1.xlsb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 2, 2021, 4:17 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 2, 2021, 4:17 p.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bc73000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 2, 2021, 4:17 p.m.	process_identifier: 1600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cd2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 2, 2021, 4:17 p.m.	process_identifier: 1600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bc73000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 2, 2021, 4:17 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cd2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 2, 2021, 4:17 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bc73000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 2, 2021, 4:17 p.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cd2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 2, 2021, 4:17 p.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bc73000 process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

mshta.exe tried to sleep 180 seconds, actually delayed analysis time by 180 seconds

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Nov. 2, 2021, 4:17 p.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000003f0 filepath: C:\Users\test22\AppData\Local\Temp\~$1.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$1.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Creates a suspicious process (1 event)

cmdline

mshta C:\ProgramData\excel.rtf

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

DrWeb	X97M.DownLoader.763
MicroWorld-eScan	Trojan.GenericKD.47271096
CAT-QuickHeal	XLS4.IcedID.42146
Arcabit	Trojan.Generic.D2D14CB8
Cyren	XLSB/Agent.JZ.gen!Camelot
ESET-NOD32	a variant of DOC/TrojanDropper.Agent.WL
BitDefender	Trojan.GenericKD.47271096
Ad-Aware	Trojan.GenericKD.47271096
Emsisoft	Trojan.GenericKD.47271096 (B)
McAfee-GW-Edition	X97M/Downloader.ky
FireEye	Trojan.GenericKD.47271096
GData	Trojan.GenericKD.47271096
Avira	W97M/Agent.cpm
MAX	malware (ai score=85)
Microsoft	TrojanDownloader:O97M/EncDoc.PMSH!MTB
Cynet	Malicious (score: 99)
McAfee	X97M/Downloader.ky
Fortinet	VBA/Agent.WL!tr

One or more non-whitelisted processes were created (1 event)

parent_process

excel.exe

martian_process

mshta C:\ProgramData\excel.rtf