Field | Value |
---|---|
Created | 2022.12.13 10:20 |
Machine | s1_win7_x6403 |
Filename | 241.docx |
Type | Microsoft Word 2007+ |
AI Score | Not found |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 31 detected (GenericKD, CVE-2017-0199, CVE-2020-1701, CVE20170199, VSNW09L22, Redline, equmby, Artemis, Detected, ai score=99, Embed, oleurl, HHC4JI, Malicious, score, External, S1942, Probably Heur, W97OleLink, ExtLink, CLASSIC, Groooboor) |
md5 | 587b90f5cf6b0776db453f4404022a98 |
sha256 | 737668f5569e69d5570e2dc3b5a93098a16c5e72cb02d95915603bcc9ce829d7 |
ssdeep | 192:ScIMmtP8ar5G/bfIdTOGnamWBX8ex6y30Wfx:SPXt4ATOGnosMFZ |
imphash | |
impfuzzy | |
Network IP location
Signature (18cnts)
Level | Description |
---|---|
danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | One or more non-whitelisted processes were created |
watch | Uses Sysinternals tools in order to add additional command line functionality |
watch | Zeus P2P (Banking Trojan) |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates (office) documents on the filesystem |
notice | Creates hidden or system file |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | MS_RTF_Suspicious_documents | Suspicious documents using RTF document OLE object | binaries (download) |
info | docx | Word 2007 file format detection | binaries (upload) |
info | Rich_Text_Format_Zero | Rich Text Format Signature Zero | binaries (download) |
Network (3cnts)
Suricata ids
ET INFO Dotted Quad Host DOC Request
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET HUNTING Microsoft Office User-Agent Requesting A Doc File
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Possible RTF File With Obfuscated Version Header