Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 16, 2022, 10:52 a.m.	Sept. 16, 2022, 10:54 a.m.

Size	2.7MB
Type	Microsoft OOXML
MD5	`e26725f34ebcc7fa9976dd07bfbbfba3`
SHA256	`290c2e4d0efbed23de0d41d1b821396f5f1003f6f123ee6160d6d5028d01b961`
CRC32	`A41AE760`
ssdeep	`49152:+ZCAH0K6fObu8VYibx27Oy3CmEo1ISs0ri4ZQr1FJB5Tzmtp6m82yDgpdivu3:szu8VRbxQ/l5xixr1Fb9mtp6wbX`
Yara	docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\Global Brain Pitch Deck.docx"
2140

Name	Response	Post-Analysis Lookup
download.azure-service.com	A 204.11.56.48	204.11.56.48

IP Address	Status	Action
164.124.101.2	Active	Moloch
204.11.56.48	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49162 -> 204.11.56.48:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49172 -> 204.11.56.48:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49168 -> 204.11.56.48:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49176 204.11.56.48:443	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	1a:42:b0:7f:5f:73:d2:53:5e:40:25:cc:97:6b:8e:88:ba:45:71:68
TLSv1 192.168.56.102:49183 204.11.56.48:443	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	1a:42:b0:7f:5f:73:d2:53:5e:40:25:cc:97:6b:8e:88:ba:45:71:68
TLSv1 192.168.56.102:49162 204.11.56.48:443	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	1a:42:b0:7f:5f:73:d2:53:5e:40:25:cc:97:6b:8e:88:ba:45:71:68
TLSv1 192.168.56.102:49172 204.11.56.48:443	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	1a:42:b0:7f:5f:73:d2:53:5e:40:25:cc:97:6b:8e:88:ba:45:71:68
TLSv1 192.168.56.102:49185 204.11.56.48:443	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	1a:42:b0:7f:5f:73:d2:53:5e:40:25:cc:97:6b:8e:88:ba:45:71:68
TLSv1 192.168.56.102:49181 204.11.56.48:443	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	1a:42:b0:7f:5f:73:d2:53:5e:40:25:cc:97:6b:8e:88:ba:45:71:68
TLSv1 192.168.56.102:49180 204.11.56.48:443	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	1a:42:b0:7f:5f:73:d2:53:5e:40:25:cc:97:6b:8e:88:ba:45:71:68
TLSv1 192.168.56.102:49168 204.11.56.48:443	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	1a:42:b0:7f:5f:73:d2:53:5e:40:25:cc:97:6b:8e:88:ba:45:71:68
TLSv1 192.168.56.102:49175 204.11.56.48:443	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	1a:42:b0:7f:5f:73:d2:53:5e:40:25:cc:97:6b:8e:88:ba:45:71:68
TLSv1 192.168.56.102:49178 204.11.56.48:443	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	1a:42:b0:7f:5f:73:d2:53:5e:40:25:cc:97:6b:8e:88:ba:45:71:68
TLSv1 192.168.56.102:49177 204.11.56.48:443	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	C=US, ST=California, L=test, O=testexample, OU=testexample, CN=testexp	1a:42:b0:7f:5f:73:d2:53:5e:40:25:cc:97:6b:8e:88:ba:45:71:68

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 16, 2022, 10:53 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x75f92b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x75f6801a SLClose-0x28e osppc+0x33cf @ 0x6aed33cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6aee5dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6aed3b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6aee2074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x692585c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x70d4dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7044c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fe590c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fe59076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fe4724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fdc0f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6fdbdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6fdbd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6fdbc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6fdb2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 144044412 registers.edi: 144044576 registers.eax: 144044412 registers.ebp: 144044492 registers.edx: 0 registers.ebx: 144045628 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 16, 2022, 10:53 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x75f92b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x75f6801a
SLClose-0x28e osppc+0x33cf @ 0x6aed33cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6aee5dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6aed3b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6aee2074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x692585c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x70d4dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7044c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fe590c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fe59076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fe4724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fdc0f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6fdbdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6fdbd991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6fdbc60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6fdb2ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x8007007b
exception.offset: 46887
exception.address: 0x75d6b727
registers.esp: 144044412
registers.edi: 144044576
registers.eax: 144044412
registers.ebp: 144044492
registers.edx: 0
registers.ebx: 144045628
registers.esi: 2147942523
registers.ecx: 2147483648

