archive (8000/1) 9.41%
File name:	PyrNUtAUkw.docx
File size:	1'651'194 bytes
MD5:	8202209354ece5c53648c52bdbd064f0
SHA1:	683210af38ef15f1bacb67ddc42f085bee05cf35
SHA256:	89d4d85592bf0b5e8b55c2d62c9050bfa8c3017f9f497134dbacbb2a0f13a09e
SHA512:	df8d1aaf4798541f25797c2928db9c90f03f534f5a326d05e160ae4f293fd0abd68b5e4ac9468da7a6af82a5b6eb2a79395367b2cdb514b57c76e5bb958cb47a
SSDEEP:	49152:JJb+67s4Y+WJ9UhMQzTDdwPaQx3fNdK1HAgCclqDhDAy:/f2mhMQ3DEaG3eHAgCclgEy
TLSH:	3A7533EA1EA95A60D5953038D4021E5FE8C01DB7E7B15DEACBC8ED78A804F6A43FD1D0
File Content Preview:	PK........O=$X.U~............._rels/.rels..MK.1.....!..;."..^D.Md..C2.........(......3y..3C.....+.4xW..(A........yX..JB....Wp.....b..#InJ.......E..b.=[J....M..%...a .B...,o0.f@=a... n........o.A...;.N.<...v.."...e....b.R...1..R.EF..7Z.n...hY...j.y..#1'.

File Icon


Icon Hash:	65e6a3a3afb7bdbf

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T15:34:11.519623+0100	2055106	ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (president-gov-lk .donwloaded .net)	1	192.168.2.22	54562	8.8.8.8	53	UDP
2024-12-13T15:34:12.528566+0100	2055106	ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (president-gov-lk .donwloaded .net)	1	192.168.2.22	54562	8.8.8.8	53	UDP
2024-12-13T15:34:13.541992+0100	2055106	ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (president-gov-lk .donwloaded .net)	1	192.168.2.22	54562	8.8.8.8	53	UDP
2024-12-13T15:34:15.984398+0100	2055136	ET MALWARE Observed TA399/Sidewinder APT Domain (president-gov-lk .donwloaded .net in TLS SNI)	1	192.168.2.22	49163	15.197.130.221	443	TCP
2024-12-13T15:34:18.305944+0100	2055136	ET MALWARE Observed TA399/Sidewinder APT Domain (president-gov-lk .donwloaded .net in TLS SNI)	1	192.168.2.22	49164	15.197.130.221	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 15:34:14.563298941 CET	49163	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:14.563342094 CET	443	49163	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:14.563411951 CET	49163	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:14.570461035 CET	49163	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:14.570477009 CET	443	49163	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:15.984323025 CET	443	49163	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:15.984397888 CET	49163	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:15.991708994 CET	49163	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:15.991741896 CET	443	49163	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:15.992191076 CET	443	49163	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:15.992243052 CET	49163	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:16.071352959 CET	49163	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:16.119338989 CET	443	49163	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:16.549633980 CET	443	49163	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:16.549705029 CET	49163	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:16.549740076 CET	443	49163	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:16.549761057 CET	443	49163	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:16.549886942 CET	49163	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:16.549887896 CET	49163	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:16.551450968 CET	49163	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:16.551486969 CET	443	49163	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:16.551502943 CET	49163	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:16.551536083 CET	49163	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:16.874943972 CET	49164	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:16.874994993 CET	443	49164	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:16.875070095 CET	49164	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:16.875464916 CET	49164	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:16.875478029 CET	443	49164	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:18.305612087 CET	443	49164	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:18.305943966 CET	49164	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:18.308039904 CET	49164	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:18.308060884 CET	443	49164	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:18.315458059 CET	49164	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:18.315470934 CET	443	49164	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:18.884414911 CET	443	49164	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:18.884572983 CET	49164	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:18.884603977 CET	443	49164	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:18.884635925 CET	443	49164	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:18.884686947 CET	49164	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:18.884713888 CET	49164	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:18.885092020 CET	49164	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:18.885111094 CET	443	49164	15.197.130.221	192.168.2.22
Dec 13, 2024 15:34:18.885119915 CET	49164	443	192.168.2.22	15.197.130.221
Dec 13, 2024 15:34:18.885166883 CET	49164	443	192.168.2.22	15.197.130.221

