Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | April 13, 2021, 9:13 a.m. | April 13, 2021, 9:21 a.m. |
Process | Command line | PID |
---|---|---|
WINWORD.EXE | "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\.............................................................dot | 3332 |
IP Address | Status | Action |
---|---|---|
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Key | Value |
---|---|
filetype_details | Rich Text Format data, unknown version |
filename | .............................................................dot |
host | 172.217.25.14 |
host | 23.95.122.25 |
Engine | Detection |
---|---|
MicroWorld-eScan | Exploit.RTF-ObfsObjDat.Gen |
FireEye | Exploit.RTF-ObfsObjDat.Gen |
CAT-QuickHeal | Exp.RTF.Obfus.Gen |
McAfee | Exploit-CVE2017-11882.bw |
Arcabit | Exploit.RTF-ObfsObjDat.Gen |
Symantec | Trojan.Gen.MBT |
ESET-NOD32 | a variant of DOC/Abnormal.A |
BitDefender | Exploit.RTF-ObfsObjDat.Gen |
NANO-Antivirus | Exploit.Rtf.Heuristic-rtf.dinbqn |
Ad-Aware | Exploit.RTF-ObfsObjDat.Gen |
Emsisoft | Exploit.RTF-ObfsObjDat.Gen (B) |
TrendMicro | HEUR_RTFMALFORM |
McAfee-GW-Edition | Exploit-CVE2017-11882.bw |
Ikarus | Win32.Outbreak |
Avira | HEUR/Rtf.Malformed |
GData | Exploit.RTF-ObfsObjDat.Gen |
Cynet | Malicious (score: 99) |
AhnLab-V3 | RTF/Malform-A.Gen |
ALYac | Exploit.RTF-ObfsObjDat.Gen |
MAX | malware (ai score=83) |
Zoner | Probably Heur.RTFBadVersion |
TACHYON | Trojan-Exploit/RTF.CVE-2017-11882 |
Fortinet | RTF/CoinMiner.N!tr |