Report - 0520_9597866810567.doc

VBA_macro DNS Socket ScreenShot AntiDebug AntiVM OS Processor Check MSOffice File
ScreenShot
Created 2021.05.21 10:14 Machine s1_win7_x6402
Filename 0520_9597866810567.doc
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Auth
AI Score Not founds Behavior Score
20.4
ZERO API file : clean
VT API (file) 13 detected (Suspexec, gen29, MalwareX, SDrop, Ole2, druvzi, EncPk, Wacapew, ZedlaF, Eu4@aKxQvvii)
md5 30e6824bbda52b477b50c80b2f96f855
sha256 5c1bc1d27424d9163fd2bb9b8bc9cde3a641388731e2745eae98d949a74fbf22
ssdeep 24576:CEIjrPUaphvGvGUZ93/semhXp7AsWoaHESKDhweYkTfBR0:C/jhvGvGU93097AFosESKqeYkTfB
imphash
impfuzzy
  Network IP location

Signature (42cnts)

Level Description
danger Executed a process and injected code into it
warning Generates some ICMP traffic
watch A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch Allocates execute permission to another process indicative of possible code injection
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Creates suspicious VBA object
watch File has been identified by 13 AntiVirus engines on VirusTotal as malicious
watch Harvests credentials from local FTP client softwares
watch Harvests information related to installed instant messenger clients
watch Libraries known to be associated with a CVE were requested (may be False Positive)
watch One or more non-whitelisted processes were created
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch The process winword.exe wrote an executable file to disk
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process rundll32.exe
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates (office) documents on the filesystem
notice Creates a suspicious process
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Resolves a suspicious Top Level Domain (TLD)
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Word document hooks document open
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (14cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
notice Network_DNS Communications use DNS memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (13cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://vaethemanic.com/8/forum.php DE IMLONGHAO 2.56.10.123 clean
http://api.ipify.org/?format=xml US AMAZON-AES 54.235.175.90 clean
http://api.ipify.org/ US AMAZON-AES 54.235.175.90 clean
http://q09pi7.ru/6jkio9ukds.exe Unknown 8.211.5.232 malware
q09pi7.ru Unknown 8.211.5.232 malware
sweyblidian.com RU Advanced Solutions LLC 92.62.115.177 mailcious
api.ipify.org US AMAZON-AES 54.235.175.90 clean
vaethemanic.com DE IMLONGHAO 2.56.10.123 clean
8.211.5.232 Unknown 8.211.5.232 malware
2.56.10.123 DE IMLONGHAO 2.56.10.123 mailcious
50.16.192.84 US AMAZON-AES 50.16.192.84 clean
139.155.178.173 CN Shenzhen Tencent Computer Systems Company Limited 139.155.178.173 clean
92.62.115.177 RU Advanced Solutions LLC 92.62.115.177 clean

Suricata ids



Similarity measure (PE file only) - Checking for service failure