Summary | ZeroBOX

Document 2519711.xls

VBA_macro MSOffice File
Category: FILE
Machine: s1_win7_x6402
Started: June 17, 2021, 1:33 p.m.
Completed: June 17, 2021, 1:43 p.m.
Size 222.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: sourdeline scallywag, Subject: frumpiness ergographs, Author: magnetite distinction, Last Saved By: user, Name of Creating Application: Microsoft Excel, Last Printed: Wed Apr 21 12:08:24 2010, Create Time/Date: Thu Apr 13 21:48:14 2000, Last Saved Time/Date: Wed Jun 16 11:47:50 2021, Security: 0
MD5 c64202fc6e89fc1c49cde536894ed99d
SHA256 1e993ef7ee5f21b9f815ebf853b0bd40d3328a1bd6d680ffc3ace55e4bf73a89
CRC32 B119EF88
ssdeep 6144:wxEtjPOtioVjDGUU1qfDlavx+W2QnWxuX+Fayp3oITIvuTUFSW3EUvNx:wlFaMYITITIW06Nx
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

Suricata Alerts

Flow SID Signature Category
TCP 162.253.125.64:443 -> 192.168.56.102:49816 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49815 -> 162.253.125.64:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49819 -> 138.68.235.11:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49818 -> 138.68.235.11:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49828 -> 87.229.72.45:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.229.72.45:443 -> 192.168.56.102:49829 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49845 -> 144.91.77.124:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49811 -> 94.124.84.11:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49835 -> 104.255.169.179:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49835 -> 104.255.169.179:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49835 -> 104.255.169.179:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49823 -> 18.136.132.202:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49836 -> 104.255.169.179:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49836 -> 104.255.169.179:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49836 -> 104.255.169.179:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.255.169.179:443 -> 192.168.56.102:49836 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 104.255.169.179:443 -> 192.168.56.102:49836 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 94.124.84.11:443 -> 192.168.56.102:49812 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49826 -> 70.39.250.160:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 18.136.132.202:443 -> 192.168.56.102:49824 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49831 -> 94.124.84.11:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49844 -> 144.91.77.124:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 18.136.132.202:443 -> 192.168.56.102:49842 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 104.255.169.179:443 -> 192.168.56.102:49835 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 104.255.169.179:443 -> 192.168.56.102:49835 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49837 -> 104.255.169.179:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49837 -> 104.255.169.179:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 104.255.169.179:443 -> 192.168.56.102:49837 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 104.255.169.179:443 -> 192.168.56.102:49837 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49840 -> 18.136.132.202:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49810 -> 94.124.84.11:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49814 -> 162.253.125.64:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 138.68.235.11:443 -> 192.168.56.102:49820 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49822 -> 18.136.132.202:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49827 -> 87.229.72.45:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49832 -> 94.124.84.11:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 94.124.84.11:443 -> 192.168.56.102:49833 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49841 -> 18.136.132.202:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 144.91.77.124:443 -> 192.168.56.102:49846 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic

Suricata TLS

Flow: TLSv1 192.168.56.102:49826 -> 70.39.250.160:443
Issuer: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
Subject: CN=dev1.whoatemylunch.org
Fingerprint: 89:a5:e5:57:f0:d4:a4:c5:3b:74:aa:2d:ef:de:b8:b3:df:7c:16:01

request GET https://dev1.whoatemylunch.org/wp-includes/js/tinymce/themes/inlite/hxXHK0N6.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70af1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73711000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055a1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73321000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f61000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f71000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e5e1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743f1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726d1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66b71000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66bf1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66bb1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75401000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737f1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07630000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07630000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07640000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07650000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
host: 172.217.25.14
com_class: MSXML2.XMLHTTP (May attempt to connect to the outside world)
parent_process: excel.exe
martian_process: "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Roaming\64828.dll",StartW
Elastic malicious (high confidence)
FireEye VB:Trojan.Valyria.4710
McAfee RDN/GenericM
VIPRE LooksLike.Macro.Malware.gen!x1 (v)
Cyren X97M/Agent.WF.gen!Eldorado
BitDefender VB:Trojan.Valyria.4710
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
AegisLab Trojan.MSExcel.Valyria.4!c
MicroWorld-eScan VB:Trojan.Valyria.4710
Ad-Aware VB:Trojan.Valyria.4710
TrendMicro HEUR_VBA.OE
McAfee-GW-Edition BehavesLike.OLE2.Downloader.db
Emsisoft VB:Trojan.Valyria.4710 (B)
SentinelOne Static AI - Malicious OLE
GData VB:Trojan.Valyria.4710
MAX malware (ai score=80)
Microsoft Trojan:Win32/Dridex!ml
ALYac VB:Trojan.Valyria.4710
Zoner Probably Heur.W97Obfuscated
Rising Heur.Macro.Downloader.f (CLASSIC)
Fortinet VBA/Agent.WCP!tr.dldr
payload_url https://es.e-m2.net/wp-includes/js/tinymce/themes/inlite/8S7qnln7.php
file C:\Windows\System32\rundll32.exe