URL Details

URL
http://wnxelsiizfsa.com/

Score

This url shows some signs of potential malicious behavior.

The score of this url is 1.4 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
URL March 6, 2019, 6:50 a.m. March 6, 2019, 6:56 a.m. 344 seconds

Machine

Name Label Started On Shutdown On
win7x64 win7x64 2019-03-06 06:50:27 2019-03-06 06:56:11

Analyzer Log

2019-03-05 22:50:25,062 [analyzer] DEBUG: Starting analyzer from: C:\blxutjd
2019-03-05 22:50:25,217 [analyzer] DEBUG: Pipe server name: \\.\PIPE\WEvXfgbKwbjMtmDBXLdzxXdSwwYlxqg
2019-03-05 22:50:25,217 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\ftUjMbzyBCRSoGXLbmRMfKajEExBMQsZ
2019-03-05 22:50:26,871 [analyzer] DEBUG: Started auxiliary module Disguise
2019-03-05 22:50:27,167 [analyzer] DEBUG: Loaded monitor into process with pid 508
2019-03-05 22:50:27,184 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-03-05 22:50:27,184 [analyzer] DEBUG: Started auxiliary module Human
2019-03-05 22:50:27,184 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-03-05 22:50:27,184 [analyzer] DEBUG: Started auxiliary module Reboot
2019-03-05 22:50:27,433 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-03-05 22:50:27,433 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2019-03-05 22:50:27,433 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-03-05 22:50:28,213 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Microsoft Office\\Office12\\WINWORD.EXE' with arguments ['http://wnxelsiizfsa.com/'] and pid 2308
2019-03-05 22:50:31,676 [analyzer] DEBUG: Loaded monitor into process with pid 2308
2019-03-05 22:50:36,325 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Temp\72992.od
2019-03-05 22:50:41,255 [analyzer] INFO: Added new file to list with pid 2308 and path C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat
2019-03-05 22:50:43,095 [analyzer] DEBUG: Ignoring Office process C:\Windows\splwow64.exe 12288!
2019-03-05 22:50:45,638 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Roaming\Microsoft\Office\MSO1033.acl
2019-03-05 22:51:05,543 [analyzer] INFO: Added new file to list with pid 2308 and path \Device\NamedPipe\DAV RPC SERVICE
2019-03-05 22:51:32,782 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
2019-03-05 22:51:32,828 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\~$ilding Blocks.dotx
2019-03-05 22:51:33,046 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\41A8FBC7.gif
2019-03-05 22:51:33,108 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4055131C.gif
2019-03-05 22:51:33,155 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2B315825-71E6-4607-AB11-17F4984F8D29}.tmp
2019-03-05 22:51:33,233 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C8054DB5-BFBD-4FEC-9C87-FB152310DEE2}.tmp
2019-03-05 22:51:33,250 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7AB206D.gif
2019-03-05 22:51:33,296 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3E5FEFCC-7020-4948-B965-33D62AB6DA58}.tmp
2019-03-05 22:51:33,358 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD41138A.gif
2019-03-05 22:51:33,421 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7290FA03.gif
2019-03-05 22:51:33,483 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF44E428.jpeg
2019-03-05 22:51:33,515 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoFD23.tmp
2019-03-05 22:51:33,515 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoFD24.tmp
2019-03-05 22:51:34,372 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
2019-03-05 22:54:30,653 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-03-05 22:55:40,572 [lib.common.results] ERROR: Exception uploading file c:\users\zamen\appdata\local\temp\tmp8n_mt7 to host: [Errno 9] Bad file descriptor
2019-03-05 22:55:40,604 [lib.api.process] INFO: Memory dump of process with pid 2308 completed
2019-03-05 22:55:40,604 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-03-05 22:55:40,604 [lib.api.process] INFO: Successfully terminated process with pid 2308.
2019-03-05 22:55:40,697 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\bd41138a.gif'" does not exist, skip.
2019-03-05 22:55:40,713 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\4055131c.gif'" does not exist, skip.
2019-03-05 22:55:40,743 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\7ab206d.gif'" does not exist, skip.
2019-03-05 22:55:40,743 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\ff44e428.jpeg'" does not exist, skip.
2019-03-05 22:55:40,775 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\7290fa03.gif'" does not exist, skip.
2019-03-05 22:55:40,775 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\41a8fbc7.gif'" does not exist, skip.
2019-03-05 22:55:40,775 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\dav rpc service'" does not exist, skip.
2019-03-05 22:55:40,790 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\msofd24.tmp'" does not exist, skip.
2019-03-05 22:55:40,805 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\msofd23.tmp'" does not exist, skip.
2019-03-05 22:55:40,805 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-03-06 06:50:27,447 [lib.cuckoo.core.scheduler] INFO: Task #1380: acquired machine win7x64 (label=win7x64)
2019-03-06 06:50:27,473 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 2185 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/1380/dump.pcap)
2019-03-06 06:50:48,109 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2019-03-06 06:56:07,338 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2019-03-06 06:56:08,976 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2019-03-06 06:56:16,518 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-03-06 06:56:24,725 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937e1f2510>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-06 06:56:24,782 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937e1f2850>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-06 06:56:24,828 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.013s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937e1f22d0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-06 06:56:24,852 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937e1f2510>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-06 06:56:24,859 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937e1f2510>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937e1f2510>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)
cve CVE-2013-3906
Generates some ICMP traffic

