Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 21, 2021, 8:45 a.m.	Aug. 21, 2021, 8:47 a.m.

Size	117.0KB
Type	Microsoft Word 2007+
MD5	`a35fcbf7ef40676341460277bdba9926`
SHA256	`0fc5aa555efd7787fb77cf71541dbb4832b0853ed0c9c84fd713fe11b7a92bfd`
CRC32	`A6DAFB1C`
ssdeep	`3072:61OnNKPfeWpd9N0ehXId+foRFlLZXNXgGxCp2ph627:+sCpXN0y4dIodTXg4/57`
Yara	None matched

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\International Crimean Platform.docx"
2284
- MSOSYNC.EXE "C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe"
  2532
  - MSOSYNC.EXE "C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe"
    2136

Name	Response	Post-Analysis Lookup
security-documents-check8.com	A 66.248.206.227	66.248.206.227

IP Address	Status	Action
164.124.101.2	Active	Moloch
66.248.206.227	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49169 -> 66.248.206.227:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 66.248.206.227:443 -> 192.168.56.103:49170	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 21, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Registration\{91150000-0011-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 21, 2021, 8:45 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (41 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a216000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a114000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a0d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a042000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69cd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fb2f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75179000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75187000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6af44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738ba000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a216000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a042000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x695d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a114000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fb2f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75179000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75187000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6af44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738ba000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75187000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75179000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75180000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 21, 2021, 8:45 a.m.	total_number_of_free_bytes: 10237272064 free_bytes_available: 10237272064 root_path: C:\Windows\system32 total_number_of_bytes: 34252779520	1	1	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$ternational Crimean Platform.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Aug. 21, 2021, 8:45 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000490 filepath: C:\Users\test22\AppData\Local\Temp\~$ternational Crimean Platform.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$ternational Crimean Platform.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Zoner	Probably Heur.W97OleLink

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 21, 2021, 8:45 a.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef60000 process_handle: 0xffffffff	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Zeus P2P (Banking Trojan) (27 events)

mutex	Local\Microsoft_Office_15CSI_WDW:{C317568B-A2FC-4F44-A163-93D353683848}
mutex	Local\Microsoft_Office_15CSI_OMTX:{B755127C-3A08-48B8-A0B6-3C583BC5E587}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{CECB48B8-C9A1-480D-B3FC-DE769BACF8BC}:TID{BFCEF68A-3F40-481B-B237-FD551CEC6C8A}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{CECB48B8-C9A1-480D-B3FC-DE769BACF8BC}:TID{F85AF7C9-265C-434D-ACAE-E783DFE17053}
mutex	Local\Microsoft_Office_15CSI_WDW:{845D3832-C9DC-491E-839E-F197FF78860D}
mutex	Local\Microsoft_Office_15CSI_WDW:{5363FE3B-76B8-4749-81C9-FE73DBD4CD02}
mutex	Local\Microsoft_Office_15CSI_WDW:{B755127C-3A08-48B8-A0B6-3C583BC5E587}
mutex	Global\Microsoft_Office_15Csi:GC:C:/Users/test22/AppData/Local/Microsoft/Office/15.0/OfficeFileCache/LocalCacheFileEditManager/FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
mutex	Local\Microsoft_Office_15CSI_OMTX:{006A89E4-807E-49BF-BA09-E628193D4772}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{CECB48B8-C9A1-480D-B3FC-DE769BACF8BC}:TID{48DEC616-56E4-4F30-8030-C51111C102A9}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{CECB48B8-C9A1-480D-B3FC-DE769BACF8BC}:TID{D0A49606-3BBC-45A0-A810-6E7F9720E394}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{CECB48B8-C9A1-480D-B3FC-DE769BACF8BC}:TID{16284F64-D1CB-4015-ACFA-9E3944D6B6DD}
mutex	Local\Microsoft_Office_15CSI_WDW:{61BFC5F4-D32C-4553-892D-9B71722DB5C4}
mutex	Local\Microsoft_Office_15Csi_TableRuntimeBucketsLock:{5363FE3B-76B8-4749-81C9-FE73DBD4CD02}
mutex	Local\Microsoft_Office_15CSI_WDW:{9F1FC86D-0B21-4B20-AA7D-31BB985F66B8}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{CECB48B8-C9A1-480D-B3FC-DE769BACF8BC}:TID{5585BD79-2A2B-4359-8F93-404ED6147369}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{CECB48B8-C9A1-480D-B3FC-DE769BACF8BC}:TID{4A6D6FD4-6B5E-4B91-B650-BF1EC9669D4C}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{CECB48B8-C9A1-480D-B3FC-DE769BACF8BC}:TID{7A3B9BC8-95AF-498B-A58A-AB578703D72A}
mutex	Local\Microsoft_Office_15CSI_WDW:{DA329DF1-B6FB-4F2C-8B37-7E9A3F418175}
mutex	Local\Microsoft_Office_15CSI_WDW:{006A89E4-807E-49BF-BA09-E628193D4772}
mutex	Local\Microsoft_Office_15CSI_WDW:{BD8B6A7A-046D-42B6-9847-14A3D655F69F}
mutex	Local\Microsoft_Office_15CSI_OMTX:{9F1FC86D-0B21-4B20-AA7D-31BB985F66B8}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 16056, u'time': 1.133653163909912, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 24436, u'time': 1.6119401454925537, u'dport': 1900, u'sport': 49168}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 30554, u'time': 1.5905861854553223, u'dport': 3702, u'sport': 49170}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 33410, u'time': 1.625150203704834, u'dport': 3702, u'sport': 49172}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 36138, u'time': 5.856461048126221, u'dport': 3702, u'sport': 53894}

International Crimean Platform.docx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All