Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Aug. 2, 2023, 4:56 p.m. | Aug. 2, 2023, 4:59 p.m. |
-
WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\obizx.doc
2056
Name | Response | Post-Analysis Lookup |
---|---|---|
www.jaimesinstallglass.com |
CNAME
jaimesinstallglass.com
|
34.102.136.180 |
www.dhikaedwina.com |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49163 -> 2.59.254.18:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic |
TCP 2.59.254.18:80 -> 192.168.56.103:49163 | 2022050 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 | A Network Trojan was detected |
TCP 2.59.254.18:80 -> 192.168.56.103:49163 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 2.59.254.18:80 -> 192.168.56.103:49163 | 2022051 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 | A Network Trojan was detected |
TCP 2.59.254.18:80 -> 192.168.56.103:49163 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
suspicious_features | Connection to IP address | suspicious_request | GET http://2.59.254.18/_errorpages/obizx.exe | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.jaimesinstallglass.com/oy30/?XrFHaDmP=samObAgc8fRSmgyt46cUeNvYftGh2TWlU43Ytmna9VgcgVwYxUKhDBM5jVUDC37CPtwfSBl2&Dzut_N=3fX0 |
request | GET http://2.59.254.18/_errorpages/obizx.exe |
request | GET http://www.jaimesinstallglass.com/oy30/?XrFHaDmP=samObAgc8fRSmgyt46cUeNvYftGh2TWlU43Ytmna9VgcgVwYxUKhDBM5jVUDC37CPtwfSBl2&Dzut_N=3fX0 |
file | C:\Users\test22\AppData\Local\Temp\~$obizx.doc |
filetype_details | Rich Text Format data, version 1, unknown character set | filename | obizx.doc |
host | 2.59.254.18 |
DrWeb | Exploit.CVE-2018-0798.4 |
FireEye | Exploit.RTF-ObfsObjDat.Gen |
CAT-QuickHeal | Exp.RTF.Obfus.Gen |
ALYac | Exploit.RTF-ObfsObjDat.Gen |
Sangfor | Malware.Generic-RTF.Save.8d852815 |
Arcabit | Exploit.RTF-ObfsObjDat.Gen |
Cyren | RTF/CVE-2017-11882.U.gen!Camelot |
Symantec | Exp.CVE-2017-11882!g5 |
Cynet | Malicious (score: 99) |
Kaspersky | HEUR:Exploit.MSOffice.CVE-2018-0802.gen |
BitDefender | Exploit.RTF-ObfsObjDat.Gen |
NANO-Antivirus | Exploit.Rtf.Heuristic-rtf.dinbqn |
MicroWorld-eScan | Exploit.RTF-ObfsObjDat.Gen |
Emsisoft | Exploit.RTF-ObfsObjDat.Gen (B) |
F-Secure | Heuristic.HEUR/Rtf.Malformed |
VIPRE | Exploit.RTF-ObfsObjDat.Gen |
TrendMicro | HEUR_RTFMALFORM |
McAfee-GW-Edition | BehavesLike.Trojan.px |
Ikarus | Win32.Outbreak |
Avira | HEUR/Rtf.Malformed |
Microsoft | Trojan:Script/Wacatac.B!ml |
ZoneAlarm | HEUR:Exploit.MSOffice.CVE-2018-0802.gen |
GData | Exploit.RTF-ObfsObjDat.Gen |
Detected | |
AhnLab-V3 | RTF/Malform-D.Gen |
McAfee | RTFObfustream.c!0CA8F60433AA |
Zoner | Probably Heur.RTFObfuscation |
Rising | Exploit.CVE-2017-11882!1.E8F8 (CLASSIC) |
MAX | malware (ai score=87) |
Fortinet | MSOffice/CVE_2018_0798.BOR!exploit |