Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 7, 2021, 2:36 p.m.	Sept. 7, 2021, 2:38 p.m.

Size	67.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: plastic materials, Subject: plastic materials, Author: Admin Operations, Keywords: plastic materials, Last Saved By: Master Mana, Revision Number: 9, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 03:56, Create Time/Date: Sun Sep 5 21:30:57 2021, Last Saved Time/Date: Sun Sep 5 21:34:53 2021, Number of Words: 0
MD5	`72fbb1892420f4727710ea0f7a324834`
SHA256	`256f31588e790b06bb68a82d8e3a8703481e0a2da27c3527f5696d4ca23f09fb`
CRC32	`347D522A`
ssdeep	`192:NnmDNiaVdd1kHCs3xgdoleebyNQct6wNL6iKuuSE0i0sqXVXcvTBFoP8u92+V:Nm1dvkJ+ueeeND/N2iWSg2NclFo39D`
Yara	Generic_Malware_Zero - Generic Malware Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

POWERPNT.EXE "C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE" /S "C:\Users\test22\AppData\Local\Temp\Purchase Inquiry.ppt"
2344

Name	Response	Post-Analysis Lookup
www.bitly.com	A 67.199.248.15 A 67.199.248.14 CNAME bitly.com	67.199.248.14

IP Address	Status	Action
164.124.101.2	Active	Moloch
67.199.248.15	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49170 -> 67.199.248.15:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 67.199.248.15:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a96e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bdd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bdd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c05000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bdd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bde000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c05000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bdd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bde000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75187000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75179000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75180000 process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 7, 2021, 2:36 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Lionic	Trojan.Script.Generic.a!c
ALYac	VB:Trojan.Valyria.5266
Arcabit	VB:Trojan.Valyria.D1492
Cyren	PP97M/Sload.B.gen!Eldorado
Symantec	Trojan.Gen.MBT
ESET-NOD32	VBA/TrojanDownloader.Agent.WPH
Avast	Other:Malware-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VB:Trojan.Valyria.5266
MicroWorld-eScan	VB:Trojan.Valyria.5266
Ad-Aware	VB:Trojan.Valyria.5266
Emsisoft	VB:Trojan.Valyria.5266 (B)
F-Secure	Heuristic.HEUR/Macro.Downloader.MRKI.Gen
DrWeb	Exploit.Siggen3.20529
McAfee-GW-Edition	Artemis!Trojan
FireEye	VB:Trojan.Valyria.5266
Ikarus	Trojan-Downloader.VBA.Agent
Avira	HEUR/Macro.Downloader.MRKI.Gen
MAX	malware (ai score=86)
Microsoft	TrojanDownloader:O97M/Powdow.SS!MTB
ZoneAlarm	HEUR:Trojan-Downloader.Script.Generic
GData	VB:Trojan.Valyria.5266
McAfee	RDN/Generic Downloader.x
Fortinet	VBA/Valyria.5266!tr
AVG	Other:Malware-gen [Trj]

Purchase Inquiry.ppt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All