Screenshots

No screenshots available.

Network

DNS

Name Response Post-Analysis Lookup
wnxelsiizfsa.com
javadl-esd-secure.oracle.com 23.14.119.135

Hosts

No hosts contacted.

Summary

Process WINWORD.EXE (2308)

  • Opened files

    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\History\History.IE5\
    • C:\Windows\AppPatch\sysmain.sdb
    • C:\
    • C:\Windows\SysWOW64\wininet.dll
    • C:\Users\zamen\AppData\Roaming\Microsoft\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF44E428.jpeg
    • C:\Program Files (x86)\Microsoft Office\Office12\WWLIB.DLL
    • C:\Program Files (x86)\Microsoft Office\Office12\Document Parts\1033\Building Blocks.dotx
    • \device\webdavredirector
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\Cookies\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Word\STARTUP\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Network\Connections\Pbk\
    • C:\Users\zamen\Desktop\desktop.ini
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
    • \\?\PIPE\DAV RPC SERVICE
    • C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\1033\MSO.ACL
    • C:\Users\zamen\AppData\
    • C:\Program Files (x86)\Microsoft Office\Office12\Document Parts\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
    • \??\FDC#GENERIC_FLOPPY_DRIVE#6&3b4c39bd&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD41138A.gif
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4055131C.gif
    • C:\Users\zamen\AppData\Roaming\Microsoft\Proof\
    • C:\Users\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
    • C:\ProgramData\Microsoft\OFFICE\DATA\OPA12.BAK
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\
    • C:\Program Files (x86)\Microsoft Office\Office12\
    • C:\Users\zamen\AppData\Roaming
    • C:\Windows\SysWOW64\shell32.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\msproof6.dll
    • C:\Windows\WindowsShell.Manifest
    • C:\Users
    • C:\Windows\SysWOW64\en-US\urlmon.dll.mui
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\RICHED20.DLL
    • C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
    • C:\Windows\System32\cryptui.dll
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks
    • C:\Users\zamen\AppData\Roaming\
    • C:\Program Files (x86)\Microsoft Office\Office12\STARTUP\
    • C:\Users\desktop.ini
    • C:\Program Files (x86)\
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\
    • C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat
    • C:\ProgramData\Microsoft\OFFICE\DATA\
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\MSO.DLL
    • C:\Program Files (x86)\Microsoft Office\Office12\ID_00030.DPC
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
    • C:\Program Files (x86)\Microsoft Office\Office12\MSPUB.EXE
    • C:\Windows\System32\davhlpr.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\Document Parts\1033\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    • C:\Users\zamen\AppData
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\
    • C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
    • C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    • C:\Users\zamen\AppData\Local\Microsoft\Office\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Templates\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    • C:\Program Files (x86)\Microsoft Office\Office12\MSOHEV.DLL
    • C:\Windows\Globalization\Sorting\sortdefault.nls
    • C:\Program Files (x86)\Microsoft Office\Office12\WORD.PIP
    • C:\Program Files (x86)\Common Files\Microsoft Shared\
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\OGL.DLL
    • C:\Windows\Fonts\staticcache.dat
    • C:\Program Files (x86)\Microsoft Office\Office12\OART.DLL
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7290FA03.gif
    • C:\Users\zamen
    • C:\Users\zamen\AppData\Local\Temp\CVR1B9A.tmp
    • C:\Windows\System32\rsaenh.dll
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7AB206D.gif
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Cultures\OFFICE.ODF
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\41A8FBC7.gif
    • C:\Users\zamen\AppData\Roaming\Microsoft
    • C:\Users\zamen\
    • C:\Windows\System32\ras\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO
  • Written files

