Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 17, 2021, 9:23 a.m.	Sept. 17, 2021, 9:25 a.m.

Size	26.9KB
Type	Zip archive data, at least v1.0 to extract
MD5	`41dacae2a33ee717abcc8011b705f2cb`
SHA256	`84674acffba5101c8ac518019a9afe2a78a675ef3525a44dceddeed8a0092c69`
CRC32	`F404BB96`
ssdeep	`768:8HVoVneOa0HD/vb9EVoiJWq8UCei96T8vuX3m86RAFvg5e:8QVvbvb9wnIq8OitP88eY5e`
Yara	docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\Проверка Сотрудников.docx"
916
- MSOSYNC.EXE "C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe"
  2692

Name	Response	Post-Analysis Lookup
trendparlye.com

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 17, 2021, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 17, 2021, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 17, 2021, 9:23 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Registration\{91150000-0011-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 17, 2021, 9:23 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a176000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a074000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a031000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69fa2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69c31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fb2f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75179000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75187000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6af44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738ba000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a176000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69fa2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69541000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$оверка Сотрудников.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 17, 2021, 9:23 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000494 filepath: C:\Users\test22\AppData\Local\Temp\~$оверка Сотрудников.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$оверка Сотрудников.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 17, 2021, 9:23 a.m.	process_identifier: 916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef50000 process_handle: 0xffffffff	1	0	0

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Lionic	Trojan.MSWord.Generic.4!c
Arcabit	Exploit.CVE-2021-40444.Gen.1
BitDefender	Exploit.CVE-2021-40444.Gen.1
NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
MicroWorld-eScan	Exploit.CVE-2021-40444.Gen.1
Ad-Aware	Exploit.CVE-2021-40444.Gen.1
McAfee-GW-Edition	Artemis
FireEye	Exploit.CVE-2021-40444.Gen.1
Emsisoft	Exploit.CVE-2021-40444.Gen.1 (B)
GData	Exploit.CVE-2021-40444.Gen.1

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Zeus P2P (Banking Trojan) (27 events)

mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{F2DF42E2-1552-4B34-B1C3-52DB02D2980E}:TID{F85AF7C9-265C-434D-ACAE-E783DFE17053}
mutex	Local\Microsoft_Office_15CSI_OMTX:{6C372A36-7BCF-4DC8-AF88-BFA43EF103F6}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{F2DF42E2-1552-4B34-B1C3-52DB02D2980E}:TID{4A6D6FD4-6B5E-4B91-B650-BF1EC9669D4C}
mutex	Local\Microsoft_Office_15CSI_WDW:{155DAB95-D0CA-4A49-A592-5847A489DE81}
mutex	Global\Microsoft_Office_15Csi:GC:C:/Users/test22/AppData/Local/Microsoft/Office/15.0/OfficeFileCache/LocalCacheFileEditManager/FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{F2DF42E2-1552-4B34-B1C3-52DB02D2980E}:TID{BFCEF68A-3F40-481B-B237-FD551CEC6C8A}
mutex	Local\Microsoft_Office_15CSI_OMTX:{00C97AF6-AE13-4262-A6C5-423D717A6356}
mutex	Local\Microsoft_Office_15CSI_WDW:{6C372A36-7BCF-4DC8-AF88-BFA43EF103F6}
mutex	Local\Microsoft_Office_15CSI_OMTX:{3B41D473-61F1-4876-99E5-E9FA1340AA22}
mutex	Local\Microsoft_Office_15CSI_WDW:{00C97AF6-AE13-4262-A6C5-423D717A6356}
mutex	Local\Microsoft_Office_15CSI_WDW:{838B21C7-CAEE-44B7-909A-F9A966D7600E}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{F2DF42E2-1552-4B34-B1C3-52DB02D2980E}:TID{5585BD79-2A2B-4359-8F93-404ED6147369}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{F2DF42E2-1552-4B34-B1C3-52DB02D2980E}:TID{D0A49606-3BBC-45A0-A810-6E7F9720E394}
mutex	Local\Microsoft_Office_15CSI_WDW:{3B41D473-61F1-4876-99E5-E9FA1340AA22}
mutex	Local\Microsoft_Office_15CSI_WDW:{86EC6DBA-99DC-4615-8942-8F103E92D1F4}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{F2DF42E2-1552-4B34-B1C3-52DB02D2980E}:TID{7A3B9BC8-95AF-498B-A58A-AB578703D72A}
mutex	Local\Microsoft_Office_15CSI_WDW:{CADF4802-0D99-48D3-8501-E4046D36AF4C}
mutex	Local\Microsoft_Office_15CSI_WDW:{AE74C88C-940D-419B-AC80-9AEFDA3A7278}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{F2DF42E2-1552-4B34-B1C3-52DB02D2980E}:TID{16284F64-D1CB-4015-ACFA-9E3944D6B6DD}
mutex	Local\Microsoft_Office_15Csi_TableRuntimeBucketsLock:{838B21C7-CAEE-44B7-909A-F9A966D7600E}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{F2DF42E2-1552-4B34-B1C3-52DB02D2980E}:TID{48DEC616-56E4-4F30-8030-C51111C102A9}
mutex	Local\Microsoft_Office_15CSI_WDW:{CC097E78-0DD6-4C1F-BD19-3E286936EE99}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 12116, u'time': 4.042176008224487, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 20496, u'time': 4.645461082458496, u'dport': 1900, u'sport': 49168}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 26614, u'time': 4.51127815246582, u'dport': 3702, u'sport': 49170}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 29470, u'time': 4.6534810066223145, u'dport': 3702, u'sport': 49172}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 32198, u'time': 8.771152973175049, u'dport': 3702, u'sport': 53894}

Проверка Сотрудников.docx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All