resume_89607647.doc

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 9, 2021, 11:23 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 9, 2021, 11:23 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 9, 2021, 11:23 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c751000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 9, 2021, 11:23 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c741000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 9, 2021, 11:23 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c701000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 9, 2021, 11:23 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c6f1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 9, 2021, 11:23 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c6b1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 9, 2021, 11:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c5f1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 9, 2021, 11:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c5f4000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 9, 2021, 11:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 9, 2021, 11:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 9, 2021, 11:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 9, 2021, 11:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 9, 2021, 11:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$sume_89607647.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile March 9, 2021, 11:23 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003ec filepath: C:\Users\test22\AppData\Local\Temp\~$sume_89607647.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$sume_89607647.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Word document hooks document open

Potentially malicious URLs were found in the process memory dump (50 out of 1292 events)

url	https://ssl.pstatic.net/tveta/libs/1287/1287046/6df1cc02334922baa2d4_20200806172035021.jpg
url	https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url	http://find.joins.com/
url	http://uk.ask.com/favicon.ico
url	https://fonts.gstatic.com/s/lato/v16/S6uyw4BMUTPHjx4wWA.woff
url	http://google.com/
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38528621599152653.jpeg%22
url	http://search.yahoo.co.jp
url	http://ru.wikipedia.org/
url	https://s.pstatic.net/static/www/mobile/edit/2020/0804/cropImg_728x360_38481254551659019.jpeg
url	http://www.najdi.si/
url	http://www.merlin.com.pl/favicon.ico
url	http://www.cnet.com/favicon.ico
url	https://ssl.pstatic.net/tveta/libs/assets/js/common/min/probe.min.js
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic1.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0806%2FcropImg_222x145_38626953912837677.png%22
url	https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
url	http://search.naver.com/search.naver?sm=tab_hty.top
url	http://www.snee.com/xml/xslt/sample.doc
url	http://recherche.linternaute.com/
url	http://www.yceml.net/0559/10408495-1499411010011
url	http://p.zhongsou.com/
url	https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg
url	https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png
url	https://fonts.gstatic.com/s/catamaran/v7/o-0bIpQoyXQa2RxT7-5B6Ryxs2E_6n1iPHjd5a7dvQ.woff
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://ssl.pstatic.net/static/pwe/nm/b.gif
url	http://search.nifty.com/
url	https://castbox.shopping.naver.com/js/lazyload.js
url	http://ns.adobe.com/exif/1.0/
url	http://schemas.openxmlformats.org/wordprocessingml/2006/main
url	https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2Fmobile_17061525298c.jpg%22
url	http://www.etmall.com.tw/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png
url	http://schemas.xmlsoap.org/wsdl/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png
url	http://www.buzzadnetwork.com/jump/next.php?stamat=m%7CM-4iM-4jaQdHQBH0dEdHP3xP.0e7%2CboDB7XrVJDfRqYwVNhmAc8QRCrIuseXl_bWuTf_latOFYiGEzPpb7ikp5t8RPmTHyMRYDe1i9EJZLC6LSuccW1-YPggnMxkcwVirdNVGfgK3hFUbeKvFvqNv0-u8VxfrNUFB1gFhMN_8GLCn1znxf5_p0FJe0MYRI7nbfyajoqg_H3fvzrjsMsC0vAMYn2un8v5vcBfzwM-DewoZ7WId7geGlrySfAHx5KiJ5Hm90CU%2C
url	https://s.pstatic.net/shopping.phinf/20200720_22/e2297359-375a-403a-86c5-44ff86c708fc.jpg
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	http://busca.estadao.com.br/favicon.ico
url	http://search.hanafos.com/favicon.ico
url	https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png
url	https://tistory3.daumcdn.net/tistory/807805/skin/images/footerbg.jpg
url	http://search.chol.com/favicon.ico
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png
url	http://www.mercadolibre.com.mx/favicon.ico
url	https://file-examples-com.github.io/uploads/2017/02/file-sample_1MB.doc
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/825.png

Yara rule detected in process memory (30 events)

description	Hijack network configuration				rule	hijack_network
description	Create a COM server				rule	create_com_service
description	Listen for incoming communication				rule	network_tcp_listen
description	Communications over HTTP				rule	network_http
description	Communications over FTP				rule	network_ftp
description	Communications over RAW socket				rule	network_tcp_socket
description	Communications use DNS				rule	network_dns
description	Communication using dga				rule	network_dga
description	Escalade priviledges				rule	escalate_priv
description	Take screenshot				rule	screenshot
description	Run a keylogger				rule	keylogger
description	Steal credential				rule	cred_local
description	APC queue tasks migration				rule	migrate_apc
description	Malware can spread east-west file				rule	spreading_file
description	Remote Administration toolkit enable RDP				rule	rat_rdp
description	Create or check mutex				rule	win_mutex
description	Affect system registries				rule	win_registry
description	Affect system token				rule	win_token
description	Affect private profile				rule	win_private_profile
description	Affect private profile				rule	win_files_operation
description	Match Winsock 2 API library declaration				rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration				rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call				rule	Str_Win32_Internet_API
description	Match Windows Http API call				rule	Str_Win32_Http_API
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	ThreadControl__Context
description	Checks if being debugged				rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert				rule	antisb_threatExpert
description	Affect hook table				rule	win_hook

Creates suspicious VBA object (1 event)

com_class

wscript.shell

May attempt to create new processes

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	VBA.Heur.ObfDldr.25.F7CECC24.Gen
Sangfor	Malware.Generic-Macro.Save.6ef38ef4
Symantec	ISB.Downloader!gen60
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VBA.Heur.ObfDldr.25.F7CECC24.Gen
NANO-Antivirus	Trojan.Script.MLW.dnxmyp
Rising	Malware.ObfusVBA@ML.99 (VBA)
Ad-Aware	VBA.Heur.ObfDldr.25.F7CECC24.Gen
TACHYON	Suspicious/WOX.Obfus.Gen.8
F-Secure	Heuristic.HEUR/Macro.Downloader.AMGY.Gen
TrendMicro	HEUR_VBA.D
McAfee-GW-Edition	BehavesLike.Downloader.mc
FireEye	VBA.Heur.ObfDldr.25.F7CECC24.Gen
Emsisoft	VBA.Heur.ObfDldr.25.F7CECC24.Gen (B)
SentinelOne	Static AI - Malicious OPENXML
GData	VBA.Heur.ObfDldr.25.F7CECC24.Gen
Avira	HEUR/Macro.Downloader.AMGY.Gen
Arcabit	VBA.Heur.ObfDldr.25.F7CECC24.Gen
ZoneAlarm	HEUR:Trojan-Downloader.Script.Generic
Cynet	Malicious (score: 85)
MAX	malware (ai score=82)
Zoner	Probably Heur.W97Obfuscated
ESET-NOD32	VBA/Obfuscated.C
Tencent	Heur.Macro.Generic.h.c64c34a1
Fortinet	WM/Agent.AYS!tr
Qihoo-360	virus.office.obfuscated.1

Office document performs HTTP request (possibly to download malware) (1 event)

payload_url

https://fort-communications.com/view/user/license.key