Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | July 4, 2024, 4:54 p.m. | July 4, 2024, 5:01 p.m. |
-
WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\uh.uh.uhuhuh.uu.uh.doc
1000
Name | Response | Post-Analysis Lookup |
---|---|---|
uploaddeimagens.com.br | 172.67.215.45 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 91.92.254.29:80 -> 192.168.56.103:49164 | 2400012 | ET DROP Spamhaus DROP Listed Traffic Inbound group 13 | Misc Attack |
TCP 91.92.254.29:80 -> 192.168.56.103:49164 | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | A Network Trojan was detected |
TCP 192.168.56.103:49167 -> 172.67.215.45:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 91.92.254.29:80 -> 192.168.56.103:49164 | 2012325 | ET WEB_CLIENT Obfuscated Javascript // ptth | Potentially Bad Traffic |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49167 172.67.215.45:443 |
C=US, O=Google Trust Services, CN=WE1 | CN=uploaddeimagens.com.br | 73:a9:e0:a5:b1:5f:db:89:38:94:4f:97:4d:68:78:e4:59:c5:9f:a5 |
suspicious_features | Connection to IP address | suspicious_request | GET http://198.46.178.139/33144/creatingfollowerswithflowereseverytime.gif | ||||||
suspicious_features | Connection to IP address | suspicious_request | GET http://91.92.254.29/Users_API/syscore/file_ygeik543.xh0.txt | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235 |
request | GET http://198.46.178.139/33144/creatingfollowerswithflowereseverytime.gif |
request | GET http://91.92.254.29/Users_API/syscore/file_ygeik543.xh0.txt |
request | GET https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235 |
file | C:\Users\test22\AppData\Local\Temp\~$.uh.uhuhuh.uu.uh.doc |
filetype_details | Rich Text Format data, version 1, unknown character set | filename | uh.uh.uhuhuh.uu.uh.doc |
host | 198.46.178.139 | |||
host | 91.92.254.29 |
Lionic | Trojan.MSOffice.ObfsStrm.4!c |
Cynet | Malicious (score: 99) |
CAT-QuickHeal | Exp.RTF.Obfus.Gen |
Skyhigh | BehavesLike.Trojan.cx |
VIPRE | Exploit.RTF-ObfsStrm.Gen |
Sangfor | Malware.Generic-RTF.Save.ecfa366c |
Arcabit | Exploit.RTF-ObfsStrm.Gen |
Symantec | Exp.CVE-2017-11882!g2 |
ESET-NOD32 | multiple detections |
McAfee | RTFObfustream.c!2065F134F209 |
Avast | OLE:CVE-2017-11882-B [Expl] |
Kaspersky | UDS:DangerousObject.Multi.Generic |
BitDefender | Exploit.RTF-ObfsStrm.Gen |
NANO-Antivirus | Exploit.Rtf.Heuristic-rtf.dinbqn |
MicroWorld-eScan | Exploit.RTF-ObfsStrm.Gen |
Rising | Exploit.Generic!1.EB5C (CLASSIC) |
Emsisoft | Exploit.RTF-ObfsStrm.Gen (B) |
F-Secure | Exploit.EXP/AVF.CVE.csjuh |
DrWeb | Exploit.ShellCode.69 |
TrendMicro | HEUR_RTFMALFORM |
FireEye | Exploit.RTF-ObfsStrm.Gen |
Sophos | Troj/RtfExp-EQ |
Ikarus | Exploit.CVE-2017-11882 |
Avira | EXP/AVF.CVE.csjuh |
Antiy-AVL | Trojan[Exploit]/OLE2.CVE-2017-11882 |
ZoneAlarm | HEUR:Exploit.MSOffice.Generic |
GData | Exploit.RTF-ObfsStrm.Gen |
Varist | CVE-2017-11882.D.gen!Camelot |
AhnLab-V3 | RTF/Malform-A.Gen |
Zoner | Probably Heur.RTFObfuscation |
Tencent | Exp.Office.CVE-2017-11882.a |
MAX | malware (ai score=81) |
Fortinet | MSOffice/CVE_2017_11882.B!exploit |
AVG | OLE:CVE-2017-11882-B [Expl] |