Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 18, 2021, 10:33 a.m.	April 18, 2021, 10:35 a.m.

Size	155.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: programming Dynamic Refined Cotton Computer Outdoors, Music & Health real-time eyeballs indexing pixel redundant Chief Web Station THX bandwidth, Author: Nathan Fontaine, Template: Normal.dotm, Last Saved By: Alicia Guyot, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Dec 30 13:16:00 2020, Last Saved Time/Date: Wed Dec 30 13:16:00 2020, Number of Pages: 1, Number of Words: 2595, Number of Characters: 14796, Security: 8
MD5	`a58394937da9d3adb33e948058fde4e9`
SHA256	`a268e9e152c260a0e80431aa8d6df187d9f24a1b6be71328ea14320436083f51`
CRC32	`00CEC7B3`
ssdeep	`3072:2ISPO2TNqU+PRGfFz9ufstRUUKSns8T00JSHUgteMJ8qMD7gAUh:Ct+P6z9ufsfgIf0pLAC`
Yara	Microsoft_Office_Document_Zero - Microsoft Office Document Signature Zero Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\a268e9e152c260a0e80431aa8d6df187d9f24a1b6be71328ea14320436083f51.doc
1896

Name	Response	Post-Analysis Lookup
pattayastore.com	A 202.183.165.89	202.183.165.89
sureoptimize.com	A 142.93.247.242	142.93.247.242
tenmoney.business	A 104.21.8.30 A 172.67.156.186	104.21.8.30
rsimadinah.com	A 66.96.230.225	66.96.230.225
littleindiadirectory.com	A 18.141.196.101	18.141.196.101
blogs.g2gtechnologies.com	A 208.91.199.15	208.91.199.15
insvat.com	A 185.42.104.77	185.42.104.77

IP Address	Status	Action
142.93.247.242	Active	Moloch
164.124.101.2	Active	Moloch
172.67.156.186	Active	Moloch
18.141.196.101	Active	Moloch
185.42.104.77	Active	Moloch
202.183.165.89	Active	Moloch
208.91.199.15	Active	Moloch
66.96.230.225	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49202 -> 185.42.104.77:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 202.183.165.89:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 172.67.156.186:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 142.93.247.242:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49204 -> 185.42.104.77:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49211 -> 202.183.165.89:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 142.93.247.242:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49213 172.67.156.186:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	7a:ec:df:cb:b4:34:de:9d:1d:9a:a4:12:f7:9c:24:22:7c:64:f6:ae

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://insvat.com/wp-admin/Dw/
suspicious_features	GET method with no useragent header	suspicious_request	GET http://blogs.g2gtechnologies.com/blogs/v/
suspicious_features	GET method with no useragent header	suspicious_request	GET http://pattayastore.com/visio-network-1hmpp/j5/
suspicious_features	GET method with no useragent header	suspicious_request	GET http://rsimadinah.com/wp-content/16qT/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://tenmoney.business/wp-content/nhW/

Performs some HTTP requests (5 events)

request	GET http://insvat.com/wp-admin/Dw/
request	GET http://blogs.g2gtechnologies.com/blogs/v/
request	GET http://pattayastore.com/visio-network-1hmpp/j5/
request	GET http://rsimadinah.com/wp-content/16qT/
request	GET https://tenmoney.business/wp-content/nhW/

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 18, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c581000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2021, 10:33 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2021, 10:33 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2021, 10:33 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2021, 10:33 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c3d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c425000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c3c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c391000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c2c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c2c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$68e9e152c260a0e80431aa8d6df187d9f24a1b6be71328ea14320436083f51.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 18, 2021, 10:33 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000198 filepath: C:\Users\test22\AppData\Local\Temp\~$68e9e152c260a0e80431aa8d6df187d9f24a1b6be71328ea14320436083f51.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$68e9e152c260a0e80431aa8d6df187d9f24a1b6be71328ea14320436083f51.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

18.141.196.101:80

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	VB:Trojan.Valyria.3532
FireEye	VB:Trojan.Valyria.3532
CAT-QuickHeal	OLE.Downloader.40547
McAfee	X97M/Downloader.gh
VIPRE	Trojan-Downloader.W97M.Agent.jc (v)
Sangfor	Trojan.Generic-VBS.Save.d59154b2
K7AntiVirus	Trojan ( 005722491 )
K7GW	Trojan ( 005722491 )
Arcabit	HEUR.VBA.C.2
Cyren	W97M/Agent.AF
Symantec	W97M.Downloader
TrendMicro-HouseCall	Trojan.W97M.EMOTET.SMJB1
Avast	Script:SNH-gen [Trj]
ClamAV	Doc.Dropper.EmotetRed1220-9816007-0
Kaspersky	HEUR:Trojan-Downloader.VBS.Agent.gen
BitDefender	VB:Trojan.Valyria.3532
NANO-Antivirus	Trojan.Script.Agent.ijcgra
AegisLab	Trojan.MSOffice.SAgent.4!c
Rising	Malware.ObfusVBA@ML.99 (VBA)
Ad-Aware	VB:Trojan.Valyria.3532
Sophos	Troj/DocDl-ABVG
Comodo	Malware@#3ijl0yjz6x7pg
F-Secure	Malware.W2000M/Agent.4750123
DrWeb	W97M.DownLoader.5057
TrendMicro	Trojan.W97M.EMOTET.SMJB1
McAfee-GW-Edition	X97M/Downloader.gh
Emsisoft	Trojan-Downloader.Macro.Generic.BQ (A)
SentinelOne	Static AI - Malicious OLE
Avira	W2000M/Agent.4750123
MAX	malware (ai score=99)
Antiy-AVL	Trojan[Downloader]/MSOffice.Agent.ldi
Gridinsoft	Trojan.U.Emotet.lu
Microsoft	TrojanDownloader:O97M/Emotet.CSK!MTB
ViRobot	DOC.Z.Agent.159283
ZoneAlarm	HEUR:Trojan-Downloader.VBS.Agent.gen
GData	Macro.Trojan.Agent.AWN
Cynet	Malicious (score: 85)
AhnLab-V3	Downloader/MSOffice.Generic
ALYac	Trojan.Downloader.DOC.Gen
TACHYON	Suspicious/W97M.Obfus.Gen.8
VBA32	TrojanDownloader.O97M.Emotet.CSK
Zoner	Probably Heur.W97Obfuscated
ESET-NOD32	VBA/TrojanDownloader.Agent.VGC
Tencent	Heur.Macro.Generic.h.71d1b951
Ikarus	Trojan-Downloader.VBA.Emotet
Fortinet	VBA/Agent.VGC!tr.dldr
AVG	Script:SNH-gen [Trj]
Panda	W97M/Downloader.DDE
Qihoo-360	virus.office.qexvmc.1065

a268e9e152c260a0e80431aa8d6df187d9f24a1b6be71328ea14320436083f51.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All