Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | June 14, 2024, 9:15 a.m. | June 14, 2024, 9:17 a.m. |
WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\bin2.doc
1268
Name | Response | Post-Analysis Lookup |
---|---|---|
dukeenergyltd.top | 172.67.134.136 | |
www.ybw73.top | CNAME ybw73.top | 38.47.232.233 |
www.aritum.top | 203.161.55.102 | |
www.ay62m.top | CNAME ay62m.top | 38.47.207.132 |
www.winnscce.com | 123.58.214.101 | |
www.carolinappttery.com | 123.58.214.101 | |
www.sjzsls.com | 154.212.44.122 | |
www.sqlite.org | 45.33.6.223 | |
www.w90dm.top | CNAME w90dm.top | 38.47.232.178 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.103:50800 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic |
TCP 192.168.56.103:49163 -> 172.67.134.136:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
UDP 192.168.56.103:56613 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic |
TCP 192.168.56.103:49177 -> 38.47.232.178:80 | 2023882 | ET INFO HTTP Request to a *.top domain | Potentially Bad Traffic |
TCP 192.168.56.103:49186 -> 38.47.232.233:80 | 2023882 | ET INFO HTTP Request to a *.top domain | Potentially Bad Traffic |
UDP 192.168.56.103:53658 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49163 -> 172.67.134.136:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=dukeenergyltd.top | dc:d1:cd:ef:25:8a:f4:08:21:69:c1:4e:19:c4:d8:e3:67:23:ee:f6 |
request | POST http://www.sjzsls.com/9ypd/ |
request | GET http://www.sjzsls.com/9ypd/?gSDpSqhg=Fp4YMLPzXpbUfY9ET0WH3a72p3fXf7YhU2uVF/1Su8SRdO97GHvogqvz+96x72oMEQq3eHyW0zw8RVfXjuFBE/DSpz5ZNszOE2hxgYcLkAt/YsxuqXlLrzOhs3BZhOu+6KXTzoA=&zd=lHTo3CucwT |
request | GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip |
request | GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3140000.zip |
request | POST http://www.winnscce.com/xk70/ |
request | GET http://www.winnscce.com/xk70/?gSDpSqhg=E9dNAQXSau8gxD7ycO4dLfQfH5YRjq6/aXbIhWqdNKhuK+zum8oLAEgkUh6j+ec/Dsz5NNoJPY83q7uKVhR+kQSzALNmdhL2cm95N3pKuY1dSsInVS8QGD1t6OErSJExWBCOe4E=&zd=lHTo3CucwT |
request | POST http://www.w90dm.top/8ms4/ |
request | GET http://www.w90dm.top/8ms4/?gSDpSqhg=udGRhKSFzWywOShfg4LrArlkOSU57jdgfHHoAEODJUB2/fB/f7uvWahs0ChcgR3p3uHY1bC8mP+rUPbsneCLatPp1qyYsRzD0wOOKHTt4GdecEtntAcROmt09OnVjaXmhkctiwE=&zd=lHTo3CucwT |
request | POST http://www.ay62m.top/orwn/ |
request | GET http://www.ay62m.top/orwn/?gSDpSqhg=3cBNLJTm2SpTWV5+FkCnTYkROdg55TQjKQDEk1HDa97easJD35wZE2GMsxRselnzvm7j4PFdEanRmF1YrarFthUoWpYtpzXpGMx8vyWuQ49fEDOcUJzL6xCqo7J2o8DZINEYFF8=&zd=lHTo3CucwT |
request | POST http://www.carolinappttery.com/q380/ |
