URL Details

URL
http://wnxelsiizfsa.com/

Score

This url shows some signs of potential malicious behavior.

The score of this url is 1.8 out of 10.

Please note: The scoring system is currently in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
URL March 6, 2019, 6:50 a.m. March 6, 2019, 6:56 a.m. 349 seconds

Machine

Name Label Started On Shutdown On
win7x32 win7x32 2019-03-06 06:50:26 2019-03-06 06:56:16

Analyzer Log

2019-03-05 22:50:25,030 [analyzer] DEBUG: Starting analyzer from: C:\hxbtlh
2019-03-05 22:50:25,030 [analyzer] DEBUG: Pipe server name: \\.\PIPE\xiTuOhTYSxhyOwbSF
2019-03-05 22:50:25,030 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\CxfsQzntWAkzDSTinagiWBwvuczMkTM
2019-03-05 22:50:28,900 [analyzer] DEBUG: Started auxiliary module Disguise
2019-03-05 22:50:29,226 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-03-05 22:50:29,226 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-03-05 22:50:29,289 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit ncrypt.dll (with timestamp 0x586e85bb)
2019-03-05 22:50:29,289 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit ncrypt.dll (with timestamp 0x586e85bb)
2019-03-05 22:50:29,289 [analyzer] DEBUG: Loaded monitor into process with pid 476
2019-03-05 22:50:29,289 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-03-05 22:50:29,289 [analyzer] DEBUG: Started auxiliary module Human
2019-03-05 22:50:29,289 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-03-05 22:50:29,289 [analyzer] DEBUG: Started auxiliary module Reboot
2019-03-05 22:50:29,382 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-03-05 22:50:29,398 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-03-05 22:50:29,742 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE' with arguments ['http://wnxelsiizfsa.com/'] and pid 2960
2019-03-05 22:50:30,256 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-03-05 22:50:30,256 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-03-05 22:50:30,569 [analyzer] DEBUG: Loaded monitor into process with pid 2960
2019-03-05 22:50:33,516 [analyzer] INFO: Added new file to list with pid 2960 and path C:\Users\admin\AppData\Local\Temp\143349.od
2019-03-05 22:50:37,058 [analyzer] INFO: Added new file to list with pid 2960 and path C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
2019-03-05 22:50:37,901 [analyzer] INFO: Added new file to list with pid 2960 and path C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BE762B20-E7EA-40D3-BEE1-E50F8CBA762E}.tmp
2019-03-05 22:51:03,063 [analyzer] INFO: Added new file to list with pid 2960 and path \Device\NamedPipe\DAV RPC SERVICE
2019-03-05 22:54:32,618 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-03-05 22:55:34,799 [analyzer] INFO: Added new file to list with pid 2960 and path \Device\NamedPipe\wkssvc
2019-03-05 22:55:38,684 [lib.common.results] ERROR: Exception uploading file c:\users\admin\appdata\local\temp\tmpkzg78z to host: [Errno 9] Bad file descriptor
2019-03-05 22:55:38,684 [lib.api.process] INFO: Memory dump of process with pid 2960 completed
2019-03-05 22:55:38,684 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-03-05 22:55:38,716 [lib.api.process] INFO: Successfully terminated process with pid 2960.
2019-03-05 22:55:38,716 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\wkssvc'" does not exist, skip.
2019-03-05 22:55:38,716 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\dav rpc service'" does not exist, skip.
2019-03-05 22:55:38,732 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-03-06 06:50:26,366 [lib.cuckoo.core.scheduler] INFO: Task #1381: acquired machine win7x32 (label=win7x32)
2019-03-06 06:50:26,392 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 2183 (interface=eth2, host=192.168.128.112, pcap=/opt/cuckoo/storage/analyses/1381/dump.pcap)
2019-03-06 06:50:37,105 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x32, ip=192.168.128.112)
2019-03-06 06:56:13,308 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2019-03-06 06:56:14,103 [lib.cuckoo.core.guest] INFO: win7x32: analysis completed successfully
2019-03-06 06:57:40,302 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-03-06 06:57:42,990 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f63f690>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-06 06:57:42,994 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f63fed0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-06 06:57:43,011 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f63f910>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-06 06:57:43,013 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f63f690>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-06 06:57:43,015 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f63f690>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f63f690>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Creates (office) documents on the filesystem (1 event)
file C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)
cve CVE-2013-3906
Generates some ICMP traffic

Network

DNS

Name Response Post-Analysis Lookup
wnxelsiizfsa.com
dns.msftncsi.com 131.107.255.255

Hosts

No hosts contacted.

