Play interactive tour

Edit tour

Analysis Report From Tutz Honeychurch.docx

Overview

General Information

Sample Name:	From Tutz Honeychurch.docx
Analysis ID:	350064
MD5:	a5258f370733334149b30ceae94fbe99
SHA1:	dd86e740f5e6205725a54d980bab465d5a6cb867
SHA256:	57e0592902153e996cc7c04c85bfffc866b7ebbd4d4bed7c12c02761f2181ad1
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2372 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Networking:

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D19B70B1-551E-40AF-9919-E039C2A6E74E}.tmp

Jump to behavior

Source: document.xml

String found in binary or memory: https://pbs.twimg.com/profile_images/2312423523/wl3lq67gmx08ofzz84i5.jpeg

System Summary:

Source: classification engine

Classification label: clean0.winDOCX@1/10@0/0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$om Tutz Honeychurch.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD900.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
From Tutz Honeychurch.docx	0%	Virustotal		Browse
From Tutz Honeychurch.docx	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pbs.twimg.com/profile_images/2312423523/wl3lq67gmx08ofzz84i5.jpeg	document.xml	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	350064
Start date:	08.02.2021
Start time:	17:59:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 9s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	From Tutz Honeychurch.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.winDOCX@1/10@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\13CD2BB0.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 735x735, frames 3
Category:	dropped
Size (bytes):	128726
Entropy (8bit):	7.988134230633984
Encrypted:	false
SSDEEP:	3072:M4zQd/ql2G5UttW0RAW+Mf/+rk4RixRXAS6oAVp7ntSK:TUdSk0UHWyf2wCS6RVZtSK
MD5:	A11C4F61D047C385DD958C376A2528B1
SHA1:	4B64D035D6D684F89C39F329E17F0B1B2E201592
SHA-256:	19C739772D9225218F2AF1064A6B130859F1189CEE6A0699089219BB67F72C28
SHA-512:	9790E0DDB747C8438C7D3E9C3B85F872FF66DC58B15075BBCEFB6CD1CCFF434236D6A3C8A1B0311505838376D878E79F00836633884D165D41AE3B3C993604EC
Malicious:	false
Reputation:	low
Preview:	......JFIF.....H.H.....C.....................................%...#... , #&'))..-0-(0%()(...C...........(...((((((((((((((((((((((((((((((((((((((((((((((((((...........".................................................................................]...L..m@.lD....![.tM........^).M(..>.......+KX.&.V...Z.^JV.X.'/.......Dt...V..$......A .gE@..IB.P..g...D.....sW.^N.......u.0..m^..(.0.\.4..8"l0=mT....Z.k^.\.......-...E%...~R.R.F. ..b.P..~i..D...Z.J.\#.@.....UMJ....P.[.k..W.f_M./.....`.nG..(.v.....0V..QVY..4 .n..1F5..T!.a.,..."...O..P.A^....(4.2/R=,...y.Zv.<4!..8.y.~..Ta.e[K[.."l..\|....O.s.FA...i.MFe#%Tc.Y.......-Jsg.'M.H...m..;...!.Z.$...y......&H.W.]....:.jU....Q7K.2.-)..9....AE....i...X...&...{.+.S.F.W..l[:..N.j.p.7...$.MKF.~...........:0NZ~.....Z....X...o......f...S,Hd.D...@/..7....^GW.Hz......YBb3..#iPy%....3..6.m^.Z+zb8.>....A.*. #v.r.K.Cl.B.(`" ..N.....!.L.2[zR.."..v.X.w....ZQ&...%0......`.Q.S..W.UG5.......q?e.V!Q....v..c.piZD:M..`.B..9.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9F06C5AB.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 489x493, frames 3
Category:	dropped
Size (bytes):	82738
Entropy (8bit):	7.8782581515028065
Encrypted:	false
