Invoice-No.-9004_20210908.xlsb

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bff2000 process_handle: 0xffffffff	1	0	0

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 9, 2021, 8:48 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000474 filepath: C:\Users\test22\AppData\Local\Temp\~$Invoice-No.-9004_20210908.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$Invoice-No.-9004_20210908.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

CAT-QuickHeal	XLS4.IcedID.42146
McAfee-GW-Edition	Artemis!Trojan
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Ikarus	Win32.Outbreak
Fortinet	XML/IcedId.AL!tr

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 9, 2021, 8:48 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0