request | GET http://www.carolinappttery.com/q380/?gSDpSqhg=ehUrFCKl0QR4T29AJZh5dRT/ZDPm9qTvUW59H2BhLEsiO0kIW28uNcfa56DEKhzH0iD+lYFdD8RRxblUIft60LyxhWLZTQGF9CEZTcwXHMEEzcDS8bPwZbiqnYj5NbIEEA54k2w=&zd=lHTo3CucwT |
request | POST http://www.ybw73.top/zfmd/ |
request | GET http://www.ybw73.top/zfmd/?gSDpSqhg=Wy9Xy0arXTA/u2vvBYrKIOUBpzUpOEWJyNtxnnOaFAzOmZ+G/QUaP7IPedalQRfZTnOTlfhQhpBKLAk/X9K39OImH5VRArdmcUQpro/j/mKcwsNXkqPqNRMPQWcketlQaFqDwMQ=&zd=lHTo3CucwT |
request | POST http://www.aritum.top/f2qc/ |
request | GET http://www.aritum.top/f2qc/?gSDpSqhg=+PlbwI8tNruUpga2nartzvIoOczIwOvbU1ANxXfMuvMQEzSRrWQM3cmspk1IFvcCMV40t1yig50Ax37YShWjrdIjOvIEgJJROzqkte3OBXYcjah0B7lnBY2SKVXOZr2cpq5/qwU=&zd=lHTo3CucwT |
request | GET https://dukeenergyltd.top/bin2.scr |
request | POST http://www.sjzsls.com/9ypd/ |
request | POST http://www.winnscce.com/xk70/ |
request | POST http://www.w90dm.top/8ms4/ |
request | POST http://www.ay62m.top/orwn/ |
request | POST http://www.carolinappttery.com/q380/ |
request | POST http://www.ybw73.top/zfmd/ |
request | POST http://www.aritum.top/f2qc/ |
domain | www.aritum.top | description | Generic top level domain TLD |
domain | www.ay62m.top | description | Generic top level domain TLD |
domain | www.ybw73.top | description | Generic top level domain TLD |
domain | www.w90dm.top | description | Generic top level domain TLD |
file | C:\Users\test22\AppData\Local\Temp\~$bin2.doc |
filetype_details | Rich Text Format data, version 1, unknown character set | filename | bin2.doc |
Lionic | Trojan.MSOffice.ObfsObjDat.3!c |
Cynet | Malicious (score: 99) |
CAT-QuickHeal | Exp.RTF.Obfus.Gen |
Skyhigh | BehavesLike.Trojan.hx |
ALYac | Exploit.RTF-ObfsObjDat.Gen |
VIPRE | Exploit.RTF-ObfsObjDat.Gen |
Sangfor | Malware.Generic-RTF.Save.1688859d |
Arcabit | Exploit.RTF-ObfsObjDat.Gen |
Symantec | Exp.CVE-2017-11882!g6 |
McAfee | RTFObfustream.c!118072ABACA5 |
Avast | RTF:Obfuscated-gen [Trj] |
Kaspersky | HEUR:Exploit.MSOffice.CVE-2018-0802.gen |
BitDefender | Exploit.RTF-ObfsObjDat.Gen |
MicroWorld-eScan | Exploit.RTF-ObfsObjDat.Gen |
Rising | Exploit.Generic!1.EB5C (CLASSIC) |
Emsisoft | Exploit.RTF-ObfsObjDat.Gen (B) |
F-Secure | Trojan.TR/AVF.Obfuscated.tferp |
DrWeb | Exploit.CVE-2018-0798.4 |
TrendMicro | HEUR_RTFMALFORM |
FireEye | Exploit.RTF-ObfsObjDat.Gen |
Ikarus | Exploit.CVE-2017-11882 |
Detected | |
Avira | TR/AVF.Obfuscated.tferp |
Kingsoft | Win32.Infected.AutoInfector.a |
Microsoft | Exploit:O97M/CVE-2018-0802!MTB |
ZoneAlarm | HEUR:Exploit.MSOffice.CVE-2018-0802.gen |
GData | Exploit.RTF-ObfsObjDat.Gen |
Varist | RTF/ABRisk.POUB-9 |
AhnLab-V3 | OLE/Cve-2018-0798.Gen |
Zoner | Probably Heur.RTFObfuscation |
MAX | malware (ai score=85) |
Fortinet | MSOffice/CVE_2018_0798.BOR!exploit |
AVG | RTF:Obfuscated-gen [Trj] |