Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 15, 2021, 9:26 p.m.	June 15, 2021, 9:28 p.m.

Size	788.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: tutors leaver, Subject: uplands bristles, Author: shamefacednesses glaciating, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jun 14 10:44:34 2021, Last Saved Time/Date: Mon Jun 14 13:56:06 2021, Security: 0
MD5	`d65c8d73d13ed5d4f2973631101c4b34`
SHA256	`35f32786d4cef03729a8702bee05910c8cb7682cf6b2370f911d437ad0df1644`
CRC32	`1ECEDA61`
ssdeep	`24576:TiOvq0l6lWl5lhYJ+elPxB0jE0JvoX92FR1TkNKbQ:tzl6lWl5lhKhlPxmjDmEmNKbQ`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Generic_Malware_Zero - Generic Malware Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" "C:\Users\test22\AppData\Local\Temp\Document 81161221.xls"
7132

Name	Response	Post-Analysis Lookup
highend.pk	A 18.136.132.202	18.136.132.202
dev1.naturalgraphic.hu	A 87.229.72.45	87.229.72.45
mobile-landing.ishr.co.in	A 164.52.201.122	164.52.201.122
goodiesmariage.e-m2.net	A 94.124.84.11	94.124.84.11
test.amarcampus24.com	A 95.216.103.165	95.216.103.165
ibnbatutta.pk	A 18.136.132.202	18.136.132.202
event.cyberwoodz.site	A 119.18.54.94	119.18.54.94
zankzakartigosesportivos.com.br	A 191.252.106.110	191.252.106.110
indusautomobile.com	A 18.136.132.202	18.136.132.202
ptti.dexsandbox.com	A 70.32.93.146	70.32.93.146

IP Address	Status	Action
119.18.54.94	Active	Moloch
164.124.101.2	Active	Moloch
164.52.201.122	Active	Moloch
172.217.25.14	Active	Moloch
18.136.132.202	Active	Moloch
191.252.106.110	Active	Moloch
70.32.93.146	Active	Moloch
87.229.72.45	Active	Moloch
94.124.84.11	Active	Moloch
95.216.103.165	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49809 -> 70.32.93.146:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49828 -> 164.52.201.122:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 18.136.132.202:443 -> 192.168.56.102:49813	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 18.136.132.202:443 -> 192.168.56.102:49822	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49811 -> 18.136.132.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49820 -> 18.136.132.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49812 -> 18.136.132.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49824 -> 87.229.72.45:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49825 -> 87.229.72.45:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49843 -> 95.216.103.165:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49843 -> 95.216.103.165:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49843 -> 95.216.103.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49833 -> 119.18.54.94:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 95.216.103.165:443 -> 192.168.56.102:49843	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 95.216.103.165:443 -> 192.168.56.102:49843	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49839 -> 18.136.132.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49842 -> 95.216.103.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 94.124.84.11:443 -> 192.168.56.102:49817	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49815 -> 94.124.84.11:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 95.216.103.165:443 -> 192.168.56.102:49842	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 95.216.103.165:443 -> 192.168.56.102:49842	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49821 -> 18.136.132.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49842 -> 95.216.103.165:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49842 -> 95.216.103.165:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49816 -> 94.124.84.11:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 164.52.201.122:443 -> 192.168.56.102:49830	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49834 -> 119.18.54.94:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49819 -> 191.252.106.110:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49838 -> 18.136.132.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 18.136.132.202:443 -> 192.168.56.102:49840	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 87.229.72.45:443 -> 192.168.56.102:49826	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49829 -> 164.52.201.122:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 119.18.54.94:443 -> 192.168.56.102:49836	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49844 -> 95.216.103.165:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49844 -> 95.216.103.165:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 95.216.103.165:443 -> 192.168.56.102:49844	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 95.216.103.165:443 -> 192.168.56.102:49844	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49809 70.32.93.146:443	C=US, O=Let's Encrypt, CN=R3	CN=ptti.dexsandbox.com	9f:6b:ae:4a:9f:f4:39:99:00:ad:93:f3:17:74:9c:f4:ab:52:d6:81
TLSv1 192.168.56.102:49819 191.252.106.110:443	C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority	CN=zankzakartigosesportivos.com.br	80:2b:d5:13:8d:9e:2b:40:62:20:db:fd:cb:44:74:17:48:54:58:22

Performs some HTTP requests (2 events)

request	GET https://ptti.dexsandbox.com/wp-content/plugins/all-in-one-wp-migration-unlimited-extension/lib/controller/1I68ugOo4iMen.php
request	GET https://zankzakartigosesportivos.com.br/loja/wp-includes/SimplePie/Content/Type/3sLExhiYtVuTS.php

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70af1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70b4f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70b4f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e5e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74131000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2021, 9:26 p.m.	process_identifier: 7132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Creates suspicious VBA object (1 event)

com_class

Wscript.Shell

May attempt to create new processes

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	VB:Trojan.Valyria.4710
FireEye	VB:Trojan.Valyria.4710
ALYac	VB:Trojan.Valyria.4710
VIPRE	LooksLike.Macro.Malware.gen!x1 (v)
Cyren	X97M/Agent.WF.gen!Eldorado
Symantec	Trojan.Gen.NPE
ESET-NOD32	VBA/TrojanDownloader.Agent.WGM
Avast	VBA:Crypt-AB [Trj]
Kaspersky	HEUR:Trojan-Downloader.MSOffice.SLoad.gen
BitDefender	VB:Trojan.Valyria.4710
AegisLab	Trojan.MSExcel.Valyria.4!c
Ad-Aware	VB:Trojan.Valyria.4710
TACHYON	Suspicious/X97M.Downloader.Gen
Emsisoft	VB:Trojan.Valyria.4710 (B)
DrWeb	Exploit.Siggen3.17880
TrendMicro	HEUR_VBA.OE
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.bb
Ikarus	Trojan-Downloader.VBA.Agent
Avira	VBA/Dldr.Agent.raxyq
Microsoft	TrojanDownloader:O97M/Dridex.BVG!MTB
Arcabit	HEUR.VBA.Trojan.d
ViRobot	XLS.Z.Agent.806912
GData	VB:Trojan.Valyria.4710
MAX	malware (ai score=87)
Zoner	Probably Heur.W97Obfuscated
Rising	Heur.Macro.Downloader.f (CLASSIC)
SentinelOne	Static AI - Suspicious OLE
Fortinet	VBA/Agent.WCP!tr.dldr
AVG	VBA:Crypt-AB [Trj]

Office document performs HTTP request (possibly to download malware) (1 event)

payload_url

https://ptti.dexsandbox.com/wp-content/plugins/all-in-one-wp-migration-unlimited-extension/lib/controller/1I68ugOo4iMen.php

Document 81161221.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All