Summary | ZeroBOX

Quranic Arabic Language Course.docx

Category FILE
Machine s1_win7_x6403_us
Started Aug. 17, 2021, 10:17 a.m.
Completed Aug. 17, 2021, 10:20 a.m.
Size 27.1KB
Type Microsoft OOXML
MD5 6af2470805fe10cf881871a6babf9986
SHA256 66ddbdfe9328d6a3f49abbb814252617fce0e05934ceeef9813e8bd30385fe50
CRC32 3AFACACA
ssdeep 768:B5KuMwE7M7AGpDn+Rqo4g1e+yn0lKpZwnbm7:B5KuMwEkDeqo4Ee+ynVpOnm
Yara None matched

Name Response Post-Analysis Lookup
behr.ppinewsagency.live 185.163.45.63
IP Address Status Action
164.124.101.2 Active Moloch
185.163.45.63 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49170 -> 185.163.45.63:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49168 -> 185.163.45.63:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.103:49170 -> 185.163.45.63:443 C=US, O=Let's Encrypt, CN=R3 CN=*.ppinewsagency.live 5f:a9:0f:b1:7a:0b:eb:b9:5c:49:77:31:c1:4f:66:4c:b5:81:b5:6e
TLSv1 192.168.56.103:49168 -> 185.163.45.63:443 C=US, O=Let's Encrypt, CN=R3 CN=*.ppinewsagency.live 5f:a9:0f:b1:7a:0b:eb:b9:5c:49:77:31:c1:4f:66:4c:b5:81:b5:6e

request OPTIONS https://behr.ppinewsagency.live/5098/1/1069/2/0/0/0/m/files-3607001e/
request HEAD https://behr.ppinewsagency.live/5098/1/1069/2/0/0/0/m/files-3607001e/file.rtf
request OPTIONS https://behr.ppinewsagency.live/5098/1/1069/2/0/0/0/m/
request GET https://behr.ppinewsagency.live/5098/1/1069/2/0/0/0/m/files-3607001e/file.rtf
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a176000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a074000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a031000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x69fa2000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x69c31000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
file C:\Users\test22\AppData\Local\Temp\~$ranic Arabic Language Course.docx
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000490
filepath: C:\Users\test22\AppData\Local\Temp\~$ranic Arabic Language Course.docx
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$ranic Arabic Language Course.docx
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1 return: 0 repeated: 0
NANO-Antivirus Exploit.Xml.CVE-2017-0199.equmby
Zoner Probably Heur.W97OleLink
Qihoo-360 susp.exp.20170199
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef40000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0