Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 25, 2021, 5:19 p.m.	Sept. 25, 2021, 5:23 p.m.

Size	5.2MB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Chinto, Template: Normal.dotm, Last Saved By: Allen Murphy, Revision Number: 17, Name of Creating Application: Microsoft Office Word, Total Editing Time: 17:00, Create Time/Date: Tue Sep 21 06:52:00 2021, Last Saved Time/Date: Tue Sep 21 09:00:00 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5	`7c6ff96ddaf3bf3bf824ba6e625a9d21`
SHA256	`59ed41388826fed419cc3b18d28707491a4fa51309935c4fa016e53c6f2f94bc`
CRC32	`709128C6`
ssdeep	`12288:hpwQb99aavz5CoFNqxu+aef7yrRiYHJHI/+y7YC:DwQJUH/`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Generic_Malware_Zero - Generic Malware Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\Nakul Kumar.doc"
2500

Name	Response	Post-Analysis Lookup
tasnimnewstehran.club	A 185.161.208.57	185.161.208.57

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.161.208.57	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a85d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a46e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0975a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0975a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0975b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0975b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0975b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0975b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e2000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$kul Kumar.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 25, 2021, 5:19 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004a4 filepath: C:\Users\test22\AppData\Local\Temp\~$kul Kumar.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$kul Kumar.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Word document hooks document open

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 25, 2021, 5:19 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

A potential heapspray has been detected. 74 megabytes was sprayed onto the heap of the WINWORD.EXE process (1 event)

count

2392

name

heapspray

process

WINWORD.EXE

total_mb

length

32768

protection

PAGE_READWRITE

The process winword.exe wrote an executable file to disk (1 event)

file	C:\Users\Public\Pictures\winword.con

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Lionic	Trojan.MSWord.Generic.4!c
Elastic	malicious (high confidence)
Arcabit	HEUR.VBA.CG.2
Baidu	VBA.Trojan-Downloader.Agent.bti
Symantec	Trojan.Gen.2
TrendMicro-HouseCall	TROJ_FRS.VSNTIO21
Kaspersky	UDS:Trojan.MSOffice.Alien.gen
BitDefender	VB.Heur.EmoDldr.32.CD6503CE.Gen
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan	VB.Heur.EmoDldr.32.CD6503CE.Gen
Ad-Aware	VB.Heur.EmoDldr.32.CD6503CE.Gen
Emsisoft	VB.Heur.EmoDldr.32.CD6503CE.Gen (B)
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.tx
FireEye	VB.Heur.EmoDldr.32.CD6503CE.Gen
Ikarus	Win32.Outbreak
MAX	malware (ai score=82)
Microsoft	Trojan:Win32/Phonzy.C!ml
GData	VB.Heur.EmoDldr.32.CD6503CE.Gen
ALYac	VB.Heur.EmoDldr.32.CD6503CE.Gen
TACHYON	Suspicious/W97M.Obfus.Gen.6
Zoner	Probably Heur.W97Obfuscated
SentinelOne	Static AI - Malicious OLE

Nakul Kumar.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All