Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

Invoice_657894.xls

Dridex VBA_macro MSOffice File PE File DLL PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 22, 2021, 10:57 a.m.	July 22, 2021, 11:02 a.m.

Size	317.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Invoice_657894, Author: Quickbooks, LLC, Last Saved By: user, Name of Creating Application: Microsoft Excel, Last Printed: Thu Jul 26 12:08:13 2018, Create Time/Date: Thu Jul 26 00:26:51 2018, Last Saved Time/Date: Wed Jul 21 11:58:47 2021, Security: 0
MD5	`bd59e42a9ee00ba415448c31190e57d7`
SHA256	`f4f0127923c4a1c69aab04516907fd4010f9af8302e132b972d053813577b18d`
CRC32	`94A3415C`
ssdeep	`6144:q0Y35qAOJl/YrLYz+WrNhZF+E+W2RGtqPjKBbA2G0VeU+fMGMdcLJVI1LkbGX:ujwbA2EfKaICa`
Yara	Microsoft_Office_File_Zero - Microsoft Office File Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\Invoice_657894.xls
2648
- mshta.exe mshta C:\ProgramData//klClipboardFormatDspText.sct
  2932

Name	Response	Post-Analysis Lookup
paymetconfirm.com	A 128.199.243.169 A 208.83.69.35	208.83.69.35

IP Address	Status	Action
128.199.243.169	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 128.199.243.169:8088 -> 192.168.56.101:49204	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 22, 2021, 10:57 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc81000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f492000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\qDialogFormatText.dll

Creates a suspicious process (1 event)

cmdline

mshta C:\ProgramData//klClipboardFormatDspText.sct

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	VBA.Heur2.Dridex.4.CD579A05.Gen
FireEye	VBA.Heur2.Dridex.4.CD579A05.Gen
Kaspersky	VHO:Exploit.MSOffice.CVE-2017-8570.gen
BitDefender	VBA.Heur2.Dridex.4.CD579A05.Gen
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Ad-Aware	VBA.Heur2.Dridex.4.CD579A05.Gen
Emsisoft	VBA.Heur2.Dridex.4.CD579A05.Gen (B)
TrendMicro	HEUR_VBA.O2
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.fg
Microsoft	Trojan:Script/Woreflint.A!cl
GData	VBA.Heur2.Dridex.4.CD579A05.Gen
ALYac	VBA.Heur2.Dridex.4.CD579A05.Gen
MAX	malware (ai score=81)
Zoner	Probably Heur.W97ShellB
Qihoo-360	virus.office.obfuscated.1

Creates suspicious VBA object (1 event)

com_class

Scripting.FilesystemObject

May attempt to write one or more files to the harddisk

One or more non-whitelisted processes were created (1 event)

parent_process

excel.exe

martian_process

mshta C:\ProgramData//klClipboardFormatDspText.sct