Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 1, 2021, 3:30 p.m.	July 1, 2021, 3:33 p.m.

Size	49.7KB
Type	Microsoft Word 2007+
MD5	`67092e0e7cae41a063ee9e7d71f0209f`
SHA256	`20196bea23378c11f6f2760dd289cb46e03e36b7c83ead1883d157fa3d9a3c48`
CRC32	`59CE5FCD`
ssdeep	`768:/9RCQnfkzCy7ZhUsVQ0Nq5hJD1iB/be8k+uYtjR5y6LaJDSCOTXR:/Pnfkt7TQT5hJ1iBkYzYJOTB`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\specifics,06.21.doc
7092
- cmd.exe c:\windows\system32\cmd /c c:\programdata\nextDelVariable.hta
  6204
  - mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\nextDelVariable.hta"
    8232

Name	Response	Post-Analysis Lookup
testmahoneyd.com	A 45.84.0.215	45.84.0.215

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
45.84.0.215	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 1, 2021, 3:30 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (36 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 7092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ebb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 7092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ec05000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 7092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x673a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 7092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 7092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05341000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 7092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 7092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 7092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 7092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 7092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 7092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 7092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 7092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b2000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$ecifics,06.21.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 1, 2021, 3:30 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003e0 filepath: C:\Users\test22\AppData\Local\Temp\~$ecifics,06.21.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$ecifics,06.21.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a suspicious process (1 event)

cmdline

"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\nextDelVariable.hta"

Word document hooks document open

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x036f0000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA July 1, 2021, 3:30 p.m.	key_handle: 0x000003a8 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Elastic	malicious (high confidence)
Alibaba	TrojanDownloader:VBA/Obfuscation.A
Symantec	ISB.Downloader!gen148
Kaspersky	VHO:Trojan.MSOffice.SAgent.gen
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Sophos	Troj/DocDL-ADRS
Ikarus	Trojan-Dropper.VBA.Agent
Arcabit	HEUR.VBA.Trojan.d
Zoner	Probably Heur.W97Obfuscated
SentinelOne	Static AI - Malicious OPENXML

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

c:\windows\system32\cmd /c c:\programdata\nextDelVariable.hta

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 6204 resumed a thread in remote process 8232
NtResumeThread July 1, 2021, 3:30 p.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 8232	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

45.84.0.215:80

specifics,06.21.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All