Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 14, 2021, 5:42 p.m.	Sept. 14, 2021, 5:44 p.m.

Size	12.8KB
Type	Microsoft OOXML
MD5	`3c64e8a4bfdce7c4f19a441d13413acb`
SHA256	`dd1f09bb538a31c2c0e4f3218aa4a989256691e73738c7bfb7a60e6db9b7b0cf`
CRC32	`655A664D`
ssdeep	`192:76O3KmBOJ2wc3rMKkViP/kcMD2h0v5MJnJv18H111M05AgPekpn/w:76O3fBIhV8/6hv5MJnJ2H111/eqn/w`
Yara	docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\document.docx
2364
- MSOSYNC.EXE "C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe"
  2096

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.254.245.82	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 14, 2021, 5:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 5:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 5:42 p.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Registration\{91150000-0011-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 14, 2021, 5:42 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	Connection to IP address	suspicious_request	OPTIONS http://104.254.245.82/
suspicious_features	Connection to IP address	suspicious_request	HEAD http://104.254.245.82/word.html
suspicious_features	Connection to IP address	suspicious_request	GET http://104.254.245.82/word.html

Performs some HTTP requests (3 events)

request	OPTIONS http://104.254.245.82/
request	HEAD http://104.254.245.82/word.html
request	GET http://104.254.245.82/word.html

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a156000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a054000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69f82000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69c11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fb2f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75179000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75187000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6af44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738ba000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a156000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69f82000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69531000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$cument.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 14, 2021, 5:42 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000494 filepath: C:\Users\test22\AppData\Local\Temp\~$cument.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$cument.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 14, 2021, 5:42 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef50000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

104.254.245.82

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Zeus P2P (Banking Trojan) (27 events)

mutex	Local\Microsoft_Office_15CSI_WDW:{DB90836E-BAE9-421B-99DF-B4ECF273182B}
mutex	Local\Microsoft_Office_15CSI_OMTX:{3B0BF266-8A7A-4CEC-9B70-07E9E6B5E66F}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{0346ACD5-4318-40EB-BB78-A49393654177}:TID{4A6D6FD4-6B5E-4B91-B650-BF1EC9669D4C}
mutex	Local\Microsoft_Office_15CSI_WDW:{6D1CE756-FA3C-4203-A0D2-F414C2BBB873}
mutex	Global\Microsoft_Office_15Csi:GC:C:/Users/test22/AppData/Local/Microsoft/Office/15.0/OfficeFileCache/LocalCacheFileEditManager/FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
mutex	Local\Microsoft_Office_15CSI_OMTX:{59A5376C-F47C-41B2-BEEA-8E586F05AEC9}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{0346ACD5-4318-40EB-BB78-A49393654177}:TID{48DEC616-56E4-4F30-8030-C51111C102A9}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{0346ACD5-4318-40EB-BB78-A49393654177}:TID{7A3B9BC8-95AF-498B-A58A-AB578703D72A}
mutex	Local\Microsoft_Office_15CSI_WDW:{59A5376C-F47C-41B2-BEEA-8E586F05AEC9}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{0346ACD5-4318-40EB-BB78-A49393654177}:TID{16284F64-D1CB-4015-ACFA-9E3944D6B6DD}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{0346ACD5-4318-40EB-BB78-A49393654177}:TID{D0A49606-3BBC-45A0-A810-6E7F9720E394}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{0346ACD5-4318-40EB-BB78-A49393654177}:TID{F85AF7C9-265C-434D-ACAE-E783DFE17053}
mutex	Local\Microsoft_Office_15CSI_WDW:{59AB9B14-9B6B-40E4-B387-1505C46044A6}
mutex	Local\Microsoft_Office_15CSI_OMTX:{59AB9B14-9B6B-40E4-B387-1505C46044A6}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{0346ACD5-4318-40EB-BB78-A49393654177}:TID{5585BD79-2A2B-4359-8F93-404ED6147369}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{0346ACD5-4318-40EB-BB78-A49393654177}:TID{BFCEF68A-3F40-481B-B237-FD551CEC6C8A}
mutex	Local\Microsoft_Office_15CSI_WDW:{73041FE8-36DD-40AC-A8D9-A4A2D1EFDF6D}
mutex	Local\Microsoft_Office_15CSI_WDW:{3B0BF266-8A7A-4CEC-9B70-07E9E6B5E66F}
mutex	Local\Microsoft_Office_15Csi_TableRuntimeBucketsLock:{73041FE8-36DD-40AC-A8D9-A4A2D1EFDF6D}
mutex	Local\Microsoft_Office_15CSI_WDW:{30CEDB04-AC30-4A7F-8B9E-642727516708}
mutex	Local\Microsoft_Office_15CSI_WDW:{7103DAE2-927C-47B2-94B1-4EEBF26E46D5}
mutex	Local\Microsoft_Office_15CSI_WDW:{E7FC6134-3044-4DD0-8D38-9B3B89F721D9}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 17760, u'time': 4.0757410526275635, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 26140, u'time': 4.691236972808838, u'dport': 1900, u'sport': 49168}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 32258, u'time': 4.535790920257568, u'dport': 3702, u'sport': 49170}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 35114, u'time': 4.699913024902344, u'dport': 3702, u'sport': 49172}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 37842, u'time': 8.78237509727478, u'dport': 3702, u'sport': 49174}

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

ClamAV	Doc.Exploit.CVE_2021_40444-9891528-0
CAT-QuickHeal	OLE.CVE-2021-40444.44117
McAfee	Exploit-CVE2021-40444.a
Arcabit	Exploit.CVE-2021-40444.Gen.1
ESET-NOD32	DOC/TrojanDownloader.Agent.DHY
Avast	XML:CVE-2021-40444-A [Expl]
Kaspersky	HEUR:Exploit.MSOffice.CVE-2021-40444.a
BitDefender	Exploit.CVE-2021-40444.Gen.1
NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
MicroWorld-eScan	Exploit.CVE-2021-40444.Gen.1
Rising	Exploit.CVE-2021-40444!1.D97D (CLASSIC)
Ad-Aware	Exploit.CVE-2021-40444.Gen.1
Emsisoft	Exploit.CVE-2021-40444.Gen.1 (B)
DrWeb	Exploit.CVE-2021-40444.1
McAfee-GW-Edition	Exploit-CVE2021-40444.a
FireEye	Exploit.CVE-2021-40444.Gen.1
GData	Script.Exploit.CVE-2021-40444.A
MAX	malware (ai score=86)
Microsoft	TrojanDownloader:O97M/Donoff.SA!Gen
ZoneAlarm	HEUR:Exploit.MSOffice.CVE-2021-40444.a
Fortinet	MSOffice/Agent.DHY!tr
AVG	XML:CVE-2021-40444-A [Expl]

document.docx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All