Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 31, 2022, 1:40 p.m.	March 31, 2022, 1:42 p.m.

Size	76.0KB
Type	Composite Document File V2 Document, Cannot read section info
MD5	`4520cad706d5dfc7df2250b487dcf020`
SHA256	`78f698c15915e877fcd3e370bc33ba7385e2918877bc660eb32de2ecdd16ea8f`
CRC32	`84E4AA51`
ssdeep	`1536:dxo/qTZs17oi2AunC7wv/duH1Ur3M8vL7TX5jAKKc:dCqtsVoi7H7w38kLpE`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Generic_Malware_Zero - Generic Malware Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\vbaProject.bin.doc
1968

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a8a6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a88b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a897000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a87b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a876000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a8bb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a857000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a89b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a890000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a8c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a8ab000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a8c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a8a6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a88b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a897000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a87b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a876000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a8bb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a857000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2022, 1:40 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a89b000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc
file	C:\Users\test22\AppData\Local\Temp\~$aProject.bin.doc
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile March 31, 2022, 1:40 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000108 filepath: C:\Users\test22\AppData\Local\Temp\~$aProject.bin.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$aProject.bin.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	VB:Trojan.Valyria.6251
FireEye	VB:Trojan.Valyria.6251
Arcabit	VB:Trojan.Valyria.D186B
VirIT	W97M/Downloader.Y
Symantec	Trojan.Gen.MBT
ESET-NOD32	VBA/TrojanDownloader.Agent.XOC
Avast	SNH:Script [Dropper]
Kaspersky	HEUR:Trojan-Downloader.MSOffice.Generic
BitDefender	VB:Trojan.Valyria.6251
Tencent	Office.Trojan-downloader.Generic.Palk
Ad-Aware	VB:Trojan.Valyria.6251
Emsisoft	VB:Trojan.Valyria.6251 (B)
McAfee-GW-Edition	BehavesLike.OLE2.Bad-VBA.ll
Microsoft	Trojan:O97M/Sonbokli.A!cl
ZoneAlarm	HEUR:Trojan-Downloader.MSOffice.Generic
GData	VB:Trojan.Valyria.6251
MAX	malware (ai score=86)
SentinelOne	Static AI - Suspicious OLE
Fortinet	VBA/Valyria.6251!tr
AVG	SNH:Script [Dropper]

vbaProject.bin.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All