Summary

Process WINWORD.EXE (2960)

  • Opened files

    • C:\Windows\System32
    • C:\Windows\AppPatch\sysmain.sdb
    • C:\
    • \\?\PIPE\wkssvc
    • C:\Windows\System32\en-US\tzres.dll.mui
    • C:\Windows\System32\en-US\USER32.dll.mui
    • C:\Users\admin\AppData\Roaming\Microsoft\Word\STARTUP\
    • C:\Windows\System32\spool\drivers\w32x86\3\msonpui.dll
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db
    • C:\Program Files\Microsoft Office\Office12\ID_00030.DPC
    • \\?\PIPE\DAV RPC SERVICE
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
    • C:\Windows\System32\en-US\MSCTF.dll.mui
    • C:\Program Files\Microsoft Office\Office12\msproof6.dll
    • \??\FDC#GENERIC_FLOPPY_DRIVE#6&3b4c39bd&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    • C:\ProgramData\Microsoft\OFFICE\DATA\OPA12.BAK
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Cultures\OFFICE.ODF
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\RICHED20.DLL
    • C:\Windows\WindowsShell.Manifest
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSO.DLL
    • C:\Users
    • C:\Windows\System32\oleacc.dll
    • C:\Program Files\Microsoft Office\Office12\
    • C:\Program Files\Microsoft Office\Office12\STARTUP\
    • C:\Windows\System32\rsaenh.dll
    • C:\Program Files\Common Files\Microsoft Shared\
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\OGL.DLL
    • C:\Windows\System32\shell32.dll
    • C:\Users\admin\AppData\Local\Temp\CVR2F78.tmp
    • C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat
    • C:\Users\desktop.ini
    • C:\Users\admin\AppData\Local\Microsoft\Office\
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\
    • C:\Program Files\Microsoft Office\Office12\WWLIB.DLL
    • \device\webdavredirector
    • C:\Program Files\
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\
    • C:\Program Files\Common Files\System\ado\msadox.dll
    • C:\Users\admin\AppData\Roaming\Microsoft\Office\Word12.pip
    • C:\Users\admin\Desktop\desktop.ini
    • C:\Users\admin\AppData\Roaming\Microsoft\Proof\
    • C:\Users\admin\AppData\Roaming
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
    • C:\Users\admin\AppData\Roaming\Microsoft\Templates\
    • C:\Windows\Globalization\Sorting\sortdefault.nls
    • C:\Users\admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    • C:\Users\admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    • C:\Windows\Fonts\staticcache.dat
    • C:\Windows\System32\davhlpr.dll
    • C:\Windows\System32\tzres.dll
    • C:\Users\admin\AppData\Roaming\Microsoft\Templates
    • C:\Program Files\Microsoft Office\Office12\OART.DLL
    • C:\Users\admin\AppData
    • C:\Windows\System32\en-US\MPR.dll.mui
    • C:\Users\admin
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
    • C:\Users\admin\AppData\Roaming\Microsoft
  • Written files

    • \\?\PIPE\DAV RPC SERVICE
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BE762B20-E7EA-40D3-BEE1-E50F8CBA762E}.tmp
    • C:\Users\admin\AppData\Local\Temp\143349.od
    • C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    • \\?\PIPE\wkssvc

  • DLLs Loaded

    • netutils.dll
    • API-MS-Win-Security-LSALookup-L1-1-0.dll
    • C:\Windows\system32\spool\DRIVERS\W32X86\3\msonpui.dll
    • DNSAPI.dll
    • dhcpcsvc6.DLL
    • C:\Windows\system32\ole32.dll
    • dwmapi.dll
    • C:\Windows\system32\uxtheme.dll
    • MPR.DLL
    • api-ms-win-downlevel-advapi32-l2-1-0.dll
    • API-MS-WIN-Service-Management-L2-1-0.dll
    • C:\Windows\system32\MSCTF.dll
    • wwlib.dll
    • UxTheme.DLL
    • API-MS-WIN-Service-winsvc-L1-1-0.dll
    • ole32.dll
    • SHLWAPI.dll
    • USER32.dll
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\OGL.DLL
    • VERSION.DLL
    • C:\Windows\system32\ADVAPI32.DLL
    • WININET.DLL
    • WTSAPI32.DLL
    • C:\Windows\System32\mswsock.dll
    • SHELL32.dll
    • C:\Windows\System32\wship6.dll
    • HLINK.DLL
    • UxTheme.dll
    • POWRPROF.dll
    • rpcrt4.dll
    • C:\Windows\System32\wshtcpip.dll
    • IMM32.dll
    • C:\Windows\System32\drprov.dll
    • urlmon.dll
    • WINSTA.dll
    • kernel32.dll
    • CRYPTBASE.dll
    • Netapi32.DLL
    • C:\Windows\system32\apphelp.dll
    • URLMON.DLL
    • api-ms-win-downlevel-ole32-l1-1-0.dll
    • Comctl32.dll
    • NETAPI32.dll
    • IPHLPAPI.DLL
    • profapi.dll
    • dhcpcsvc.DLL
    • comctl32.dll
    • SETUPAPI.dll
    • VERSION.dll
    • RpcRtRemote.dll
    • OLEAUT32.dll
    • C:\Program Files\Common Files\Microsoft Shared\office12\riched20.dll
    • C:\Windows\system32\rsaenh.dll
    • Shlwapi.DLL
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
    • CRYPTSP.dll
    • WinInet.dll
    • C:\Windows\system32\kernel32.dll
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSORES.DLL
    • C:\Windows\system32\normaliz.dll
    • mso.dll
    • C:\Windows\system32\KERNEL32.DLL
    • api-ms-win-downlevel-shlwapi-l2-1-0.dll
    • ADVAPI32.dll
    • C:\Windows\System32\davclnt.dll
    • WS2_32.dll
    • C:\Program Files\Common Files\Microsoft Shared\office12\1033\MSOINTL.DLL
    • imm32.dll
    • C:\Program Files\Microsoft Office\Office12\msproof6.dll
    • ntmarta.dll
    • C:\Windows\system32\mscoree.dll
    • API-MS-WIN-Service-Management-L1-1-0.dll
    • rasadhlp.dll
    • C:\Windows\System32\ntlanman.dll
    • KERNEL32.DLL
    • Secur32.dll
    • OLEAUT32.DLL
    • DwmApi.DLL
    • winhttp.dll
    • API-MS-Win-Security-SDDL-L1-1-0.dll
    • C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll
    • MSO.dll
    • C:\Program Files\Microsoft Office\Office12\1033\wwintl.dll
    • DWMAPI.DLL
    • Kernel32.DLL
    • Winspool.DRV
    • RPCRT4.dll
    • SHLWAPI.DLL
    • C:\Windows\system32\oleaut32.dll
    • gdi32.DLL
    • C:\Windows\system32\mswsock.dll
    • SHELL32.DLL
    • Shlwapi.dll