SSDEEP:	1536:ko+aUDAnF1zQ257Wd9jUMZmOG9qLHRBcSbBT8poopxizty359yyUQBb1+c:nz2M25UMZmOGiHzcSbBTWa4T
MD5:	C8113494B60EDCB3FFA7C4A237CDEBEA
SHA1:	25C07C78D37E5E4E2BAE55590519324283516997
SHA-256:	8BF1DE9DA9D00A3EC7D24941A2B9EEA0A5C10F54C30406817BBA139F62AF7BB5
SHA-512:	3C7DDCA778F9AE398903EBD1CC340253ABCC6496936AA5FA0825EF8DCBD6AD182DC1D7066A482214B0A0BD2ED3E4AF517D5F155B16BFF56BCECEEF327C022006
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(..4T7WP.....&.....3...j..?.'.......,....U..o..$...}.....=.;.......<%{...?....\.T.uk..\.e.4...EzX..3..Rr]._{.8qy....z.>]~...E~._...._........<..,.$2jWr?.p.?....eo.//.%.r......N.._Y..I....{.U..I...95.b8K<.S......8h..W....;.........:.2=k...........1\|W..~.[.......;..J.E...@.w..f\..~E.N.......^%../../,n...-\|(.X$RC#......J.+...6....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1F5FD602-8896-489B-B9A3-040AAE90EE14}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:X:X
MD5:	32649384730B2D61C9E79D46DE589115
SHA1:	053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
SHA-256:	E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
SHA-512:	A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A8A4CE1A-920F-4984-A01A-83E80CBA7966}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2610
Entropy (8bit):	2.9623738146637613
Encrypted:	false
SSDEEP:	48:UcbMGb6MM8JQgl1FkkZKoO6Nd3htI0YHoO5cl:HbbmX8JQ49gL6Nd3htI0YHVCl
MD5:	BAA32DA7849E8208BF81790241C7312E
SHA1:	2A6379C4A6CEB7695327312E97834B9D0A0D21E7
SHA-256:	7C66E7A37338B323909098FF671EE3595C81C7BEF37C32493C7B2D70BC0CE5FB
SHA-512:	BB405BCA5E17D91712AF28F470A254C1F8ACD73D7547B7BA38F9E5E33D14B741664E3C044C55A208FD6D1DB68C0BC92F8E95D10FD73E44FF313E65D306EC0320
Malicious:	false
Reputation:	low
Preview:	....N.o.t.e.s.,. .0.1./.0.7./.2.0.1.0...F.r.o.m. .T.u.t.z. .H.o.n.e.y.c.h.u.r.c.h. .. I. .h.a.v.e. .1.0. .m.i.n.u.t.e.s. .a.v.a.i.l.a.b.l.e. .t.o.d.a.y. .o.n. .t.h.e. .1.h.r. .l.i.b.r.a.r.y. .c.o.m.p.u.t.e.r. .l.i.m.i.t. .n.e.w. .t.o.d.a.y.. ....I. .s.i.g.n.e.d. .u.p. .f.o.r. .M.a.c.y.s.,. .c.a.s.h.i.e.r. .$.1.0. .a.n. .h.o.u.r.,. .d.o.w.n. .t.h.e. .s.t.r.e.e.t.& & ..a.n.d. .o.n.l.y. .S.e.a.r.s. .n.e.x.t.d.o.o.r.............................................................................................................(...........f...h...j...............0.......................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D19B70B1-551E-40AF-9919-E039C2A6E74E}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\From Tutz Honeychurch.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Tue Feb 9 01:00:40 2021, length=224704, window=hide
Category:	dropped
Size (bytes):	2148
Entropy (8bit):	4.5828627200781975
Encrypted:	false
SSDEEP:	48:8e/XT0jkvPzfSD+Qh2e/XT0jkvPzfSD+Q/:8e/XojkvPjk+Qh2e/XojkvPjk+Q/
MD5:	A917F264113230029105911749C8CCEE
SHA1:	EE83ED598ED323969F78FD15E9C6DCC7EC6AB4E6
SHA-256:	5CEA00BF5B4DAAEF0190FAE9D7DFD9633DD2AA0F63D31F28D493990A63C2A8B3
SHA-512:	A49B3B331FA362061D2C169D4AC4212C42D8600507E5FC57FF759284BA72250E8104B43CC211E7657B7CBAA581BA162F8769D8A7B4682618566FA0C3E4FB243F
