Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 17, 2021, 3:54 p.m.	June 17, 2021, 3:56 p.m.

Size	1013.3KB
Type	Microsoft Excel 2007+
MD5	`8497d30c5d723b20bd3d9e68364f0ecd`
SHA256	`07c245ffd8adf0483684c0c8f9369ea1f7c243dec02a1abf9ec85190dab5467b`
CRC32	`D22A019C`
ssdeep	`24576:Y6OXTidWVMmFYjk5M2otczWfAw4PKBJ+IVWslIzIsS9p9i:YWEoA23fAwVBUM9W`
Yara	None matched

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\請求書7442110.xlsx
1684

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
5.181.80.123	Active	Moloch

Flow	SID	Signature	Category
TCP 192.168.56.101:49200 -> 5.181.80.123:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 5.181.80.123:80 -> 192.168.56.101:49200	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 5.181.80.123:80 -> 192.168.56.101:49200	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.181.80.123:80 -> 192.168.56.101:49200	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 5.181.80.123:80 -> 192.168.56.101:49200	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

No Suricata TLS

suspicious_features

Connection to IP address

suspicious_request

GET http://5.181.80.123/dBP1DJiJKPecHih.exe

request

GET http://5.181.80.123/dBP1DJiJKPecHih.exe

Time & API	Arguments	Status
NtProtectVirtualMemory June 17, 2021, 3:54 p.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 3:54 p.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 3:54 p.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 3:54 p.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6db81000 process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\~$請求書7442110.xlsx

Time & API	Arguments	Status	Return	Repeated
NtCreateFile June 17, 2021, 3:54 p.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000003a4 filepath: C:\Users\test22\AppData\Local\Temp\~$請求書7442110.xlsx desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$請求書7442110.xlsx create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

host

5.181.80.123

MicroWorld-eScan	Exploit.CVE-2017-11882.Gen
McAfee	Exploit-GBT!4EFEACB578A9
Alibaba	Trojan:Win32/MalDoc.ali1000146
Arcabit	Exploit.CVE-2017-11882.Gen
Cyren	CVE-2017-11882.C.gen!Camelot
Symantec	Exp.CVE-2017-11882!g3
ESET-NOD32	probably a variant of Win32/Exploit.CVE-2017-11882.C
TrendMicro-HouseCall	TROJ_CVE20171182.SM
Avast	OLE:CVE-2017-11882-B [Expl]
Kaspersky	HEUR:Exploit.MSOffice.Generic
BitDefender	Exploit.CVE-2017-11882.Gen
TACHYON	Suspicious/XOX.CVE-2017-11882
DrWeb	W97M.DownLoader.2938
TrendMicro	TROJ_CVE20171182.SM
McAfee-GW-Edition	Exploit-GBT!4EFEACB578A9
FireEye	Exploit.CVE-2017-11882.Gen
Emsisoft	Exploit.CVE-2017-11882.Gen (B)
Ikarus	Exploit.CVE-2017-11882
GData	Exploit.CVE-2017-11882.Gen
Avira	EXP/CVE-2017-11882.Gen
Cynet	Malicious (score: 99)
MAX	malware (ai score=83)
Zoner	Probably Heur.W97NativeName
Yandex	Trojan.AvsMofer.bS6Sfn
SentinelOne	Static AI - Malicious OPENXML
Fortinet	MSExcel/CVE_2017_11882!exploit
AVG	OLE:CVE-2017-11882-B [Expl]

請求書7442110.xlsx