Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 17, 2021, 12:03 p.m.	June 17, 2021, 12:05 p.m.

Size	222.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: sourdeline scallywag, Subject: frumpiness ergographs, Author: magnetite distinction, Last Saved By: user, Name of Creating Application: Microsoft Excel, Last Printed: Wed Apr 21 12:08:24 2010, Create Time/Date: Thu Apr 13 21:48:14 2000, Last Saved Time/Date: Wed Jun 16 11:47:50 2021, Security: 0
MD5	`c64202fc6e89fc1c49cde536894ed99d`
SHA256	`1e993ef7ee5f21b9f815ebf853b0bd40d3328a1bd6d680ffc3ace55e4bf73a89`
CRC32	`B119EF88`
ssdeep	`6144:wxEtjPOtioVjDGUU1qfDlavx+W2QnWxuX+Fayp3oITIvuTUFSW3EUvNx:wlFaMYITITIW06Nx`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" "C:\Users\test22\AppData\Local\Temp\Document 2519711.xls"
9068
- rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Roaming\64828.dll",StartW
  4716

Name	Response	Post-Analysis Lookup
adamjeecommodities.com	A 18.136.132.202	18.136.132.202
es.e-m2.net	A 94.124.84.11	94.124.84.11
dev1.whoatemylunch.org	A 70.39.250.160	70.39.250.160
teste.sitiodoastronauta.com.br	A 138.68.235.11	138.68.235.11
fitzgeraldstreet.com	A 162.253.125.64	162.253.125.64

IP Address	Status	Action
138.68.235.11	Active	Moloch
162.253.125.64	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
18.136.132.202	Active	Moloch
70.39.250.160	Active	Moloch
80.82.67.127	Active	Moloch
94.124.84.11	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 138.68.235.11:443 -> 192.168.56.102:49819	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49821 -> 18.136.132.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49808 -> 94.124.84.11:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 94.124.84.11:443 -> 192.168.56.102:49811	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49813 -> 162.253.125.64:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49814 -> 162.253.125.64:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.253.125.64:443 -> 192.168.56.102:49815	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49822 -> 18.136.132.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49817 -> 138.68.235.11:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49818 -> 138.68.235.11:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49810 -> 94.124.84.11:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49825 -> 70.39.250.160:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 18.136.132.202:443 -> 192.168.56.102:49823	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49825 70.39.250.160:443	C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority	CN=dev1.whoatemylunch.org	89:a5:e5:57:f0:d4:a4:c5:3b:74:aa:2d:ef:de:b8:b3:df:7c:16:01

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 17, 2021, 12:03 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 17, 2021, 12:03 p.m.			0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://80.82.67.127/IE9CompatViewList.xml

Performs some HTTP requests (2 events)

request	GET http://80.82.67.127/IE9CompatViewList.xml
request	GET https://dev1.whoatemylunch.org/wp-includes/js/tinymce/themes/inlite/hxXHK0N6.php

Allocates read-write-execute memory (usually to unpack itself) (38 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70af1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70b4f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70b4f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e5e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x078e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x078e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x078f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73861000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e01000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66fb1000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 17, 2021, 12:03 p.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 208896 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003e0000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	80.82.67.127

Creates suspicious VBA object (1 event)

com_class

MSXML2.XMLHTTP

May attempt to connect to the outside world

One or more non-whitelisted processes were created (1 event)

parent_process

excel.exe

martian_process

"C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Roaming\64828.dll",StartW

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Elastic	malicious (high confidence)
FireEye	VB:Trojan.Valyria.4710
McAfee	RDN/GenericM
VIPRE	LooksLike.Macro.Malware.gen!x1 (v)
Cyren	X97M/Agent.WF.gen!Eldorado
BitDefender	VB:Trojan.Valyria.4710
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
AegisLab	Trojan.MSExcel.Valyria.4!c
MicroWorld-eScan	VB:Trojan.Valyria.4710
Ad-Aware	VB:Trojan.Valyria.4710
TrendMicro	HEUR_VBA.OE
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.db
Emsisoft	VB:Trojan.Valyria.4710 (B)
SentinelOne	Static AI - Malicious OLE
GData	VB:Trojan.Valyria.4710
MAX	malware (ai score=80)
Microsoft	Trojan:Win32/Dridex!ml
ALYac	VB:Trojan.Valyria.4710
Zoner	Probably Heur.W97Obfuscated
Rising	Heur.Macro.Downloader.f (CLASSIC)
Fortinet	VBA/Agent.WCP!tr.dldr

Office document performs HTTP request (possibly to download malware) (1 event)

payload_url

https://es.e-m2.net/wp-includes/js/tinymce/themes/inlite/8S7qnln7.php

The process excel.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\rundll32.exe

Document 2519711.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All