Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 14, 2021, 9:30 a.m.	Oct. 14, 2021, 9:45 a.m.

Size	19.9KB
Type	Microsoft Word 2007+
MD5	`eb25b0638ba81906f0a7cb196a28afe3`
SHA256	`6f3f96802b8e90049d64467fc1a2bf4b1b098a485d83cd8c48cc9b9bccfa2f1c`
CRC32	`ECA3DC64`
ssdeep	`384:tmt1m5+X05YxkRt88nplKQUzbMlH7+yLU3Ge72nzKPPFB3G:q1m535vt88PJXH7b1eqzKPdE`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\word.dotm
1948
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy C:\Users\test22\AppData\Local\Temp\word.dotm C:\Users\test22\AppData\Local\Temp\111.zip
  932
- cmd.exe "C:\Windows\System32\cmd.exe" /c move C:\Users\test22\AppData\Local\Temp\Content_Datas.xml C:\Users\test22\AppData\Local\Temp\msutil.exe
  1376
- cmd.exe "C:\Windows\System32\cmd.exe" /c del -f C:\Users\test22\AppData\Local\Temp\111.zip
  2252
- cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\msutil.exe
  776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 14, 2021, 9:30 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 14, 2021, 9:30 a.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 14, 2021, 9:30 a.m.	buffer: 'C:\Users\test22\AppData\Local\Temp\msutil.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 14, 2021, 9:30 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 9:30 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 9:30 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 9:30 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 9:30 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 9:30 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 9:30 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 9:30 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 9:30 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 9:30 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 9:30 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 9:30 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 9:30 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69404000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$word.dotm

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Oct. 14, 2021, 9:30 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000044c filepath: C:\Users\test22\AppData\Local\Temp\~$word.dotm desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$word.dotm create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /c del -f C:\Users\test22\AppData\Local\Temp\111.zip
cmdline	"C:\Windows\System32\cmd.exe" /c copy C:\Users\test22\AppData\Local\Temp\word.dotm C:\Users\test22\AppData\Local\Temp\111.zip
cmdline	"C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\msutil.exe
cmdline	"C:\Windows\System32\cmd.exe" /c move C:\Users\test22\AppData\Local\Temp\Content_Datas.xml C:\Users\test22\AppData\Local\Temp\msutil.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 14, 2021, 9:30 a.m.	show_type: 0 filepath_r: cmd parameters: /c copy C:\Users\test22\AppData\Local\Temp\word.dotm C:\Users\test22\AppData\Local\Temp\111.zip filepath: cmd	1	1
ShellExecuteExW Oct. 14, 2021, 9:30 a.m.	show_type: 0 filepath_r: cmd parameters: /c move C:\Users\test22\AppData\Local\Temp\Content_Datas.xml C:\Users\test22\AppData\Local\Temp\msutil.exe filepath: cmd	1	1
ShellExecuteExW Oct. 14, 2021, 9:30 a.m.	show_type: 0 filepath_r: cmd parameters: /c del -f C:\Users\test22\AppData\Local\Temp\111.zip filepath: cmd	1	1
ShellExecuteExW Oct. 14, 2021, 9:30 a.m.	show_type: 0 filepath_r: cmd parameters: /c C:\Users\test22\AppData\Local\Temp\msutil.exe filepath: cmd	1	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c del -f C:\Users\test22\AppData\Local\Temp\111.zip
cmdline	cmd /c del -f C:\Users\test22\AppData\Local\Temp\111.zip

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\111.zip

A command shell or script process was created by an unexpected parent process (4 events)

parent_process	winword.exe	martian_process	cmd /c copy C:\Users\test22\AppData\Local\Temp\word.dotm C:\Users\test22\AppData\Local\Temp\111.zip
parent_process	winword.exe	martian_process	cmd /c C:\Users\test22\AppData\Local\Temp\msutil.exe
parent_process	winword.exe	martian_process	cmd /c move C:\Users\test22\AppData\Local\Temp\Content_Datas.xml C:\Users\test22\AppData\Local\Temp\msutil.exe
parent_process	winword.exe	martian_process	cmd /c del -f C:\Users\test22\AppData\Local\Temp\111.zip

One or more non-whitelisted processes were created (8 events)

parent_process	winword.exe	martian_process	cmd /c copy C:\Users\test22\AppData\Local\Temp\word.dotm C:\Users\test22\AppData\Local\Temp\111.zip
parent_process	winword.exe	martian_process	cmd /c C:\Users\test22\AppData\Local\Temp\msutil.exe
parent_process	winword.exe	martian_process	cmd /c move C:\Users\test22\AppData\Local\Temp\Content_Datas.xml C:\Users\test22\AppData\Local\Temp\msutil.exe
parent_process	winword.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del -f C:\Users\test22\AppData\Local\Temp\111.zip
parent_process	winword.exe	martian_process	"C:\Windows\System32\cmd.exe" /c copy C:\Users\test22\AppData\Local\Temp\word.dotm C:\Users\test22\AppData\Local\Temp\111.zip
parent_process	winword.exe	martian_process	"C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\msutil.exe
parent_process	winword.exe	martian_process	cmd /c del -f C:\Users\test22\AppData\Local\Temp\111.zip
parent_process	winword.exe	martian_process	"C:\Windows\System32\cmd.exe" /c move C:\Users\test22\AppData\Local\Temp\Content_Datas.xml C:\Users\test22\AppData\Local\Temp\msutil.exe

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	VB.Heur2.EmoDldr.5.D0822A91.Gen
FireEye	VB.Heur2.EmoDldr.5.D0822A91.Gen
CAT-QuickHeal	O97M.Dropper.AX
Sangfor	Malware.Generic-Macro.Save.521fff6b
Arcabit	HEUR.VBA.CG.1
TrendMicro-HouseCall	Mal_OLEMAL-3
Avast	VBA:Downloader-ABM [Trj]
BitDefender	VB.Heur2.EmoDldr.5.D0822A91.Gen
NANO-Antivirus	Trojan.Script.ExpKit.exylvw
Tencent	Heur.Macro.Generic.b.14da2c3e
Ad-Aware	VB.Heur2.EmoDldr.5.D0822A91.Gen
TrendMicro	Mal_OLEMAL-3
McAfee-GW-Edition	BehavesLike.Downloader.lc
Emsisoft	VB.Heur2.EmoDldr.5.D0822A91.Gen (B)
GData	VB.Heur2.EmoDldr.5.D0822A91.Gen
AhnLab-V3	VBA/Downloader.S78
MAX	malware (ai score=82)
Zoner	Probably Heur.W97Obfuscated
SentinelOne	Static AI - Malicious OPENXML
Fortinet	VBA/Agent.MQC!tr.dldr
AVG	VBA:Downloader-ABM [Trj]

The process winword.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe

word.dotm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All