Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 2, 2021, 6:15 p.m.	Sept. 2, 2021, 6:17 p.m.

Size	23.6KB
Type	Microsoft OOXML
MD5	`1d2094ce85d66878ee079185e2761beb`
SHA256	`938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52`
CRC32	`815CB869`
ssdeep	`384:Q6UDg00MWEg9fPCPyH111/elBqhveoNHfn5yAehqbhtgyhdCxi556BjsbIwRu:QcMWE04uebyvNv5yHcttg6dwc5YQb5Q`
Yara	None matched

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\A Letter before court 4.docx"
2408
- MSOSYNC.EXE "C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe"
  2200

Name	Response	Post-Analysis Lookup
hidusi.com

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 2, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 2, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 2, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Registration\{91150000-0011-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 2, 2021, 6:15 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a176000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a074000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a031000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69fa2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69c31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00981000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fb2f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75179000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75187000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6af44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738ba000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a176000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69fa2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69541000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$Letter before court 4.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 2, 2021, 6:15 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000490 filepath: C:\Users\test22\AppData\Local\Temp\~$Letter before court 4.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$Letter before court 4.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
McAfee-GW-Edition	Artemis!Trojan
Microsoft	TrojanDownloader:O97M/Donoff.SA

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 2, 2021, 6:15 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef60000 process_handle: 0xffffffff	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Zeus P2P (Banking Trojan) (27 events)

mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{8F407E67-7678-4630-9FEA-CCB07052E3F7}:TID{D0A49606-3BBC-45A0-A810-6E7F9720E394}
mutex	Local\Microsoft_Office_15CSI_WDW:{D661FAA2-F9BB-46BC-A5C7-A599B57027CC}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{8F407E67-7678-4630-9FEA-CCB07052E3F7}:TID{F85AF7C9-265C-434D-ACAE-E783DFE17053}
mutex	Local\Microsoft_Office_15CSI_WDW:{8D417602-E794-4EBD-8366-3DEA5B32A02A}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{8F407E67-7678-4630-9FEA-CCB07052E3F7}:TID{4A6D6FD4-6B5E-4B91-B650-BF1EC9669D4C}
mutex	Local\Microsoft_Office_15CSI_WDW:{54288BA2-4149-4ED6-95F8-76BA97960887}
mutex	Global\Microsoft_Office_15Csi:GC:C:/Users/test22/AppData/Local/Microsoft/Office/15.0/OfficeFileCache/LocalCacheFileEditManager/FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
mutex	Local\Microsoft_Office_15Csi_TableRuntimeBucketsLock:{8ED0EF96-4596-4A49-BAE4-4F2CE5291DFA}
mutex	Local\Microsoft_Office_15CSI_WDW:{2480702F-FB64-4690-8CC2-EFF756E2277E}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{8F407E67-7678-4630-9FEA-CCB07052E3F7}:TID{48DEC616-56E4-4F30-8030-C51111C102A9}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{8F407E67-7678-4630-9FEA-CCB07052E3F7}:TID{16284F64-D1CB-4015-ACFA-9E3944D6B6DD}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{8F407E67-7678-4630-9FEA-CCB07052E3F7}:TID{7A3B9BC8-95AF-498B-A58A-AB578703D72A}
mutex	Local\Microsoft_Office_15CSI_OMTX:{2480702F-FB64-4690-8CC2-EFF756E2277E}
mutex	Local\Microsoft_Office_15CSI_WDW:{9F3C354C-00F7-45F3-B386-AEF24E98C811}
mutex	Local\Microsoft_Office_15CSI_WDW:{6A8322D1-EFD8-4A1F-B0AF-4EA97D092A26}
mutex	Local\Microsoft_Office_15CSI_OMTX:{D2330D71-C7CC-4930-AE94-712AA4F8D98C}
mutex	Local\Microsoft_Office_15CSI_WDW:{D2330D71-C7CC-4930-AE94-712AA4F8D98C}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{8F407E67-7678-4630-9FEA-CCB07052E3F7}:TID{5585BD79-2A2B-4359-8F93-404ED6147369}
mutex	Local\Microsoft_Office_15CSI_WDW:{0B4BCB56-AB6C-4DA5-B78B-9F9C015F421E}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{8F407E67-7678-4630-9FEA-CCB07052E3F7}:TID{BFCEF68A-3F40-481B-B237-FD551CEC6C8A}
mutex	Local\Microsoft_Office_15CSI_WDW:{8ED0EF96-4596-4A49-BAE4-4F2CE5291DFA}
mutex	Local\Microsoft_Office_15CSI_OMTX:{9F3C354C-00F7-45F3-B386-AEF24E98C811}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 18841, u'time': 3.9325830936431885, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 27221, u'time': 4.643234014511108, u'dport': 1900, u'sport': 49168}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 33339, u'time': 4.390031099319458, u'dport': 3702, u'sport': 49170}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 36195, u'time': 4.8150529861450195, u'dport': 3702, u'sport': 49172}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 38923, u'time': 8.670734167098999, u'dport': 3702, u'sport': 53894}

A Letter before court 4.docx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All