Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

Invoice_9429770.xls

Dridex VBA_macro MSOffice File PE File DLL PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 22, 2021, 10:57 a.m.	July 22, 2021, 11:04 a.m.

Size	659.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Invoice_9429770, Author: Quickbooks, LLC, Last Saved By: user, Name of Creating Application: Microsoft Excel, Last Printed: Thu Jul 26 12:08:13 2018, Create Time/Date: Thu Jul 26 00:26:51 2018, Last Saved Time/Date: Wed Jul 21 12:00:32 2021, Security: 0
MD5	`8e3797b1d0fbf7becdd633bc0635ba71`
SHA256	`a8cb608e710ebf154755b50c351c761135035b5792903c81a5c6007aff33a63c`
CRC32	`10BA4883`
ssdeep	`12288:LGDH3roxGMC/mc4bl3q5uaFsvCgdz2l5MjavMmIf+v:LGDXEUH/4EnsvJZ2lKjavMm/`
Yara	Microsoft_Office_File_Zero - Microsoft Office File Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\Invoice_9429770.xls
2080
- mshta.exe mshta C:\ProgramData//klListDataTypeNumber.sct
  2224

Name	Response	Post-Analysis Lookup
waunake.com	A 128.199.243.169 A 208.83.69.35	128.199.243.169

IP Address	Status	Action
128.199.243.169	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 128.199.243.169:8088 -> 192.168.56.102:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 22, 2021, 10:57 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b617000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b2b3000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d7d000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d7d000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b2b3000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\qCellTypeVisible.dll

Creates a suspicious process (1 event)

cmdline

mshta C:\ProgramData//klListDataTypeNumber.sct

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	VBA.Heur2.Dridex.4.CD579A05.Gen
ALYac	VBA.Heur2.Dridex.4.CD579A05.Gen
Arcabit	HEUR.VBA.CG.1
Kaspersky	UDS:Exploit.MSOffice.CVE-2017-8570.gen
BitDefender	VBA.Heur2.Dridex.4.CD579A05.Gen
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Ad-Aware	VBA.Heur2.Dridex.4.CD579A05.Gen
Emsisoft	VBA.Heur2.Dridex.4.CD579A05.Gen (B)
TrendMicro	HEUR_VBA.O2
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.jb
FireEye	VBA.Heur2.Dridex.4.CD579A05.Gen
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	VBA.Heur2.Dridex.4.CD579A05.Gen
MAX	malware (ai score=83)
Zoner	Probably Heur.W97ShellB
Qihoo-360	virus.office.obfuscated.1

One or more non-whitelisted processes were created (1 event)

parent_process

excel.exe

martian_process

mshta C:\ProgramData//klListDataTypeNumber.sct