Edit tour

Windows Analysis Report
upd-documentos.docx

Overview

General Information

Sample name:	upd-documentos.docx
Analysis ID:	1546310
MD5:	0b8423f133b423737e0cf67913fdc5a6
SHA1:	abb81b39d46adf56a6474df1ff1584c0203cb488
SHA256:	a17c902231378ac916cf537adc45f48d0c465872fe7374bcceeb2f6caf7c1afd
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Microsoft Office launches external ms-search protocol handler (WebDAV)

Contains an external reference to another file

Machine Learning detection for dropped file

Microsoft Office drops suspicious files

Office process drops PE file

Office viewer loads remote template

Sigma detected: File With Uncommon Extension Created By An Office Application

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

PE file contains sections with non-standard names

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3540 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Sigma Signatures

System Summary

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3540, TargetFilename: C:\Users\user\AppData\Local\Temp\auxiliary2.dll

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3540, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3540, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\auxiliary2.dll

Avira: detection malicious, Label: HEUR/AGEN.1301814

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\auxiliary2.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6334A5D1.htm	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\report[1].htm	Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\auxiliary2.dll

Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: auxiliary2.dll.0.dr

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{88963551-976E-4B5A-A810-7267D6BA11EA}.tmp

Jump to behavior

Source: ~WRD0000.tmp.0.dr, 7629F907.png.0.dr, image3.png	String found in binary or memory: http://ns.attribution.com/ads/1.0/
Source: grupocgd.azureedge.net.url.0.dr	String found in binary or memory: https://grupocgd.azureedge.net/
Source: report.dotm.url.0.dr	String found in binary or memory: https://grupocgd.azureedge.net/report.dotm

System Summary

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\report.dotm.url			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\grupocgd.azureedge.net.url			Jump to behavior

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\auxiliary2.dll

Jump to dropped file

Source: ~WRF{ED47C0D2-71DF-436E-B5E5-E072F32DFFD3}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: auxiliary2.dll.0.dr

Static PE information: Section: .data ZLIB complexity 0.992564588490099

Source: classification engine

Classification label: mal96.expl.evad.winDOCX@1/22@0/0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$d-documentos.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR958A.tmp

Jump to behavior

Source: upd-documentos.docx	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, Word Document stream: true

Source: ~WRF{ED47C0D2-71DF-436E-B5E5-E072F32DFFD3}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{ED47C0D2-71DF-436E-B5E5-E072F32DFFD3}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{ED47C0D2-71DF-436E-B5E5-E072F32DFFD3}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: upd-documentos.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\upd-documentos.docx

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: upd-documentos.docx

Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: upd-documentos.docx

Initial sample: OLE indicators vbamacros = False

Source: auxiliary2.dll.0.dr

Static PE information: section name: _RDATA

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\grupocgd.azureedge.net@SSL\DavWWWRoot			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\grupocgd.azureedge.net@SSL\DavWWWRoot			Jump to behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: https://grupocgd.azureedge.net/report.dotm

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\auxiliary2.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Software Packing	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\auxiliary2.dll	100%	Avira	HEUR/AGEN.1301814
C:\Users\user\AppData\Local\Temp\auxiliary2.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6334A5D1.htm	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\report[1].htm	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://ns.attribution.com/ads/1.0/	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://ns.attribution.com/ads/1.0/	~WRD0000.tmp.0.dr, 7629F907.png.0.dr, image3.png	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546310
Start date and time:	2024-10-31 18:59:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	upd-documentos.docx
Detection:	MAL
Classification:	mal96.expl.evad.winDOCX@1/22@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 152.199.19.161
Excluded domains from analysis (whitelisted): grupocgd.azureedge.net, grupocgd.ec.azureedge.net, cs9.wpc.v0cdn.net
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: upd-documentos.docx

