Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 27, 2021, 9:16 a.m.	May 27, 2021, 9:34 a.m.

Size	165.1KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Quo., Author: Alexandre Roux, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Sep 14 13:37:00 2020, Last Saved Time/Date: Mon Sep 14 13:37:00 2020, Number of Pages: 2, Number of Words: 5, Number of Characters: 33, Security: 0
MD5	`24c28c9b3777b278fb4f05fbd7241a16`
SHA256	`e695cf4e39039af0b68878c1304dd20739f3ef7d50b5f63ae1de4797b698abab`
CRC32	`67F13B9C`
ssdeep	`1536:CQ7a9307Q7a930krdi1Ir77zOH98Wj2gpng9+a9SLfSvMHgiji1NukBuwrB:PrfrzOH98ipg4uMAijeN/Buwl`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\z9rNC7mJo4hH
4884

Name	Response	Post-Analysis Lookup
susumiller.com	A 91.195.240.13	91.195.240.13
leadercleverinvestissement.com	A 46.182.4.120	46.182.4.120
www.leadercleverinvestissement.com	A 46.182.4.120	46.182.4.120
wordpress-330097-1043717.cloudwaysapps.com
laladiwanchandmodernwrestlingandyogacentre.com	A 68.66.226.86	68.66.226.86
kavensports.com	A 173.212.251.233	173.212.251.233
everhappen.com	A 165.22.107.214	165.22.107.214
ec2-52-56-233-157.eu-west-2.compute.amazonaws.com	A 52.56.233.157	52.56.233.157

IP Address	Status	Action
164.124.101.2	Active	Moloch
165.22.107.214	Active	Moloch
172.217.25.14	Active	Moloch
173.212.251.233	Active	Moloch
46.182.4.120	Active	Moloch
52.56.233.157	Active	Moloch
68.66.226.86	Active	Moloch
91.195.240.13	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://everhappen.com/wp-content/ja/
suspicious_features	GET method with no useragent header	suspicious_request	GET http://susumiller.com/wp-admin/1/
suspicious_features	GET method with no useragent header	suspicious_request	GET http://leadercleverinvestissement.com/wp-admin/Ud/
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.leadercleverinvestissement.com/wp-admin/Ud/
suspicious_features	GET method with no useragent header	suspicious_request	GET http://laladiwanchandmodernwrestlingandyogacentre.com/wp-content/yuI/
suspicious_features	GET method with no useragent header	suspicious_request	GET http://kavensports.com/wp-includes/o/

Performs some HTTP requests (6 events)

request	GET http://everhappen.com/wp-content/ja/
request	GET http://susumiller.com/wp-admin/1/
request	GET http://leadercleverinvestissement.com/wp-admin/Ud/
request	GET http://www.leadercleverinvestissement.com/wp-admin/Ud/
request	GET http://laladiwanchandmodernwrestlingandyogacentre.com/wp-content/yuI/
request	GET http://kavensports.com/wp-includes/o/

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 27, 2021, 9:16 a.m.	process_identifier: 4884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:16 a.m.	process_identifier: 4884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eb91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:16 a.m.	process_identifier: 4884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ebe5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:16 a.m.	process_identifier: 4884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x673a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:16 a.m.	process_identifier: 4884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:16 a.m.	process_identifier: 4884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e8f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:16 a.m.	process_identifier: 4884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e8f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:16 a.m.	process_identifier: 4884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2021, 9:16 a.m.	process_identifier: 4884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2021, 9:16 a.m.	process_identifier: 4884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2021, 9:16 a.m.	process_identifier: 4884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2021, 9:16 a.m.	process_identifier: 4884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:16 a.m.	process_identifier: 4884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile May 27, 2021, 9:16 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000198 filepath: C:\Users\test22\AppData\Local\Temp\~$rNC7mJo4hH desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$rNC7mJo4hH create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

52.56.233.157:80

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	VB:Trojan.VBA.Agent.BHI
FireEye	VB:Trojan.VBA.Agent.BHI
CAT-QuickHeal	W97M.Emotet.39118
ALYac	Trojan.Downloader.DOC.Gen
Sangfor	Trojan.Generic-VBS.Save.d74c8eff
K7AntiVirus	Trojan ( 0056e5251 )
K7GW	Trojan ( 0056e5251 )
Arcabit	VB:Trojan.VBA.Agent.BHI
Cyren	W97M/Downldr.IE.gen!Eldorado
Symantec	W97M.Downloader
ESET-NOD32	VBA/TrojanDownloader.Agent.UFY
TrendMicro-HouseCall	Trojan.W97M.EMOTET.SMBA1
Avast	Script:SNH-gen [Trj]
ClamAV	Doc.Downloader.Generic-9759989-0
Kaspersky	HEUR:Trojan.MSOffice.SAgent.gen
BitDefender	VB:Trojan.VBA.Agent.BHI
NANO-Antivirus	Trojan.Script.Downloader.hvpwfd
Tencent	Heur.Macro.Generic.f.495a2d2f
Ad-Aware	ATI:EmotetDOC.584AAFB4
TACHYON	Suspicious/W97M.Obfus.Gen.5
Sophos	Mal/DocDl-K
Comodo	Malware@#2zxzfk68ihn31
DrWeb	Exploit.Siggen2.36858
TrendMicro	Trojan.W97M.EMOTET.SMBA1
Emsisoft	Trojan-Downloader.Macro.Generic.AZ (A)
Ikarus	Trojan-Downloader.VBA.Emotet
Avira	W97M/Agent.5241213
Gridinsoft	Trojan.U.Agent.oa
Microsoft	TrojanDownloader:O97M/Emotet.CSK!MTB
AegisLab	Trojan.MSOffice.SAgent.4!c
GData	VB:Trojan.VBA.Agent.BHI
Cynet	Malicious (score: 99)
AhnLab-V3	Downloader/DOC.Emotet.S1294
McAfee	W97M/Downloader!24C28C9B3777
MAX	malware (ai score=100)
Zoner	Probably Heur.W97Obfuscated
Rising	Malware.ObfusVBA@ML.99 (VBA)
SentinelOne	Static AI - Malicious OLE
MaxSecure	Trojan.HEUR.Trojan.MSOffice.SAgent.gen
Fortinet	VBA/Agent.AUZ!tr.dldr
AVG	Script:SNH-gen [Trj]
Panda	O97M/Downloader

z9rNC7mJo4hH

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All