Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 14, 2021, 7:42 a.m.	April 14, 2021, 7:44 a.m.

Size	19.8KB
Type	Microsoft Word 2007+
MD5	`826864ae301ac28e4a146cfd90ec473e`
SHA256	`805556259778df2444b13ff0a96e5ad182afcc53e0cf6356a903f7758a7044ad`
CRC32	`FFFD5687`
ssdeep	`384:GpkrgXoqMBnWPGAFud451ygI1icuoAwOrYF/R5EuNpp:C+gXovBnW211hf5fEuNr`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\%c4%90%e1%bb%81%20C%c6%b0%c6%a1ng.docm
2332

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.77.9.151	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49200 -> 45.77.9.151:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 45.77.9.151:80 -> 192.168.56.101:49200	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 45.77.9.151:80 -> 192.168.56.101:49200	2014819	ET INFO Packed Executable Download	Misc activity
TCP 45.77.9.151:80 -> 192.168.56.101:49200	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.77.9.151:80 -> 192.168.56.101:49200	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 45.77.9.151:80 -> 192.168.56.101:49200	2022053	ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2	A Network Trojan was detected

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://45.77.9.151/443.dll

Performs some HTTP requests (1 event)

request

GET http://45.77.9.151/443.dll

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 14, 2021, 7:42 a.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 7:42 a.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 7:42 a.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c7c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 7:42 a.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c7b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 7:42 a.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c5c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 7:42 a.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c5c4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2021, 7:42 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2021, 7:42 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2021, 7:42 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2021, 7:42 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 7:42 a.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$4%90%e1%bb%81 C%c6%b0%c6%a1ng.docm

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 14, 2021, 7:42 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003ec filepath: C:\Users\test22\AppData\Local\Temp\~$4%90%e1%bb%81 C%c6%b0%c6%a1ng.docm desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$4%90%e1%bb%81 C%c6%b0%c6%a1ng.docm create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Word document hooks document open

Communicates with host for which no DNS query was performed (1 event)

host

45.77.9.151

Creates suspicious VBA object (1 event)

com_class

Microsoft.XMLHTTP

May attempt to connect to the outside world

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

BitDefender	VB:Trojan.Emeka.556
Arcabit	VB:Trojan.Emeka.556
Cyren	PP97M/Agent.OK.gen!Eldorado
Symantec	ISB.Downloader!gen60
ESET-NOD32	VBS/TrojanDownloader.Agent.NMQ
Baidu	VBA.Trojan-Downloader.Agent.dus
Avast	Script:SNH-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
NANO-Antivirus	Trojan.Script.Downloader.hzsrxx
MicroWorld-eScan	VB:Trojan.Emeka.556
Tencent	Heur.MSWord.Downloader.d
Ad-Aware	VB:Trojan.Emeka.556
Emsisoft	VB:Trojan.Emeka.556 (B)
DrWeb	W97M.DownLoader.2988
McAfee-GW-Edition	BehavesLike.Downloader.lc
FireEye	VB:Trojan.Emeka.556
Sophos	Troj/DocDl-D
SentinelOne	Static AI - Malicious OPENXML
GData	VB:Trojan.Emeka.556
Avira	HEUR/Macro.Downloader.AMAO.Gen
ZoneAlarm	HEUR:Trojan-Downloader.Script.Generic
TACHYON	Suspicious/WOX.Obfus.Gen.6
MAX	malware (ai score=89)
Zoner	Probably Heur.W97Obfuscated
Rising	Heur.Macro.Downloader.e (CLASSIC)
Fortinet	WM/Agent!tr
AVG	Script:SNH-gen [Trj]
Qihoo-360	virus.office.qexvmc.1085

Office document performs HTTP request (possibly to download malware) (1 event)

payload_url

http://45.77.9.151/443.dll

%c4%90%e1%bb%81%20C%c6%b0%c6%a1ng.docm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All