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025636015170386446
Encrypted:	false
SSDEEP:	6:I3DPcJCjlMvxggLRTGtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPYd0vYg3J/
MD5:	82E6E58C24F6FF524EBE85C30028A051
SHA1:	2D777216EA7305C5172DE37A77F433F35D9EB603
SHA-256:	DDF6F112946E6B44B2AB9A6B2968406218A3F1893D29F8CE93501407859E9E22
SHA-512:	F60D145C024A37C3587C324B259A6D0DA6B72BEED4594314E74CB0E2418686BDEC42DDC947C54B6E90F5F0308C262D787FE1A274557215E0346790A39AD29A80
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z..7/W..G...BW..jS,...X.F...Fa.q...............................3.Y.G..4.............H.#.k.G...6Nhs......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\report[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	2712963
Entropy (8bit):	7.979615155849807
Encrypted:	false
SSDEEP:	49152:WIoNKCVfHSYE4r6QEXuuhk+Kbmt0bw8KYLdeAtgzGI/Tu:WZKCVfHyQElSb40c8KqvaG1
MD5:	35A633E3AF1B8C470FF7CE422744D3C0
SHA1:	138209F1F5730C4274DEDBB4EF72A3D27CBB3F36
SHA-256:	05D0EDB00846FD9A6B37D0300F522E2E68234F592250D3FD090D849E4E247546
SHA-512:	7BE4A54C8A53C41CCBA37D072546DD14E78E759FD2AF74F1D4E6725A787E24FBD4769841324A4409FCF241F5462300AEB1926A10869AE7CE2E3284B3284C4418
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	PK..........!.\|..\|............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-.]X ......J..p.Ik......=.&-...(.D.=..;.3.....9.d.+.).....i.......J.e...l..].....e.........I....}.G;..V"...R=.)..^.\(....X3.?.R.T..,h.I21.e.M]mU0.Be.D..s..M./K...'r...(d.[X.u.>G......43!.P...zg.A...s.FC6........KJ...v]K8......*..''.....q.[]..../L[E'9....So...4jV.^AJt.m..n.= ....Zrg.W.<.,..xg..\|.......tg......t..+..K..q........~.......[.q$...A=U4.o..j..........PK..........!.........N......._rels

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3526B19E.jpeg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1240x169, components 3
Category:	dropped
Size (bytes):	5457
Entropy (8bit):	5.857023200063407
Encrypted:	false
SSDEEP:	48:D9YMOFuERASSHtddddddddddddddddddddddddddddddddddddddddddddddddd5:RhOMEmkR1Q8PlW6o0W9h
MD5:	3CB48B84910A3B80DA5754CF0CF8D0FA
SHA1:	383A004D36B69F439F930EAAC8443B39AEBF0CEC
SHA-256:	AD320B4D7900F39C1035EE916DB5DAD88FB8FEE02DB986A6106978CE25E89E00
SHA-512:	45B174F274966B4760145AD0D84B7A38E48D1DFEBCC74BFBB375FDCF09881B8AA2FD393985D8FEE7B7D6155387731B65E3115E44F0DD27DDA873D6FEB5EA22F7
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6334A5D1.htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	2712963
Entropy (8bit):	7.979615155849807
Encrypted:	false
SSDEEP:	49152:WIoNKCVfHSYE4r6QEXuuhk+Kbmt0bw8KYLdeAtgzGI/Tu:WZKCVfHyQElSb40c8KqvaG1
MD5:	35A633E3AF1B8C470FF7CE422744D3C0
SHA1:	138209F1F5730C4274DEDBB4EF72A3D27CBB3F36
SHA-256:	05D0EDB00846FD9A6B37D0300F522E2E68234F592250D3FD090D849E4E247546
SHA-512:	7BE4A54C8A53C41CCBA37D072546DD14E78E759FD2AF74F1D4E6725A787E24FBD4769841324A4409FCF241F5462300AEB1926A10869AE7CE2E3284B3284C4418
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	PK..........!.\|..\|............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-.]X ......J..p.Ik......=.&-...(.D.=..;.3.....9.d.+.).....i.......J.e...l..].....e.........I....}.G;..V"...R=.)..^.\(....X3.?.R.T..,h.I21.e.M]mU0.Be.D..s..M./K...'r...(d.[X.u.>G......43!.P...zg.A...s.FC6........KJ...v]K8......*..''.....q.[]..../L[E'9....So...4jV.^AJt.m..n.= ....Zrg.W.<.,..xg..\|.......tg......t..+..K..q........~.......[.q$...A=U4.o..j..........PK..........!.........N......._rels

