File name:	30092463687563.docx
Full analysis:	https://app.any.run/tasks/b99480b0-3a3f-4691-bb0b-ee898abb031c
Verdict:	Malicious activity
Analysis date:	October 02, 2024, 11:41:54
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:	Microsoft Word 2007+
MD5:	DA3B3B9590907C35F64E830B2B244FFD
SHA1:	8393B61A2871BC1EA9CB2C22FA041790CE8FA5B1
SHA256:	97A4FE736DDD0955E218E7F7FB00D2FDDEE7896DB60AA90E175B4824C9192825
SSDEEP:	12288:I7HAhWYl6ZgmX1AYp5/buug1i0aGTTB26Ev43:I7HAh9qgmFAYp5/buug1i0a+TBuw3

.docx	\|	Word Microsoft Office Open XML Format document (52.2)
.zip	\|	Open Packaging Conventions container (38.8)
.zip	\|	ZIP compressed archive (8.8)

ZipRequiredVersion:	20
ZipBitFlag:	0x0002
ZipCompression:	Deflated
ZipModifyDate:	2024:10:02 09:05:08
ZipCRC:	0x3795fcdd
ZipCompressedSize:	341
ZipUncompressedSize:	1312
ZipFileName:	[Content_Types].xml

Template:	Normal.dotm
TotalEditTime:	2 minutes
Pages:	142
Words:	104861
Characters:	597712
Application:	Microsoft Office Word
DocSecurity:	None
Lines:	4980
Paragraphs:	1402
ScaleCrop:	No
Company:	-
LinksUpToDate:	No
CharactersWithSpaces:	701171
SharedDoc:	No
HyperlinksChanged:	No
AppVersion:	12
LastModifiedBy:	Modexcomm
RevisionNumber:	2
CreateDate:	2024:07:19 01:41:00Z
ModifyDate:	2024:09:24 15:24:00Z


(PID) Process:	(7032) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	0
Value: 017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:	(7032) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete value	Name:	0
Value: ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:	(7032) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7032) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\7032
Operation:	write	Name:	0
Value: 0B0E1051988F9E43D39D4EAC32C33D0355F329230046CD97D6DB8198C5ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511F836D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(7032) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(7032) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(7032) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2
(PID) Process:	(7032) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 2
(PID) Process:	(7032) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	it-it
Value: 2
(PID) Process:	(7032) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ja-jp
Value: 2

