information_01913.xlsb

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b6e3000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\Public\Documents\decrypt.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 12, 2021, 9:39 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000003cc filepath: C:\Users\test22\AppData\Local\Temp\~$information_01913.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$information_01913.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Creates a suspicious process (1 event)

cmdline

regsvr32 -s C:\Users\Public\Documents\decrypt.dll

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Alibaba	TrojanDownloader:Office/SLoad.7e7be6dd
Kaspersky	HEUR:Trojan-Downloader.MSOffice.SLoad.gen
McAfee-GW-Edition	Artemis!Trojan
Fortinet	MSExcel/Agent.DB77!tr.dldr

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
URLDownloadToFileW July 12, 2021, 9:39 a.m.	url: https://free.mynowministries.com/app.dll stack_pivoted: 0 filepath_r: C:\Users\Public\Documents\decrypt.dll filepath: C:\Users\Public\Documents\decrypt.dll		2148270085	0

One or more non-whitelisted processes were created (1 event)

parent_process

excel.exe

martian_process

regsvr32 -s C:\Users\Public\Documents\decrypt.dll