Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 1, 2021, 3:15 p.m.	July 1, 2021, 3:21 p.m.

Size	49.4KB
Type	Microsoft Word 2007+
MD5	`c17f947258355884f1d359e24733b92e`
SHA256	`50624595ef9d444a5fca276d8dc0ff9521d105f09a879c89f3d4d3dab6761fd2`
CRC32	`8EABB185`
ssdeep	`768:/GAOxB6x+5ezsRwYNTHQ0Nq5hJD1iB/be8k+uYtjR5y6LaJDS3nn3XGfR:/RMB60Rwi7QT5hJ1iBkYzYqn325`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\material.06.21.doc
9068
- cmd.exe c:\windows\system32\cmd /c c:\programdata\intLength.hta
  5096
  - mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\intLength.hta"
    8324

Name	Response	Post-Analysis Lookup
fordlogisticss.com	A 45.84.0.211	45.84.0.211

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 1, 2021, 3:15 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (36 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ebb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ec05000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x673a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05491000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04460000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04460000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04460000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04460000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04460000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04460000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04460000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04461000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04461000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04461000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04462000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04462000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04462000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04462000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04462000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$terial.06.21.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 1, 2021, 3:15 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003e0 filepath: C:\Users\test22\AppData\Local\Temp\~$terial.06.21.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$terial.06.21.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a suspicious process (1 event)

cmdline

"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\intLength.hta"

Word document hooks document open

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Elastic	malicious (high confidence)
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Sophos	Troj/DocDL-ADRS
SentinelOne	Static AI - Malicious OPENXML
Zoner	Probably Heur.W97Obfuscated
Ikarus	Trojan-Dropper.VBA.Agent
Qihoo-360	virus.office.qexvmc.1075

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 1, 2021, 3:15 p.m.	process_identifier: 8324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x035a0000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA July 1, 2021, 3:15 p.m.	key_handle: 0x000003ac regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

c:\windows\system32\cmd /c c:\programdata\intLength.hta

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5096 resumed a thread in remote process 8324
NtResumeThread July 1, 2021, 3:15 p.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 8324	1	0	0

Generates some ICMP traffic

material.06.21.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All