Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.18 02:11
DOCTOR FIRM ORDER FORM...
11.18 09:11
babababa.exe
11.18 09:11
Jagtfalkenes.vbs
11.18 09:11
windows_update.dll
11.18 09:11
nicko.exe
11.18 09:11
GHO%E9%95%9C%E5%83%8F%...
11.18 09:11
stories.exe
11.17 10:11
wwbizsrvs.exe
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe

Latest News
11.18 05:11
Strela: A newcomer in ...
11.18 05:11
A week in security (No...
11.18 05:11
A week in security (No...
11.18 04:11
카페 어니언과 함께하는 2025 코리아브...
11.18 04:11
Singapore Oil Tycoon O...
11.18 04:11
Exploit attempts for u...
11.18 04:11
NSO Group Exploited Wh...
11.18 03:11
대한민국 전통가마 연구소 ‘태고사’ 20...
11.18 03:11
더 청담, '2024 전통문화혁신사업 수...
11.18 03:11
동방이기제작소, '2024 전통문화혁신사...

Summary | ZeroBOX

biz-1431840176.xls

Downloader MSOffice File

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 20, 2021, 3:45 p.m.	Oct. 20, 2021, 3:49 p.m.

Size	243.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:19:34 2015, Last Saved Time/Date: Tue Oct 19 14:34:36 2021, Security: 0
MD5	`b0cca0af3bbafeae72288f34a065de04`
SHA256	`a545ebca48d9f26e609c74fe8298850c1dae583d194793dcdd29c65d00ced0e8`
CRC32	`DC97F12E`
ssdeep	`6144:sKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgg9DWncZZttTq1JOL7gvOUPDElYvS3GHo7g:S9Dl7TmUL7gvjDa3HLvfX1mOC`
Yara	Microsoft_Office_File_Downloader_Zero - Microsoft Office File Downloader Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\biz-1431840176.xls
2500
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
  2172
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
  2128
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
  2764

Name	Response	Post-Analysis Lookup
meettrust.in	A 208.91.197.91	192.185.129.109
aqissarafood.com.my	A 103.27.74.73	103.27.74.73
radiocaca.top	A 103.221.220.15	103.221.220.15
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 104.76.75.146	104.74.211.103

IP Address	Status	Action
103.221.220.15	Active	Moloch
103.27.74.73	Active	Moloch
104.76.75.146	Active	Moloch
164.124.101.2	Active	Moloch
208.91.197.91	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49174 -> 103.221.220.15:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49174 -> 103.221.220.15:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49172 -> 103.221.220.15:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49172 -> 103.221.220.15:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
UDP 192.168.56.103:50665 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 103.221.220.15:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 208.91.197.91:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 103.221.220.15:443 -> 192.168.56.103:49174	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 103.221.220.15:443 -> 192.168.56.103:49174	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 103.221.220.15:443 -> 192.168.56.103:49172	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 103.221.220.15:443 -> 192.168.56.103:49172	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49173 -> 103.221.220.15:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49173 -> 103.221.220.15:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49173 -> 103.221.220.15:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 103.27.74.73:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 103.221.220.15:443 -> 192.168.56.103:49173	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 103.221.220.15:443 -> 192.168.56.103:49173	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 208.91.197.91:443	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	1a:42:b0:7f:5f:73:d2:53:5e:40:25:cc:97:6b:8e:88:ba:45:71:68
TLSv1 192.168.56.103:49169 103.27.74.73:443	C=US, O=Let's Encrypt, CN=R3	CN=*.anamuslimpreschool.com	31:f5:04:25:4c:24:41:84:cf:0d:b6:1f:75:76:e9:8f:23:f0:c9:ea

Performs some HTTP requests (1 event)

request

GET http://x1.i.lencr.org/

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 20, 2021, 3:45 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bf98000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 20, 2021, 3:45 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b152000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 20, 2021, 3:45 p.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c471000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 20, 2021, 3:45 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c471000 process_handle: 0xffffffff	1	0	0

Creates a suspicious process (6 events)

cmdline	regsvr32 C:\Datop\test.test
cmdline	"C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
cmdline	"C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
cmdline	"C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
cmdline	regsvr32 C:\Datop\test1.test
cmdline	regsvr32 C:\Datop\test2.test

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 20, 2021, 3:45 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
URLDownloadToFileW Oct. 20, 2021, 3:45 p.m.	url: https://meettrust.in/aMZID8gQ/u.html stack_pivoted: 0 filepath_r: C:\Datop\test.test filepath: C:\Datop\test.test		2148270105	0
URLDownloadToFileW Oct. 20, 2021, 3:45 p.m.	url: https://aqissarafood.com.my/eAu610rn3w8V/u.html stack_pivoted: 0 filepath_r: C:\Datop\test1.test filepath: C:\Datop\test1.test		2148270105	0
URLDownloadToFileW Oct. 20, 2021, 3:45 p.m.	url: https://radiocaca.top/RVDXQ4D7cWU6/u.html stack_pivoted: 0 filepath_r: C:\Datop\test2.test filepath: C:\Datop\test2.test		2148270085	0

One or more non-whitelisted processes were created (6 events)

parent_process	excel.exe				martian_process	regsvr32 C:\Datop\test.test
parent_process	excel.exe				martian_process	"C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
parent_process	excel.exe				martian_process	"C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
parent_process	excel.exe				martian_process	"C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
parent_process	excel.exe				martian_process	regsvr32 C:\Datop\test1.test
parent_process	excel.exe				martian_process	regsvr32 C:\Datop\test2.test

The process excel.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\regsvr32.exe