    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7290FA03.gif
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD41138A.gif
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4055131C.gif
    • C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2B315825-71E6-4607-AB11-17F4984F8D29}.tmp
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7AB206D.gif
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF44E428.jpeg
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C8054DB5-BFBD-4FEC-9C87-FB152310DEE2}.tmp
    • \\?\PIPE\DAV RPC SERVICE
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3E5FEFCC-7020-4948-B965-33D62AB6DA58}.tmp
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\41A8FBC7.gif
    • C:\Users\zamen\AppData\Roaming\Microsoft\Office\MSO1033.acl
    • C:\Users\zamen\AppData\Local\Temp\72992.od
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoFD24.tmp
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\~$ilding Blocks.dotx
    • C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoFD23.tmp

  • DLLs Loaded

    • netutils.dll
    • API-MS-Win-Security-LSALookup-L1-1-0.dll
    • DNSAPI.dll
    • UxTheme.dll
    • C:\Windows\system32\ole32.dll
    • dwmapi.dll
    • C:\Windows\system32\uxtheme.dll
    • MPR.DLL
    • API-MS-WIN-Service-Management-L2-1-0.dll
    • wwlib.dll
    • SspiCli.dll
    • ole32.dll
    • SHLWAPI.dll
    • USER32.dll
    • RASMAN.DLL
    • VERSION.DLL
    • WININET.DLL
    • C:\Program Files (x86)\Common Files\Microsoft Shared\office12\riched20.dll
    • WTSAPI32.DLL
    • C:\Windows\System32\mswsock.dll
    • SHELL32.dll
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
    • C:\Windows\System32\wship6.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\MSOHEV.DLL
    • HLINK.DLL
    • C:\Windows\SysWOW64\KERNEL32.DLL
    • rpcrt4.dll
    • C:\Windows\System32\wshtcpip.dll
    • IMM32.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\1033\wwintl.dll
    • C:\Windows\System32\drprov.dll
    • urlmon.dll
    • C:\Program Files (x86)\Common Files\Microsoft Shared\office12\1033\MSOINTL.DLL
    • WINSTA.dll
    • kernel32.dll
    • CRYPTBASE.dll
    • Netapi32.DLL
    • C:\Windows\system32\napinsp.dll
    • C:\Windows\system32\apphelp.dll
    • shlwapi.dll
    • URLMON.DLL
    • UxTheme.DLL
    • Comctl32.dll
    • C:\Windows\System32\fwpuclnt.dll
    • rtutils.dll
    • IPHLPAPI.DLL
    • RASAPI32.dll
    • winspool.drv
    • profapi.dll
    • comctl32.dll
    • SETUPAPI.dll
    • C:\Windows\system32\kernel32.dll
    • VERSION.dll
    • RpcRtRemote.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\msproof6.dll
    • Winspool.DRV
    • C:\Program Files (x86)\Common Files\Microsoft Shared\office12\mso.dll
    • C:\Windows\system32\rsaenh.dll
    • Shlwapi.DLL
    • iphlpapi
    • C:\Windows\SysWOW64\ADVAPI32.DLL
    • C:\Windows\syswow64\MSCTF.dll
    • CRYPTSP.dll
    • API-MS-WIN-Service-winsvc-L1-1-0.dll
    • sensapi.dll
    • C:\Windows\system32\normaliz.dll
    • C:\Windows\system32\NLAapi.dll
    • mso.dll
    • ADVAPI32.dll
    • C:\Windows\System32\davclnt.dll
    • WS2_32.dll
    • gdi32.DLL
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\OGL.DLL
    • imm32.dll
    • ntmarta.dll
    • C:\Windows\system32\mscoree.dll
    • API-MS-WIN-Service-Management-L1-1-0.dll
    • rasadhlp.dll
    • C:\Windows\System32\ntlanman.dll
    • dnsapi
    • OLEAUT32.DLL
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\MSORES.DLL
    • DwmApi.DLL
    • API-MS-Win-Security-SDDL-L1-1-0.dll
    • C:\Windows\system32\pnrpnsp.dll
    • MSO.dll
    • version.dll
    • wininet.dll
    • Kernel32.DLL
    • OLEAUT32.dll
    • RPCRT4.dll
    • SHLWAPI.DLL
    • C:\Windows\System32\winrnr.dll
    • cryptui.dll
    • ws2_32
    • C:\Windows\system32\mswsock.dll
    • SHELL32.DLL
    • Shlwapi.dll
    • Normaliz.dll

