Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 4, 2023, 7:18 p.m.	July 4, 2023, 7:20 p.m.

Size	128.0KB
Type	Composite Document File V2 Document, Little Endian, Os: MacOS, Version 7.11, Code page: 10000, Title: SCHOOL OF PHYSICAL SCIENCES, Author: Dean's Office, Template: Normal.dotm, Last Saved By: Microsoft Office User, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 06:00, Last Printed: Fri Nov 15 02:13:00 2013, Create Time/Date: Thu Jun 29 18:36:00 2023, Last Saved Time/Date: Thu Jun 29 18:43:00 2023, Number of Pages: 2, Number of Words: 587, Number of Characters: 3347, Security: 0
MD5	`d0807bfc6b65ec81e4c2cb6bc91d026c`
SHA256	`1184252bed47270fdb5d853d07279cb2b01e61e3fe960bf8a69c56db2605d67d`
CRC32	`2D3E362C`
ssdeep	`1536:BFjfZgpYdRm/BjljrEQ1OkVKybVTOMlKNw0zqpTxD0dR1Cwxrt3r8aOt0My8LAFp:XLd6UeOHQXKNwqq18RNJr8xt0/dr`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\visalostpassp.doc
3012

Name	Response	Post-Analysis Lookup
config.messenger.msn.com	CNAME config.messenger.msnmessenger.msn.com.akadns.net A 64.4.26.155	64.4.26.155

IP Address	Status	Action
164.124.101.2	Active	Moloch
64.4.26.155	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (26 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a351000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:18 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:19 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:19 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:19 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:19 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:19 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:19 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:19 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:19 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:19 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 7:19 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$salostpassp.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 4, 2023, 7:18 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000468 filepath: C:\Users\test22\AppData\Local\Temp\~$salostpassp.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$salostpassp.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Word document hooks document close

Word document hooks document open

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

64.4.26.155:80

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Elastic	malicious (high confidence)
DrWeb	MACRO.WORM.Virus
Cynet	Malicious (score: 99)
CAT-QuickHeal	W97M.PSD.A
ALYac	VB:Trojan.Emeka.398
Sangfor	Virus.Generic-Macro.Save.02810d82
Cyren	W97M/Pri.Q
TrendMicro-HouseCall	W97M_Generic
Avast	BV:Hdfk-A [Trj]
ClamAV	Win.Trojan.Psycho-3
Kaspersky	Virus.MSWord.Melissa.w
BitDefender	VB:Trojan.Emeka.398
NANO-Antivirus	Trojan.Macro.Thus.byppsa
MicroWorld-eScan	VB:Trojan.Emeka.398
Rising	Macro.Melissa.b (CLASSIC)
Emsisoft	VB:Trojan.Emeka.398 (B)
F-Secure	Malware.O97M/Cybernet.Bmm.1
Baidu	MSWord.Virus.War.c
VIPRE	VB:Trojan.Emeka.398
TrendMicro	W97M_Generic
McAfee-GW-Edition	BehavesLike.OLE2.Class.cg
FireEye	VB:Trojan.Emeka.398
SentinelOne	Static AI - Malicious OLE
GData	VB:Trojan.Emeka.398
Jiangmin	MO/Jerk.d
Avira	O97M/Cybernet.Bmm.1
MAX	malware (ai score=80)
Antiy-AVL	Trojan[Downloader]/MSOffice.Agent.secu
Arcabit	VB:Trojan.Emeka.398
ZoneAlarm	Virus.MSWord.Melissa.w
Microsoft	Virus:W97M/Pri.Q
Google	Detected
Acronis	suspicious
McAfee	W97M/Pri.q@MM
VBA32	Virus.MSWord.Melissa.w
Yandex	WORD.97.PRI.B
Ikarus	Trojan.VB.Valyria
MaxSecure	Virus.MSWord.Pri.w
Fortinet	WM/Moat.5866BA59!tr
AVG	BV:Hdfk-A [Trj]
Panda	W97M/Pri.Q

visalostpassp.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All