Summary

Category	Machine	Started	Completed
ARCHIVE	s1_win7_x6401	June 7, 2024, 11:53 p.m.	June 7, 2024, 11:57 p.m.

Archive Open-Audit-Classic-master/htdocs/openaudit/out/testipscan.xlsx @ Open-Audit-Classic-master.zip

Size	3.9KB
Type	Microsoft Excel 2007+
MD5	`62af5df60e921eb75e8a811735317410`
SHA1	`82d40c40e2f0341e5342c637710f893312674962`
SHA256	`8d0cd9f5b8b03aa5a3d4dd2900ea74bd498dbf633b4077c0f6e49e9e7aefb6f4`
SHA512	`e0e3f801872dca26b23743b0b20eb91917b0fddc565cf9d383cb528951f201e079c62240aa62680b97fdf42a515287c9ed476b7eb04f96fde3e529b17cde932b`
CRC32	`CA434FE3`
ssdeep	`48:0BgYjNQ5KIBgJD+CtPsWBnafSPgB5PrkpW9yQA7a0rbt++92hmP3Oke9jJts//Sk:03yBOOWBnmrUna0tiAP3OkeJq///v`
Yara	zip_file_format - ZIP file format

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\Open-Audit-Classic-master/htdocs/openaudit/out/testipscan.xlsx
2704

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 7, 2024, 11:16 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f5b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2024, 11:16 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f60f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2024, 11:16 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f60f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2024, 11:16 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f711000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 11:16 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 11:16 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 11:16 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 11:16 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fe0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2024, 11:16 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f4b1000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\Open-Audit-Classic-master\htdocs\openaudit\out\~$testipscan.xlsx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile June 7, 2024, 11:16 p.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000003a4 filepath: C:\Users\test22\AppData\Local\Temp\Open-Audit-Classic-master\htdocs\openaudit\out\~$testipscan.xlsx desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\Open-Audit-Classic-master\htdocs\openaudit\out\~$testipscan.xlsx create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Potentially malicious URLs were found in the process memory dump (40 events)

url	http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet
url	http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0
url	http://ocsp.verisign.com0
url	http://schemas.openxmlformats.org/presentationml/2006/3/main
url	http://schemas.openxmlformats.org/officeDocument/2006/relationships/sharedStrings
url	http://crl.verisign.com/tss-ca.crl0
url	http://purl.org/dc/terms
url	http://schemas.openxmlformats.org/package/2006/metadata/core-properties
url	http://schemas.xmlsoap.org/wsdl/mime/
url	http://storage.msn.com/mydata/myspace/SpaceFolder/PhotoAlbums/My
url	http://office.microsoft.com
url	http://crl.verisign.com/ThawteTimestampingCA.crl0
url	http://schemas.xmlsoap.org/wsdl/http/
url	http://microsoft.com/wsdl/mime/textMatching/
url	http://purl.org/dc/elements/1.1/
url	http://schemas.xmlsoap.org/wsdl/soap/
url	http://microsoft.com/webservices/SharePointPortalServer/BDCClientWS/Resolve
url	http://www.blogger.com/feeds/default/blogs
url	http://schemas.xmlsoap.org/soap/envelope/
url	http://schemas.xmlsoap.org/wsdl/
url	http://schemas.openxmlformats.org/officeDocument/2006/relationships
url	http://schemas.openxmlformats.org/drawingml/2006/3/diagram
url	http://schemas.xmlsoap.org/soap/encoding/
url	http://purl.org/dc/elemenb
url	http://schemas.openxmlformats.org/drawingml/2006/3/main
url	http://schemas.openxmlformats.org/drawingml/2006/diagram
url	http://schemas.openxmlformats.org/drawingml/2006/3/spreadsheetDrawing
url	http://microsoft.com0
url	http://schemas.openxmlformats.org/package/2006/relationships
url	http://purl.org/dc/elements/1%
url	http://microsoft.com/webservices/SharePointPortalServer/BDCClientWS/
url	http://www.typepad.com/t/api
url	https://storage.msn.com/storageservice/MetaWeblog.rpc
url	http://schemas.openxmlformats.org/drawingml/2006/main
url	http://purl.org/dc/dcmitype/
url	http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles
url	http://purl.org/dc/terms/
url	http://schemas.openxmlformats.org/officeDocument/2006/extended-properties
url	http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
url	http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd

Yara rule detected in process memory (18 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Affect hook table	rule	win_hook
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger

Archive Open-Audit-Classic-master/htdocs/openaudit/out/testipscan.xlsx @ Open-Audit-Classic-master.zip

Summary

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All