Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 25, 2021, 5:18 p.m.	Sept. 25, 2021, 5:21 p.m.

Size	33.2KB
Type	Microsoft Word 2007+
MD5	`6d956049dbaadc19543a565d303e26a5`
SHA256	`c12b108d7406cf3297e5bf3b886c82cf11ad001263df071b2c01a75c4fe88a6c`
CRC32	`CC319A2C`
ssdeep	`768:l6t7LNZA47MpCGej7vvJGETww9BxwOsc5ZVAbW2:l6J5e/J8EETww9P/X7+62`
Yara	docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\липень.docx
2284
- MSOSYNC.EXE "C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe"
  352

Name	Response	Post-Analysis Lookup
classroom.dangeti.ru	A 194.67.87.218	194.67.87.218

IP Address	Status	Action
164.124.101.2	Active	Moloch
194.67.87.218	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 25, 2021, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2021, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Registration\{91150000-0011-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 25, 2021, 5:18 p.m.		1	1	0

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

classroom.dangeti.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a216000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a114000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a0d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a042000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69cd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fb2f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75179000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x35180000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75187000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6af44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738ba000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a216000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a042000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 5:18 p.m.	process_identifier: 352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69611000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$липень.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 25, 2021, 5:18 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000490 filepath: C:\Users\test22\AppData\Local\Temp\~$липень.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$липень.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 25, 2021, 5:20 p.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef50000 process_handle: 0xffffffff	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Zeus P2P (Banking Trojan) (27 events)

mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{AA813EA7-AC53-43D3-AEC0-6C2D1F726AA0}:TID{F85AF7C9-265C-434D-ACAE-E783DFE17053}
mutex	Local\Microsoft_Office_15CSI_OMTX:{16B53E46-D79E-428E-93B0-40888B69D04E}
mutex	Local\Microsoft_Office_15CSI_WDW:{529CC7EA-E671-4B87-A188-E95788436B79}
mutex	Local\Microsoft_Office_15CSI_WDW:{16B53E46-D79E-428E-93B0-40888B69D04E}
mutex	Local\Microsoft_Office_15CSI_WDW:{E9A8D762-8F20-4F49-A381-3D040F4FF549}
mutex	Global\Microsoft_Office_15Csi:GC:C:/Users/test22/AppData/Local/Microsoft/Office/15.0/OfficeFileCache/LocalCacheFileEditManager/FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
mutex	Local\Microsoft_Office_15CSI_WDW:{1DE76104-C511-40BC-8929-07710B523D7B}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{AA813EA7-AC53-43D3-AEC0-6C2D1F726AA0}:TID{7A3B9BC8-95AF-498B-A58A-AB578703D72A}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{AA813EA7-AC53-43D3-AEC0-6C2D1F726AA0}:TID{D0A49606-3BBC-45A0-A810-6E7F9720E394}
mutex	Local\Microsoft_Office_15CSI_WDW:{06BD8A44-5B34-48F5-854F-5F895A355264}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{AA813EA7-AC53-43D3-AEC0-6C2D1F726AA0}:TID{BFCEF68A-3F40-481B-B237-FD551CEC6C8A}
mutex	Local\Microsoft_Office_15CSI_WDW:{9963796E-A010-4205-9BD3-12748736DA67}
mutex	Local\Microsoft_Office_15CSI_WDW:{3D8EE2A4-1B45-457D-91A1-643828C0A4F0}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{AA813EA7-AC53-43D3-AEC0-6C2D1F726AA0}:TID{16284F64-D1CB-4015-ACFA-9E3944D6B6DD}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{AA813EA7-AC53-43D3-AEC0-6C2D1F726AA0}:TID{4A6D6FD4-6B5E-4B91-B650-BF1EC9669D4C}
mutex	Local\Microsoft_Office_15CSI_OMTX:{E9A8D762-8F20-4F49-A381-3D040F4FF549}
mutex	Local\Microsoft_Office_15CSI_OMTX:{9963796E-A010-4205-9BD3-12748736DA67}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{AA813EA7-AC53-43D3-AEC0-6C2D1F726AA0}:TID{48DEC616-56E4-4F30-8030-C51111C102A9}
mutex	Local\Microsoft_Office_15CSI_WDW:{FBFF1394-AC2C-4299-8FE3-1F3160E0A064}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{AA813EA7-AC53-43D3-AEC0-6C2D1F726AA0}:TID{5585BD79-2A2B-4359-8F93-404ED6147369}
mutex	Local\Microsoft_Office_15CSI_WDW:{64E1F80D-D23D-4C9C-A4D9-E83FFBE96CDE}
mutex	Local\Microsoft_Office_15Csi_TableRuntimeBucketsLock:{06BD8A44-5B34-48F5-854F-5F895A355264}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 10380, u'time': 4.181267976760864, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 18760, u'time': 4.7573628425598145, u'dport': 1900, u'sport': 49168}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 24878, u'time': 4.642681837081909, u'dport': 3702, u'sport': 49170}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 27734, u'time': 4.766280889511108, u'dport': 3702, u'sport': 49172}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 30462, u'time': 8.936331033706665, u'dport': 3702, u'sport': 53894}

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Lionic	Trojan.MSWord.Groooboor.4!c
BitDefender	Trojan.Groooboor.Gen.13
Arcabit	Trojan.Groooboor.Gen.13
Cyren	DOCX/CVE-2017-11882.B.gen!Camelot
Avast	Other:Malware-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-Downloader.MSOffice.Dotmer.gen
NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
MicroWorld-eScan	Trojan.Groooboor.Gen.13
Emsisoft	Trojan.Groooboor.Gen.13 (B)
McAfee-GW-Edition	Exploit-GDR!6B1779553B62
FireEye	Trojan.Groooboor.Gen.13
Ikarus	Trojan.Groooboor
GData	Trojan.Groooboor.Gen.13
Avira	W97M/Agent.bvw
Microsoft	Exploit:O97M/CVE-2017-0199.RVAK!MTB
ZoneAlarm	HEUR:Trojan-Downloader.MSOffice.Dotmer.gen
McAfee	Exploit-GDR!6B1779553B62
MAX	malware (ai score=99)
Fortinet	MSOffice/Agent.2DEC!tr
AVG	Other:Malware-gen [Trj]

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

194.67.87.218:80

липень.docx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All