Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 6, 2021, 4:38 p.m.	April 6, 2021, 4:40 p.m.

Size	219.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Last Saved By: DELL, Last Printed: Fri Jun 22 03:15:57 2012, Last Saved Time/Date: Fri Jun 22 03:16:00 2012, Security: 0
MD5	`f1ffa12c53c606c2e0ff11933f15ccc1`
SHA256	`bd69c3f206a5cfd93246c8fdf8e694158285fc376f26236775c8c055e0c7407a`
CRC32	`32CDC466`
ssdeep	`3072:7g4yMDdWsk8JofSiPt3aCPKuTggt6iiRvBkWVbrzQ7IT81Z/p4tv2aK:s4yg5Kt3OusZbkF4t`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_Document_Zero - Microsoft Office Document Signature Zero

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\2012062508550176.xls
2648
- cmd.exe C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  1444
  - attrib.exe attrib -S -h "C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    2696
- cmd.exe C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2624
- cmd.exe C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  1452
- wscript.exe "C:\Windows\System32\wscript.exe" E:\KK\2012062508550176_Search.vbs
  2032

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 6, 2021, 2:43 p.m.	buffer: C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\k4.xls console_handle: 0x00000007	1	1
WriteConsoleW April 6, 2021, 2:43 p.m.	buffer: The process cannot access the file because it is being used by another process. console_handle: 0x0000000b	1	1
WriteConsoleW April 6, 2021, 2:43 p.m.	buffer: The directory name is invalid. console_handle: 0x0000000b	1	1

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 6, 2021, 2:43 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x766fd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x766f964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x766e4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x766e6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x766ee825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x766e6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x766e5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x766e49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x766e5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x773d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x773f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x773f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75737a25 wscript+0x2fbd @ 0xb82fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x76713ef4 registers.esp: 4585084 registers.edi: 0 registers.eax: 40209296 registers.ebp: 4585112 registers.edx: 1 registers.ebx: 0 registers.esi: 9141336 registers.ecx: 1845638620	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 6, 2021, 2:43 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x766fd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x766f964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x766e4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x766e6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x766ee825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x766e6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x766e5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x766e49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x766e5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x773d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x773f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x773f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75737a25
wscript+0x2fbd @ 0xb82fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x76713ef4
registers.esp: 4585084
registers.edi: 0
registers.eax: 40209296
registers.ebp: 4585112
registers.edx: 1
registers.ebx: 0
registers.esi: 9141336
registers.ecx: 1845638620

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f61000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 2:44 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 2:44 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 2:43 p.m.	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f492000 process_handle: 0xffffffff	1

Creates a suspicious process (3 events)

cmdline	C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
cmdline	C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
cmdline	C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
cmdline	C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
cmdline	attrib -S -h "C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"

Creates suspicious VBA object (1 event)

com_class

scRiPTinG.fiLEsysTeMoBjEcT

May attempt to write one or more files to the harddisk

One or more non-whitelisted processes were created (4 events)

parent_process	excel.exe	martian_process	C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
parent_process	excel.exe	martian_process	C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
parent_process	excel.exe	martian_process	"C:\Windows\System32\wscript.exe" E:\KK\2012062508550176_Search.vbs
parent_process	excel.exe	martian_process	C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\test22\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	X97M.Mailcab
Elastic	malicious (high confidence)
Cynet	Malicious (score: 85)
FireEye	X97M.Mailcab.A@mm
CAT-QuickHeal	X97M.Mailcab.A
McAfee	W97M/Downloader.bqa
VIPRE	Virus.MSExcel.Mailcab.a (v)
Sangfor	Malware
K7AntiVirus	Virus ( 000000001 )
K7GW	Virus ( 000000001 )
Arcabit	HEUR.VBA.CG.2
Invincea	XM97/MailCab-A
Cyren	X97M/MailCab.A
Symantec	XM.Mailcab@mm
TotalDefense	Mailcab.A
Baidu	MSExcel.Virus.Mailcab.b
TrendMicro-HouseCall	Virus.X97M.MAILCAB.A
Avast	MW97:Laroux-C
ClamAV	Xls.Trojan.Agent-36856
Kaspersky	Virus.MSExcel.Agent.f
BitDefender	X97M.Mailcab.A@mm
NANO-Antivirus	Virus.Macro.Agent.ssfat
ViRobot	X97M.Ecsys
MicroWorld-eScan	X97M.Mailcab.A@mm
Rising	Trojan.Script.VBS.Dole.g (CLASSIC)
Ad-Aware	X97M.Mailcab.A@mm
Emsisoft	X97M.Mailcab.A@mm (B)
Comodo	Worm.MSExcel.Mailcab.A@4pfaz9
F-Secure	Malware.X2000M/Agent.6489234
DrWeb	W97M.Keylog.1
TrendMicro	Virus.X97M.MAILCAB.A
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.dr
Sophos	XM97/MailCab-A
SentinelOne	DFI - Malicious OLE
Jiangmin	XF/Marker.Gen
Avira	X2000M/Agent.6489234
Antiy-AVL	Virus/MSExcel.ToDole.b
Microsoft	Virus:X97M/Mailcab.A
AegisLab	Virus.MSExcel.Agent.n!c
ZoneAlarm	Virus.MSExcel.Agent.f
GData	X97M.Mailcab.A@mm
TACHYON	Trojan/X97M.Mailcab
AhnLab-V3	X97M/Mailcab
ALYac	X97M.Mailcab.A@mm
MAX	malware (ai score=100)
ESET-NOD32	X97M/Mailcab.A
Tencent	OLE.Win32.Macro.700418
Ikarus	Trojan.VBS.Agent
Fortinet	VBA/Mailcab.A@mm
AVG	MW97:Laroux-C

2012062508550176.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All