Cuckoo Sandbox

File mnTvoEggkb.doc

Summary
Download Resubmit sample

Size	7.5KB
Type	Unicode text, UTF-8 text, with very long lines (856), with CRLF line terminators
MD5	`0ef2df4e668cbc43a51531873057495d`
SHA1	`7edd950c819ef30b71a38eeca8485f0b34d559e7`
SHA256	`27dae329fc4bb62bd03359161123ec5cd43125a794b9d9bd8dbabeab68f22cca`
SHA512	`ef4d3aa40355b6027a411859fc6fbcd4735a7b70e8304f50d3daad06ab269809482eb1d818915cbf099ab2050aa1c1bf8a416dbccd41d92200af29ac1cf140b5`
CRC32	`EED866B8`
ssdeep	`None`
Yara	None matched

Score

This file appears fairly benign with a score of 0.7 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	May 5, 2025, 6:46 a.m.	May 5, 2025, 6:53 a.m.	405 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2025-05-01 10:01:22,046 [analyzer] DEBUG: Starting analyzer from: C:\tmpqqrt4a
2025-05-01 10:01:22,078 [analyzer] DEBUG: Pipe server name: \??\PIPE\EALIebPFCIFJuarxpNXpz
2025-05-01 10:01:22,078 [analyzer] DEBUG: Log pipe server name: \??\PIPE\fbojWwQRngjbkOWYPxZUgcbyTPqETa
2025-05-01 10:01:22,078 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-05-01 10:01:22,078 [analyzer] INFO: Automatically selected analysis package "doc"
2025-05-01 10:01:22,640 [analyzer] DEBUG: Started auxiliary module Curtain
2025-05-01 10:01:22,640 [analyzer] DEBUG: Started auxiliary module DbgView
2025-05-01 10:01:23,265 [analyzer] DEBUG: Started auxiliary module Disguise
2025-05-01 10:01:23,483 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-05-01 10:01:23,483 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-05-01 10:01:23,483 [analyzer] DEBUG: Started auxiliary module Human
2025-05-01 10:01:23,483 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-05-01 10:01:23,483 [analyzer] DEBUG: Started auxiliary module Reboot
2025-05-01 10:01:23,578 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-05-01 10:01:23,578 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-05-01 10:01:23,578 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-05-01 10:01:23,578 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-05-01 10:01:23,733 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE' with arguments [u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\mnTvoEggkb.doc'] and pid 1100
2025-05-01 10:01:23,858 [analyzer] DEBUG: Loaded monitor into process with pid 1100
2025-05-01 10:01:27,765 [analyzer] INFO: Added new file to list with pid 1100 and path C:\Users\Administrator\AppData\Roaming\Microsoft\Office\MSO1033.acl
2025-05-01 10:01:29,625 [analyzer] INFO: Added new file to list with pid 1100 and path C:\Users\Administrator\AppData\Local\Temp\~$TvoEggkb.doc
2025-05-01 10:01:52,733 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-05-01 10:01:53,217 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-05-01 10:01:53,217 [lib.api.process] INFO: Successfully terminated process with pid 1100.
2025-05-01 10:01:53,233 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-05-05 06:46:58,501 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:46:59,526 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:00,550 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:01,571 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:02,598 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:03,626 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:04,653 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:05,688 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:06,714 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:07,742 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:08,788 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:09,829 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:10,850 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:11,875 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:12,901 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:13,921 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:14,949 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:15,971 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:16,994 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:18,017 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:19,044 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:20,069 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:21,093 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:22,118 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:23,146 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:24,252 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:25,286 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:26,309 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:27,328 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:28,352 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:29,374 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:30,478 [cuckoo.core.scheduler] DEBUG: Task #6393068: no machine available yet
2025-05-05 06:47:31,573 [cuckoo.core.scheduler] INFO: Task #6393068: acquired machine win7x6428 (label=win7x6428)
2025-05-05 06:47:31,575 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.228 for task #6393068
2025-05-05 06:47:31,805 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2626587 (interface=vboxnet0, host=192.168.168.228)
2025-05-05 06:47:32,046 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6428
2025-05-05 06:47:32,519 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6428 to vmcloak
2025-05-05 06:50:41,501 [cuckoo.core.guest] INFO: Starting analysis #6393068 on guest (id=win7x6428, ip=192.168.168.228)
2025-05-05 06:50:42,508 [cuckoo.core.guest] DEBUG: win7x6428: not ready yet
2025-05-05 06:50:47,612 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6428, ip=192.168.168.228)
2025-05-05 06:50:47,786 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6428, ip=192.168.168.228, monitor=latest, size=6660546)
