Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 3, 2021, 9:16 a.m.	June 3, 2021, 9:18 a.m.

Size	793.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: gillnetters auxiliar, Subject: pointed commoned, Author: jellygraphed quiet, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jun 2 11:14:12 2021, Last Saved Time/Date: Wed Jun 2 11:14:13 2021, Security: 0
MD5	`d24d609e6ac612f69030bfc3695e6aad`
SHA256	`7b14612ff42c9c8e8abdc45ca2d55abf3ccb523e5787e62b91a2cf2c2a289890`
CRC32	`79E6BDC8`
ssdeep	`24576:WWGuTsXFlLsNPVoAMoWJaCgzYiDomDZqYYS8:ZGuT6nutdNWJaCgHDogeS8`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Malicious_Packer_Zero - Malicious Packer Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" "C:\Users\test22\AppData\Local\Temp\PO 825468.xls"
1896

Name	Response	Post-Analysis Lookup
bwcreativestudio.com	A 51.79.223.113	51.79.223.113
zabalit.com	A 82.223.12.53	82.223.12.53
sunshineserviceproviders.com	A 192.185.145.128	192.185.145.128
arboretsens72.fr	A 5.135.136.199	5.135.136.199

IP Address	Status	Action
164.124.101.2	Active	Moloch
192.185.145.128	Active	Moloch
5.135.136.199	Active	Moloch
51.79.223.113	Active	Moloch
82.223.12.53	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.185.145.128:443 -> 192.168.56.101:49206	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49205 -> 192.185.145.128:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49204 -> 192.185.145.128:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 51.79.223.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 51.79.223.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 51.79.223.113:443 -> 192.168.56.101:49210	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49213 -> 82.223.12.53:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 5.135.136.199:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49213 82.223.12.53:443	C=US, O=Let's Encrypt, CN=R3	CN=zabalit.com	68:74:6b:78:2c:ef:e5:1b:91:7b:59:11:77:d9:4b:f5:59:d1:74:64
TLSv1 192.168.56.101:49212 5.135.136.199:443	C=US, O=Let's Encrypt, CN=R3	CN=arboretsens72.fr	0e:d2:c6:54:ff:de:f0:f2:23:87:af:97:bd:ae:4c:eb:da:97:2e:ad

Performs some HTTP requests (2 events)

request	GET https://arboretsens72.fr/wp-content/themes/twentyseventeen/template-parts/footer/X8FJlzkyXi8ixjn.php
request	GET https://zabalit.com/wp-content/plugins/wordpress-seo/css/dist/3IR10ztB.php

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d9f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d9e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d9a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d991000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d911000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d8f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d8b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 9:16 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates suspicious VBA object (1 event)

com_class

Wscript.Shell

May attempt to create new processes

One or more non-whitelisted processes were created (1 event)

parent_process

excel.exe

martian_process

"C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Roaming\62086.dll" OfflineFilesStart

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Elastic	malicious (moderate confidence)
FireEye	VB:Trojan.Valyria.4515
Arcabit	HEUR.VBA.Trojan.d
Cyren	X97M/Agent.WF.gen!Eldorado
Avast	VBS:Dropper-QF [Trj]
BitDefender	VB:Trojan.Valyria.4515
MicroWorld-eScan	VB:Trojan.Valyria.4515
Ad-Aware	VB:Trojan.Valyria.4515
VIPRE	LooksLike.Macro.Malware.gen!x1 (v)
TrendMicro	HEUR_VBA.OE
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.bb
Emsisoft	VB:Trojan.Valyria.4515 (B)
Microsoft	Trojan:Win32/Dridex!ml
GData	VB:Trojan.Valyria.4515
TACHYON	Suspicious/X97M.Obfus.Gen.6
ALYac	VB:Trojan.Valyria.4515
MAX	malware (ai score=81)
Zoner	Probably Heur.W97Obfuscated
Rising	Malware.ObfusVBA@ML.99 (VBA)
SentinelOne	Static AI - Suspicious OLE
Fortinet	VBA/Agent.WCP!tr.dldr
AVG	VBS:Dropper-QF [Trj]

Office document performs HTTP request (possibly to download malware) (1 event)

payload_url

https://sunshineserviceproviders.com/wp-content/plugins/w2dc/templates/categories/WS3E2S2dTX7hx.php

The process excel.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\rundll32.exe

PO 825468.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All