Performs some HTTP requests (3 events)

request	OPTIONS https://download.azure-service.com/Jsh_kieSeQ4/itiflr82fj/DteCYSywiF/LBU0A2Xtq_/F%2BP9OQEh/
request	HEAD https://download.azure-service.com/Jsh_kieSeQ4/itiflr82fj/DteCYSywiF/LBU0A2Xtq_/F%2BP9OQEh/Wn7hg%3D%3D
request	GET https://download.azure-service.com/Jsh_kieSeQ4/itiflr82fj/DteCYSywiF/LBU0A2Xtq_/F%2BP9OQEh/Wn7hg%3D%3D

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 16, 2022, 10:52 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a52a000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 16, 2022, 10:53 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69874000 process_handle: 0xffffffff	1	0	0

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 2140 crashed
__exception__ Sept. 16, 2022, 10:53 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x75f92b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x75f6801a SLClose-0x28e osppc+0x33cf @ 0x6aed33cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6aee5dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6aed3b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6aee2074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x692585c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x70d4dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7044c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fe590c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fe59076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fe4724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fdc0f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6fdbdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6fdbd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6fdbc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6fdb2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 144044412 registers.edi: 144044576 registers.eax: 144044412 registers.ebp: 144044492 registers.edx: 0 registers.ebx: 144045628 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0

Application Crash

Process WINWORD.EXE with pid 2140 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 16, 2022, 10:53 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x75f92b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x75f6801a
SLClose-0x28e osppc+0x33cf @ 0x6aed33cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6aee5dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6aed3b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6aee2074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x692585c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x70d4dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7044c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fe590c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fe59076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fe4724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fdc0f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6fdbdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6fdbd991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6fdbc60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6fdb2ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$obal Brain Pitch Deck.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 16, 2022, 10:52 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000454 filepath: C:\Users\test22\AppData\Local\Temp\~$obal Brain Pitch Deck.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$obal Brain Pitch Deck.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Lionic	Trojan.MSOffice.Agent.a!c
CAT-QuickHeal	XML.Trojan.43227
McAfee	Generic .ql
Arcabit	Trojan.Generic.D23853EA
Cyren	URL/CVE170199.R.gen!Eldorado
ESET-NOD32	DOC/TrojanDownloader.Agent.ARJ
TrendMicro-HouseCall	TROJ_FRS.0NA103K521
Avast	OLE:RemoteTemplateInj [Trj]
Kaspersky	HEUR:Trojan-Downloader.MSOffice.Agent.gen
BitDefender	Trojan.GenericKD.37245930
NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
MicroWorld-eScan	Trojan.GenericKD.37245930
Tencent	Trojan.Win32.Office_Dl.11007109
Ad-Aware	Trojan.GenericKD.37245930
Emsisoft	Trojan.GenericKD.37245930 (B)
TrendMicro	TROJ_FRS.0NA103K521
McAfee-GW-Edition	Generic trojan.ql
FireEye	Trojan.GenericKD.37245930
Sophos	Troj/DocDl-AERI
GData	Trojan.GenericKD.37245930
ViRobot	W97M.S.Downloader.2802218
ZoneAlarm	HEUR:Trojan-Downloader.MSOffice.Agent.gen
AhnLab-V3	Downloader/DOC.Generic
ALYac	Trojan.Downloader.DOC.Gen
MAX	malware (ai score=100)
AVG	OLE:RemoteTemplateInj [Trj]

Global Brain Pitch Deck.docx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All