2025-05-05 06:50:51,692 [cuckoo.core.resultserver] DEBUG: Task #6393068: live log analysis.log initialized.
2025-05-05 06:50:53,120 [cuckoo.core.resultserver] DEBUG: Task #6393068 is sending a BSON stream
2025-05-05 06:50:53,495 [cuckoo.core.resultserver] DEBUG: Task #6393068 is sending a BSON stream
2025-05-05 06:50:54,382 [cuckoo.core.resultserver] DEBUG: Task #6393068: File upload for 'shots/0001.jpg'
2025-05-05 06:50:54,404 [cuckoo.core.resultserver] DEBUG: Task #6393068 uploaded file length: 133474
2025-05-05 06:50:57,582 [cuckoo.core.resultserver] DEBUG: Task #6393068: File upload for 'shots/0002.jpg'
2025-05-05 06:50:57,592 [cuckoo.core.resultserver] DEBUG: Task #6393068 uploaded file length: 124109
2025-05-05 06:50:58,686 [cuckoo.core.resultserver] DEBUG: Task #6393068: File upload for 'shots/0003.jpg'
2025-05-05 06:50:58,696 [cuckoo.core.resultserver] DEBUG: Task #6393068 uploaded file length: 123925
2025-05-05 06:50:59,834 [cuckoo.core.resultserver] DEBUG: Task #6393068: File upload for 'shots/0004.jpg'
2025-05-05 06:50:59,844 [cuckoo.core.resultserver] DEBUG: Task #6393068 uploaded file length: 123696
2025-05-05 06:51:00,941 [cuckoo.core.resultserver] DEBUG: Task #6393068: File upload for 'shots/0005.jpg'
2025-05-05 06:51:00,952 [cuckoo.core.resultserver] DEBUG: Task #6393068 uploaded file length: 123762
2025-05-05 06:51:02,030 [cuckoo.core.resultserver] DEBUG: Task #6393068: File upload for 'shots/0006.jpg'
2025-05-05 06:51:02,032 [cuckoo.core.resultserver] DEBUG: Task #6393068 uploaded file length: 41113
2025-05-05 06:51:03,114 [cuckoo.core.resultserver] DEBUG: Task #6393068: File upload for 'shots/0007.jpg'
2025-05-05 06:51:03,131 [cuckoo.core.resultserver] DEBUG: Task #6393068 uploaded file length: 99944
2025-05-05 06:51:06,031 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6393068 still processing
2025-05-05 06:51:21,180 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6393068 still processing
2025-05-05 06:51:22,623 [cuckoo.core.resultserver] DEBUG: Task #6393068: File upload for 'curtain/1746086512.92.curtain.log'
2025-05-05 06:51:22,626 [cuckoo.core.resultserver] DEBUG: Task #6393068 uploaded file length: 36
2025-05-05 06:51:22,859 [cuckoo.core.resultserver] DEBUG: Task #6393068: File upload for 'sysmon/1746086513.12.sysmon.xml'
2025-05-05 06:51:22,922 [cuckoo.core.resultserver] DEBUG: Task #6393068 uploaded file length: 1734156
2025-05-05 06:51:22,932 [cuckoo.core.resultserver] DEBUG: Task #6393068: File upload for 'files/76e4ba4f8554b625_mso1033.acl'
2025-05-05 06:51:22,935 [cuckoo.core.resultserver] DEBUG: Task #6393068 uploaded file length: 37762
2025-05-05 06:51:22,937 [cuckoo.core.resultserver] DEBUG: Task #6393068: File upload for 'files/7aea3ff1bfd57255_~$tvoeggkb.doc'
2025-05-05 06:51:22,938 [cuckoo.core.resultserver] DEBUG: Task #6393068 uploaded file length: 162
2025-05-05 06:51:23,659 [cuckoo.core.resultserver] DEBUG: Task #6393068: File upload for 'shots/0008.jpg'
2025-05-05 06:51:23,672 [cuckoo.core.resultserver] DEBUG: Task #6393068 uploaded file length: 133474
2025-05-05 06:51:23,686 [cuckoo.core.resultserver] DEBUG: Task #6393068 had connection reset for <Context for LOG>
2025-05-05 06:51:24,285 [cuckoo.core.guest] INFO: win7x6428: analysis completed successfully
2025-05-05 06:51:24,297 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-05-05 06:51:24,321 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-05-05 06:51:24,978 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6428 to path /srv/cuckoo/cwd/storage/analyses/6393068/memory.dmp
2025-05-05 06:51:24,979 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6428
2025-05-05 06:53:43,428 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.228 for task #6393068
2025-05-05 06:53:43,861 [cuckoo.core.scheduler] DEBUG: Released database task #6393068
2025-05-05 06:53:43,884 [cuckoo.core.scheduler] INFO: Task #6393068: analysis procedure completed

Signatures

Allocates read-write-execute memory (usually to unpack itself) (21 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3948000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef47ed000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef394c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef32cd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef32c8000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef47ed000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef32cc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef394d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef7905000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef58c5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef7905000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef47ed000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef47e9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3948000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef390d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef394c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef47ed000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef32c8000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef394d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef32cc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 1, 2025, 11:01 a.m.	process_identifier: 1100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef47ed000 process_handle: 0xffffffffffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\Administrator\AppData\Local\Temp\~$TvoEggkb.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile May 1, 2025, 11:01 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000000003b8 filepath: C:\Users\Administrator\AppData\Local\Temp\~$TvoEggkb.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\ADMINI~1\AppData\Local\Temp\~$TvoEggkb.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0