Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 17, 2023, 1:12 p.m.	July 17, 2023, 1:14 p.m.

Size	711.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Invoice 894324 from Quickbooks, LLC, Author: Quickbooks, LLC, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jul 14 08:38:23 2021, Last Saved Time/Date: Wed Jul 14 14:04:09 2021, Security: 0
MD5	`73f2506109fae384bc40c7ba7cb5fc9c`
SHA256	`eb5b61b197c89ba6a19d3eaeda56d858f6bd30beaff0a43719fc5c6591e7ad2d`
CRC32	`22B24BBE`
ssdeep	`12288:DRYbXrlUc6XS/CwRl+4MW1H5onZHBDznxcp/c0UGtkbByxlFYd2DrpE9Nr:sUc6EjDMW1UrDjxcNcfgZI2or`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\Receipt-894324.xls
2552
- mshta.exe mshta "C:\ProgramData\qLegendPositionTop.sct"
  2712

Name	Response	Post-Analysis Lookup
jeromfastsolutions.com

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 17, 2023, 1:12 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 17, 2023, 1:12 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f5b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 17, 2023, 1:12 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f60f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 17, 2023, 1:12 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f60f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 17, 2023, 1:12 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f551000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 17, 2023, 1:12 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 17, 2023, 1:12 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70e11000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2023, 1:12 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2023, 1:12 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2023, 1:12 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2023, 1:12 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 17, 2023, 1:12 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70da2000 process_handle: 0xffffffff	1

Creates a suspicious process (1 event)

cmdline

mshta "C:\ProgramData\qLegendPositionTop.sct"

Creates suspicious VBA object (1 event)

com_class

Scripting.FileSystemObject

May attempt to write one or more files to the harddisk

One or more non-whitelisted processes were created (1 event)

parent_process

excel.exe

martian_process

mshta "C:\ProgramData\qLegendPositionTop.sct"

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Lionic	Trojan.Script.Generic.a!c
Elastic	malicious (high confidence)
DrWeb	Exploit.Siggen3.18834
MicroWorld-eScan	VB:Trojan.Valyria.5063
FireEye	VB:Trojan.Valyria.5063
CAT-QuickHeal	Ole.Trojan.A1709673
ALYac	Trojan.Downloader.XLS.Gen
Cyren	X97M/Agent.AAZ.gen!Eldorado
Symantec	W97M.Downloader
ESET-NOD32	VBA/TrojanDropper.Agent.CBR
TrendMicro-HouseCall	TROJ_FRS.0NA103GF21
Avast	SNH:Script [Dropper]
ClamAV	Doc.Dropper.MSHTA-6966166-0
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	VB:Trojan.Valyria.5063
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Tencent	Trojan.MsOffice.MacroS.11012383
Ad-Aware	VB:Trojan.Valyria.5063
Emsisoft	Trojan-Downloader.Macro.Generic.CQ (A)
Comodo	Malware@#lc7v1onpryii
TrendMicro	TROJ_FRS.0NA103GF21
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.bb
Sophos	Troj/DocDl-ADXD
SentinelOne	Static AI - Suspicious OLE
GData	VB:Trojan.Valyria.5063
Avira	HEUR/Macro.Downloader.AJAM.Gen
MAX	malware (ai score=99)
Gridinsoft	Trojan.U.Downloader.oa
Arcabit	VB:Trojan.Valyria.D13C7
ViRobot	XLS.Z.Agent.728576.C
Microsoft	TrojanDownloader:O97M/Dridex.PSTT!MTB
Cynet	Malicious (score: 99)
McAfee	RDN/Dridex
TACHYON	Suspicious/X97M.Dropper.Gen
Ikarus	VBA.Dridex
Fortinet	VBA/Agent.3EC4!tr
AVG	SNH:Script [Dropper]

Receipt-894324.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All