Summary | ZeroBOX

0831_3314378773.doc

VBA_macro Generic Malware MSOffice File GIF Format
Category Machine Started Completed
FILE s1_win7_x6403_us Sept. 6, 2021, 8:37 a.m. Sept. 6, 2021, 8:39 a.m.
Size 431.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: kell, Template: Normal.dotm, Last Saved By: MyPc, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Aug 30 13:16:00 2021, Last Saved Time/Date: Mon Aug 30 13:16:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 19, Security: 0
MD5 ca29d350e363b21d507ba30cb65413ce
SHA256 257d5c61c3d237d3246acc02032f7f6f02f80ad9ee26845681c7c6c0c93cb6d2
CRC32 658FDC34
ssdeep 12288:7V9iQsDr8NLClDfKTFi1w06/vbOes1AOrk4r:7VXkr8N2NfKB30AOesoc
Yara
  • Generic_Malware_Zero - Generic Malware
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49175 -> 23.21.76.7:80 2021997 ET POLICY External IP Lookup api.ipify.org Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
request GET http://api.ipify.org/
domain gratimen.ru description Russian Federation domain TLD
domain waliteriter.ru description Russian Federation domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a85d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a46e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0507c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0507c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0507c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0507c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0507c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0507c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0509f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0509f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0509f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0509f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0509f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0509f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08855000
process_handle: 0xffffffff
1 0 0
domain api.ipify.org
file C:\Users\test22\AppData\Local\Temp\~$31_3314378773.doc
file c:\Users\test22\AppData\Roaming\microsoft\templates\~$glib.doc
file C:\Users\test22\AppData\Local\Temp\jjy.dll
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\glib.doc.LNK
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000004ac
filepath: C:\Users\test22\AppData\Local\Temp\~$31_3314378773.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$31_3314378773.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000688
filepath: c:\Users\test22\AppData\Roaming\microsoft\templates\~$glib.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\c:\users\test22\appdata\roaming\microsoft\templates\~$glib.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\glib.doc.LNK
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 0
family: 2
1 0 0
Lionic Trojan.Script.Generic.b!c
DrWeb Exploit.Siggen3.20297
Cyren W97M/Agent.ABS.gen!Eldorado
Symantec JS.Downloader
Avast Script:SNH-gen [Trj]
Kaspersky HEUR:Trojan-Dropper.Script.Generic
VIPRE LooksLike.Macro.Malware.k (v)
SentinelOne Static AI - Suspicious OLE
Microsoft TrojanDropper:O97M/Hancitor.BK!MTB
Tencent Heur.Macro.Generic.c.c68b9918
Ikarus Trojan-Dropper.VBA.Agent
AVG Script:SNH-gen [Trj]
parent_process winword.exe martian_process rundll32 c:\users\test22\appdata\roaming\microsoft\templates\yefff.dll,QIHTXYFJRAN
Time & API Arguments Status Return Repeated

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: GUID=8962251904648732308&BUILD=3008_hsdj8&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)
0 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: GUID=8962251904648732308&BUILD=3008_hsdj8&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)
0 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: GUID=8962251904648732308&BUILD=3008_hsdj8&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)
0 0
file C:\Users\test22\AppData\Local\Temp\jjy.dll
dead_host 46.148.26.93:80
dead_host 185.230.91.127:80
dead_host 176.105.252.131:80