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 15:34:11.519623041 CET	54562	53	192.168.2.22	8.8.8.8
Dec 13, 2024 15:34:12.528565884 CET	54562	53	192.168.2.22	8.8.8.8
Dec 13, 2024 15:34:13.541991949 CET	54562	53	192.168.2.22	8.8.8.8
Dec 13, 2024 15:34:14.558722973 CET	53	54562	8.8.8.8	192.168.2.22
Dec 13, 2024 15:34:16.800775051 CET	53	54562	8.8.8.8	192.168.2.22
Dec 13, 2024 15:34:17.654922962 CET	53	54562	8.8.8.8	192.168.2.22

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 13, 2024 15:34:16.800853014 CET	192.168.2.22	8.8.8.8	d015	(Port unreachable)	Destination Unreachable
Dec 13, 2024 15:34:17.655050039 CET	192.168.2.22	8.8.8.8	d015	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 15:34:11.519623041 CET	192.168.2.22	8.8.8.8	0xaa6d	Standard query (0)	president-gov-lk.donwloaded.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:34:12.528565884 CET	192.168.2.22	8.8.8.8	0xaa6d	Standard query (0)	president-gov-lk.donwloaded.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:34:13.541991949 CET	192.168.2.22	8.8.8.8	0xaa6d	Standard query (0)	president-gov-lk.donwloaded.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 15:34:14.558722973 CET	8.8.8.8	192.168.2.22	0xaa6d	No error (0)	president-gov-lk.donwloaded.net		15.197.130.221	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:34:16.800775051 CET	8.8.8.8	192.168.2.22	0xaa6d	Server failure (2)	president-gov-lk.donwloaded.net	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:34:17.654922962 CET	8.8.8.8	192.168.2.22	0xaa6d	Server failure (2)	president-gov-lk.donwloaded.net	none	none	A (IP address)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	15.197.130.221	443	3204	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-12-13 14:34:16 UTC	162	OUT	OPTIONS /a4884a53/ HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: president-gov-lk.donwloaded.net Content-Length: 0 Connection: Keep-Alive
2024-12-13 14:34:16 UTC	192	IN	HTTP/1.1 403 Forbidden Alt-Svc: h3=":50559"; ma=2592000 Content-Length: 146 Content-Type: text/html Date: Fri, 13 Dec 2024 14:34:16 GMT Server: Caddy Server: nginx Connection: close
2024-12-13 14:34:16 UTC	146	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49164	15.197.130.221	443	3204	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-12-13 14:34:18 UTC	162	OUT	OPTIONS /a4884a53/ HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: president-gov-lk.donwloaded.net Content-Length: 0 Connection: Keep-Alive
2024-12-13 14:34:18 UTC	192	IN	HTTP/1.1 403 Forbidden Alt-Svc: h3=":50559"; ma=2592000 Content-Length: 146 Content-Type: text/html Date: Fri, 13 Dec 2024 14:34:18 GMT Server: Caddy Server: nginx Connection: close
2024-12-13 14:34:18 UTC	146	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Target ID:	0
Start time:	09:33:59
Start date:	13/12/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f8e0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PyrNUtAUkw.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\788B8F44.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9144468F.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E20B1B46.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoA94A.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F32AC025-AD1D-4C6B-A7A9-961C0D3E1881}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{64FC5AF0-179B-4CF4-8EAD-4A0F8F1D79C4}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7AD94162-947F-4B76-A1FE-64233B9775A4}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FF002987-24C9-4E73-9229-2CB3F164EF0B}.tmp

C:\Users\user\AppData\Local\Temp\{231111E1-28D9-417A-A193-6016543C7183}

C:\Users\user\AppData\Local\Temp\{8D78C03A-FE66-4C06-BFF0-3B305B2A2557}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PyrNUtAUkw.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$rNUtAUkw.docx

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

Windows Analysis Report
PyrNUtAUkw.docx