PID	Process	Filename		Type
7032	WINWORD.EXE	C:\Users\admin\Desktop\~$092463687563.docx		abr
		MD5:393526EA5371285186F7B73FB937124A	SHA256:F8EF9A6263BCB6B4F42EB9B62F2D686B8F64D90470D207AADA9FC8E1FC16613D
7032	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		abr
		MD5:B8651625E5705D175C1C9D934FD27887	SHA256:FE783AC7811DCA45D987632D61ACFEBD2A23F779CD671ED0F7B0DC04C17354AE
7032	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\ResourceInfoCache\07fc2a8c43a1d1f16572d21e959a4847e306edae.temp		binary
		MD5:598DC862F4D058377D2A96BF6B654ED6	SHA256:D4EF89F40C423201F564EFF913236B4CEE9BE6CA6BFACA7D9C01315FC20CE204
7032	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\ResourceInfoCache\data.json		binary
		MD5:598DC862F4D058377D2A96BF6B654ED6	SHA256:D4EF89F40C423201F564EFF913236B4CEE9BE6CA6BFACA7D9C01315FC20CE204
7032	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\wealthzxcv[1].doc		text
		MD5:ADBFFCCBB78834FA492CC7CA8A676E52	SHA256:42D08DF15B74F7A598895DE1590DAB57CD973D1B4DD8531F88AC3150260F7E63
7032	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{26669229-E70E-4C2E-9DB2-D36DF23F8ECE}.tmp		binary
		MD5:80CD5BC458DDE37989DDCCE38E94C5F8	SHA256:B4FBAFF23F19C882E4B2346C91D7CB8D800EA98D25A8830014205430E52644AD
7032	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:22D1AC63C4154C9A9A5F4EEA9A3F6A67	SHA256:C7D297C093D7B8D78C76E1E8174D01A6309E43BF88BEF493207F553D6742C64A
7032	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin		text
		MD5:D2E6FA3122632BCEFEA7EC69101CBF1F	SHA256:8B409671BA662613760D07F6614F980700DDB6079DB2D8396989FD6BC61EE483
7032	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin		text
		MD5:CC90D669144261B198DEAD45AA266572	SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
7032	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{A4841231-F928-4B6C-BB3E-94D0CB6638E2}.tmp		smt
		MD5:830FBF83999E052538EAF156AB6ECB17	SHA256:D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1120	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7032	WINWORD.EXE	OPTIONS	200	154.216.20.22:80	http://154.216.20.22/txt/	unknown	—	—	unknown
7032	WINWORD.EXE	OPTIONS	200	154.216.20.22:80	http://154.216.20.22/txt/	unknown	—	—	unknown
7032	WINWORD.EXE	HEAD	200	154.216.20.22:80	http://154.216.20.22/txt/wealthzxcv.doc	unknown	—	—	unknown
7032	WINWORD.EXE	GET	200	154.216.20.22:80	http://154.216.20.22/txt/wealthzxcv.doc	unknown	—	—	unknown
7032	WINWORD.EXE	HEAD	200	154.216.20.22:80	http://154.216.20.22/txt/wealthzxcv.doc	unknown	—	—	unknown
—	—	GET	200	52.109.76.240:443	https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.16026&crev=3	unknown	xml	172 Kb	whitelisted
—	—	GET	200	23.48.23.30:443	https://omex.cdn.office.net/addinclassifier/officesharedentities	unknown	text	314 Kb	whitelisted
—	—	GET	200	52.111.246.1:443	https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B9E8F9851-D343-4E9D-AC32-C33D0355F329%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofjhlwlmoc1pz531%22%7D	unknown	text	542 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1120	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1120	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7032	WINWORD.EXE	52.109.28.46:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
google.com	172.217.23.110	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
officeclient.microsoft.com	52.109.28.46	whitelisted
omex.cdn.office.net	2.19.126.160 2.19.126.151	whitelisted
ecs.office.com	52.113.194.132	whitelisted
messaging.lifecycle.office.com	52.111.246.1	whitelisted
self.events.data.microsoft.com	20.189.173.14	whitelisted
metadata.templates.cdn.office.net	95.101.111.168 95.101.111.179	whitelisted
binaries.templates.cdn.office.net	88.221.110.138 88.221.110.227	whitelisted

PID	Process	Class	Message
7032	WINWORD.EXE	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 24
7032	WINWORD.EXE	Potentially Bad Traffic	ET INFO Dotted Quad Host DOC Request
7032	WINWORD.EXE	Potentially Bad Traffic	ET INFO Dotted Quad Host DOC Request
7032	WINWORD.EXE	Potentially Bad Traffic	ET HUNTING Microsoft Office User-Agent Requesting A Doc File
7032	WINWORD.EXE	Potentially Bad Traffic	ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers
7032	WINWORD.EXE	Potentially Bad Traffic	ET INFO Possible RTF File With Obfuscated Version Header
7032	WINWORD.EXE	Misc activity	ET USER_AGENTS Microsoft Office Existence Discovery User-Agent
7032	WINWORD.EXE	Potentially Bad Traffic	ET INFO Dotted Quad Host DOC Request

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

30092463687563.docx

DA3B3B9590907C35F64E830B2B244FFD

8393B61A2871BC1EA9CB2C22FA041790CE8FA5B1

97A4FE736DDD0955E218E7F7FB00D2FDDEE7896DB60AA90E175B4824C9192825

12288:I7HAhWYl6ZgmX1AYp5/buug1i0aGTTB26Ev43:I7HAh9qgmFAYp5/buug1i0a+TBuw3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Connects to the server without a host name

INFO

Malware configuration

Static information

TRiD

EXIF

ZIP

XML

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings