Summary | ZeroBOX

emo.doc

VBA_macro Generic Malware MSOffice File
Category FILE
Machine s1_win7_x6401
Started Aug. 20, 2022, 7:05 p.m.
Completed Aug. 20, 2022, 7:08 p.m.
Size 205.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252
  • Subject: Handmade Argentina Handcrafted Frozen Towels yellow Frozen virtual Guatemala array Lesotho JBOD
  • Template: Normal.dotm
  • Revision Number: 1
  • Name of Creating Application: Microsoft Office Word
  • Create Time/Date: Fri Oct 30 23:48:00 2020
  • Last Saved Time/Date: Tue Nov 3 02:14:00 2020
  • Number of Pages: 1
  • Number of Words: 9339
  • Number of Characters: 53237
  • Security: 8
MD5 3079af4d01ee6ec51bd3d9911da7e23f
SHA256 c578a9fc241658517a7346a2a60236c84f0bb4919b857db226150aab4093451e
CRC32 964FF0D0
ssdeep 3072:evt3BDbKRPJivKie6B/w2yiWydh+bRevf1+l:evdlbKRPJiP/w2PCx
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Generic_Malware_Zero - Generic Malware
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
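The Contains_VBA_macro_code hit above is a string-based rule. The following is an added example written for this page, not ZeroBOX's rule and not code from the sample: a small Python check in the same spirit that classifies a file as an OLE2/CFB container (magic D0 CF 11 E0 A1 B1 1A E1, as in the Type field above) or an OOXML zip, and looks for VBA evidence. The markers it uses are assumptions about typical Word/Excel layouts: CFB directory-entry names are stored UTF-16LE, a macro project exposes a "_VBA_PROJECT" stream, MS-OVBA-compressed module streams begin with "Attribut\x00e VB_", and a .docm/.xlsm carries vbaProject.bin. The sample blobs are constructed, not the emo.doc bytes.

```python
"""Heuristic VBA-macro check for an Office document (added example).

Not ZeroBOX's Contains_VBA_macro_code rule; a raw string scan in the same
spirit. Assumptions: OLE2/CFB directory names are UTF-16LE, a VBA project
exposes a "_VBA_PROJECT" stream, module streams hold MS-OVBA-compressed
"Attribute VB_Name", and an OOXML macro file is a zip with vbaProject.bin.
"""
import io
import zipfile
from typing import Dict, List

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

# Directory-entry names present when a VBA project is stored (searched as UTF-16LE).
OLE_NAME_MARKERS = ["_VBA_PROJECT", "VBAProject"]
# MS-OVBA compression inserts a flag byte (0x00 = eight literals) after every
# 8 literal bytes, so "Attribute VB_" appears split as "Attribut\x00e VB_".
OLE_SOURCE_MARKER = b"Attribut\x00e VB_"
OOXML_VBA_PARTS = ("vbaProject.bin", "vbaData.xml")


def ole_vba_hits(data: bytes) -> List[str]:
    """Evidence strings found in a legacy OLE2 (.doc/.xls) container."""
    hits = []
    for name in OLE_NAME_MARKERS:
        if name.encode("utf-16-le") in data:
            hits.append("stream name " + name)
    if OLE_SOURCE_MARKER in data:
        hits.append("compressed module source (Attribute VB_)")
    return hits


def ooxml_vba_hits(data: bytes) -> List[str]:
    """Zip entries that carry a VBA project in an OOXML (.docm/.xlsm) container."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.endswith(OOXML_VBA_PARTS)]


def classify(data: bytes) -> Dict[str, object]:
    """Return container type, whether VBA evidence was found, and the evidence."""
    if data.startswith(OLE_MAGIC):
        hits = ole_vba_hits(data)
        return {"container": "ole2", "vba": bool(hits), "evidence": hits}
    if data.startswith(ZIP_MAGIC):
        hits = ooxml_vba_hits(data)
        return {"container": "ooxml", "vba": bool(hits), "evidence": hits}
    return {"container": "unknown", "vba": False, "evidence": []}


def build_samples() -> Dict[str, bytes]:
    """Constructed stand-ins, not the emo.doc bytes from this report."""
    macro_doc = (OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le")
                 + b"\x00" * 16 + b"\x00Attribut\x00e VB_Name = \"ThisDocument\"")
    plain_doc = OLE_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le")

    def zip_with(names):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for n in names:
                zf.writestr(n, b"x")
        return buf.getvalue()

    return {
        "macro_doc": macro_doc,
        "plain_doc": plain_doc,
        "macro_docm": zip_with(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]),
        "plain_docx": zip_with(["[Content_Types].xml", "word/document.xml"]),
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, classify(blob))
```

This scans raw bytes rather than walking the CFB directory, so it can be fooled by a name that happens to appear in free sectors; for anything beyond triage, parse the container (olefile/oletools) and enumerate the actual streams.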

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e9a1000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e9f5000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e991000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e961000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e531000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07770000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07770000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07780000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07790000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e171000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e174000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x507c1000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
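Every memory record above ends in the same shape: protection 64 (PAGE_EXECUTE_READWRITE) requested through process_handle 0xffffffff, the pseudo-handle GetCurrentProcess() returns, so PID 2832 is making its own memory writable and executable. The NtAllocateVirtualMemory calls commit fresh pages at 0x07770000, 0x07780000 and 0x07790000 (64 KiB apart, the Windows allocation granularity, so three separate regions), while the NtProtectVirtualMemory calls re-protect single existing pages; the report does not say what was written to them. The following is an added example, not ZeroBOX code: a parser for the report's own "API / key: value / status return repeated" layout plus the check that separates RWX commits and RWX re-protections from ordinary allocations. The excerpt it runs on is constructed from the records above, trimmed to the fields used, with one invented PAGE_READWRITE record to show what is not flagged.

```python
"""Triage of the sandbox API log above (added example, not ZeroBOX code).

Parses records in the report's "api / key: value / status return repeated"
layout and flags memory made writable-and-executable: a fresh MEM_COMMIT with
PAGE_EXECUTE_READWRITE, or an existing page re-protected to it. Constants are
the documented Win32 values; 0xffffffff is the GetCurrentProcess() pseudo-handle.
"""
import re

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
CURRENT_PROCESS = 0xFFFFFFFF

# Constructed excerpt in the report's layout, trimmed to the fields used here.
# The third record (plain PAGE_READWRITE) is invented to show what is NOT flagged.
SAMPLE_LOG = """
NtProtectVirtualMemory

process_identifier: 2832
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e9a1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07770000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
protection: 4 (PAGE_READWRITE)
base_address: 0x07800000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
"""


def parse_records(text):
    """Split the flattened log into {"api", "args", "status", "return", "repeated"} dicts."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"Nt\w+", line):          # a new API record starts
            cur = {"api": line, "args": {}}
            records.append(cur)
        elif ":" in line and cur is not None:      # key: value argument line
            key, _, val = line.partition(":")
            cur["args"][key.strip()] = val.strip()
        elif cur is not None:                      # trailing "status return repeated" row
            parts = line.split()
            if len(parts) == 3 and all(p.isdigit() for p in parts):
                cur["status"], cur["return"], cur["repeated"] = map(int, parts)
    return records


def numeric(val):
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64; '0x07770000' -> the int 0x07770000."""
    return int(val.split()[0], 0)


def rwx_events(records):
    """Records that commit or re-protect memory as PAGE_EXECUTE_READWRITE."""
    events = []
    for r in records:
        a = r["args"]
        if r["api"] not in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory"):
            continue
        if numeric(a["protection"]) != PAGE_EXECUTE_READWRITE:
            continue
        is_alloc = r["api"] == "NtAllocateVirtualMemory"
        if is_alloc and not numeric(a["allocation_type"]) & MEM_COMMIT:
            continue                                # reserve-only, nothing backed yet
        events.append({
            "api": r["api"],
            "pid": int(a["process_identifier"]),
            "page": numeric(a["base_address"]) & ~0xFFF,   # 4 KiB page base
            "self": numeric(a["process_handle"]) == CURRENT_PROCESS,
            "kind": "new RWX commit" if is_alloc else "page re-protected RWX",
            "succeeded": r.get("status") == 1,
        })
    return events


def summarize(records):
    ev = rwx_events(records)
    return {
        "rwx_commits": sum(e["api"] == "NtAllocateVirtualMemory" for e in ev),
        "rwx_reprotects": sum(e["api"] == "NtProtectVirtualMemory" for e in ev),
        "pids": sorted({e["pid"] for e in ev}),
        "all_in_own_process": all(e["self"] for e in ev),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for e in rwx_events(recs):
        print(f'{e["api"]:<26} pid={e["pid"]} page=0x{e["page"]:08x} {e["kind"]}')
    print(summarize(recs))
```

Run against the full set of records above, the same logic yields four RWX commits and nine RWX re-protections, all in PID 2832 and all through the self pseudo-handle; a re-protection into another process's handle would be the cross-process variant worth a separate rule.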
file C:\Users\test22\AppData\Local\Temp\~$emo.doc (the "~$" owner/lock file Word creates beside an open document; expected to be hidden, which matches FILE_ATTRIBUTE_HIDDEN below)
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000198
filepath: C:\Users\test22\AppData\Local\Temp\~$emo.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$emo.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1  return: 0  repeated: 0
cve CVE-2013-3906
Lionic Trojan.MSWord.Generic.4!c
Elastic malicious (high confidence)
ClamAV Doc.Malware.Emotet-9785300-0
FireEye VB.Heur.EmoDldr.33.0F5A300F.Gen
CAT-QuickHeal OLE.Downloader.39729
McAfee X97M/Downloader.gh
Arcabit HEUR.VBA.A.1
Cyren W97M/Agent.OB.gen!Eldorado
Symantec W97M.Downloader
ESET-NOD32 VBA/TrojanDownloader.Agent.UUC
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.YXBKQZ
Avast SNH:Script [Dropper]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan.MSOffice.SAgent.gen
BitDefender VB.Heur.EmoDldr.33.0F5A300F.Gen
NANO-Antivirus Trojan.Script.Downloader.ibqziu
ViRobot W97M.S.Downloader.210432.C
MicroWorld-eScan VB.Heur.EmoDldr.33.0F5A300F.Gen
Tencent Heur.Macro.Generic.h.eeacb295
Ad-Aware ATI:EmotetDOC.66F3CD64
Sophos Troj/DocDl-ADEJ
Comodo Malware@#p1e4nxse0el3
DrWeb Exploit.Siggen3.1317
VIPRE VB.Heur.EmoDldr.33.0F5A300F.Gen
TrendMicro TrojanSpy.Win32.EMOTET.YXBKQZ
McAfee-GW-Edition BehavesLike.OLE2.Downloader.dg
Emsisoft VB.Heur.EmoDldr.33.0F5A300F.Gen (B)
SentinelOne Static AI - Malicious OLE
Avira W97M/Agent.4629217
MAX malware (ai score=100)
Antiy-AVL Trojan/Generic.ASMacro.2C853
Microsoft TrojanDownloader:O97M/Emotet.QAX!MTB
ZoneAlarm HEUR:Trojan.MSOffice.SAgent.gen
GData VB.Heur.EmoDldr.33.0F5A300F.Gen
Google Detected
AhnLab-V3 Trojan/MSOffice.XProcess
Acronis suspicious
ALYac Trojan.Downloader.DOC.Gen
VBA32 TrojanDownloader.O97M.Emotet.QAX
Rising Malware.Obfus/VBA@AI.99 (VBA)
Ikarus Trojan-Downloader.VBA.Agent
Fortinet VBA/CoinMiner.UFY!tr.dldr
AVG SNH:Script [Dropper]
Panda O97M/Downloader