Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 2, 2021, 6:18 p.m.	Sept. 2, 2021, 6:20 p.m.

Size	347.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 949, Author: Ellen Swicord, Template: Normal.dotm, Last Saved By: Honey, Revision Number: 45, Name of Creating Application: Microsoft Office Word, Total Editing Time: 28:00, Last Printed: Tue Jan 14 14:56:00 2020, Create Time/Date: Sun Mar 1 09:16:00 2020, Last Saved Time/Date: Wed Sep 30 06:02:00 2020, Number of Pages: 2, Number of Words: 314, Number of Characters: 1791, Security: 0
MD5	`3657586d8555593012bfd7420d488be4`
SHA256	`0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff`
CRC32	`8D10D34A`
ssdeep	`3072:MMo3HoQ45xd/y9MnLm9MLL39MoL89MFLV9MGL+/5M/WMj/X/MC/XMMZ/XQMs/XY8:MMvQ4MtGNwp6zZqop1joyQw+LS7pl8X`
Yara	Generic_Malware_Zero - Generic Malware Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\who_template.doc
2324

Name	Response	Post-Analysis Lookup
appmedicine.whoint.cf

IP Address	Status	Action
164.124.101.2	Active	Moloch

Flow	SID	Signature	Category
UDP 192.168.56.103:53893 -> 164.124.101.2:53	2025107	ET INFO DNS Query for Suspicious .cf Domain	Potentially Bad Traffic

No Suricata TLS

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 2, 2021, 6:18 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a85d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:18 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a46e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:18 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0494b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:18 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0494b000 process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\~$o_template.doc

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 2, 2021, 6:18 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004a4 filepath: C:\Users\test22\AppData\Local\Temp\~$o_template.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$o_template.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 2, 2021, 6:18 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef60000 process_handle: 0xffffffff	1	0	0

Lionic	Trojan.Script.Generic.a!c
Elastic	malicious (high confidence)
ALYac	Trojan.Downloader.DOC.Gen
Symantec	Trojan.Gen.NPE
ESET-NOD32	a variant of VBA/TrojanDownloader.Agent.WER
Avast	SNH:Script [Dropper]
Kaspersky	UDS:DangerousObject.Multi.Generic
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
ViRobot	DOC.Z.Agent.355328.A
Tencent	Heur.MSWord.Downloader.d
DrWeb	W97M.DownLoader.2988
VIPRE	LooksLike.Macro.Malware.gen!d1 (v)
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.fb
ZoneAlarm	HEUR:Trojan-Downloader.Script.Generic
Microsoft	Trojan:O97M/Sadoca.C!ml
TACHYON	Suspicious/W97M.Downloader.Gen
Rising	Heur.Macro.Downloader.f (CLASSIC)
SentinelOne	Static AI - Malicious OLE
Fortinet	VBA/Agent.0CB3!tr
AVG	SNH:Script [Dropper]

who_template.doc