No static analysis available.
No antivirus signatures available.

Process Tree
WINWORD.EXE, PID: 2960, Parent PID: 2932

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

TCP

Source Source Port Destination Destination Port
192.168.128.102 1057 192.168.128.112 139
192.168.128.102 1060 192.168.128.112 139
192.168.128.109 49161 192.168.128.112 139
192.168.128.109 49162 192.168.128.112 139

UDP

Source Source Port Destination Destination Port
192.168.128.102 137 192.168.128.112 137
192.168.128.112 138 192.168.128.102 138
192.168.128.112 137 192.168.128.109 137
192.168.128.112 5355 192.168.128.109 50839
192.168.128.112 5355 192.168.128.109 53446
192.168.128.112 49254 192.168.128.111 53
192.168.128.112 50804 192.168.128.111 53
192.168.128.112 53921 192.168.128.111 53
192.168.128.112 56984 192.168.128.111 53
192.168.128.112 137 192.168.128.255 137
192.168.128.112 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.128.109 192.168.128.112 3

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name fd6881e56f42a0c6_~$normal.dotm
Filepath C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Size 162.0B
Processes 2960 (WINWORD.EXE)
Type data
MD5 58bd9fc7e71b0c6eea1dde7dcc6b987e
SHA1 01d02c6aeba8a8e11c3f62ffd5ef479735027323
SHA256 fd6881e56f42a0c658f45fd56293a1e8dedc2201f163e1ec3585b826cd7990de
CRC32 6058D0AD
ssdeep 3:fBplxl/ttZlvs09ln/mDCl/liJNG:fJ1tb00Hn/0mEa
Yara None matched
VirusTotal Search for analysis
Name 4826c0d860af884d_~wrs{be762b20-e7ea-40d3-bee1-e50f8cba762e}.tmp
Filepath C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BE762B20-E7EA-40D3-BEE1-E50F8CBA762E}.tmp
Size 1.0KB
Processes 2960 (WINWORD.EXE)
Type FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
MD5 5d4d94ee7e06bbb0af9584119797b23a
SHA1 dbb111419c704f116efa8e72471dd83e86e49677
SHA256 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
CRC32 23C03491
ssdeep 3:ol3lYdn:4Wn
Yara None matched
VirusTotal Search for analysis
Name d3c0949bf0ddd97a_143349.od
Filepath C:\Users\admin\AppData\Local\Temp\143349.od
Size 134.0B
Processes 2960 (WINWORD.EXE)
Type ASCII text, with CRLF line terminators
MD5 ef6f2d45f0372363b914f59580292920
SHA1 fb0ef8e333e3d4da1b1fc05abad1d53bf5616b21
SHA256 d3c0949bf0ddd97ad21c5e07c744271f5f114de01ba10bd2d90adcf7e44c21c5
CRC32 BB38CCCB
ssdeep 3:OFrpRCMKLovyafNREalYEotcXUsTTjKf1NAHrXIRX55dw1BucWn:OKMKcaaYalFX3TTjVHDaQWn
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers0 - Looks for big numbers 20:sized
VirusTotal Search for analysis
Sorry! No dropped buffers.
Task ID 1381
Mongo ID 5c7fb5b711d30812ab720752
Cuckoo release 2.0-dev