Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.18 09:11
babababa.exe
11.18 09:11
Jagtfalkenes.vbs
11.18 09:11
windows_update.dll
11.18 09:11
nicko.exe
11.18 09:11
GHO%E9%95%9C%E5%83%8F%...
11.18 09:11
stories.exe
11.17 10:11
wwbizsrvs.exe
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe
11.15 01:11
msf.exe

Latest News
11.18 01:11
에듀피디, ‘알기 쉽게 풀어쓴 산업위생관...
11.18 12:11
KISA, 사이버보안 인재 양성 프로젝트...
11.18 12:11
Completing the UE1’s P...
11.18 12:11
ISC Stormcast For Mond...
11.18 12:11
IT Sicherheitsnews stü...
11.18 11:11
Report on DDoSia Malwa...
11.18 11:11
전통 공예의 새로운 접근, 'M-ART(...
11.18 11:11
Die Schattenseiten des...
11.18 10:11
호텔식 샤브샤브 뷔페 '샤브올데이', 동...
11.18 10:11
창원 노인주간보호센터 '수주간보호센터 창...

Summary | ZeroBOX

diagram_1318555547.xls

MSOffice File

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 8, 2021, 5:21 p.m.	Oct. 8, 2021, 5:25 p.m.

Size	263.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:19:34 2015, Last Saved Time/Date: Mon Sep 20 10:25:13 2021, Security: 0
MD5	`764987da4271d3dd9d7d9f8f78c897e5`
SHA256	`fe73fd3955380212aaecb045e92353f9684af4e89e4d1c183dd84a0b7271230b`
CRC32	`107685BE`
ssdeep	`6144:mKpb8rGYrMPe3q7Q0XV5xtuE8vG8UM+Onfb7I6+tqDWcwnoRZzlj+oSGpGvhmmmk:Gj7CqScwoRZ9bSXkh/nLKH`
Yara	Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\diagram_1318555547.xls
2364
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
  2696
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
  2756
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
  2972

Name	Response	Post-Analysis Lookup
cortinastelasytrazos.com	A 108.167.165.249	108.167.165.249
orquideavallenata.com	A 108.167.165.249	108.167.165.249
fundacionverdaderosheroes.com	A 108.167.165.249	108.167.165.249

IP Address	Status	Action
108.167.165.249	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49169 -> 108.167.165.249:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 108.167.165.249:443 -> 192.168.56.103:49170	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 108.167.165.249:443 -> 192.168.56.103:49176	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 108.167.165.249:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 108.167.165.249:443 -> 192.168.56.103:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 108.167.165.249:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 108.167.165.249:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 108.167.165.249:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 108.167.165.249:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 8, 2021, 5:21 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bf98000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 8, 2021, 5:21 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b252000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 8, 2021, 5:21 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c471000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 8, 2021, 5:21 p.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c471000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 8, 2021, 5:21 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c471000 process_handle: 0xffffffff	1	0	0

Creates a suspicious process (6 events)

cmdline	regsvr32 C:\Datop\test.test
cmdline	"C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
cmdline	"C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
cmdline	"C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
cmdline	regsvr32 C:\Datop\test1.test
cmdline	regsvr32 C:\Datop\test2.test

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 8, 2021, 5:21 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef60000 process_handle: 0xffffffff	1	0	0

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

CAT-QuickHeal	Excel4.Downloader.44317
Sangfor	Malware.Generic-XLM.Save.ma29
K7AntiVirus	Trojan ( 00568efb1 )
K7GW	Trojan ( 00568efb1 )
Symantec	Trojan.Gen.2
ESET-NOD32	DOC/TrojanDownloader.Agent.DIY
ClamAV	Xls.Downloader.SquirrelWaffle20921-9895790-0
Kaspersky	HEUR:Trojan.MSOffice.Generic
Tencent	Trojan.MsOffice.Macro40.11013976
DrWeb	X97M.DownLoader.714
McAfee-GW-Edition	X97M/Downloader.lg
Ikarus	Trojan-Downloader.Office.Crypt
Microsoft	TrojanDownloader:O97M/EncDoc.RQ!MTB
McAfee	X97M/Downloader.lg
Zoner	Probably Heur.W97ShellB
Fortinet	XF/Agent.AF!tr.dldr

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
URLDownloadToFileW Oct. 8, 2021, 5:21 p.m.	url: https://cortinastelasytrazos.com/Yro6Atvj/sec.html stack_pivoted: 0 filepath_r: C:\Datop\test.test filepath: C:\Datop\test.test		2148270085	0
URLDownloadToFileW Oct. 8, 2021, 5:21 p.m.	url: https://orquideavallenata.com/4jmDb0s9sg/sec.html stack_pivoted: 0 filepath_r: C:\Datop\test1.test filepath: C:\Datop\test1.test		2148270085	0
URLDownloadToFileW Oct. 8, 2021, 5:21 p.m.	url: https://fundacionverdaderosheroes.com/gY0Op5Jkht/sec.html stack_pivoted: 0 filepath_r: C:\Datop\test2.test filepath: C:\Datop\test2.test		2148270085	0

One or more non-whitelisted processes were created (6 events)

parent_process	excel.exe				martian_process	regsvr32 C:\Datop\test.test
parent_process	excel.exe				martian_process	"C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
parent_process	excel.exe				martian_process	"C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
parent_process	excel.exe				martian_process	"C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
parent_process	excel.exe				martian_process	regsvr32 C:\Datop\test1.test
parent_process	excel.exe				martian_process	regsvr32 C:\Datop\test2.test

The process excel.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\regsvr32.exe