Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

MSOfficeUpdate.cab

KeyLogger Escalate priviledges AntiDebug AntiVM

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 22, 2021, 10:05 p.m.	Sept. 22, 2021, 10:09 p.m.

Size	222.6KB
Type	Microsoft Cabinet archive data, 227977 bytes, 1 file
MD5	`0907498bc0ee4cee45b37df6a186b602`
SHA256	`94b94d1882e9ab47481de62ce0c658f8ddf12ddf0936a8978b06fc8506731911`
CRC32	`DEBDA9B4`
ssdeep	`3072:gtOueVt10q/1MNcUem37I/4WWn6Yac6BYaZWfKEXRy/v2:cOuQd/1MWUeqEAWw6YaciYcWSKRy/O`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "aXOODGdQmN" C:\Users\test22\AppData\Local\Temp\MSOfficeUpdate.cab
2472
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\MSOfficeUpdate.cab"
  2524

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 22, 2021, 10:05 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 22, 2021, 10:05 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736c2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72393000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 22, 2021, 10:05 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Escalate priviledges				rule	Escalate_priviledges
description	Run a KeyLogger				rule	KeyLogger
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Lionic	Trojan.Win32.Agent.m!c
Arcabit	Trojan.Generic.D23D5BF2
Symantec	Trojan.Gen.NPE
TrendMicro-HouseCall	TROJ_FRS.VSNTID21
Avast	Win32:Malware-gen
Kaspersky	Backdoor.Win32.Agent.myudnx
BitDefender	Trojan.GenericKD.37575666
MicroWorld-eScan	Trojan.GenericKD.37575666
Sophos	Troj/Cabinf-A
TrendMicro	TROJ_FRS.VSNTID21
FireEye	Trojan.GenericKD.37575666
Emsisoft	Trojan.GenericKD.37575666 (B)
Microsoft	TrojanDownloader:O97M/Donoff.SA!CAB
GData	Exploit.CVE-2021-40444.Gen.2
MAX	malware (ai score=86)
Tencent	Win32.Backdoor.Agent.Dkx
AVG	Win32:Malware-gen
Panda	PUP/Hacktool