Summary | ZeroBOX

document_set_20210208_T6253773.docx

Category FILE
Machine s1_win7_x6403_us
Started Aug. 4, 2021, 12:24 p.m.
Completed Aug. 4, 2021, 12:26 p.m.
Size 10.1KB
Type Microsoft Word 2007+
MD5 c2747012f95b22cb9b627a16bd62a7e6
SHA256 7108ce3a07aa75b30ad993af8be72fda1f4974b734bf7901073442b03c95b511
CRC32 9A6F94EC
ssdeep 192:ScIMmtPZG/bEpOKIgEamWBXpK0ydJb3F0Dt:SPXEEpOdNoEP7b8
Yara None matched

Name Response Post-Analysis Lookup
longurl.in 76.76.21.21
IP Address Status Action
164.124.101.2 Active Moloch
76.76.21.21 Active Moloch

Suricata Alerts

Flow: TCP 192.168.56.103:49162 -> 76.76.21.21:443
SID: 906200056
Signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category: undefined

Flow: TCP 76.76.21.21:443 -> 192.168.56.103:49164
SID: 2029340
Signature: ET INFO TLS Handshake Failure
Category: Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a466000
process_handle: 0xffffffff
status: 1 | return: 0 | repeated: 0

NtProtectVirtualMemory

process_identifier: 552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a364000
process_handle: 0xffffffff
status: 1 | return: 0 | repeated: 0

NtProtectVirtualMemory

process_identifier: 552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a321000
process_handle: 0xffffffff
status: 1 | return: 0 | repeated: 0

NtProtectVirtualMemory

process_identifier: 552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a292000
process_handle: 0xffffffff
status: 1 | return: 0 | repeated: 0

NtProtectVirtualMemory

process_identifier: 552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x69f21000
process_handle: 0xffffffff
status: 1 | return: 0 | repeated: 0
file: C:\Users\test22\AppData\Local\Temp\~$cument_set_20210208_T6253773.docx
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000488
filepath: C:\Users\test22\AppData\Local\Temp\~$cument_set_20210208_T6253773.docx
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$cument_set_20210208_T6253773.docx
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1 | return: 0 | repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef60000
process_handle: 0xffffffff
status: 1 | return: 0 | repeated: 0
FireEye Trojan.Groooboor.Gen.31
Cyren XML/Agent.DF
Symantec W97M.Downloader
ESET-NOD32 DOC/TrojanDownloader.Agent.AWB
TrendMicro-HouseCall TROJ_FRS.VSNTH221
BitDefender Trojan.Groooboor.Gen.31
NANO-Antivirus Exploit.Xml.CVE-2017-0199.equmby
Emsisoft Trojan.Groooboor.Gen.31 (B)
DrWeb W97M.DownLoader.2692
TrendMicro TROJ_FRS.VSNTH221
McAfee-GW-Edition Artemis!Trojan
Microsoft Exploit:O97M/CVE-2017-0199.BKMK!MTB
GData Trojan.Groooboor.Gen.31
Zoner Probably Heur.W97OleLink
Fortinet MSOffice/Agent.AWB!tr.dldr