Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
08.01 03:08
lasjdflakdsjf.pdf.exe
08.01 03:08
Microsoft_AntiSpam_Ext...
08.01 03:08
hacrvidth vibev.exe
08.01 02:08
vhcrvdh iobv.exe
08.01 02:08
faultrep2.dll
08.01 02:08
faultrep.dll
08.01 02:08
MichelinNight.lnk
08.01 02:08
【算法工程师】李子豪.lnk
08.01 11:08
random.exe
08.01 11:08
dz.js

Latest News
08.02 03:08
Navegar entre inovaçõe...
08.02 03:08
The Cyber Fallout: Nav...
08.02 02:08
Google Using Enhanced ...
08.02 02:08
Microsoft Confirms Glo...
08.02 02:08
CrowdStrike, Antitrust...
08.02 02:08
New BingoMod Android M...
08.02 01:08
Company Paid Record-Br...
08.02 01:08
Meta's PromptGuard Mod...
08.02 01:08
8 Essential Considerat...
08.02 01:08
One Does Not Simply … ...

Summary | ZeroBOX

INVESTIGATION_OF_SEXUAL_HARASSMENT.docx

Word 2007 file format(docx) ZIP Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 8, 2024, 2:07 p.m.	July 8, 2024, 2:09 p.m.

Size	1.4MB
Type	Microsoft OOXML
MD5	`9345d52abd5bab4320c1273eb2c90161`
SHA256	`b72ac58d599e6e1080251b1ac45a521b33c08d7d129828a4e82a7095e9f93e53`
CRC32	`F3A6DC49`
ssdeep	`24576:VoNQ1+/W3rFh9SgVD3rhsIcll1VjjSfeKLTnrvSOJh+zu8vOuW4ZhlQK9Wd:VoNQKW3rFh9l2hlHHBKLbrvhUiCOuWAK`
Yara	zip_file_format - ZIP file format docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\INVESTIGATION_OF_SEXUAL_HARASSMENT.docx
3032

Name	Response	Post-Analysis Lookup
investigation04.session-out.com	A 89.150.40.43	89.150.40.43
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 23.41.113.9	23.52.33.11

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.41.113.9	Active	Moloch
89.150.40.43	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49165 -> 89.150.40.43:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49162 -> 89.150.40.43:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49167 -> 89.150.40.43:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49165 89.150.40.43:443	C=US, O=Let's Encrypt, CN=R11	CN=*.session-out.com	52:ef:0a:05:6a:3d:2b:7c:d3:af:dd:15:76:7f:18:1b:44:f4:24:9a
TLSv1 192.168.56.102:49162 89.150.40.43:443	C=US, O=Let's Encrypt, CN=R11	CN=*.session-out.com	52:ef:0a:05:6a:3d:2b:7c:d3:af:dd:15:76:7f:18:1b:44:f4:24:9a
TLSv1 192.168.56.102:49167 89.150.40.43:443	None	None	None

Performs some HTTP requests (1 event)

request

GET http://x1.i.lencr.org/

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 8, 2024, 2:07 p.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a20a000 process_handle: 0xffffffff	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$VESTIGATION_OF_SEXUAL_HARASSMENT.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 8, 2024, 2:07 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000454 filepath: C:\Users\test22\AppData\Local\Temp\~$VESTIGATION_OF_SEXUAL_HARASSMENT.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$VESTIGATION_OF_SEXUAL_HARASSMENT.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Kaspersky	HEUR:Trojan-Downloader.MSOffice.Dotmer.gen
NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
ZoneAlarm	HEUR:Trojan-Downloader.MSOffice.Dotmer.gen
Zoner	Probably Heur.W97OleLink