Summary | ZeroBOX

diagram-58392516.xls

MSOffice File
Category Machine Started Completed
FILE s1_win7_x3201 May 18, 2021, 9:47 a.m. May 18, 2021, 9:54 a.m.
Size 380.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: Operator, Last Saved By: vi-vi, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:19:34 2015, Last Saved Time/Date: Mon May 17 08:33:52 2021, Security: 0
MD5 3e58b8987074c6d6b6725e2cbdb0494d
SHA256 59f4e34e487efed39c297417fcd382c769518ad1c8d2b203d45b261158a682fd
CRC32 8178A744
ssdeep 6144:IcPiNQApW/89bK103eGvgZqr3h8GB3ckt6Uqa5DPdG9uS9QLn4z8yej:ut6Uqa5DPdG9uS9QLn4z8T
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File

Suricata Alerts

Flow SID Signature Category
TCP 162.241.27.24:443 -> 192.168.56.103:49603 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49598 -> 162.241.27.24:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49596 -> 162.241.27.24:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49602 -> 162.241.27.24:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49591 -> 52.33.45.66:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49612 -> 23.201.37.168:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 162.241.27.24:443 -> 192.168.56.103:49599 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49601 -> 162.241.27.24:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49613 -> 23.40.44.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.103:49591 -> 52.33.45.66:443 C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA C=US, ST=California, L=Mountain View, O=Mozilla Corporation, OU=Cloud Services, CN=*.telemetry.mozilla.org 6d:3c:6a:a4:5f:46:eb:8b:b6:fb:8f:08:44:02:01:61:a0:25:c3:c8
TLSv1 192.168.56.103:49612 -> 23.201.37.168:443 C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=www.microsoft.com 9b:2b:8a:e6:51:69:aa:47:7c:57:83:d6:48:0f:29:6e:f4:8c:f1:4d
TLSv1 192.168.56.103:49613 -> 23.40.44.112:443 C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=download.microsoft.com e7:01:d1:e2:a1:0e:a1:84:0b:d0:c6:2e:a2:42:7a:f4:7b:40:91:c5

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x776ed08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x776e964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x776d4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x776d6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x776de825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x776d6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x776d5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x776d49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x776d5a20
RtlClearBits+0x2d8 TpCheckTerminateWorker-0x1a ntdll+0x5d700 @ 0x77aed700
LdrShutdownProcess+0x97 RtlSubtreePredecessor-0x503 ntdll+0x5e449 @ 0x77aee449
RtlExitUserProcess+0x74 RtlDetectHeapLeaks-0x4e ntdll+0x5e19f @ 0x77aee19f
ExitProcess+0x15 TerminateThread-0x143 kernel32+0x52164 @ 0x762e2164
rundll32+0x135c @ 0x56135c
rundll32+0x1901 @ 0x561901
BaseThreadInitThunk+0x12 SetUnhandledExceptionFilter-0xbc kernel32+0x53c45 @ 0x762e3c45
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x637f5 @ 0x77af37f5
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x637c8 @ 0x77af37c8

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x77703ef4
registers.esp: 1833100
registers.edi: 0
registers.eax: 37330520
registers.ebp: 1833128
registers.edx: 1
registers.ebx: 0
registers.esi: 2941000
registers.ecx: 1936537052
1 0 0
request GET http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
request GET https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
request GET https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.339.927.0/x86/mpas-fe.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b1c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b21f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b21f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75b41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b101000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b101000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6af61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77791000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77121000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x772d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75c61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75621000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71e11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71cb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71ca1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d01000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75301000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06800000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06800000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06820000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06830000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
MicroWorld-eScan Trojan.DOC.Agent.AVP
FireEye Trojan.DOC.Agent.AVP
K7AntiVirus Trojan ( 0057936c1 )
K7GW Trojan ( 0057936c1 )
ESET-NOD32 a variant of VBA/TrojanDownloader.Agent.WCO
Kaspersky HEUR:Trojan.MSOffice.Generic
Ad-Aware Trojan.DOC.Agent.AVP
Emsisoft Trojan.DOC.Agent.AVP (B)
McAfee-GW-Edition Artemis
Microsoft TrojanDownloader:O97M/EncDoc.AST!MTB
AegisLab Trojan.MSOffice.Generic.4!c
ZoneAlarm HEUR:Trojan.Script.Generic
MAX malware (ai score=81)
Ikarus Win32.Outbreak
Fortinet XF/Nastya.E86D!tr.dldr
Time & API Arguments Status Return Repeated

URLDownloadToFileW

url: https://hermescomm.net/x9NvrhL0/lena.html
stack_pivoted: 0
filepath_r: ..\bubl.cmi
filepath: C:\Users\Administrator\bubl.cmi
2148270088 0

URLDownloadToFileW

url: https://hermescomm.net/x9NvrhL0/lena.html
stack_pivoted: 0
filepath_r: ..\bubl.cmi1
filepath: C:\Users\Administrator\bubl.cmi1
2148270088 0
parent_process excel.exe martian_process rundll32 ..\bubl.cmi1,DllRegisterServer
parent_process excel.exe martian_process rundll32 ..\bubl.cmi,DllRegisterServer