Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 25, 2021, 10:33 a.m.	Sept. 25, 2021, 10:35 a.m.

Size	81.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dot, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 23 05:24:00 2021, Last Saved Time/Date: Thu Sep 23 05:24:00 2021, Number of Pages: 6, Number of Words: 3879, Number of Characters: 22113, Security: 0
MD5	`875f35ac7017ca6c572fdc3e40c0eec5`
SHA256	`d58d7818d94180f017bf98b2649799bb75b35f6fb473544ad8f80fcfb30140d3`
CRC32	`20078FD2`
ssdeep	`768:WIgEG0LScWGsklF85IaPr5QWzDxgwzJrEmjYJ+a93xkX731ibh6Axx8EwDH9/EmF:WYvwDH9/juy`
Yara	Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\Для руководства в работе.doc"
1896
- MSOSYNC.EXE "C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe"
  292

Name	Response	Post-Analysis Lookup
officeproductupdate.com	A 23.227.202.195	23.227.202.195

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.227.202.195	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 23.227.202.195:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 23.227.202.195:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 23.227.202.195:443	C=LV, L=Riga, O=GoGetSSL, CN=GoGetSSL RSA DV CA	CN=officeproductupdate.com	95:40:e2:6b:9a:06:47:28:61:73:7e:59:b3:84:0a:95:aa:e8:4f:3f
TLSv1 192.168.56.103:49171 23.227.202.195:443	C=LV, L=Riga, O=GoGetSSL, CN=GoGetSSL RSA DV CA	CN=officeproductupdate.com	95:40:e2:6b:9a:06:47:28:61:73:7e:59:b3:84:0a:95:aa:e8:4f:3f

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 25, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2021, 10:33 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Registration\{91150000-0011-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 25, 2021, 10:33 a.m.		1	1	0

Performs some HTTP requests (3 events)

request	OPTIONS https://officeproductupdate.com/
request	HEAD https://officeproductupdate.com/xenyl.xlt
request	GET https://officeproductupdate.com/xenyl.xlt

Allocates read-write-execute memory (usually to unpack itself) (21 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a85d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a216000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a114000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a0d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a042000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69cd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d61000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fb2f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75179000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75187000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6af44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738ba000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a216000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a042000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x694a1000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\xenyl[1].doc
file	C:\Users\test22\AppData\Local\Temp\~$я руководства в работе.doc
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F8F8720.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 25, 2021, 10:33 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004b0 filepath: C:\Users\test22\AppData\Local\Temp\~$я руководства в работе.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$я руководства в работе.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 25, 2021, 10:33 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef50000 process_handle: 0xffffffff	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Creates known RBot files, registry keys and/or mutexes (1 event)

mutex

Local\Microsoft_Office_15CSI_WDW:{EBCA02B8-7CBF-4F26-BB10-05B725FCD4CB}

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Zeus P2P (Banking Trojan) (27 events)

mutex	Local\Microsoft_Office_15CSI_WDW:{68325480-552B-4FE2-A2E0-6FB313014A38}
mutex	Local\Microsoft_Office_15CSI_WDW:{5145BFD1-3EA2-46C5-AA70-CA0426233D1A}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B3ECB977-6F9B-4978-BC38-5F37ED42AE86}:TID{7A3B9BC8-95AF-498B-A58A-AB578703D72A}
mutex	Local\Microsoft_Office_15Csi_TableRuntimeBucketsLock:{68325480-552B-4FE2-A2E0-6FB313014A38}
mutex	Local\Microsoft_Office_15CSI_OMTX:{07DBC3E2-7362-495C-A252-74A2D2A5885C}
mutex	Local\Microsoft_Office_15CSI_WDW:{07DBC3E2-7362-495C-A252-74A2D2A5885C}
mutex	Global\Microsoft_Office_15Csi:GC:C:/Users/test22/AppData/Local/Microsoft/Office/15.0/OfficeFileCache/LocalCacheFileEditManager/FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
mutex	Local\Microsoft_Office_15CSI_WDW:{0F75BBFC-AD42-41B8-AFEE-2DE5EFEDAC8B}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B3ECB977-6F9B-4978-BC38-5F37ED42AE86}:TID{4A6D6FD4-6B5E-4B91-B650-BF1EC9669D4C}
mutex	Local\Microsoft_Office_15CSI_OMTX:{D005E5DE-EC50-45AE-8AE1-59CFD571ED34}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B3ECB977-6F9B-4978-BC38-5F37ED42AE86}:TID{5585BD79-2A2B-4359-8F93-404ED6147369}
mutex	Local\Microsoft_Office_15CSI_WDW:{E5A671AC-6ADC-4BCD-B65B-BEF4F75BE058}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B3ECB977-6F9B-4978-BC38-5F37ED42AE86}:TID{48DEC616-56E4-4F30-8030-C51111C102A9}
mutex	Local\Microsoft_Office_15CSI_WDW:{D005E5DE-EC50-45AE-8AE1-59CFD571ED34}
mutex	Local\Microsoft_Office_15CSI_WDW:{DDCCFBBE-D08B-4B1B-99A6-9B30163A9DCF}
mutex	Local\Microsoft_Office_15CSI_WDW:{B30C6187-4A3D-4199-96FF-D6432E74E55B}
mutex	Local\Microsoft_Office_15CSI_WDW:{EBCA02B8-7CBF-4F26-BB10-05B725FCD4CB}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B3ECB977-6F9B-4978-BC38-5F37ED42AE86}:TID{D0A49606-3BBC-45A0-A810-6E7F9720E394}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B3ECB977-6F9B-4978-BC38-5F37ED42AE86}:TID{F85AF7C9-265C-434D-ACAE-E783DFE17053}
mutex	Local\Microsoft_Office_15CSI_OMTX:{E5A671AC-6ADC-4BCD-B65B-BEF4F75BE058}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B3ECB977-6F9B-4978-BC38-5F37ED42AE86}:TID{BFCEF68A-3F40-481B-B237-FD551CEC6C8A}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B3ECB977-6F9B-4978-BC38-5F37ED42AE86}:TID{16284F64-D1CB-4015-ACFA-9E3944D6B6DD}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 29409, u'time': 3.973099946975708, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 37789, u'time': 4.666748046875, u'dport': 1900, u'sport': 49168}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 43907, u'time': 4.431807994842529, u'dport': 3702, u'sport': 49170}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 46763, u'time': 4.836993932723999, u'dport': 3702, u'sport': 49172}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 49491, u'time': 8.710231065750122, u'dport': 3702, u'sport': 53894}

Для руководства в работе.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All