Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | March 9, 2021, 11:23 a.m. | March 9, 2021, 11:26 a.m. |
-
WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\resume_89607647.doc
1116
Name | Response | Post-Analysis Lookup |
---|---|---|
fort-communications.com | 129.146.47.154 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49205 -> 129.146.47.154:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49204 -> 129.146.47.154:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
No Suricata TLS
file | C:\Users\test22\AppData\Local\Temp\~$sume_89607647.doc |
url | https://ssl.pstatic.net/tveta/libs/1287/1287046/6df1cc02334922baa2d4_20200806172035021.jpg |
url | https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png |
url | http://find.joins.com/ |
url | http://uk.ask.com/favicon.ico |
url | https://fonts.gstatic.com/s/lato/v16/S6uyw4BMUTPHjx4wWA.woff |
url | http://google.com/ |
url | https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38528621599152653.jpeg%22 |
url | http://search.yahoo.co.jp |
url | http://ru.wikipedia.org/ |
url | https://s.pstatic.net/static/www/mobile/edit/2020/0804/cropImg_728x360_38481254551659019.jpeg |
url | http://www.najdi.si/ |
url | http://www.merlin.com.pl/favicon.ico |
url | http://www.cnet.com/favicon.ico |
url | https://ssl.pstatic.net/tveta/libs/assets/js/common/min/probe.min.js |
url | https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic1.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0806%2FcropImg_222x145_38626953912837677.png%22 |
url | https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct |
url | http://search.naver.com/search.naver?sm=tab_hty.top |
url | http://www.snee.com/xml/xslt/sample.doc |
url | http://recherche.linternaute.com/ |
url | http://www.yceml.net/0559/10408495-1499411010011 |
url | http://p.zhongsou.com/ |
url | https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg |
url | https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png |
url | https://fonts.gstatic.com/s/catamaran/v7/o-0bIpQoyXQa2RxT7-5B6Ryxs2E_6n1iPHjd5a7dvQ.woff |
url | https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22 |
url | https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336 |
url | https://ssl.pstatic.net/static/pwe/nm/b.gif |
url | http://search.nifty.com/ |
url | https://castbox.shopping.naver.com/js/lazyload.js |
url | http://ns.adobe.com/exif/1.0/ |
url | http://schemas.openxmlformats.org/wordprocessingml/2006/main |
url | https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png |
url | https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2Fmobile_17061525298c.jpg%22 |
url | http://www.etmall.com.tw/ |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png |
url | http://schemas.xmlsoap.org/wsdl/ |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png |
url | http://www.buzzadnetwork.com/jump/next.php?stamat=m%7CM-4iM-4jaQdHQBH0dEdHP3xP.0e7%2CboDB7XrVJDfRqYwVNhmAc8QRCrIuseXl_bWuTf_latOFYiGEzPpb7ikp5t8RPmTHyMRYDe1i9EJZLC6LSuccW1-YPggnMxkcwVirdNVGfgK3hFUbeKvFvqNv0-u8VxfrNUFB1gFhMN_8GLCn1znxf5_p0FJe0MYRI7nbfyajoqg_H3fvzrjsMsC0vAMYn2un8v5vcBfzwM-DewoZ7WId7geGlrySfAHx5KiJ5Hm90CU%2C |
url | https://s.pstatic.net/shopping.phinf/20200720_22/e2297359-375a-403a-86c5-44ff86c708fc.jpg |
url | https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336 |
url | http://busca.estadao.com.br/favicon.ico |
url | http://search.hanafos.com/favicon.ico |
url | https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png |
url | https://tistory3.daumcdn.net/tistory/807805/skin/images/footerbg.jpg |
url | http://search.chol.com/favicon.ico |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png |
url | http://www.mercadolibre.com.mx/favicon.ico |
url | https://file-examples-com.github.io/uploads/2017/02/file-sample_1MB.doc |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/825.png |
description | Hijack network configuration | rule | hijack_network | ||||||
description | Create a COM server | rule | create_com_service | ||||||
description | Listen for incoming communication | rule | network_tcp_listen | ||||||
description | Communications over HTTP | rule | network_http | ||||||
description | Communications over FTP | rule | network_ftp | ||||||
description | Communications over RAW socket | rule | network_tcp_socket | ||||||
description | Communications use DNS | rule | network_dns | ||||||
description | Communication using dga | rule | network_dga | ||||||
description | Escalade priviledges | rule | escalate_priv | ||||||
description | Take screenshot | rule | screenshot | ||||||
description | Run a keylogger | rule | keylogger | ||||||
description | Steal credential | rule | cred_local | ||||||
description | APC queue tasks migration | rule | migrate_apc | ||||||
description | Malware can spread east-west file | rule | spreading_file | ||||||
description | Remote Administration toolkit enable RDP | rule | rat_rdp | ||||||
description | Create or check mutex | rule | win_mutex | ||||||
description | Affect system registries | rule | win_registry | ||||||
description | Affect system token | rule | win_token | ||||||
description | Affect private profile | rule | win_private_profile | ||||||
description | Affect private profile | rule | win_files_operation | ||||||
description | Match Winsock 2 API library declaration | rule | Str_Win32_Winsock2_Library | ||||||
description | Match Windows Inet API library declaration | rule | Str_Win32_Wininet_Library | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Affect hook table | rule | win_hook |
com_class | wscript.shell | May attempt to create new processes |
Elastic | malicious (high confidence) |
MicroWorld-eScan | VBA.Heur.ObfDldr.25.F7CECC24.Gen |
Sangfor | Malware.Generic-Macro.Save.6ef38ef4 |
Symantec | ISB.Downloader!gen60 |
Kaspersky | HEUR:Trojan-Downloader.Script.Generic |
BitDefender | VBA.Heur.ObfDldr.25.F7CECC24.Gen |
NANO-Antivirus | Trojan.Script.MLW.dnxmyp |
Rising | Malware.ObfusVBA@ML.99 (VBA) |
Ad-Aware | VBA.Heur.ObfDldr.25.F7CECC24.Gen |
TACHYON | Suspicious/WOX.Obfus.Gen.8 |
F-Secure | Heuristic.HEUR/Macro.Downloader.AMGY.Gen |
TrendMicro | HEUR_VBA.D |
McAfee-GW-Edition | BehavesLike.Downloader.mc |
FireEye | VBA.Heur.ObfDldr.25.F7CECC24.Gen |
Emsisoft | VBA.Heur.ObfDldr.25.F7CECC24.Gen (B) |
SentinelOne | Static AI - Malicious OPENXML |
GData | VBA.Heur.ObfDldr.25.F7CECC24.Gen |
Avira | HEUR/Macro.Downloader.AMGY.Gen |
Arcabit | VBA.Heur.ObfDldr.25.F7CECC24.Gen |
ZoneAlarm | HEUR:Trojan-Downloader.Script.Generic |
Cynet | Malicious (score: 85) |
MAX | malware (ai score=82) |
Zoner | Probably Heur.W97Obfuscated |
ESET-NOD32 | VBA/Obfuscated.C |
Tencent | Heur.Macro.Generic.h.c64c34a1 |
Fortinet | WM/Agent.AYS!tr |
Qihoo-360 | virus.office.obfuscated.1 |
payload_url | https://fort-communications.com/view/user/license.key |