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7629F907.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image data, 628 x 434, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	42624
Entropy (8bit):	7.954955580887962
Encrypted:	false
SSDEEP:	768:Pmko0I7bjH4L3HSIRU/8UsOMT0Gg3xlzojZBmgiWyyAIZfLLOO/1bxKbq4BPu:Pmk2XE3S0LUsORGwxytN77OaS8
MD5:	A2BEDCD204E51468D965572A75E09573
SHA1:	5EE8F7CF28FE6DABD8F91AD99481BBCF87B031C5
SHA-256:	4945F0BFBCD796BE43277ADE81B5CFFDAF1A588F28F6F709D4D878A71760EA8C
SHA-512:	79DA1A27468A88230EEA9600B6C1553BFB06B3BFC4FECD8645956EA0517D30388F7F37ED2B12DEE5CD7C8BACEADE78E33D4B88D9B53D5A8056DC529F2F21101A
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...t.........m0Y.....pHYs..........+......iTXtXML:com.adobe.xmp.....<x:xmpmeta xmlns:x='adobe:ns:meta/'>. <rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>.. <rdf:Description rdf:about=''. xmlns:dc='http://purl.org/dc/elements/1.1/'>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang='x-default'>Untitled design - 1</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:Attrib='http://ns.attribution.com/ads/1.0/'>. <Attrib:Ads>. <rdf:Seq>. <rdf:li rdf:parseType='Resource'>. <Attrib:Created>2024-10-17</Attrib:Created>. <Attrib:ExtId>7c9b3bf3-302c-4d2d-ac9e-efbef03ebff5</Attrib:ExtId>. <Attrib:FbId>525265914179580</Attrib:FbId>. <Attrib:TouchType>2</Attrib:TouchType>. </rdf:li>. </rdf:Seq>. </Attrib:Ads>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:pd

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B096F5C.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image data, 438 x 248, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	20826
Entropy (8bit):	7.945179408026097
Encrypted:	false
SSDEEP:	384:wjmRcBP7ifyTqjUJN2UBCMDjdMo/8Mcqsw06tgi/wX:zR2P7C/UeUAOMfM06tgSy
MD5:	EC55032CED0916164385EDF88908C317
SHA1:	CFCB4C0BA3B8D49DF7C6B6DE3C5D428BB7C9CEB6
SHA-256:	F356DE16EAE68AA71140453464DEA36CE73422F95C20128E7D120EB2BB3F309A
SHA-512:	9D5EF6BE49E077EB9FB06A11C664B97828F256C50E2F5F780FD0AA9F8137C004228242D31AF144FB07E436DA67DF41385C89A6A641A8B381648BEB837610A3F7
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............,......sRGB.........gAMA......a.....pHYs..........(J...P.IDATx^....U.....~[z.....I......D:....C>......."v....R.H.Q. ...B.IH...$.l......w.f..$..y..3;s.3gf.3.i..r..... ....B........C.....)..(.).G........@.hH.9.......L.h.U....>._../.GQ.d.D.5.u....\|.....e.L..%..2(........W...%HQ.E.^0. K.....~P.<..F..]z....{.gH..Y..Q...s.......,D.\..@..uEQ.e...'....Am.....P.}...Zo.f.{..Y........X.N..G+..:1...h#............(.v.g..(f.[..P......N..f.+x.S....aT..4.\%.$.bb..(..]..dU4...`..`..U"t...b.`%z-l.....^..+pF..Q...hl.c....'.(....3.r.g..&.....L...1..6W.L-.....0...fYl.W7...[Eid.8O...k..d....(..lWP.L...1.<=aS.....!.q.../..J.6C..dr..0"..$D.r....p0.;.......%!y..I.$..L.x...(..H..E......B8.+.A.F8.....L...Ea.B.........ma.~.N..Z..5.8.Y.....-.....a....Q$."n..$.BT.....O...$T.)..(.'VH. ;g4!...v.$s..E...q.h.,.m..9.....&faH.3j...,..@.....Xm.@.....5-....-F6.E@.0....1.8..(.....l..x..I..D.2..1~.N.4...B..."n..._...M..JlFU$.r.V.0-...$6.[./.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{ED47C0D2-71DF-436E-B5E5-E072F32DFFD3}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	10420224
Entropy (8bit):	5.226416620241029
Encrypted:	false
SSDEEP:	49152:tR8nCxwIqyGLQSnQuiUMnfqojl2So8LMbFIAOYSieoT09fkXv9PQs+8Xlj+OeKUH:oQDjlPhqZlQDjlPQqZ
MD5:	E150CE91E668E76290E54CC3460518B1
SHA1:	E771EB7213149E88AC4A9EBBD0407CD3C0E8ACB5
SHA-256:	31844AF6F958353196C2F4673BBC00640D87F2C44CB7FBE604DB62C59384F27E
SHA-512:	419167C9EA7C55C158C21C341FA896ADE246B51E6D447095888E6E6AF43372DEEF1A552031C7239ADFADC6D9EE1FFC2B98137A3F167D497353DDCC5E269B0FEB
Malicious:	false
Preview:	......................>............................................'.................................................................. ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4....................................................................................................................................................................................'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...'...........'..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{27637708-9243-4467-9726-DEB7A05CDD64}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2742
Entropy (8bit):	3.3979845610936255
Encrypted:	false
SSDEEP:	24:elsCobOKrq3mgegG8xkUm46hk12e1iqoDKbuP93UPm/m/J/HZ9sfqJvjsZL:lCob9QNck151Datd/SRZcqBIZL
MD5:	7D4CD9F3D8FCD0BB5453A4CC27534917
SHA1:	A2BEACFBE0855DE65296853B7BE3C6D9B3C61279
SHA-256:	AD6E17B9385296A4C1781DEB6FBABD845AB6AAAD4F4C3C3CE971C00888D8FA25
SHA-512:	BA7911F8B5972115879B44C534275F51F7FB794DC299816DD89957F2B84F09AFCD5976C53552FFB9E5A3FF089EA17FFBB380D0E9F0AB11A2E74FEADFAB2AFD32
Malicious:	false
Preview:	../...I.D.:. .3.7.5.0.9.6.,.....D.a.t.a. .d.e. .e.m.i.s.s...o.:. .1.7.-.1.0.-.2.0.2.4. .0.9.:.2.8.,.....P...g.i.n.a. .1./.1.....C.o.m.p.r.o.v.a.t.i.v.o. .d.e. .O.p.e.r.a.....o. .C.a.i.x.a.d.i.r.e.c.t.a. .E.m.p.r.e.s.a.s......././.......C.a.i.x.a.d.i.r.e.c.t.a. .E.m.p.r.e.s.a.s.....P.a.r.a. .t.o.d.o.s. .e. .p.a.r.a. .c.a.d.a. .u.m...........................................C.a.i.x.a. .G.e.r.a.l. .d.e. .D.e.p...s.i.t.o.s.,. .S...A... .-. .S.e.d.e. .S.o.c.i.a.l.:. .A.v... .J.o...o. .X.X.I.,. .n... .6.3.,. ..................... ...f...h...~.......................................P...R...T...V...X...Z...\....................................................................................................................................................................................................................................................................................................................dV...gd{]...........$..d....a$.gd{].......d....gd{].......d....gd{]...........d....^...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{88963551-976E-4B5A-A810-7267D6BA11EA}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ED1DA7CB-08C3-434A-A4AE-5B255B8264DF}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\auxiliary2.dll

