Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 3, 2021, 9:57 a.m.	Sept. 3, 2021, 9:59 a.m.

Size	71.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: admin, Template: Normal, Last Saved By: 8765456789, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 2 10:04:00 2021, Last Saved Time/Date: Thu Sep 2 10:04:00 2021, Number of Pages: 1, Number of Words: 220, Number of Characters: 7153, Security: 0
MD5	`327f2a52c00aaf93337f62b03456ee51`
SHA256	`e862c9b2725e5b5a26f01dbd294c3d2f749d1ae15593f4c0fd74e2da7c9fcf4b`
CRC32	`29C15E1B`
ssdeep	`1536:yBtQlhIk6+PQxXvHQ1n/m3KWUzQwM2igMU2a+ma:e2okzKXPMmaWU8+igOaha`
Yara	Generic_Malware_Zero - Generic Malware Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\deed contract_09.21.doc"
1608
- explorer.exe c:\\..\\..\\..\\windows\\explorer 1.hta
  200

Name	Response	Post-Analysis Lookup
canalfarod.com	A 194.62.42.160	194.62.42.160

IP Address	Status	Action
164.124.101.2	Active	Moloch
194.62.42.160	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 3, 2021, 9:50 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 3, 2021, 9:50 a.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET http://canalfarod.com/bmdff/24537/tzE0/90235/92182/dUho5y6KNXjtiHCU6UgT88XLUvU/34842/lure2?id=uYJFO1DZDdERyg7LGoUFAjk2mffQD&id=sxq8rOS3HZchNMIiP&3pxh=Cs&sid=Rh1&vssuvZ7E7A=aHImg4kBE&=y6rQHWnv

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 3, 2021, 9:57 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a85d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2021, 9:57 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a46e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2021, 9:57 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b84000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2021, 9:57 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b84000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2021, 9:57 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b86000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2021, 9:57 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b86000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2021, 9:57 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b8c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2021, 9:57 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b8c000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$ed contract_09.21.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 3, 2021, 9:57 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004ac filepath: C:\Users\test22\AppData\Local\Temp\~$ed contract_09.21.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$ed contract_09.21.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 3, 2021, 9:57 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

c:\\..\\..\\..\\windows\\explorer 1.hta

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Elastic	malicious (high confidence)
Cyren	W97M/Agent
Symantec	ISB.Downloader!gen148
Avast	SNH:Script [Dropper]
BitDefender	VB:Trojan.Valyria.5258
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan	VB:Trojan.Valyria.5258
Ad-Aware	VB:Trojan.Valyria.5258
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.ll
FireEye	VB:Trojan.Valyria.5258
Emsisoft	VB:Trojan.Valyria.5258 (B)
Ikarus	Trojan-Dropper.VBA.Agent
GData	VB:Trojan.Valyria.5258
Arcabit	HEUR.VBA.Trojan.d
Microsoft	Trojan:Script/Woreflint.A!cl
TACHYON	Suspicious/W97M.Obfus.Gen.8
MAX	malware (ai score=82)
SentinelOne	Static AI - Malicious OLE
Fortinet	VBA/Agent.MKK!tr
AVG	SNH:Script [Dropper]

deed contract_09.21.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All