Summary

Category	Machine	Started	Completed
ARCHIVE	s1_win7_x6401	Sept. 28, 2021, 9:52 p.m.	Sept. 28, 2021, 9:54 p.m.

Archive recital-1498700469.xls @ non.zip

Size	229.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:19:34 2015, Last Saved Time/Date: Tue Sep 28 07:33:26 2021, Security: 0
MD5	`1f57d735aef14bf0f9609035c44d1187`
SHA1	`0713456f2a3a8e013b6f605742786612d3c0b1d0`
SHA256	`8d57a9a18262a702a326cf69da1173d9ab70b58a6811d55457b39ed6c0231861`
SHA512	`42156383a5c854fbc6dc1299a63e798479490b619944f2730098c49c6fd72deab8558484edafab4a655baafe5f242ad941eea7a417b13dda0b1132dcb640aa75`
CRC32	`FC3DD573`
ssdeep	`6144:CKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgI9jWXcZZRBTq1BOzTwvOsPDslAvS32vI74:M9jVzTmszTwvTDy33LvfP1OWq`
Yara	Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\recital-1498700469.xls
2216
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
  2196
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
  2760
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
  1452

Name	Response	Post-Analysis Lookup
dharmasasthatrust.com	A 204.11.59.34	204.11.59.34
shalsa3d.com	A 162.222.225.246	162.222.225.246
haroldhallroofing.net	A 192.185.36.115	192.185.36.115

IP Address	Status	Action
162.222.225.246	Active	Moloch
164.124.101.2	Active	Moloch
192.185.36.115	Active	Moloch
204.11.59.34	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49210 -> 192.185.36.115:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49200 -> 204.11.59.34:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 204.11.59.34:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49211 -> 192.185.36.115:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 204.11.59.34:443 -> 192.168.56.101:49203	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 162.222.225.246:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.222.225.246:443 -> 192.168.56.101:49207	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49205 -> 162.222.225.246:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.185.36.115:443 -> 192.168.56.101:49212	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 28, 2021, 9:52 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 28, 2021, 9:52 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 9:52 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 9:52 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 9:52 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 9:52 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 9:52 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 9:52 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 9:52 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dbf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 9:52 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dbe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 9:52 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 9:52 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6db91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 9:52 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6db51000 process_handle: 0xffffffff	1

Creates a suspicious process (6 events)

cmdline	regsvr32 C:\Datop\test.test
cmdline	"C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
cmdline	"C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
cmdline	"C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
cmdline	regsvr32 C:\Datop\test1.test
cmdline	regsvr32 C:\Datop\test2.test

Potentially malicious URLs were found in the process memory dump (50 out of 1276 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com
url	http://ns.adobe.com/xap/1.0/rights/
url	http://purl.org/dc/elements/1.1/
url	http://ns.adobe.com/tiff/1.0/
url	http://ns.adobe.com/xap/1.0/
url	https://ssl.pstatic.net/tveta/libs/1287/1287046/6df1cc02334922baa2d4_20200806172035021.jpg
url	https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url	http://find.joins.com/
url	http://uk.ask.com/favicon.ico
url	https://fonts.gstatic.com/s/lato/v16/S6uyw4BMUTPHjx4wWA.woff
url	http://google.com/
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38528621599152653.jpeg%22
url	http://search.yahoo.co.jp
url	http://www.iask.com/favicon.ico
url	https://s.pstatic.net/static/www/mobile/edit/2020/0804/cropImg_728x360_38481254551659019.jpeg
url	http://www.najdi.si/
url	http://www.merlin.com.pl/favicon.ico
url	http://www.cnet.com/favicon.ico
url	https://ssl.pstatic.net/tveta/libs/assets/js/common/min/probe.min.js
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic1.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0806%2FcropImg_222x145_38626953912837677.png%22
url	https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
url	http://search.naver.com/search.naver?sm=tab_hty.top
url	http://www.snee.com/xml/xslt/sample.doc
url	http://recherche.linternaute.com/
url	http://www.yceml.net/0559/10408495-1499411010011
url	http://p.zhongsou.com/
url	https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg
url	https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png
url	https://fonts.gstatic.com/s/catamaran/v7/o-0bIpQoyXQa2RxT7-5B6Ryxs2E_6n1iPHjd5a7dvQ.woff
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://ssl.pstatic.net/static/pwe/nm/b.gif
url	http://search.nifty.com/
url	https://castbox.shopping.naver.com/js/lazyload.js
url	http://ns.adobe.com/exif/1.0/
url	https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url	https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2Fmobile_17061525298c.jpg%22
url	http://www.etmall.com.tw/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png
url	http://schemas.xmlsoap.org/wsdl/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png
url	http://www.buzzadnetwork.com/jump/next.php?stamat=m%7CM-4iM-4jaQdHQBH0dEdHP3xP.0e7%2CboDB7XrVJDfRqYwVNhmAc8QRCrIuseXl_bWuTf_latOFYiGEzPpb7ikp5t8RPmTHyMRYDe1i9EJZLC6LSuccW1-YPggnMxkcwVirdNVGfgK3hFUbeKvFvqNv0-u8VxfrNUFB1gFhMN_8GLCn1znxf5_p0FJe0MYRI7nbfyajoqg_H3fvzrjsMsC0vAMYn2un8v5vcBfzwM-DewoZ7WId7geGlrySfAHx5KiJ5Hm90CU%2C
url	https://s.pstatic.net/shopping.phinf/20200720_22/e2297359-375a-403a-86c5-44ff86c708fc.jpg
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	http://busca.estadao.com.br/favicon.ico
url	http://search.hanafos.com/favicon.ico

Yara rule detected in process memory (50 out of 118 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Hijack network configuration	rule	Hijack_Network
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Hijack network configuration	rule	Hijack_Network
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (3 events)

Time & API	Arguments	Return
URLDownloadToFileW Sept. 28, 2021, 9:52 p.m.	url: https://dharmasasthatrust.com/cEJYcStqlAf/hr.html stack_pivoted: 0 filepath_r: C:\Datop\test.test filepath: C:\Datop\test.test	2148270085
URLDownloadToFileW Sept. 28, 2021, 9:52 p.m.	url: https://shalsa3d.com/UGqWNCLT/hr.html stack_pivoted: 0 filepath_r: C:\Datop\test1.test filepath: C:\Datop\test1.test	2148270085
URLDownloadToFileW Sept. 28, 2021, 9:52 p.m.	url: https://haroldhallroofing.net/pAz8O63Gn/hr.html stack_pivoted: 0 filepath_r: C:\Datop\test2.test filepath: C:\Datop\test2.test	2148270085

One or more non-whitelisted processes were created (6 events)

parent_process	excel.exe	martian_process	regsvr32 C:\Datop\test.test
parent_process	excel.exe	martian_process	"C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
parent_process	excel.exe	martian_process	"C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
parent_process	excel.exe	martian_process	"C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
parent_process	excel.exe	martian_process	regsvr32 C:\Datop\test1.test
parent_process	excel.exe	martian_process	regsvr32 C:\Datop\test2.test

The process excel.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\regsvr32.exe

Archive recital-1498700469.xls @ non.zip

Summary

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All