Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 11, 2022, 10:51 a.m.	April 11, 2022, 10:53 a.m.

Size	1.2MB
Type	Microsoft Excel 2007+
MD5	`7857df89687a6cb68a40efbef69039c8`
SHA256	`2d8a44752203e8e4b35ee553b4af8f87ea610b654da0d365ef59e19f3d7b2cf4`
CRC32	`41956A65`
ssdeep	`24576:IRDb86nFSv/iMkSrriSo+fTAdriSo+fTA0riSo+fTANriSo+fTAYriSo+fTAs:IR384SniMkSrS+fOS+fhS+fCS+fnS+fX`
Yara	xlsb - Excel Binary Workbook file format detection

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\R-1690355177.xlsb
2188
- regsvr32.exe regsvr32 C:\Uduw\coit1.dll
  2436
- regsvr32.exe regsvr32 C:\Uduw\coit2.dll
  1676
- regsvr32.exe regsvr32 C:\Uduw\coit3.dll
  2564

Name	Response	Post-Analysis Lookup
rangopurnews.com	A 107.167.95.30	107.167.95.30
sankalpnurshinghome.com	A 162.241.148.33	162.241.148.33
cruzandsons.co.za	A 192.185.16.131	192.185.16.131

IP Address	Status	Action
107.167.95.30	Active	Moloch
162.241.148.33	Active	Moloch
164.124.101.2	Active	Moloch
192.185.16.131	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49173 -> 162.241.148.33:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49167 -> 107.167.95.30:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49167 -> 107.167.95.30:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49167 -> 107.167.95.30:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 107.167.95.30:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49179 -> 192.185.16.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 107.167.95.30:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49166 -> 107.167.95.30:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.241.148.33:443 -> 192.168.56.102:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 107.167.95.30:443 -> 192.168.56.102:49167	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 107.167.95.30:443 -> 192.168.56.102:49167	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49180 -> 192.185.16.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 107.167.95.30:443 -> 192.168.56.102:49166	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 107.167.95.30:443 -> 192.168.56.102:49166	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.185.16.131:443 -> 192.168.56.102:49181	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49168 -> 107.167.95.30:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49168 -> 107.167.95.30:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49172 -> 162.241.148.33:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 107.167.95.30:443 -> 192.168.56.102:49168	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 107.167.95.30:443 -> 192.168.56.102:49168	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 11, 2022, 10:51 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 11, 2022, 10:51 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75260000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 11, 2022, 10:52 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00618000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 11, 2022, 10:51 a.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 11, 2022, 10:51 a.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b193000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 11, 2022, 10:51 a.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 11, 2022, 10:51 a.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b193000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 11, 2022, 10:51 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 11, 2022, 10:51 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b193000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Uduw\coit2.dll
file	C:\Uduw\coit3.dll
file	C:\Uduw\coit1.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 11, 2022, 10:51 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000410 filepath: C:\Users\test22\AppData\Local\Temp\~$R-1690355177.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$R-1690355177.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Creates a suspicious process (3 events)

cmdline	regsvr32 C:\Uduw\coit2.dll
cmdline	regsvr32 C:\Uduw\coit3.dll
cmdline	regsvr32 C:\Uduw\coit1.dll

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (3 events)

Time & API	Arguments	Return
URLDownloadToFileW April 11, 2022, 10:51 a.m.	url: https://rangopurnews.com/RKAbVv4T/Fbvh.png stack_pivoted: 0 filepath_r: C:\Uduw\coit1.dll filepath: C:\Uduw\coit1.dll	2148270085
URLDownloadToFileW April 11, 2022, 10:51 a.m.	url: https://sankalpnurshinghome.com/GW3scFGGHZp1/Fbvh.png stack_pivoted: 0 filepath_r: C:\Uduw\coit2.dll filepath: C:\Uduw\coit2.dll	2148270085
URLDownloadToFileW April 11, 2022, 10:51 a.m.	url: https://cruzandsons.co.za/Rgqc8er6ma4/Fbvh.png stack_pivoted: 0 filepath_r: C:\Uduw\coit3.dll filepath: C:\Uduw\coit3.dll	2148270085

One or more non-whitelisted processes were created (3 events)

parent_process	excel.exe	martian_process	regsvr32 C:\Uduw\coit2.dll
parent_process	excel.exe	martian_process	regsvr32 C:\Uduw\coit3.dll
parent_process	excel.exe	martian_process	regsvr32 C:\Uduw\coit1.dll

R-1690355177.xlsb

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All