Summary | ZeroBOX

529f38_9aa2021e548e4d6ea92f285b00a07eb4.docx

Word 2007 file format (docx) ZIP Format
Category FILE
Machine s1_win7_x6401
Started March 23, 2023, 1:02 p.m.
Completed March 23, 2023, 1:14 p.m.
Size 10.2KB
Type Microsoft Word 2007+
MD5 cd265d216aa729b1051f8631185f3520
SHA256 546549325cb53f665f2bc3bfd65e4ed77ca1edb80b349a54f1f68d11ed91ef25
CRC32 623989DA
ssdeep 192:VOWmcDKb6QuB7L5bv/02UZ4Z9hCfC3nVCj9knEI7QaX0e:VDA6Qu74ZgOfonnlXX0e
Yara
  • zip_file_format - ZIP file format
  • docx - Word 2007 file format detection

IP Address Status Action
107.160.74.134 Active Moloch
142.250.207.65 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49165 -> 142.250.207.65:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 107.160.74.134:443 -> 192.168.56.101:49170 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 107.160.74.134:443 -> 192.168.56.101:49176 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 107.160.74.134:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49168 -> 107.160.74.134:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49168 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 142.250.207.65:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49175 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 142.250.207.65:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49175 -> 107.160.74.134:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49175 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 107.160.74.134:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49169 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 142.250.207.65:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49164 -> 142.250.207.65:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49175 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
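The alert table above is flat text with many repeated rows, so, as an added example that is not part of the ZeroBOX report, the Python below parses rows in that layout and reduces them to what a triage analyst wants first: alert counts per SID, the external peers involved (whichever side of the flow the rule fired on), and the SNI names that ET rule titles embed. The embedded rows are a subset copied from the table above; the set of category strings is assumed from the two values that occur on this page. One caveat the output is designed to surface: an SSLBL JA3 rule matches the client's ClientHello fingerprint, and on this page the same "Tofsee" hit fires towards every destination including the Google-hosted one (142.250.207.65, which the TLS table ties to *.googleusercontent.com and blogspot.com), which is what you would expect if the fingerprint belongs to the sandbox's Windows TLS stack rather than to the sample. Treat that JA3 hit as a lead to verify against a clean run of the same VM, not as an IOC.

```python
import ipaddress
import re
from collections import Counter

# Six rows copied from the Suricata alert table above (the full table has 23).
ALERT_ROWS = """\
TCP 192.168.56.101:49165 -> 142.250.207.65:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 107.160.74.134:443 -> 192.168.56.101:49170 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 107.160.74.134:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49168 -> 107.160.74.134:443 2038639 ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 142.250.207.65:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
"""

ROW_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<sid>\d+) (?P<rest>.+)$"
)
# Classification strings seen in the last column of this report (assumed set).
CATEGORIES = ("Potentially Bad Traffic", "undefined")
# ET rule titles spell domains with a space before each dot; undo that below.
SNI_RE = re.compile(r"\(([\w .-]+?) in TLS SNI\)")


def parse_row(line):
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    category = next((c for c in CATEGORIES if rest.endswith(" " + c)), "")
    signature = rest[: -len(category)].rstrip() if category else rest
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "sid": int(m.group("sid")),
        "signature": signature,
        "category": category,
    }


def external_peer(row):
    """The non-RFC1918 side of the flow, whichever direction the rule fired on."""
    for ip in (row["src"], row["dst"]):
        if not ipaddress.ip_address(ip).is_private:
            return ip
    return None


def summarize_alerts(text):
    rows = [r for r in map(parse_row, text.splitlines()) if r]
    by_sid = Counter(r["sid"] for r in rows)
    peers = {external_peer(r) for r in rows} - {None}
    sni = {m.group(1).replace(" .", ".")
           for r in rows for m in SNI_RE.finditer(r["signature"])}
    # SSLBL JA3 rules match the client's ClientHello, not the server. If the same
    # fingerprint fires towards every peer, suspect the VM's own TLS stack.
    ja3_peers = {external_peer(r) for r in rows
                 if r["signature"].startswith("SSLBL")} - {None}
    return {
        "rows": len(rows),
        "by_sid": dict(by_sid),
        "peers": sorted(peers),
        "sni": sorted(sni),
        "ja3_peers": sorted(ja3_peers),
        "ja3_fires_on_every_peer": ja3_peers == peers,
    }


if __name__ == "__main__":
    for key, value in summarize_alerts(ALERT_ROWS).items():
        print(f"{key}: {value}")
```

Feed it the whole table and the only SNI it extracts is files.catbox.moe on 107.160.74.134, while the blogspot names come from the separate TLS and request sections, so the two peers need to be read together.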

Suricata TLS

Version Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49163 -> 142.250.207.65:443 C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=*.googleusercontent.com b8:87:cf:d2:6d:98:e2:2e:5b:44:7a:3f:3e:38:c3:f0:33:eb:ce:ec
TLSv1 192.168.56.101:49165 -> 142.250.207.65:443 None None None
TLSv1 192.168.56.101:49166 -> 142.250.207.65:443 None None None
TLSv1 192.168.56.101:49172 -> 142.250.207.65:443 None None None
TLSv1 192.168.56.101:49173 -> 142.250.207.65:443 None None None
TLSv1 192.168.56.101:49164 -> 142.250.207.65:443 C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=misc-sni.blogspot.com e1:6e:2e:f1:e8:5e:50:35:06:ff:b0:c5:0b:a8:d8:8e:d7:46:a3:3b

request OPTIONS https://urlcallinghta6.blogspot.com/
request GET https://urlcallinghta6.blogspot.com/atom.xml
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory (33 calls; arguments identical except base_address)

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
Status 1, Return 0, Repeated 0 for every call

base_address, in log order (0x764b1000 appears twice):
0x6e531000 0x6e3d1000 0x6e3c1000 0x6e3b1000 0x6e371000 0x6e351000 0x6e331000 0x6e231000
0x764b1000 0x75d41000 0x75e61000 0x76161000 0x6e321000 0x6e2d1000 0x6e2b1000 0x764b1000
0x6e241000 0x6e221000 0x6e211000 0x6e201000 0x6e1f1000 0x6e1e1000 0x730d1000 0x6e1a1000
0x6e191000 0x6e151000 0x6e111000 0x6e0f1000 0x6e0b1000 0x75941000 0x6e091000 0x6e071000
0x6df71000
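The 33 NtProtectVirtualMemory records above differ only in base_address, which hides the facts that matter. As an added example that is not part of the report, the Python below parses records in this log layout, keeps the calls that set PAGE_EXECUTE_READWRITE and summarises them: how many, how many distinct pages, which page was changed more than once, and where each page sits relative to a 64 KiB boundary. The embedded log is three of the records copied from the list above with blank lines dropped; the full list has 33. Run over the full list it reports one process (2556), one length (4096) and a single offset, 0x1000: every RWX page lies exactly one page above a 64 KiB-aligned address, i.e. the first page of the first section of a mapped PE image. A one-page RWX change at that position in dozens of modules is the footprint of code patching by a loader, and sandbox monitors hook that way as well as malware, so compare against the loaded-module list for PID 2556 and a clean baseline run before attributing it to the sample.

```python
import re
from collections import Counter

PAGE_EXECUTE_READWRITE = 0x40      # the "64" in the protection column
ALLOC_GRANULARITY = 0x10000        # PE images are mapped on 64 KiB boundaries

# Three records copied from the API log above, blank lines dropped (the log has 33).
API_LOG = """\
NtProtectVirtualMemory
process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e531000
process_handle: 0xffffffff
1 0 0
NtProtectVirtualMemory
process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764b1000
process_handle: 0xffffffff
1 0 0
NtProtectVirtualMemory
process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764b1000
process_handle: 0xffffffff
1 0 0
"""

STATUS_RE = re.compile(r"^(\d+) (\d+) (\d+)$")   # the "Status Return Repeated" row
API_NAME_RE = re.compile(r"^[A-Za-z]\w*$")


def parse_api_log(text):
    """Turn the report's key: value layout into one dict per API call."""
    calls, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATUS_RE.match(line)
        if m and cur is not None:
            cur["status"], cur["return"], cur["repeated"] = map(int, m.groups())
            calls.append(cur)
            cur = None
        elif ":" in line and cur is not None:
            key, value = line.split(":", 1)
            cur["args"][key.strip()] = value.strip()
        elif API_NAME_RE.match(line):
            cur = {"api": line, "args": {}}
    return calls


def protection_value(text):
    return int(text.split()[0])   # "64 (PAGE_EXECUTE_READWRITE)" -> 64


def rwx_summary(calls):
    rwx = [c for c in calls
           if c["api"] == "NtProtectVirtualMemory"
           and protection_value(c["args"]["protection"]) & PAGE_EXECUTE_READWRITE]
    pages = Counter(int(c["args"]["base_address"], 16) for c in rwx)
    return {
        "rwx_calls": len(rwx),
        "unique_pages": len(pages),
        "repeated_pages": sorted(hex(p) for p, n in pages.items() if n > 1),
        "pids": sorted({c["args"]["process_identifier"] for c in rwx}),
        "lengths": sorted({int(c["args"]["length"]) for c in rwx}),
        # Distance of each page from the 64 KiB boundary below it: a single value
        # of 0x1000 means every page is the first one after an image's headers.
        "offsets_from_64k": sorted({hex(p % ALLOC_GRANULARITY) for p in pages}),
        "all_succeeded": all(c["status"] == 1 for c in rwx),
    }


if __name__ == "__main__":
    for key, value in rwx_summary(parse_api_log(API_LOG)).items():
        print(f"{key}: {value}")
```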
file C:\Users\test22\AppData\Local\Temp\~$9f38_9aa2021e548e4d6ea92f285b00a07eb4.docx (Word's hidden owner file for the opened document: the ~$ prefix and FILE_ATTRIBUTE_HIDDEN in the NtCreateFile below are normal Word behaviour, not a dropped payload)
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000003ec
filepath: C:\Users\test22\AppData\Local\Temp\~$9f38_9aa2021e548e4d6ea92f285b00a07eb4.docx
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$9f38_9aa2021e548e4d6ea92f285b00a07eb4.docx
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
Vendor Result
Sangfor Exploit.Win32-Doc.Save.CVE-2022-30190
Symantec W97M.Downloader
ESET-NOD32 VBA/Subdoc.B
Avast OLE:RemoteTemplateInj [Trj]
BitDefender Trojan.Agent.GDRN
NANO-Antivirus Exploit.Xml.CVE-2017-0199.equmby
MicroWorld-eScan Trojan.Agent.GDRN
Baidu Win32.Trojan-Downloader.Agent.kl
McAfee-GW-Edition Artemis!Trojan
FireEye Trojan.Agent.GDRN
GData Trojan.Agent.GDRN
MAX malware (ai score=83)
Antiy-AVL Trojan/MSOffice.Embed.oleurl
Zoner Probably Heur.W97OleLink
Tencent Win32.Trojan.Malware.Mcnw
AVG OLE:RemoteTemplateInj [Trj]
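The Yara matches identify the sample as an OOXML (ZIP) container, and several of the vendor labels above (OLE:RemoteTemplateInj, VBA/Subdoc.B, Trojan/MSOffice.Embed.oleurl, Heur.W97OleLink, and the CVE-2017-0199 and CVE-2022-30190 names) describe one mechanism: a relationship part inside the ZIP whose target is an external URL that Word resolves when the document is opened. As an added example, not code from ZeroBOX or from this report, the Python below walks every .rels part of a docx and reports relationships with TargetMode="External", distinguishing the types Word fetches without a click (attachedTemplate, oleObject, subDocument, frame, linked image) from a plain hyperlink. The sample document it builds is constructed inline with a hypothetical template URL; it is not the analysed file, whose relationship parts this page does not show, so run the checker on the real sample to confirm which relationship the vendors are keying on.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = f"{{{REL_NS}}}Relationship"
# Relationship types whose external target Word resolves without user action;
# a hyperlink is reported too but not flagged, since it needs a click.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "subDocument", "frame", "image"}
MAX_RELS_BYTES = 1 << 20  # refuse to inflate an implausibly large .rels part


def find_external_relationships(docx_bytes):
    """Return every TargetMode="External" relationship in an OOXML container."""
    if not docx_bytes.startswith(b"PK\x03\x04"):
        raise ValueError("not a ZIP container, so not an OOXML document")
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "[Content_Types].xml" not in zf.namelist():
            raise ValueError("ZIP without [Content_Types].xml is not OOXML")
        for info in zf.infolist():
            if not info.filename.endswith(".rels"):
                continue
            if info.file_size > MAX_RELS_BYTES:
                findings.append({"part": info.filename, "type": "oversized",
                                 "target": "", "auto_fetch": True})
                continue
            # xml.etree offers no protection against entity-expansion bombs;
            # production tooling should parse attacker-controlled XML with defusedxml.
            root = ET.fromstring(zf.read(info.filename))
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": info.filename,
                    "type": rtype,
                    "target": rel.get("Target", ""),
                    "auto_fetch": rtype in AUTO_FETCH_TYPES,
                })
    return findings


def build_sample_docx(template_url):
    """Constructed minimal docx with an external attachedTemplate (remote template)
    and a harmless external hyperlink. Synthetic test input, not the analysed file."""
    def rels(rtype, target):
        return (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/{rtype}" '
                f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels("attachedTemplate", template_url))
        zf.writestr("word/_rels/document.xml.rels", rels("hyperlink", "https://example.invalid/"))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("https://template.example.invalid/t.dotm")
    for f in find_external_relationships(sample):
        flag = "FETCHED ON OPEN" if f["auto_fetch"] else "needs click"
        print(f'{f["part"]}: {f["type"]} -> {f["target"]} [{flag}]')
```

The checker looks only at relationship parts, which is where the remote-template and OLE-link tricks live; it does not inspect document.xml itself, so an external target reachable only through field codes or embedded HTML would need a separate check.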