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	428544
Entropy (8bit):	7.694031092097202
Encrypted:	false
SSDEEP:	6144:fwtealvos26PD9w3Pp9S9x6WIGnCVjUW+jDvPyN9PkRagZy+P66rhRvPhRPKpY:YtdlHPD9G9qGfjU7vPyvMRr6QR/
MD5:	03F41D9A824961681A7D1AF740062A9C
SHA1:	A278256DCA45C03AFE9FF3EFD2C8567DDC593C46
SHA-256:	AB486CECB7A6FA2D05DBEFFCAB77A821AB15FA2F27DECFB797D2E4050E4F21DA
SHA-512:	C60786B53152C6733EEA236B62D5817D92FD3B34ADFE6F6E1333EE65EA208962964775A2B6C0024C1C951325DAC3AA55A1123FDBAF17AC7640DCCB451A952EB6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J..J..J.uN..J.uI..J.uO.$.J..kN..J..kI..J.uL..J.uK..J..K...J..kO..J.tkO..J.tkJ..J.tkH..J.Rich..J.........................PE..d...8. g.........." ................@8....................................................`.............................................H.......................................X...0...............................P...8............ ..P............................text............................... ..`.rdata..F.... ......................@..@.data...............................@....pdata...............n..............@..@_RDATA..............................@..@.reloc..X...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{C758B56C-1FA4-408C-AA96-A30FCE3798A0}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025636015170386446
Encrypted:	false
SSDEEP:	6:I3DPcJCjlMvxggLRTGtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPYd0vYg3J/
MD5:	82E6E58C24F6FF524EBE85C30028A051
SHA1:	2D777216EA7305C5172DE37A77F433F35D9EB603
SHA-256:	DDF6F112946E6B44B2AB9A6B2968406218A3F1893D29F8CE93501407859E9E22
SHA-512:	F60D145C024A37C3587C324B259A6D0DA6B72BEED4594314E74CB0E2418686BDEC42DDC947C54B6E90F5F0308C262D787FE1A274557215E0346790A39AD29A80
Malicious:	false
Preview:	......M.eFy...z..7/W..G...BW..jS,...X.F...Fa.q...............................3.Y.G..4.............H.#.k.G...6Nhs......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{D989912A-175C-4CD0-95B6-E8546DD65323}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025657033294029664
Encrypted:	false
SSDEEP:	6:I3DPcYqPyn2J9vxggLRZfAEgecB3RXv//4tfnRujlw//+GtluJ/eRuj:I3DP+PyuRFfAEgeGRvYg3J/
MD5:	6F936031857EAA4DEEEA87089C6D2D08
SHA1:	3E20B528AD86E81251BD98413081776D7BA3A862
SHA-256:	742799C80822F8484A8515C837A8ED4931B46A7B94CE9AE70101636F7A95125D
SHA-512:	36B77EDE571094322DD09B94100321838F247350211523CBE3C76E0A2CB63552343D3AE232C3D0119CB5C3004B8E9E0BECF17696613570968EA7F59884582436
Malicious:	false
Preview:	......M.eFy...z.;4...#H.~....K.S,...X.F...Fa.q.............................mN..eMA..".............{.!....H.<a.j?6......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\grupocgd.azureedge.net.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<https://grupocgd.azureedge.net/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.461296865614146
Encrypted:	false
SSDEEP:	3:HRAbABGQYm2feQDCBLEfCcDn:HRYFVm4eDLETn
MD5:	933B642DC4B8E879F5A4A95CA95CA409
SHA1:	3582C2BCA6FF133F43E120A808576DFEDAB9F4A0
SHA-256:	3792136FB93A7AE076D4886C52849FE27FBDE8208D50FACBE6845A65177CA4AE
SHA-512:	33660E5EAD0615DA470700C1D3E3989FE69DE2D793403F5991F0F086B343AEADDE384954E67218CF52EB9DA989E93C9ABC892212CE9C2368CB3C0B1B7ED1EDFE
Malicious:	true
Preview:	[InternetShortcut]..URL=https://grupocgd.azureedge.net/..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	112
Entropy (8bit):	4.555597583679144
Encrypted:	false
SSDEEP:	3:HcAgBLAnJ407uRZUlm4cdBLEfCceS07uRZUlv:HxVnS0iDDLEuS0iS
MD5:	0C63F6CC46F1EC08DA57410159A78A58
SHA1:	0B1E0C0A8087638361414E9FA4FB12FFED940AE5
SHA-256:	0F29DE29EBF91B96809F4CA394F554A383D906E7E687FE4BEECFCC6D1DBD2E6B
SHA-512:	45CFA867A0883FE5248DBBF443E45437A139420016CE816C78E425D36744453FCA3A796600EFFBFDE4645463B10D0E887F2DA4A026DDBBDE54486857A10A2826
Malicious:	false
Preview:	[misc]..report.dotm.url=0..upd-documentos.LNK=0..[folders]..grupocgd.azureedge.net.url=0..upd-documentos.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\report.dotm.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<https://grupocgd.azureedge.net/report.dotm>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	68
Entropy (8bit):	4.4260687679142325
Encrypted:	false
SSDEEP:	3:HRAbABGQYm2feQDCBLEfCcCAVvn:HRYFVm4eDLEPVvn
MD5:	BA62BA7A2B10A086858E46BFFC2104CE
SHA1:	E3128942C69D1B8017406C7C0A974F06BF6D0269
SHA-256:	1F3BE47E5D9BA4C3639BD4EE9C4A8C6A5A5F06E405329121D5AD59B181F3307A
SHA-512:	43EDF3C6575166DB660CBFDD90E3CD8A1CE6BDB9695EA52400DE4E7DE31EB4304074031BE59690B5AF1B78A2F79D0C4879C1E88EF3C88A0393412C4B1CC5D47D
Malicious:	true
Preview:	[InternetShortcut]..URL=https://grupocgd.azureedge.net/report.dotm..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\upd-documentos.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:11 2023, mtime=Fri Aug 11 15:42:11 2023, atime=Thu Oct 31 17:00:53 2024, length=77155, window=hide
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	4.528114580433167
Encrypted:	false
SSDEEP:	12:8z5cpRgXg/XAlCPCHaXHBWB/Pr+X+WI2lCNX/iCicvbILwa47INDtZ3YilMMEpxg:8lCn/XTX8siUJe9abDv3qsw57u
MD5:	0ECA576AC6985AF77D2E0690A2F4B12B
SHA1:	9752F42FFDD265BA711B1FB46FFC912C82254F85
SHA-256:	084043D2593648ED7F165859C71B7542C68776876DCAB70F7C295138A2CF9819
SHA-512:	BCC30427A57CC6975D023D1192738DD4E380829A50CFA2AADF1F5A95C985EA91027C1988F99978E8F566DAAFECD9837A6095AE221081491EB115CCF7B015FFDA
Malicious:	false
Preview:	L..................F.... ...>...r...>...r...3...+..c-...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1....._Y....user.8......QK.X_Y.....&=....U...............A.l.b.u.s.....z.1......WH...Desktop.d......QK.X.WH...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....p.2.c-.._Y.. .UPD-DO~1.DOC..T.......WF..WF..........................u.p.d.-.d.o.c.u.m.e.n.t.o.s...d.o.c.x.......}...............-...8...[............?J......C:\Users\..#...................\\878411\Users.user\Desktop\upd-documentos.docx.*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.u.p.d.-.d.o.c.u.m.e.n.t.o.s...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......878411..........D_....3N...W...9..W.e8...8...

