Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Sept. 12, 2023, 7:47 a.m. | Sept. 12, 2023, 7:49 a.m. |
-
WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\o0o0o0ooio0oio0io0i0oOIO0OI0OIO0OO0I0OIOI0O000%23%23%23%23%23%23%23%23%23%23%23%23%23%23000O0OI0OI0O0ooo0i0o0io0%23%23%23%23%23%23%23%23%23%23%23%23%23%2300000000000.doc
800
Name | Response | Post-Analysis Lookup |
---|---|---|
apps.identrust.com |
CNAME
a1952.dscq.akamai.net
CNAME
identrust.edgesuite.net
|
23.67.53.18 |
uploaddeimagens.com.br | 172.67.215.45 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49162 -> 141.98.6.202:80 | 2022520 | ET POLICY Possible HTA Application Download | Potentially Bad Traffic |
TCP 192.168.56.103:49162 -> 141.98.6.202:80 | 2027261 | ET INFO Dotted Quad Host HTA Request | Potentially Bad Traffic |
TCP 192.168.56.103:49162 -> 141.98.6.202:80 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | Attempted User Privilege Gain |
TCP 141.98.6.202:80 -> 192.168.56.103:49162 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | A Network Trojan was detected |
TCP 192.168.56.103:49166 -> 104.21.45.138:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49166 104.21.45.138:443 |
C=US, O=Let's Encrypt, CN=E1 | CN=uploaddeimagens.com.br | 67:68:c4:e4:aa:54:e1:fd:f0:50:01:73:1e:da:cf:48:0c:17:0d:34 |
suspicious_features | Connection to IP address | suspicious_request | GET http://141.98.6.202/win/windows/WUDFHost.hta |
request | GET http://141.98.6.202/win/windows/WUDFHost.hta |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
file | C:\Users\test22\AppData\Local\Temp\~$o0o0ooio0oio0io0i0oOIO0OI0OIO0OO0I0OIOI0O000##############000O0OI0OI0O0ooo0i0o0io0##############00000000000.doc |
host | 141.98.6.202 |
MicroWorld-eScan | Exploit.RTF-ObfsObjDat.Gen |
FireEye | Exploit.RTF-ObfsObjDat.Gen |
CAT-QuickHeal | Exp.RTF.Obfus.Gen |
ALYac | Exploit.RTF-ObfsObjDat.Gen |
VIPRE | Exploit.RTF-ObfsObjDat.Gen |
Sangfor | Malware.Generic-RTF.Save.7ed7ea68 |
Arcabit | Exploit.RTF-ObfsObjDat.Gen |
Symantec | Exp.CVE-2017-11882!g5 |
ESET-NOD32 | multiple detections |
Cynet | Malicious (score: 99) |
Kaspersky | HEUR:Exploit.MSOffice.CVE-2018-0802.gen |
BitDefender | Exploit.RTF-ObfsObjDat.Gen |
NANO-Antivirus | Exploit.Rtf.Heuristic-rtf.dinbqn |
F-Secure | Heuristic.HEUR/Rtf.Malformed |
DrWeb | Exploit.CVE-2018-0798.4 |
TrendMicro | HEUR_RTFMALFORM |
Emsisoft | Exploit.RTF-ObfsObjDat.Gen (B) |
Ikarus | Exploit.CVE-2017-11882 |
Avira | HEUR/Rtf.Malformed |
Microsoft | Exploit:Win32/CVE-2017-11882!ml |
ZoneAlarm | HEUR:Exploit.MSOffice.CVE-2018-0802.gen |
GData | Exploit.RTF-ObfsObjDat.Gen |
Detected | |
AhnLab-V3 | RTF/Malform-A.Gen |
McAfee | RTFObfustream.c!5CEC67A92CED |
Zoner | Probably Heur.RTFBadHeader |
Rising | Exploit.CVE-2017-11882!1.E8F8 (CLASSIC) |
MAX | malware (ai score=88) |
Fortinet | MSOffice/CVE_2018_0798.BOR!exploit |