Summary | ZeroBOX

결의대회초안.doc

Image File Convert VBA_macro MSOffice File PNG Format
Category: FILE
Machine: s1_win7_x6401
Started: June 16, 2021, 9:16 a.m.
Completed: June 16, 2021, 9:18 a.m.
Size 396.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 949, Author: William, Template: Normal.dotm, Last Saved By: William, Revision Number: 87, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:42:00, Create Time/Date: Sun Feb 28 00:01:00 2021, Last Saved Time/Date: Fri Apr 2 00:34:00 2021, Number of Pages: 1, Number of Words: 220, Number of Characters: 1256, Security: 8
MD5 d5e974a3386fc99d2932756ca165a451
SHA256 0193bd8bcbce9765dbecb288d46286bdc134261e4bff1f3c1f772d34fe4ec695
CRC32 62126FD3
ssdeep 6144:vFIWx6yERMpGpKlBXyqSmkHPH7J0zQO557HWQINLpUTQB46d0J3uvAhsB7:vGkxERtKlBCd1DGjz72VpUsvd0J
Yara
  • VBMacro_Convert_Image_File_Zero - VBMacro Convert Image File
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address     Status  Action
164.124.101.2  Active  Moloch

The only address recorded, 164.124.101.2, is a public DNS resolver (LG DACOM, Korea), not a host the sample reached out to. Together with the empty Suricata sections below, this run produced no observable download or C2 traffic, even though most AV verdicts below label the macro a downloader; that is consistent with the payload being carried inside the document (see the image-conversion Yara hit and the Lazarus.Doc.BMPStegano verdict) rather than fetched during the two-minute run.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

Common to all 18 calls: process_identifier 2740, process_handle 0xffffffff (the current-process pseudo-handle), stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0; Status 1, Return 0, Repeated 0. Every call covers a single 4096-byte page and leaves it with protection 64 (PAGE_EXECUTE_READWRITE); the NtAllocateVirtualMemory calls use allocation_type 4096 (MEM_COMMIT).

API                      base_address  length / region_size  protection                    allocation_type
NtProtectVirtualMemory   0x6c9b1000    4096                  64 (PAGE_EXECUTE_READWRITE)   -
NtProtectVirtualMemory   0x6ca05000    4096                  64 (PAGE_EXECUTE_READWRITE)   -
NtProtectVirtualMemory   0x732d1000    4096                  64 (PAGE_EXECUTE_READWRITE)   -
NtProtectVirtualMemory   0x6c981000    4096                  64 (PAGE_EXECUTE_READWRITE)   -
NtProtectVirtualMemory   0x65001000    4096                  64 (PAGE_EXECUTE_READWRITE)   -
NtAllocateVirtualMemory  0x06480000    4096                  64 (PAGE_EXECUTE_READWRITE)   4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x06490000    4096                  64 (PAGE_EXECUTE_READWRITE)   4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x06490000    4096                  64 (PAGE_EXECUTE_READWRITE)   4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x064a0000    4096                  64 (PAGE_EXECUTE_READWRITE)   4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x064b0000    4096                  64 (PAGE_EXECUTE_READWRITE)   4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x06480000    4096                  64 (PAGE_EXECUTE_READWRITE)   4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x06490000    4096                  64 (PAGE_EXECUTE_READWRITE)   4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x06480000    4096                  64 (PAGE_EXECUTE_READWRITE)   4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x06490000    4096                  64 (PAGE_EXECUTE_READWRITE)   4096 (MEM_COMMIT)
NtProtectVirtualMemory   0x6b1b1000    4096                  64 (PAGE_EXECUTE_READWRITE)   -
NtProtectVirtualMemory   0x6b0f1000    4096                  64 (PAGE_EXECUTE_READWRITE)   -
NtProtectVirtualMemory   0x6b0f4000    4096                  64 (PAGE_EXECUTE_READWRITE)   -
NtProtectVirtualMemory   0x507c1000    4096                  64 (PAGE_EXECUTE_READWRITE)   -

The allocations touch only four 64 KB-aligned bases, 0x06480000 (committed three times), 0x06490000 (four times), 0x064a0000 and 0x064b0000, so the same pages are re-committed rather than fresh memory obtained. The protect calls flip single pages to RWX at high addresses of the kind occupied by loaded modules, which is the pattern to hunt for in WINWORD.EXE telemetry rather than the individual addresses, which will differ per host.
file C:\Users\test22\AppData\Local\Temp\~$결의대회초안.doc
Time & API Arguments Status Return Repeated

Both NtCreateFile calls share: create_disposition 5 (FILE_OVERWRITE_IF), desired_access 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE), file_attributes 2 (FILE_ATTRIBUTE_HIDDEN), create_options 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT), share_access 0 (), status_info 2 (FILE_CREATED); Status 1, Return 0, Repeated 0.

API           file_handle  filepath (filepath_r is the same path under the \??\ prefix)
NtCreateFile  0x00000198   C:\Users\test22\AppData\Local\Temp\~$결의대회초안.doc
NtCreateFile  0x00000200   C:\Users\test22\AppData\Local\Temp\~$결의대회초안.htm

A hidden file named ~$<document name> beside the document is Word's own owner (lock) file, written by Word when it opens the document, not a payload dropped by the macro. The .htm twin indicates that a copy of the document was also opened or saved under that name during the run, which is consistent with the ADODB.Stream and image-conversion indicators elsewhere in this report but is not itself evidence of a dropped executable.
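A small triage parser for the records above, written as an added example for this page (it is not ZeroBOX or Cuckoo code). It reads the report's raw key: value record layout, counts RWX pages (protection 64) per API and per base address, flags bases that were committed more than once, and separates Word's hidden ~$ owner files from any other NtCreateFile targets. The embedded SAMPLE is a constructed subset of the two tables above with the constant fields dropped; treating a trailing Status of 1 as success follows the Cuckoo convention, and the function names are my own.

```python
import re
from collections import Counter

PAGE_EXECUTE_READWRITE = 0x40  # the report's "protection: 64"
FILE_ATTRIBUTE_HIDDEN = 0x02   # the report's "file_attributes: 2"

# Constructed input: a subset of the report's records in its raw "key: value" layout
# (fields that are constant across the report, such as process_handle, are omitted).
SAMPLE = r"""
NtProtectVirtualMemory
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c9b1000
1 0 0

NtAllocateVirtualMemory
region_size: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06480000
allocation_type: 4096 (MEM_COMMIT)
1 0 0

NtAllocateVirtualMemory
region_size: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06490000
allocation_type: 4096 (MEM_COMMIT)
1 0 0

NtAllocateVirtualMemory
region_size: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06490000
allocation_type: 4096 (MEM_COMMIT)
1 0 0

NtCreateFile
file_handle: 0x00000198
filepath: C:\Users\test22\AppData\Local\Temp\~$결의대회초안.doc
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
1 0 0

NtCreateFile
file_handle: 0x00000200
filepath: C:\Users\test22\AppData\Local\Temp\~$결의대회초안.htm
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
1 0 0
"""

API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]+$")  # a bare API name opens a record
TRAILER = re.compile(r"^(\d+) (\d+) (\d+)$")    # the "Status Return Repeated" row


def leading_int(value: str) -> int:
    """Numeric prefix of a report value: '64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x40' -> 64."""
    parts = value.split()
    token = parts[0] if parts else "0"
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def parse_calls(text: str) -> list:
    """Split the raw layout into dicts: {"api", "args", "status", "return", "repeated"}."""
    calls, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if API_NAME.match(line):
            cur = {"api": line, "args": {}, "status": -1, "return": 0, "repeated": 0}
            calls.append(cur)
        elif cur and (m := TRAILER.match(line)):
            cur["status"], cur["return"], cur["repeated"] = map(int, m.groups())
        elif cur and ": " in line:
            key, _, value = line.partition(": ")
            cur["args"][key] = value
    return calls


def triage(text: str) -> dict:
    """Apply the two triage rules (RWX memory, owner file vs. dropped file) to a report excerpt."""
    calls = parse_calls(text)
    rwx = {"NtAllocateVirtualMemory": Counter(), "NtProtectVirtualMemory": Counter()}
    owner_files, other_files = [], []
    for c in calls:
        if c["api"] in rwx and leading_int(c["args"].get("protection", "0")) == PAGE_EXECUTE_READWRITE:
            rwx[c["api"]][c["args"].get("base_address", "?")] += 1
        elif c["api"] == "NtCreateFile":
            path = c["args"].get("filepath", "")
            hidden = leading_int(c["args"].get("file_attributes", "0")) & FILE_ATTRIBUTE_HIDDEN
            # "~$<name>" with the hidden attribute is Word's own owner/lock file, not a drop
            is_owner = path.rsplit("\\", 1)[-1].startswith("~$") and bool(hidden)
            (owner_files if is_owner else other_files).append(path)
    allocs = rwx["NtAllocateVirtualMemory"]
    return {
        "calls": len(calls),
        "rwx_alloc_pages": sum(allocs.values()),
        "rwx_alloc_distinct_bases": len(allocs),
        "recommitted_bases": sorted(b for b, n in allocs.items() if n > 1),
        "rwx_protect_pages": sum(rwx["NtProtectVirtualMemory"].values()),
        "word_owner_files": owner_files,
        "dropped_files": other_files,
        "failed_calls": [c["api"] for c in calls if c["status"] != 1],  # Status 1 = success
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the full raw record text of a report and the recommitted_bases and dropped_files fields are the two that separate a genuinely interesting run from the noise Word produces on its own; the same parser accepts any Cuckoo-style API block, so it can be pointed at the NtCreateFile records of a different sample unchanged.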
com_class ADODB.Stream (may attempt to write one or more files to the hard disk)
cve CVE-2013-3906
Elastic malicious (high confidence)
MicroWorld-eScan VB:Trojan.Valyria.4372
FireEye VB:Trojan.Valyria.4372
CAT-QuickHeal Ole.Trojan.A1679054
ALYac Trojan.DOC.405504
Sangfor Trojan.Generic-Script.Save.58bfd89c
Cyren W97M/Agent.UT.gen!Eldorado
Symantec W97M.Downloader
ESET-NOD32 a variant of VBA/TrojanDownloader.Agent.UOE
TrendMicro-HouseCall TROJ_FRS.0NA103DT21
Avast SNH:Script [Dropper]
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender VB:Trojan.Valyria.4372
ViRobot W97M.S.Agent.405504
Ad-Aware ATI:Lazarus.Doc.BMPStegano.6B0AD048
Comodo Malware@#1v5nno5v97i7u
DrWeb W97M.Dropper.103
TrendMicro TROJ_FRS.0NA103DT21
McAfee-GW-Edition BehavesLike.OLE2.Bad-VBA.fb
Emsisoft VB:Trojan.Valyria.4372 (B)
SentinelOne Static AI - Malicious OLE
GData VB:Trojan.Valyria.4372
Avira HEUR/Macro.Downloader.MRDT.Gen
MAX malware (ai score=100)
Gridinsoft Trojan.U.Downloader.oa
Arcabit VB:Trojan.Valyria.D1114
AegisLab Trojan.Multi.Generic.4!c
Microsoft TrojanDownloader:O97M/Tnega!MSR
Cynet Malicious (score: 99)
AhnLab-V3 Dropper/DOC.Generic
McAfee RDN/Generic Downloader.x
TACHYON Suspicious/W97M.Obfus.Gen.8
Tencent Trojan.Win32.MacroV.11000092
Ikarus Trojan-Downloader.VBA.Agent
Fortinet VBA/Agent.UOE!tr
AVG SNH:Script [Dropper]