Summary | ZeroBOX

Document%20896885.doc

VBA_macro Generic Malware Malicious Packer MSOffice File
Category Machine Started Completed
FILE s1_win7_x6402 July 31, 2021, 1:26 p.m. July 31, 2021, 2:05 p.m.
Size 736.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: rmeyer, Template: Normal, Last Saved By: user, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Last Printed: Thu Jan 29 17:29:00 2009, Create Time/Date: Tue Jun 1 13:52:00 2021, Last Saved Time/Date: Tue Jun 1 13:52:00 2021, Number of Pages: 1, Number of Words: 105, Number of Characters: 601, Security: 0
MD5 3f89ed9e9e4be551f2d13b16287248c0
SHA256 7dd7fcb839e3d18745b8dfd20dc6ef4f0fd6bad46597b10ec7649a2f7f364d0a
CRC32 7A9256E4
ssdeep 12288:zBbfJoh59mnEXCjgoVGk+8meFn9wLW+KVthQt12WbwNrlgUDJfKDSwRZUIQv:Fb+hDmgCjgZKmeFnGUvQt1VwNB3lfLw+
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Malicious_Packer_Zero - Malicious Packer
  • Generic_Malware_Zero - Generic Malware

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49164 -> 104.21.52.244:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49192 -> 192.185.110.230:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49171 -> 198.12.234.210:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49197 -> 160.153.208.149:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49167 -> 142.4.29.146:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49166 -> 142.4.29.146:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49170 -> 198.12.234.210:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49179 -> 208.109.41.227:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49176 -> 159.89.200.161:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49176 -> 159.89.200.161:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 159.89.200.161:443 -> 192.168.56.102:49176 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 159.89.200.161:443 -> 192.168.56.102:49176 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49182 -> 162.241.218.172:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49196 -> 160.153.208.149:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 208.109.41.227:443 -> 192.168.56.102:49180 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 198.12.234.210:443 -> 192.168.56.102:49172 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 142.4.29.146:443 -> 192.168.56.102:49168 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49178 -> 208.109.41.227:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49174 -> 159.89.200.161:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49174 -> 159.89.200.161:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49174 -> 159.89.200.161:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49175 -> 159.89.200.161:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49175 -> 159.89.200.161:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49175 -> 159.89.200.161:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 107.180.29.18:443 -> 192.168.56.102:49188 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 192.185.110.230:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 159.89.200.161:443 -> 192.168.56.102:49175 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 159.89.200.161:443 -> 192.168.56.102:49175 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.185.110.230:443 -> 192.168.56.102:49194 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 104.21.23.96:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49183 -> 162.241.218.172:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 162.241.218.172:443 -> 192.168.56.102:49184 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49186 -> 107.180.29.18:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49187 -> 107.180.29.18:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 160.153.208.149:443 -> 192.168.56.102:49198 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 159.89.200.161:443 -> 192.168.56.102:49174 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 159.89.200.161:443 -> 192.168.56.102:49174 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode

Suricata TLS

Flow: TLSv1 192.168.56.102:49164 -> 104.21.52.244:443
Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint: a8:79:58:32:70:81:29:58:c8:ea:87:be:f6:a7:e4:6c:31:b8:7c:f5

Flow: TLSv1 192.168.56.102:49190 -> 104.21.23.96:443
Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
Subject: C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint: 68:e2:fe:e6:33:4f:56:07:40:96:fa:1a:5d:e3:ff:53:b1:52:d0:b5

request GET https://zotno.xyz/wp-content/themes/storefront/e2e/specs/kCKt578W.php
request GET https://brasilvioleiro.com.br/wp-content/cache/object/e3c/9ab/rSpBh8UHQx8r.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a041000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005e5000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06838000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06839000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0683a000
process_handle: 0xffffffff
1 0 0

file C:\Users\test22\AppData\Local\Temp\~$cument 896885.doc
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000470
filepath: C:\Users\test22\AppData\Local\Temp\~$cument 896885.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$cument 896885.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
Elastic malicious (high confidence)
MicroWorld-eScan VB:Trojan.Valyria.4785
FireEye VB:Trojan.Valyria.4785
McAfee W97M/Downloader.dpx
Cyren W97M/Agent.WF.gen!Eldorado
Avast VBA:Crypt-AB [Trj]
BitDefender VB:Trojan.Valyria.4785
Ad-Aware VB:Trojan.Valyria.4785
VIPRE LooksLike.Macro.Malware.gen!d1 (v)
TrendMicro HEUR_VBA.OE
McAfee-GW-Edition BehavesLike.OLE2.Downloader.bb
Emsisoft VB:Trojan.Valyria.4785 (B)
Ikarus Trojan.Office.Doc
MAX malware (ai score=82)
Microsoft TrojanDownloader:O97M/Dridex.BVG!MTB
Arcabit HEUR.VBA.Trojan.d
GData VB:Trojan.Valyria.4785
ALYac VB:Trojan.Valyria.4785
TACHYON Suspicious/W97M.Obfus.Gen.6
Zoner Probably Heur.W97Obfuscated
SentinelOne Static AI - Malicious OLE
Fortinet VBA/Agent.WCP!tr.dldr
AVG VBA:Crypt-AB [Trj]
Qihoo-360 virus.office.qexvmc.1080