Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 4, 2023, 8:56 a.m.	Aug. 4, 2023, 9:19 a.m.

Size	15.8KB
Type	Microsoft Word 2007+
MD5	`9932fab98f2c021632045d04966db4fd`
SHA256	`db1185f24c56cadec1c85a33b0efeb2d803ff00abf4c9df1e00d860683068415`
CRC32	`342166D7`
ssdeep	`192:nmz+IH1eQyUwHpj0w1sPbxbnb25bv/0PdvwOfw5Ie9e8ebWqgj:+BVeTHpwCsDRbSGwmw5IX86tq`
Yara	zip_file_format - ZIP file format docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\73cceb_b5b6005e2aa74cf48cd55dca1a2ff093.docx
2560

Name	Response	Post-Analysis Lookup
huskidkifklaoksikfkfijsju.blogspot.com	CNAME blogspot.l.googleusercontent.com A 142.250.199.65	142.250.206.193

IP Address	Status	Action
142.250.199.65	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 142.250.199.65:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 142.250.199.65:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 142.250.199.65:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 142.250.199.65:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 142.250.199.65:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 142.250.199.65:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 142.250.199.65:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 142.250.199.65:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 142.250.199.65:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 142.250.199.65:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 142.250.199.65:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 142.250.199.65:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49165 142.250.199.65:443	None	None	None
TLSv1 192.168.56.101:49172 142.250.199.65:443	None	None	None
TLSv1 192.168.56.101:49170 142.250.199.65:443	None	None	None
TLSv1 192.168.56.101:49166 142.250.199.65:443	None	None	None
TLSv1 192.168.56.101:49177 142.250.199.65:443	None	None	None
TLSv1 192.168.56.101:49175 142.250.199.65:443	None	None	None
TLSv1 192.168.56.101:49164 142.250.199.65:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=misc-sni.blogspot.com	78:9f:da:34:a6:28:ba:26:5e:6f:1d:9f:e6:7d:3c:b2:53:7a:29:70
TLSv1 192.168.56.101:49174 142.250.199.65:443	None	None	None
TLSv1 192.168.56.101:49173 142.250.199.65:443	None	None	None
TLSv1 192.168.56.101:49163 142.250.199.65:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.googleusercontent.com	1e:bf:42:27:86:d6:60:5e:34:a8:a7:bc:2c:ea:7e:78:19:df:f0:4b
TLSv1 192.168.56.101:49168 142.250.199.65:443	None	None	None
TLSv1 192.168.56.101:49171 142.250.199.65:443	None	None	None
TLSv1 192.168.56.101:49176 142.250.199.65:443	None	None	None

Performs some HTTP requests (2 events)

request	OPTIONS https://huskidkifklaoksikfkfijsju.blogspot.com/
request	GET https://huskidkifklaoksikfkfijsju.blogspot.com/atom.xml

Allocates read-write-execute memory (usually to unpack itself) (35 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e3d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e3c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e3b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e351000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e331000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e231000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x764b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75e61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e2d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e2b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x764b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e221000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e211000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e1f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e1e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e1a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e0f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e0b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e091000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e071000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:56 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6de71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:57 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df71000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$cceb_b5b6005e2aa74cf48cd55dca1a2ff093.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Aug. 4, 2023, 8:56 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003ec filepath: C:\Users\test22\AppData\Local\Temp\~$cceb_b5b6005e2aa74cf48cd55dca1a2ff093.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$cceb_b5b6005e2aa74cf48cd55dca1a2ff093.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Lionic	Trojan.MSWord.Dotmer.4!c
MicroWorld-eScan	Trojan.GenericKD.65597668
FireEye	Trojan.GenericKD.65597668
Arcabit	Trojan.Generic.D3E8F0E4
Baidu	Win32.Trojan-Downloader.Agent.kl
Cyren	DOCX/CVE-2017-0199!Camelot
Symantec	W97M.Downloader
ESET-NOD32	VBA/Subdoc.B
TrendMicro-HouseCall	TROJ_FRS.0NA104EM23
Avast	OLE:RemoteTemplateInj [Trj]
Kaspersky	HEUR:Trojan-Downloader.MSOffice.Dotmer.gen
BitDefender	Trojan.GenericKD.65597668
NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
Tencent	Trojan.Win32.Office_Dl.11025945
Sophos	Troj/DocDl-AGYV
VIPRE	Trojan.GenericKD.65597668
TrendMicro	TROJ_FRS.0NA104EM23
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.65597668 (B)
MAX	malware (ai score=87)
Antiy-AVL	Trojan/MSOffice.Embed.oleurl
Microsoft	Exploit:O97M/CVE-2017-0199.PRCA!MTB
ViRobot	DOC.Z.Agent.16193
ZoneAlarm	HEUR:Trojan-Downloader.MSOffice.Dotmer.gen
GData	Trojan.GenericKD.65597668
Google	Detected
AhnLab-V3	Downloader/DOC.External
Zoner	Probably Heur.W97OleLink
AVG	OLE:RemoteTemplateInj [Trj]

73cceb_b5b6005e2aa74cf48cd55dca1a2ff093.docx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All