Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 1, 2021, 3:30 p.m.	July 1, 2021, 3:33 p.m.

Size	49.7KB
Type	Microsoft Word 2007+
MD5	`faf4b5f0994bd6a977ecb95bfabe8c19`
SHA256	`6d5a8b0946bdc05412ac4e2b848dcb0dce02f25400bb2cc27424fab37d5775e5`
CRC32	`357D9027`
ssdeep	`768:/BK2BJ4rnVo/kZRmTQ0Nq5hJD1iB/be8k+uYtjR5y6LaJDS+38XNF:/Q7RKQT5hJ1iBkYzYt8dF`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\report_06.21.doc
1972
- cmd.exe c:\windows\system32\cmd /c c:\programdata\sinTextbox.hta
  2936
  - mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\sinTextbox.hta"
    1120

Name	Response	Post-Analysis Lookup
wearevansd.com	A 45.84.0.215	45.84.0.215

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.84.0.215	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 1, 2021, 3:30 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (36 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c9b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ca05000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c721000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72472000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03610000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03610000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03610000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03610000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03610000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03610000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03611000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04760000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04760000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04760000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04760000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04760000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04760000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04760000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04761000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04761000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04761000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04762000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04762000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04762000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04762000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 3:31 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04762000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$port_06.21.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 1, 2021, 3:30 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003ec filepath: C:\Users\test22\AppData\Local\Temp\~$port_06.21.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$port_06.21.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a suspicious process (1 event)

cmdline

"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\sinTextbox.hta"

Word document hooks document open

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 1, 2021, 3:30 p.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x03610000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA July 1, 2021, 3:30 p.m.	key_handle: 0x000003ac regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Elastic	malicious (high confidence)
Alibaba	TrojanDownloader:VBA/Obfuscation.A
Symantec	ISB.Downloader!gen148
Kaspersky	VHO:Trojan.MSOffice.SAgent.gen
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Sophos	Troj/DocDL-ADRS
SentinelOne	Static AI - Malicious OPENXML
Microsoft	TrojanDownloader:O97M/IcedID.RVO!MTB
Arcabit	HEUR.VBA.Trojan.d
AegisLab	Trojan.MSOffice.SAgent.4!c
Ikarus	Trojan-Dropper.VBA.Agent

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

c:\windows\system32\cmd /c c:\programdata\sinTextbox.hta

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2936 resumed a thread in remote process 1120
NtResumeThread July 1, 2021, 3:30 p.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 1120	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

45.84.0.215:80

report_06.21.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All