Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 21, 2021, 1:39 p.m.	May 21, 2021, 1:42 p.m.

Size	1.1MB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: MyPc, Template: Normal.dotm, Last Saved By: MyPc, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 20 10:16:00 2021, Last Saved Time/Date: Thu May 20 10:16:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0
MD5	`aecae614ceb5f5c3dac0e00c773acb6d`
SHA256	`a856857b48a4fc929504097cfdfde8d3ce54953995fff31b2a3adab28a994890`
CRC32	`31A3C3CD`
ssdeep	`24576:MEIjrPUaphvGvGUZ93/semhXp7AsW7aHESKbhweYkTfBR0:M/jhvGvGU93097AF7sESKyeYkTfB`
Yara	OS_Processor_Check_Zero - OS Processor Check Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\0520_2812845003972.doc
2444
- rundll32.exe rundll32.exe c:\users\test22\appdata\roaming\microsoft\word\startup\rem.r,ESLMJYVFMJX
  1456

Name	Response	Post-Analysis Lookup
api.ipify.org	A 50.19.242.215 CNAME nagano-19599.herokussl.com A 54.243.154.178 A 54.221.236.13 A 54.225.157.230 A 23.21.48.44 A 54.225.144.221 CNAME elb097307-934924932.us-east-1.elb.amazonaws.com A 23.21.76.253 A 54.235.175.90	54.225.157.230
vaethemanic.com	A 2.56.10.123	2.56.10.123
tembovewinated.ru	A 185.10.45.99	185.10.45.99
prournauseent.ru	A 176.9.248.145	176.9.248.145

IP Address	Status	Action
176.9.248.145	Active	Moloch
164.124.101.2	Active	Moloch
185.10.45.99	Active	Moloch
2.56.10.123	Active	Moloch
54.221.236.13	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49207 -> 54.221.236.13:80	2021997	ET POLICY External IP Lookup api.ipify.org	Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 21, 2021, 1:40 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 21, 2021, 1:40 p.m.			0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header	suspicious_request	POST http://vaethemanic.com/8/forum.php
suspicious_features	POST method with no referer header	suspicious_request	POST http://tembovewinated.ru/8/forum.php
suspicious_features	POST method with no referer header	suspicious_request	POST http://prournauseent.ru/8/forum.php

Performs some HTTP requests (4 events)

request	GET http://api.ipify.org/
request	POST http://vaethemanic.com/8/forum.php
request	POST http://tembovewinated.ru/8/forum.php
request	POST http://prournauseent.ru/8/forum.php

Sends data using the HTTP POST Method (3 events)

request	POST http://vaethemanic.com/8/forum.php
request	POST http://tembovewinated.ru/8/forum.php
request	POST http://prournauseent.ru/8/forum.php

Resolves a suspicious Top Level Domain (TLD) (2 events)

domain	tembovewinated.ru				description	Russian Federation domain TLD
domain	prournauseent.ru				description	Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (49 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 21, 2021, 1:39 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:39 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c9b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:39 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ca05000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:39 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c9a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:39 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c851000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b031000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b034000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b291000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x077a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b617000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b4e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b4a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b461000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b441000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b391000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72551000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b351000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b341000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c7b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b331000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b311000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b2e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b2d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b2b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b2a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b271000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b231000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c9a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c7a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b64a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 region_size: 77824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73730000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e74000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72472000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 1:40 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724e1000 process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$20_2812845003972.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile May 21, 2021, 1:39 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000198 filepath: C:\Users\test22\AppData\Local\Temp\~$20_2812845003972.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$20_2812845003972.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Word document hooks document open

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 21, 2021, 1:40 p.m.	flags: 0 family: 2	1	0	0

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Symantec	ISB.Suspexec!gen29
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Tencent	Heur.Macro.Generic.d.378f60c7
TrendMicro	HEUR_VBA.DE
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.tb
Sophos	Mal/EncPk-ABL
Ikarus	Trojan-Dropper.VBA.Agent
Microsoft	Program:Win32/Wacapew.C!ml
TACHYON	Suspicious/W97.NS.Gen
BitDefenderTheta	Gen:NN.ZedlaF.34690.Eu4@aKxQvvii

Creates suspicious VBA object (1 event)

com_class

Scripting.FileSystemObject

May attempt to write one or more files to the harddisk

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

rundll32.exe c:\users\test22\appdata\roaming\microsoft\word\startup\rem.r,ESLMJYVFMJX

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (2 events)

Time & API	Arguments	Status	Return	Repeated
HttpSendRequestA May 21, 2021, 1:41 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: GUID=8962251904648732308&BUILD=2005_mesbn&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)		0	0
HttpSendRequestA May 21, 2021, 1:41 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: GUID=8962251904648732308&BUILD=2005_mesbn&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)		0	0

The process winword.exe wrote an executable file to disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\fax.f

0520_2812845003972.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All