Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 10, 2025, 10:09 a.m.	March 10, 2025, 10:13 a.m.

Size	21.2KB
Type	Microsoft Word 2007+
MD5	`65a18dada289696e52a38b04ca7f8c8d`
SHA256	`79e73d7d1c51b238c9d123afea7707cb1aa339cbb6d42fd7b4dd84813419c0cb`
CRC32	`2360699C`
ssdeep	`384:tlH87tnJQ6JxOrAt/fZvd3YMWkPCXcPg7VfRJ6x6MQV:/HMnJtcrsfZF3YMGcPg9j6y`
Yara	docx - Word 2007 file format detection zip_file_format - ZIP file format Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\mal_temp.dotm
2560

Name	Response	Post-Analysis Lookup
free-games-ua.s3.eu-central-1.amazonaws.com	A 52.219.171.18 A 3.5.139.107 CNAME s3-r-w.eu-central-1.amazonaws.com A 3.5.139.127 A 3.5.139.166 A 3.5.135.225 A 52.219.170.30 A 52.219.170.118 A 3.5.139.117	52.219.171.78

IP Address	Status	Action
164.124.101.2	Active	Moloch
52.219.170.118	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 52.219.170.118:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 10, 2025, 10:09 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2025, 10:09 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2025, 10:09 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2025, 10:09 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2025, 10:09 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e141000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2025, 10:10 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e131000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2025, 10:10 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e0f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2025, 10:10 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e031000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2025, 10:10 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e034000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 10:10 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 10:10 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 10:10 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x069a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 10:10 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x069b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2025, 10:10 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$l_temp.dotm

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile March 10, 2025, 10:09 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003f4 filepath: C:\Users\test22\AppData\Local\Temp\~$l_temp.dotm desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$l_temp.dotm create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates suspicious VBA object (1 event)

com_class

MSXML2.XMLHTTP

May attempt to connect to the outside world

Office document performs HTTP request (possibly to download malware) (1 event)

payload_url

https://free-games-ua.s3.eu-central-1.amazonaws.com/flag-stealer.ps1

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Lionic	Trojan.MSWord.PwShell.a!c
Elastic	malicious (high confidence)
ClamAV	Doc.Downloader.Powershell-10002004-0
CAT-QuickHeal	O97M.Dropper.AX
VIPRE	GT:VB.Heur2.PwShell.2.2BFB8634
Sangfor	Trojan.Generic-Macro.Save.f2707abd
BitDefender	GT:VB.Heur2.PwShell.2.2BFB8634
Arcabit	GT:VB.Heur2.PwShell.2.2BFB8634
VirIT	W97M/Downloader.AE
Symantec	ISB.Dropper!gen1
TrendMicro-HouseCall	TROJ_FRS.0NA104BO25
Avast	VBA:Downloader-FDK [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
Alibaba	TrojanDownloader:Script/modification.4d889f0f
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan	GT:VB.Heur2.PwShell.2.2BFB8634
Rising	Heur.Macro.powershell.a (CLASSIC)
Emsisoft	GT:VB.Heur2.PwShell.2.2BFB8634 (B)
F-Secure	Trojan:W97M/MaliciousMacro.GEN
DrWeb	modification of W97M.Suspicious.1
TrendMicro	TROJ_FRS.0NA104BO25
CTX	docx.downloader.w97m
SentinelOne	Static AI - Malicious OPENXML
FireEye	GT:VB.Heur2.PwShell.2.2BFB8634
Google	Highly Suspicious
Avira	HEUR/Macro.Downloader.ARIT.Gen
Antiy-AVL	Trojan[Downloader]/MSOffice.Agent
Kingsoft	Script.Trojan-Downloader.Generic.a
ViRobot	DOC.Z.Agent.21731
GData	GT:VB.Heur2.PwShell.2.2BFB8634
Varist	PP97M/Downldr.GC.gen!Eldorado
TACHYON	Suspicious/WOX.DNL.Gen
Ikarus	GT.Trojan-Downloader.PS.Agent
Zoner	Probably Heur.W97ShellS
Tencent	Heur.Macro.Generic.a.eca8e0c5
huorong	OMacro/Downloader.il
Fortinet	VBA/Dloader.FDK!tr
AVG	VBA:Downloader-FDK [Trj]
alibabacloud	Trojan[downloader]:MSOffice/Heur2.PrKycQR

mal_temp.dotm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All