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707526
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyAHpAyYQGcWX2xKbylln:vdsCkWtpHS9VX/b+l
MD5:	A604235065D4B469AB30855D5048A3E8
SHA1:	618636A10771F211931A9D26063A08A50BFA4BDF
SHA-256:	1C8E0165A83CCBF2B47064503AD0A7FF81C1573538A3E451534DB7BC99FB34D8
SHA-512:	639ADFFD0E4AE6A86E49FB706E412887694804CB96C6E4C5C59F8194983957326C124CCB14AD7D56B63D401762633EAECE5C1EB3FF2A7878F1C1E4796E0CE523
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\Desktop\upd-documentos.docx (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	85214
Entropy (8bit):	7.881913506340887
Encrypted:	false
SSDEEP:	1536:JW5g2UwRaG5DNujmk2XE3S0LUsORGwxytN77OaSPWnG0h:JkuwRa6hujGCRL+Rw9ZG0h
MD5:	C9B541D73A8692E7AE9B78DCE593FA81
SHA1:	869DE534AEA52F0D416575AB46DD39FD3ACC21C2
SHA-256:	7C0D26AD84089ACD8EDF0FE93329D20CB5D7BC8E5EA9431A7C52B73E43402E8E
SHA-512:	A1264855E154497E54090057BE821048FF87D6B865C9D54574655C607BB9C8FB8883031050C6BA7F312B2BE8BAEA77C6D6432E9ECA5B2383FBFDE0BA6D1EEE94
Malicious:	false
Preview:	PK..........!................[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T;O.0.....W..0 ..2...."f.\ZC.....sN.TiS(,....:.7.....GeM.N..K.H[(3......`..a.QY.9[......p.p.....l..........:0T).."..p'..?....&..i..l4..R\|T!...r...K..}QgJG\|\.7.....P.p.RR.....b#K.....S....nq.+.s..,q.t.^..<.........V~h.T....-K%..G6..D:Y]emE.eV.........E........IW......:k$..j..5i....=.k:..{-\|....X#.5R............R...4U....}.4.$.e<z...E.........#...4....q..Pth.zf.........PK..........!.........N...

