Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 27, 2021, 9:35 a.m.	July 27, 2021, 9:37 a.m.

Size	69.9KB
Type	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5	`1d614c41e99a9cd6749eedff96c0bb0f`
SHA256	`fff39628637e0666763630ab8929efe069af03b968fa6cd23a998bac71ef69c8`
CRC32	`CCF9BE2A`
ssdeep	`1536:EVnCIWimYXHr11AQYyqGJHQYCDEtU6dLTR97rg:nxYhxQYNtU6Zvrg`
Yara	None matched

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\report 07.21.doc"
552
- cmd.exe cmd /c c:\programdata\compsFor.hta
  1016
  - mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\compsFor.hta"
    736

Name	Response	Post-Analysis Lookup
vastretail2005b.com	A 80.92.206.119	80.92.206.119

IP Address	Status	Action
164.124.101.2	Active	Moloch
80.92.206.119	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 27, 2021, 9:35 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (35 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a6be000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d2c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d2c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d2d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d2d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03dc2000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$port 07.21.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 27, 2021, 9:35 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000484 filepath: C:\Users\test22\AppData\Local\Temp\~$port 07.21.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$port 07.21.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a suspicious process (1 event)

cmdline

"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\compsFor.hta"

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 27, 2021, 9:35 a.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA July 27, 2021, 9:35 a.m.	key_handle: 0x000003a0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Elastic	malicious (high confidence)
Symantec	ISB.Downloader!gen148
Kaspersky	HEUR:Trojan.MSOffice.SAgent.gen
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Sophos	Mal/DocDl-X
ZoneAlarm	HEUR:Trojan.MSOffice.SAgent.gen
Microsoft	Trojan:Script/Wacatac.B!ml
TACHYON	Suspicious/XML.Obfus.Gen.8
Ikarus	Trojan-Dropper.VBA.Agent
Fortinet	VBA/Agent.43D7!tr

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

winword.exe

martian_process

cmd /c c:\programdata\compsFor.hta

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

cmd /c c:\programdata\compsFor.hta

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1016 resumed a thread in remote process 736
NtResumeThread July 27, 2021, 9:35 a.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 736	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

80.92.206.119:80

report 07.21.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All