Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 28, 2024, 2:36 a.m.	Sept. 28, 2024, 2:38 a.m.

Size	736.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: rmeyer, Template: Normal, Last Saved By: user, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Last Printed: Thu Jan 29 17:29:00 2009, Create Time/Date: Tue Jun 1 13:52:00 2021, Last Saved Time/Date: Tue Jun 1 13:52:00 2021, Number of Pages: 1, Number of Words: 105, Number of Characters: 601, Security: 0
MD5	`3f89ed9e9e4be551f2d13b16287248c0`
SHA256	`7dd7fcb839e3d18745b8dfd20dc6ef4f0fd6bad46597b10ec7649a2f7f364d0a`
CRC32	`7A9256E4`
ssdeep	`12288:zBbfJoh59mnEXCjgoVGk+8meFn9wLW+KVthQt12WbwNrlgUDJfKDSwRZUIQv:Fb+hDmgCjgZKmeFnGUvQt1VwNB3lfLw+`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File Generic_Malware_Zero - Generic Malware

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\Document%20896885.doc
2552

Name	Response	Post-Analysis Lookup
brasilvioleiro.com.br
breadxfish.com
thegoldprocess.com	A 23.227.38.32	23.227.38.32
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 23.41.113.9	23.52.33.11
ukcorporatetransfer.com	A 3.33.130.190 A 15.197.148.33	3.33.130.190
www.thewordmarvel.com
highpointroofers.com
reachmedical.in
mirrorlakedrugs.com	A 199.59.243.227	199.59.243.227
test.podcastbites.io	A 162.241.218.172	162.241.218.172
zotno.xyz	A 77.37.66.5	77.37.75.155

IP Address	Status	Action
162.241.218.172	Active	Moloch
164.124.101.2	Active	Moloch
199.59.243.227	Active	Moloch
23.227.38.32	Active	Moloch
23.41.113.9	Active	Moloch
3.33.130.190	Active	Moloch
77.37.66.5	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 23.227.38.32:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 77.37.66.5:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 77.37.66.5:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.241.218.172:443 -> 192.168.56.101:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 23.227.38.32:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 162.241.218.172:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 162.241.218.172:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 199.59.243.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 3.33.130.190:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 199.59.243.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 3.33.130.190:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49176 199.59.243.227:443	C=US, O=Let's Encrypt, CN=E5	CN=mirrorlakedrugs.com	af:02:b5:c3:e5:22:38:11:b5:b3:b3:d0:d8:97:7b:d4:2d:22:c4:13
TLSv1 192.168.56.101:49179 199.59.243.227:443	C=US, O=Let's Encrypt, CN=E5	CN=mirrorlakedrugs.com	af:02:b5:c3:e5:22:38:11:b5:b3:b3:d0:d8:97:7b:d4:2d:22:c4:13

Performs some HTTP requests (2 events)

request	GET http://x1.i.lencr.org/
request	GET https://mirrorlakedrugs.com/wp-content/themes/twentyseventeen/template-parts/footer/0ZyL3hUtu.php

Allocates read-write-execute memory (usually to unpack itself) (28 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e2a5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e541000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e221000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dec1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6de81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6de61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6de21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6de01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dde1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc44000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2024, 2:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$cument 896885.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 28, 2024, 2:36 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000198 filepath: C:\Users\test22\AppData\Local\Temp\~$cument 896885.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$cument 896885.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Word document hooks document open

Creates suspicious VBA object (1 event)

com_class

Wscript.Shell

May attempt to create new processes

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Trojan.MSWord.Valyria.b!c
CAT-QuickHeal	OLE.Downloader.43771
Skyhigh	BehavesLike.OLE2.Suspicious.bb
ALYac	VB:Trojan.Valyria.4785
VIPRE	VB:Trojan.Valyria.4785
Arcabit	HEUR.VBA.Trojan.d
Symantec	Trojan.Gen.NPE.C
Elastic	malicious (high confidence)
ESET-NOD32	GenScript.MHI
TrendMicro-HouseCall	TROJ_FRS.0NA103AO24
McAfee	W97M/Downloader.dpx
Avast	VBA:Crypt-AB [Trj]
ClamAV	Doc.Malware.Snake-10031454-0
Kaspersky	HEUR:Trojan-Dropper.MSOffice.SDrop.gen
BitDefender	VB:Trojan.Valyria.4785
MicroWorld-eScan	VB:Trojan.Valyria.4785
Rising	Malware.Obfus/VBA@AI.99 (VBA)
Emsisoft	VB:Trojan.Valyria.4785 (B)
TrendMicro	TROJ_FRS.0NA103AO24
FireEye	VB:Trojan.Valyria.4785
Ikarus	Trojan.Office.Doc
Google	Detected.Heuristic.Script
MAX	malware (ai score=100)
Antiy-AVL	Trojan[Downloader]/MSOffice.Agent
Xcitium	Malware@#2kqrg5qj8mv52
Microsoft	TrojanDownloader:O97M/Dridex.BVG!MTB
ViRobot	DOC.Z.Agent.753664
ZoneAlarm	HEUR:Trojan-Dropper.MSOffice.SDrop.gen
GData	VB:Trojan.Valyria.4785
Varist	W97M/Agent.WF.gen!Eldorado
AhnLab-V3	Malware/MSOffice.Generic.SC180281
Acronis	suspicious
TACHYON	Suspicious/W97M.DRP.Gen
Tencent	Trojan.MsOffice.MacroS.11012866
huorong	HEUR:OMacro/Errgo.a
Fortinet	VBA/Agent.WCP!tr.dldr
AVG	VBA:Crypt-AB [Trj]
alibabacloud	Trojan[dropper]:MSOffice/GenScript.MHI trojan

Office document performs HTTP request (possibly to download malware) (1 event)

payload_url

https://zotno.xyz/wp-content/themes/storefront/e2e/specs/kCKt578W.php

Document%20896885.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All