Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 19, 2021, 5:08 p.m.	Oct. 19, 2021, 5:10 p.m.

Size	65.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: flies, Subject: flies, Author: Dawn Hawk, Keywords: flies, Last Saved By: support , Revision Number: 11, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 26:07, Create Time/Date: Wed Oct 13 11:42:33 2021, Last Saved Time/Date: Wed Oct 13 12:08:40 2021, Number of Words: 0
MD5	`3e804f9f266483ec4884546f08e396a8`
SHA256	`93002698d17ed42fda59a7a37533c12bd13ce27fae60d6673c7b71f94a0eccc7`
CRC32	`14E03C61`
ssdeep	`384:Z9caf4fFqIlETSlyCFKkr0pw1MKUP5Pv6AZJlcbclFo39D:AagNblETSlyCFKvw1W6Gcbcjo`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Generic_Malware_Zero - Generic Malware Microsoft_Office_File_Zero - Microsoft Office File

POWERPNT.EXE "C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE" /S C:\Users\test22\AppData\Local\Temp\1311719753.ppt
2500

Name	Response	Post-Analysis Lookup
www.bitly.com	A 67.199.248.15 A 67.199.248.14 CNAME bitly.com	67.199.248.14

IP Address	Status	Action
164.124.101.2	Active	Moloch
67.199.248.15	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 67.199.248.15:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 67.199.248.15:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a96e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04315000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04315000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042ee000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042ee000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75187000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75179000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75180000 process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 19, 2021, 5:08 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Lionic	Trojan.Script.Generic.a!c
ALYac	VB:Trojan.Valyria.5266
Cyren	PP97M/Agent.ADH.gen!Eldorado
ESET-NOD32	VBA/TrojanDownloader.Agent.WUZ
TrendMicro-HouseCall	TROJ_FRS.VSNTJI21
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VB:Trojan.Valyria.5266
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan	VB:Trojan.Valyria.5266
Ad-Aware	VB:Trojan.Valyria.5266
DrWeb	Exploit.Siggen3.21344
McAfee-GW-Edition	Artemis!Trojan
FireEye	VB:Trojan.Valyria.5266
Emsisoft	VB:Trojan.Valyria.5266 (B)
Ikarus	Win32.SuspectCrc
GData	VB:Trojan.Valyria.5266
MAX	malware (ai score=87)
Arcabit	VB:Trojan.Valyria.D1492
ZoneAlarm	HEUR:Trojan-Downloader.Script.Generic
Microsoft	TrojanDownloader:O97M/Powdow.PDS!MTB
McAfee	RDN/Generic Downloader.x
Fortinet	VBA/Valyria.5266!tr

1311719753.ppt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All