C:\Users\user\Desktop\~$d-documentos.docx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707526
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyAHpAyYQGcWX2xKbylln:vdsCkWtpHS9VX/b+l
MD5:	A604235065D4B469AB30855D5048A3E8
SHA1:	618636A10771F211931A9D26063A08A50BFA4BDF
SHA-256:	1C8E0165A83CCBF2B47064503AD0A7FF81C1573538A3E451534DB7BC99FB34D8
SHA-512:	639ADFFD0E4AE6A86E49FB706E412887694804CB96C6E4C5C59F8194983957326C124CCB14AD7D56B63D401762633EAECE5C1EB3FF2A7878F1C1E4796E0CE523
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\Desktop\~WRD0000.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	85214
Entropy (8bit):	7.881913506340887
Encrypted:	false
SSDEEP:	1536:JW5g2UwRaG5DNujmk2XE3S0LUsORGwxytN77OaSPWnG0h:JkuwRa6hujGCRL+Rw9ZG0h
MD5:	C9B541D73A8692E7AE9B78DCE593FA81
SHA1:	869DE534AEA52F0D416575AB46DD39FD3ACC21C2
SHA-256:	7C0D26AD84089ACD8EDF0FE93329D20CB5D7BC8E5EA9431A7C52B73E43402E8E
SHA-512:	A1264855E154497E54090057BE821048FF87D6B865C9D54574655C607BB9C8FB8883031050C6BA7F312B2BE8BAEA77C6D6432E9ECA5B2383FBFDE0BA6D1EEE94
Malicious:	false
Preview:	PK..........!................[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T;O.0.....W..0 ..2...."f.\ZC.....sN.TiS(,....:.7.....GeM.N..K.H[(3......`..a.QY.9[......p.p.....l..........:0T).."..p'..?....&..i..l4..R\|T!...r...K..}QgJG\|\.7.....P.p.RR.....b#K.....S....nq.+.s..,q.t.^..<.........V~h.T....-K%..G6..D:Y]emE.eV.........E........IW......:k$..j..5i....=.k:..{-\|....X#.5R............R...4U....}.4.$.e<z...E.........#...4....q..Pth.zf.........PK..........!.........N...

