Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

Лист вих. на 10.2021.docx

Word 2007 file format(docx)

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 16, 2021, 9:38 a.m.	Sept. 16, 2021, 9:41 a.m.

Size	13.2KB
Type	Microsoft Word 2007+
MD5	`c7b9240f44af3ad5e22451618729d874`
SHA256	`e8cc77fb98dcd5a3da22ff8269ea46a217e7c57958b28177bc10d742d737ef86`
CRC32	`07686038`
ssdeep	`192:CtNC/Ym29vD7huX1/CVB0mRayOkqDs+GTjHpP2GPR0dipeg6pLiN/nZgl:aN82OX1/CEmRayl+sdfME90hpLgf+l`
Yara	docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\Лист вих. на 10.2021.docx"
2488

Name	Response	Post-Analysis Lookup
navigation45.countries.hibigaru.ru	A 94.228.125.223	94.228.125.223

IP Address	Status	Action
164.124.101.2	Active	Moloch
94.228.125.223	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Performs some HTTP requests (5 events)

request	OPTIONS http://navigation45.countries.hibigaru.ru/%D0%9F%D0%95%D0%A0%D0%92%D0%AB%D0%99/
request	HEAD http://navigation45.countries.hibigaru.ru/%D0%9F%D0%95%D0%A0%D0%92%D0%AB%D0%99/intention.abk
request	OPTIONS http://navigation45.countries.hibigaru.ru/%D0%9F%D0%95%D0%A0%D0%92%D0%AB%D0%99
request	PROPFIND http://navigation45.countries.hibigaru.ru/%D0%9F%D0%95%D0%A0%D0%92%D0%AB%D0%99
request	GET http://navigation45.countries.hibigaru.ru/%D0%9F%D0%95%D0%A0%D0%92%D0%AB%D0%99/intention.abk

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

navigation45.countries.hibigaru.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 16, 2021, 9:38 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69eaa000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 16, 2021, 9:39 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69744000 process_handle: 0xffffffff	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$ст вих. на 10.2021.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 16, 2021, 9:38 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000044c filepath: C:\Users\test22\AppData\Local\Temp\~$ст вих. на 10.2021.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$ст вих. на 10.2021.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
Zoner	Probably Heur.W97OleLink