Summary | ZeroBOX

Invoice_3326809.xlsm

Dridex VBA_macro Generic Malware Malicious Library PE File DLL PE32
Category: FILE
Machine: s1_win7_x6401
Started: July 27, 2021, 5:53 p.m.
Completed: July 27, 2021, 6:04 p.m.
Size 332.5KB
Type Microsoft Excel 2007+
MD5 86c63e5a375f54c79cfa007828400a5d
SHA256 297fa628e174f62edfc8ecf1e4ec79d8f177fe89308a0c04a0b55693af0a776f
CRC32 C355E5FD
ssdeep 6144:23j+sWRo6tcJhv7Bzg+8h6F493OzNStil3SH0Gon2HC:2T+Zenzdl8OLzNSt/UJ5
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

IP Address: 128.199.243.169 (Active)
IP Address: 164.124.101.2 (Active)

Suricata Alerts

Flow: TCP 128.199.243.169:8088 -> 192.168.56.101:49201
SID: 2018959
Signature: ET POLICY PE EXE or DLL Windows file download HTTP
Category: Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1, return: 1, repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dce1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dd3f000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dd3f000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dc81000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732d1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x052b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x052b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x052c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x052d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f492000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
file: C:\Users\test22\AppData\Local\Temp\~$Invoice_3326809.xlsm
file: C:\ProgramData\qPaperEnvelopePersonal.dll
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000003a4
filepath: C:\Users\test22\AppData\Local\Temp\~$Invoice_3326809.xlsm
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$Invoice_3326809.xlsm
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
status: 1, return: 0, repeated: 0
cmdline: mshta C:\ProgramData//theParamTypeSmallInt.sct
Lionic Trojan.MSExcel.Dridex.4!c
Elastic malicious (high confidence)
MicroWorld-eScan VBA.Heur2.Dridex.4.E491F826.Gen
FireEye VBA.Heur2.Dridex.4.E491F826.Gen
Alibaba TrojanDownloader:VBA/MalDoc.ali1000101
Avast SNH:Script [Dropper]
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender VBA.Heur2.Dridex.4.E491F826.Gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
Ad-Aware VBA.Heur2.Dridex.4.E491F826.Gen
TACHYON Suspicious/XOX.Obfus.Gen.8
McAfee-GW-Edition BehavesLike.Downloader.fc
Emsisoft VBA.Heur2.Dridex.4.E491F826.Gen (B)
Ikarus Win32.Outbreak
Microsoft TrojanDownloader:O97M/Dridex.BK!MTB
GData VBA.Heur2.Dridex.4.E491F826.Gen
MAX malware (ai score=88)
Fortinet VBA/Agent.CF9E!tr
AVG SNH:Script [Dropper]
parent_process: excel.exe
martian_process: mshta C:\ProgramData//theParamTypeSmallInt.sct