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.976914461654912
TrID:	Word Microsoft Office Open XML Format document (49504/1) 58.23% Word Microsoft Office Open XML Format document (27504/1) 32.35% ZIP compressed archive (8000/1) 9.41% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	upd-documentos.docx
File size:	77'155 bytes
MD5:	0b8423f133b423737e0cf67913fdc5a6
SHA1:	abb81b39d46adf56a6474df1ff1584c0203cb488
SHA256:	a17c902231378ac916cf537adc45f48d0c465872fe7374bcceeb2f6caf7c1afd
SHA512:	b4f0cb09bb9e111071b5eefb9248653b53aa35b00f1f962fd8c85aa799dc3ee998f71b1d3a86e6ee4aad63a1897a34c9dc61eeb3ad2388ec34c4c2aa908f1ab7
SSDEEP:	1536:vv29q9TB0RtVM6SeVZgJo4gYracHIqMiv+F82YMo9dR+NPScTEUlZ70J:FOt5SggG4j2mMbFIL9dR+NPSczZ70J
TLSH:	0673F1F9C8D20A59E1866570C2720343FCC65FBA6885F35C2A5DA108CCDE6FE9F17A48
File Content Preview:	PK..........QY................docProps/PK..........!..c5.............docProps/app.xml.RMO.0.....!..q.J......8.@j..eO....l.Q~=.F.@..i.........`.w.Q;.....3..)m.U.....y...J.gq.o1.W...x..cH.cF.6..>%..X.=.".T.Ti].D.4t....x..f@.X]......B5...\|b.\|O.%UN...K.......

File Icon


Icon Hash:	65e6a3a3afb7bdbf

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "upd-documentos.docx"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Target ID:	0
Start time:	14:00:54
Start date:	31/10/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f140000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report upd-documentos.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\report[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3526B19E.jpeg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6334A5D1.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7629F907.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B096F5C.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{ED47C0D2-71DF-436E-B5E5-E072F32DFFD3}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{27637708-9243-4467-9726-DEB7A05CDD64}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{88963551-976E-4B5A-A810-7267D6BA11EA}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ED1DA7CB-08C3-434A-A4AE-5B255B8264DF}.tmp

C:\Users\user\AppData\Local\Temp\auxiliary2.dll

C:\Users\user\AppData\Local\Temp\{C758B56C-1FA4-408C-AA96-A30FCE3798A0}

C:\Users\user\AppData\Local\Temp\{D989912A-175C-4CD0-95B6-E8546DD65323}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\grupocgd.azureedge.net.url

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\report.dotm.url

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\upd-documentos.LNK

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\upd-documentos.docx (copy)

C:\Users\user\Desktop\~$d-documentos.docx

C:\Users\user\Desktop\~WRD0000.tmp

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Static File Info

General

File Icon

Static OLE Info

Windows Analysis Report
upd-documentos.docx