No static analysis available.
No antivirus signatures available.

Process Tree

WINWORD.EXE, PID: 2308, Parent PID: 2284

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

TCP

Source Source Port Destination Destination Port
192.168.128.109 49161 192.168.128.112 139
192.168.128.109 49162 192.168.128.112 139

UDP

Source Source Port Destination Destination Port
192.168.128.109 50522 192.168.128.111 53
192.168.128.109 60037 192.168.128.111 53
192.168.128.109 60112 192.168.128.111 53
192.168.128.109 65476 192.168.128.111 53
192.168.128.109 137 192.168.128.255 137
192.168.128.109 138 192.168.128.255 138
192.168.128.109 50839 224.0.0.252 5355
192.168.128.109 52096 224.0.0.252 5355
192.168.128.109 53446 224.0.0.252 5355
192.168.128.112 137 192.168.128.109 137
192.168.128.112 5355 192.168.128.109 50839
192.168.128.112 5355 192.168.128.109 53446

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.128.109 192.168.128.112 3

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped Files

Name 4bb7acdcc7a632ac_~$ilding blocks.dotx
Filepath C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\~$ilding Blocks.dotx
Size 162.0B
Processes 2308 (WINWORD.EXE)
Type data
MD5 e1511f37b2a7a9a9a98ab011c59ed8b9
SHA1 6dbccbe61dd629681942c60b5342010663e2c0ff
SHA256 4bb7acdcc7a632acb1246e5b5e6df55673dc3b14875364cb45172672b218ff81
CRC32 2BCAB543
ssdeep 3:fBplxl/Zlxl/vHlBgXl:fJ3HlBgX
Yara None matched
VirusTotal Search for analysis

Name 48722ea4ddc90df7_~wrs{3e5fefcc-7020-4948-b965-33d62ab6da58}.tmp
Filepath C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3E5FEFCC-7020-4948-B965-33D62AB6DA58}.tmp
Size 1.0KB
Processes 2308 (WINWORD.EXE)
Type data
MD5 61eebef3073e30cb5efb2a9dd67d57a6
SHA1 b57e550ffa8716807b25c18d444962efb6a2aaef
SHA256 48722ea4ddc90df7c49b8841d2073dfa15814fc75c8a07a7605b44105b5cc9b5
CRC32 9B0ADC44
ssdeep 24:GNwSNNNwwwwwvwwwwwwwwwwwwwwwNNwwNwulHHq+H:GNwSNNNwwwwwvwwwwwwwwwwwwwwwNNwa
Yara None matched
VirusTotal Search for analysis

Name 6e9bd1e5638d48c1_building blocks.dotx
Filepath C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
Size 314.8KB
Processes 2308 (WINWORD.EXE)
Type Microsoft Word 2007+
MD5 89e2626a866bc9a18da185e35228a404
SHA1 4bc5718e114fa9cd2d60af37ba3d58d382ed18da
SHA256 6e9bd1e5638d48c1219c2312b67f2134ff404ab9f9644431df9b3b33ec33de66
CRC32 9DF23CE3
ssdeep 6144:nxl82xfVaZUt2Km7Jh+u0O7Ss5SuSfNaEf1e/PR5Oa52G0jlE0:n78+VamMKicBO7SaSuSx85Oa5CR
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers1 - Looks for big numbers 32:sized
VirusTotal Search for analysis

