Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | June 9, 2023, 4:15 p.m. | June 9, 2023, 4:18 p.m. |
Process | Command Line | PID |
---|---|---|
EXCEL.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\SOA-0438.xlsx | 3056 |
Name | Response | Post-Analysis Lookup |
---|---|---|
geoplugin.net | 178.237.33.50 | |
gdyhjjdhbvxgsfe.gotdns.ch | 45.81.39.214 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49163 -> 109.206.240.64:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic |
TCP 192.168.56.102:49172 -> 109.206.240.64:80 | 2018752 | ET MALWARE Generic .bin download from Dotted Quad | A Network Trojan was detected |
UDP 192.168.56.102:63709 -> 164.124.101.2:53 | 2042740 | ET INFO DYNAMIC_DNS Query to a *.gotdns .ch Domain | Potentially Bad Traffic |
TCP 192.168.56.102:49173 -> 45.81.39.214:2718 | 2036594 | ET JA3 Hash - Remcos 3.x TLS Connection | Malware Command and Control Activity Detected |
TCP 109.206.240.64:80 -> 192.168.56.102:49163 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 109.206.240.64:80 -> 192.168.56.102:49163 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
TCP 109.206.240.64:80 -> 192.168.56.102:49163 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.3 192.168.56.102:49173 -> 45.81.39.214:2718 | None | None | None |
suspicious_features | suspicious_request |
---|---|
GET method with no useragent header, Connection to IP address | GET http://109.206.240.64/HBZ.exe |
Connection to IP address | GET http://109.206.240.64/tl/ZriAIHCKuK34.bin |
GET method with no useragent header | GET http://geoplugin.net/json.gp |

Type | Value |
---|---|
request | GET http://109.206.240.64/HBZ.exe |
request | GET http://109.206.240.64/tl/ZriAIHCKuK34.bin |
request | GET http://geoplugin.net/json.gp |
file | C:\Users\test22\AppData\Local\Temp\~$SOA-0438.xlsx |
host | 109.206.240.64 |
Antivirus | Result |
---|---|
Lionic | Trojan.MSExcel.Generic.4!c |
DrWeb | W97M.DownLoader.2938 |
FireEye | Exploit.MathType-Obfs.Gen |
Sangfor | Exploit.Doc.CVE-2017-11882.b |
Alibaba | Exploit:Office97/CVE-2017-11882.4c6e177b |
Arcabit | Exploit.MathType-Obfs.Gen |
VirIT | W97M.Downloader.CEH |
Cyren | CVE-2017-11882.C.gen!Camelot |
Symantec | Exp.CVE-2017-11882!g3 |
ESET-NOD32 | probably a variant of Win32/Exploit.CVE-2017-11882.C |
TrendMicro-HouseCall | TROJ_CVE20171182.SM |
Avast | OLE:CVE-2017-11882-B [Expl] |
Cynet | Malicious (score: 99) |
Kaspersky | UDS:DangerousObject.Multi.Generic |
BitDefender | Exploit.MathType-Obfs.Gen |
Tencent | Exp.Ole.CVE-2017-11882.a |
TACHYON | Suspicious/XOX.CVE-2017-11882 |
Emsisoft | Exploit.MathType-Obfs.Gen (B) |
F-Secure | Exploit.EXP/CVE-2017-11882.Gen |
VIPRE | Exploit.MathType-Obfs.Gen |
TrendMicro | TROJ_CVE20171182.SM |
McAfee-GW-Edition | Exploit-GBT!B950B053314E |
Sophos | Exp/20180802-B |
GData | Exploit.MathType-Obfs.Gen |
Avira | EXP/CVE-2017-11882.Gen |
Antiy-AVL | Trojan[Exploit]/Win32.CVE-2017-11882 |
Microsoft | Exploit:O97M/CVE-2017-11882!KZH |
ZoneAlarm | HEUR:Exploit.MSOffice.Generic |
Detected | |
AhnLab-V3 | OLE/Cve-2017-11882.Gen |
McAfee | Exploit-GBT!B950B053314E |
MAX | malware (ai score=88) |
Zoner | Probably Heur.W97ShellO |
Yandex | Trojan.AvsMofer.bYFDMn |
Ikarus | Exploit.CVE-2017-11882 |
Fortinet | MSExcel/GenericKD.39744597!tr |
AVG | OLE:CVE-2017-11882-B [Expl] |