Summary | ZeroBOX

taxve_710451_20210816_93407095_353985987.xlsm

Category Machine Started Completed
FILE s1_win7_x6403_us Aug. 23, 2021, 6:55 p.m. Aug. 23, 2021, 6:57 p.m.
Size 308.5KB
Type Microsoft Excel 2007+
MD5 9a812ebcc070d2a63465ebb416ba8b95
SHA256 5335f80d6710c813429b45a7a9dd460c1d9a4ffd460a4fa42088b35e71534f9d
CRC32 E0D33C72
ssdeep 6144:ScNSLcq+YXEsIGJWFXkpMQfmnoM0G1TY+Z6WysSIS:/PYXEshasMumZ0aT7KrH
Yara None matched

IP Address Status Action
162.159.130.233 Active Moloch
164.124.101.2 Active Moloch
34.94.136.184 Active Moloch
51.222.42.168 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49171 -> 162.159.130.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49173 -> 34.94.136.184:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49174 -> 51.222.42.168:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 51.222.42.168:443 -> 192.168.56.103:49176 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 51.222.42.168:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.103:49171 -> 162.159.130.233:443 C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49173 -> 34.94.136.184:443 C=US, O=Let's Encrypt, CN=R3 CN=investtomontenegro.com 48:5a:fd:95:f4:1a:2d:dd:aa:b3:d6:d0:74:b2:a8:55:b2:c5:d2:5b

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
request GET https://cdn.discordapp.com/attachments/876792192524501045/876837913906774076/1.dll
request GET https://cdn.discordapp.com/attachments/876792192524501045/876837688651681843/1.dll
request GET https://cdn.discordapp.com/attachments/876792192524501045/876837576193998848/1.dll
request GET https://investtomontenegro.com/wp-content/plugins/wordpress-seo/lib/migrations/8dXd8jlaax.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6bfa2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x040a2000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\~$taxve_710451_20210816_93407095_353985987.xlsm
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000474
filepath: C:\Users\test22\AppData\Local\Temp\~$taxve_710451_20210816_93407095_353985987.xlsm
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$taxve_710451_20210816_93407095_353985987.xlsm
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0
cmdline MSHTA C:\ProgramData\HRwsQXbWwX.sct
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
1 0 0
parent_process excel.exe martian_process MSHTA C:\ProgramData\HRwsQXbWwX.sct
Lionic Trojan.Script.Generic.4!c
MicroWorld-eScan Trojan.GenericKDZ.77215
CAT-QuickHeal XLS4.IcedID.42146
Alibaba TrojanDownloader:VBA/MalDoc.ali1000101
Arcabit Trojan.Generic.D12D9F
Cyren XLSM/Agent.YP.gen!Camelot
Symantec Trojan.Gen.NPE
ESET-NOD32 DOC/TrojanDropper.Agent.VM
Avast Other:Malware-gen [Trj]
Kaspersky HEUR:Trojan.Script.Generic
BitDefender Trojan.GenericKDZ.77215
Ad-Aware Trojan.GenericKDZ.77215
DrWeb X97M.DownLoader.697
McAfee-GW-Edition Downloader-FCEV!55FED51C8C44
FireEye Trojan.GenericKDZ.77215
Emsisoft Trojan.GenericKDZ.77215 (B)
Ikarus Trojan-Dropper.DOC.Agent
GData Trojan.GenericKDZ.77215
Avira W97M/Dldr.IcedId.AL
Microsoft Trojan:Script/Woreflint.A!cl
Cynet Malicious (score: 99)
McAfee Downloader-FCEV!55FED51C8C44
MAX malware (ai score=83)
Zoner Probably Heur.W97ShellN
Tencent Trojan.Win32.XmlMacroSheet.11008470
Fortinet MSExcel/Icedld.AL!tr
AVG Other:Malware-gen [Trj]