Name b2b926aa27d8d860_~wrs{c8054db5-bfbd-4fec-9c87-fb152310dee2}.tmp
Filepath C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C8054DB5-BFBD-4FEC-9C87-FB152310DEE2}.tmp
Size 1.5KB
Processes 2308 (WINWORD.EXE)
Type data
MD5 e9a407f268f6b601adec60b1421c90b6
SHA1 7df7d3b8c63f2c3fdc8e6c0acc26fefbe5b214a3
SHA256 b2b926aa27d8d860e38a51aa640a39eee79244d960ae148c36153f1e8f46c6c5
CRC32 5090F353
ssdeep 3:Nzyxwnml0baZ4PON8DCBPl7l2xllVlzlpDll3/J/jvfllZtLQXZlhlhlhlZ/Z/nS:NmWmG2GW2GJxl2oXlgdRpj4W
Yara None matched
VirusTotal Search for analysis

Name b3d510ef04275ca8_custom.dic
Filepath C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Size 2.0B
Processes 2308 (WINWORD.EXE)
Type Little-endian UTF-16 Unicode text, with no line terminators
MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
CRC32 88F83096
ssdeep 3:Qn:Qn
Yara None matched
VirusTotal Search for analysis

Name 0dee4e8964923c1c_72992.od
Filepath C:\Users\zamen\AppData\Local\Temp\72992.od
Size 134.0B
Processes 2308 (WINWORD.EXE)
Type ASCII text, with CRLF line terminators
MD5 24b4f5b94f21e8e8244ee83dfcef656e
SHA1 f674149dab4fe6505fb30c51b4f4e60256b229ab
SHA256 0dee4e8964923c1c87401d28ecec1c8e22bb6f96a40a96b6dc3fef30a9226d95
CRC32 F72FA1CA
ssdeep 3:OFrpRCMKLovyafNREalYEBicIEcK99wWfSAfwB7GNReav:OKMKcaaYal1b/9trII6k
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers0 - Looks for big numbers 20:sized
VirusTotal Search for analysis

Name 516fb627008cde5d_mso1033.acl
Filepath C:\Users\zamen\AppData\Roaming\Microsoft\Office\MSO1033.acl
Size 36.9KB
Processes 2308 (WINWORD.EXE)
Type data
MD5 6b489e95aabbab418e7983c41006c522
SHA1 c78282a2097b696538f96d475e14df281854d5f4
SHA256 516fb627008cde5d2c07e8fb474757e7852a752c32943fefe33ee7f85c5a3146
CRC32 F8DE2631
ssdeep 768:WatNbFeZKdogeyHMOeYhYVi+iOFOwbPXdEma1b:B/eLAhYVzbw
Yara None matched
VirusTotal Search for analysis

Name d7584156dd713bbd_~wrs{2b315825-71e6-4607-ab11-17f4984f8d29}.tmp
Filepath C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2B315825-71E6-4607-AB11-17F4984F8D29}.tmp
Size 158.0KB
Processes 2308 (WINWORD.EXE)
Type data
MD5 52704c3833a9d2b3978ff1c2b0c36c52
SHA1 0ed4c53e1f8fb59586e20da76493dcb788bad2c5
SHA256 d7584156dd713bbd2bedd787c1affecf43a946ef1876967d88c381f759eadf11
CRC32 04DC38B2
ssdeep 1536:jSY4QLnmYthBRrA3p7XV5g69jFBPEAN0fq:jWQZabcQ
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
VirusTotal Search for analysis

Name 3d5bc0c3c759609b_opa12.dat
Filepath C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat
Size 8.0KB
Processes 2308 (WINWORD.EXE)
Type data
MD5 0e7e24ed21bd5da96b0d882d5a043ad4
SHA1 543bba04369e50dfb74d27d24e1069810a5707ea
SHA256 3d5bc0c3c759609b3637e8efb7508600ec8a175e601779916097537c80092f2d
CRC32 E4BF56FA
ssdeep 192:12xaaUyse71abxl0fatpNnxa/2WvVJBZHp5isu/dY/tBNLqu5Xw2a:12x3slgatpNnxZGplu1Yte2ba
Yara None matched
VirusTotal Search for analysis

Sorry! No dropped buffers.

Task ID 1380
Mongo ID 5c7fb57111d30812ab7206c2
Cuckoo release 2.0-dev