Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 18, 2024, 10:49 a.m.	July 18, 2024, 10:52 a.m.

Size	50.7KB
Type	Microsoft Word 2007+
MD5	`8783d7173dbdfd95f05501fa9a20e46f`
SHA256	`5214b558c6596c9e9df91c6c0b018bf61970138acb4f9b837e5d25879195cd49`
CRC32	`F6B77950`
ssdeep	`1536:OoqVkXkGhQn3WFcXhRMOeIF7fankKdQiYQ:CqkUQ3GSQMUkKbP`
Yara	docx - Word 2007 file format detection zip_file_format - ZIP file format Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\attachment.docm
2552
- cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Roaming\Microsoft\Templates\version.vbs
  2748

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 18, 2024, 10:50 a.m.	buffer: 'C:\Users\test22\AppData\Roaming\Microsoft\Templates\version.vbs' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 18, 2024, 10:49 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:49 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e2a5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:49 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e541000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:49 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e221000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:49 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:50 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:50 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:50 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dfe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:50 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dde1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:50 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dde4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:50 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:50 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ddc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:50 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ddc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:50 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:50 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd37000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:50 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b641000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2024, 10:50 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6cd25000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$tachment.docm

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 18, 2024, 10:49 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003f4 filepath: C:\Users\test22\AppData\Local\Temp\~$tachment.docm desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$tachment.docm create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Roaming\Microsoft\Templates\version.vbs

Creates suspicious VBA object (1 event)

com_class

WScript.Shell

May attempt to create new processes

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

"C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Roaming\Microsoft\Templates\version.vbs

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
ALYac	GT:VB.EmoooDldr.4.B03C1B6E
VIPRE	GT:VB.EmoooDldr.4.B03C1B6E
Sangfor	Malware.Generic-Macro.Save.a893fb17
BitDefender	GT:VB.EmoooDldr.4.B03C1B6E
Arcabit	HEUR.VBA.CG.2
ESET-NOD32	VBA/Kimsuky.K
Avast	VBS:Obfuscated-gen [Trj]
ClamAV	Doc.Downloader.Valyria-10021468-0
NANO-Antivirus	Trojan.Script.Dnldr.elyanu
MicroWorld-eScan	GT:VB.EmoooDldr.4.B03C1B6E
Rising	Trojan.Kimsuky/VBA!8.1330D (TOPIS:E0:6BMNDE24csN)
Emsisoft	GT:VB.EmoooDldr.4.B03C1B6E (B)
F-Secure	Heuristic.HEUR/Macro.Downloader.PBMD.Gen
DrWeb	modification of W97M.Suspicious.1
TrendMicro	HEUR_VBA.O2
FireEye	GT:VB.EmoooDldr.4.B03C1B6E
Google	Detected.Heuristic.Script
Avira	HEUR/Macro.Downloader.PBMD.Gen
Antiy-AVL	Trojan/Macro.Kimsuky.k
GData	GT:VB.EmoooDldr.4.B03C1B6E
TACHYON	Suspicious/WOX.XSR.Gen
MAX	malware (ai score=85)
AVG	VBS:Obfuscated-gen [Trj]

The process winword.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe

attachment.docm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All