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....d..{...d..{...l.].....m...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....~.2..m..IR.. .FROMTU~1.DOC..b.......Q.y.Q.y...8.....................F.r.o.m. .T.u.t.z. .H.o.n.e.y.c.h.u.r.c.h...d.o.c.x.......................-...8...[............?J......C:\Users\..#...................\\377142\Users.user\Desktop\From Tutz Honeychurch.docx.1.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.F.r.o.m. .T.u.t.z. .H.o.n.e.y.c.h.u.r.c.h...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......377142....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.638478959462503
Encrypted:	false
SSDEEP:	3:HoXTYRXrS7MRXrSmxWoXTYRXrSv:Hufuj
MD5:	431D6DB9E35E85D4176797B3712A85E2
SHA1:	DEBEF3FFCEA54154B4C4B6FF958072E20042DFDC
SHA-256:	8012B10A8FEF9E9D271F1F367A6F2DFFD070921FE5C2DB8F4357676A7FAF6D47
SHA-512:	7BDE74952D7C726A4F0323E09F4888E69CAA2D478658729454692F3A7D2D77252FF16579374770F8B4E80B27CB1F6835120006E8B406E9772DA593797D4D2E98
Malicious:	false
Reputation:	low
Preview:	[misc]..From Tutz Honeychurch.LNK=0..From Tutz Honeychurch.LNK=0..[misc]..From Tutz Honeychurch.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4311600611816426
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyBKbFNHlMw2imqilfln:vdsCkWtLbFNHlrHidl
MD5:	7F5B0CCA5E1550964CDCCA68149D5D0D
SHA1:	996C99E1AA101CAC6ED37A0FA9B0A64FC97173D6
SHA-256:	F84D176CF962EBB0437C718CD9249496DA1FE4FCEE2B18E258BC847472878D13
SHA-512:	0F108B39E61109601D967DFF5B541AC31FA74AC5ACD79E6D37691A340B6371825D393589BF667B57BB6A36B5392269E249FF8B0A0A6726F56310D9B321A138FD
Malicious:	false
Reputation:	low
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\Desktop\~$om Tutz Honeychurch.docx Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4311600611816426
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyBKbFNHlMw2imqilfln:vdsCkWtLbFNHlrHidl
MD5:	7F5B0CCA5E1550964CDCCA68149D5D0D
SHA1:	996C99E1AA101CAC6ED37A0FA9B0A64FC97173D6
SHA-256:	F84D176CF962EBB0437C718CD9249496DA1FE4FCEE2B18E258BC847472878D13
SHA-512:	0F108B39E61109601D967DFF5B541AC31FA74AC5ACD79E6D37691A340B6371825D393589BF667B57BB6A36B5392269E249FF8B0A0A6726F56310D9B321A138FD
Malicious:	false
Reputation:	low
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	7.956740805548689
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	From Tutz Honeychurch.docx
File size:	224704
MD5:	a5258f370733334149b30ceae94fbe99
SHA1:	dd86e740f5e6205725a54d980bab465d5a6cb867
SHA256:	57e0592902153e996cc7c04c85bfffc866b7ebbd4d4bed7c12c02761f2181ad1
SHA512:	838c84a6295f26423ed601680c8b94e448714973f1bac87274252ba10e6dd89ae006bb94a618a9f77402110e86822c9735d9930993e94da7e1b4c80ed22b2068
SSDEEP:	6144:nQSW/RGijT9ZUdSk0UHWyf2wCS6RVZtSphH:nQJP9sSkf2wWT8nH
File Content Preview:	PK..........!..A..f...T.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: WINWORD.EXE PID: 2372 Parent PID: 584

General

Start time:	18:00:40
Start date:	08/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f8e0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Created

File Deleted

File Written

File Read

Show Windows behavior

Registry Activities

Key Created

Key Value Created

Key Value Modified

Disassembly

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report From Tutz Honeychurch.docx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Code Manipulations

Statistics

System Behavior

Analysis Process: WINWORD.EXE PID: 2372 Parent PID: 584

General

File Activities

File Created

File Deleted

File Moved

File Written

File Read

Registry Activities

Key Created

Key Value Created

Key Value Modified

Disassembly