Summary | ZeroBOX

Afghanistan-is-rich-in-minerals-but-getting-to-them-is-challenging.docx

Word 2007 file format(docx)
Category: FILE
Machine: s1_win7_x6403_us
Started: Sept. 27, 2021, 2:48 p.m.
Completed: Sept. 27, 2021, 2:50 p.m.
Size: 862.9KB
Type: Microsoft Word 2007+
MD5: ebfa7b412fe87af4bf586472f6f274c5
SHA256: b00d27bb7b9a1962dd8166ec51b4497b71bf47120fdb96e0d058d2136d190b57
CRC32: E035E691
ssdeep: 24576:YKMGlCX0q4m+Vsd0GYAi4XWRtvzS5yPK3Z/5eIaq4G7gUozAK:YKDq41kxfGXvO5yPa/cIjMt
Yara
  • docx - Word 2007 file format detection

DNS
Name: aljazeera.cc    Response: 181.214.31.79    Post-Analysis Lookup: (none)

Hosts
IP Address: 164.124.101.2    Status: Active    Action: Moloch
IP Address: 181.214.31.79    Status: Active    Action: Moloch

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Registration\{91150000-0011-0000-0000-0000000FF1CE}\DigitalProductID
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
domain: aljazeera.cc    description: Cocos Islands domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a216000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a114000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a0d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a042000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x69cd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01251000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2688
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00670000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fb2f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2688
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x35180000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75180000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x35180000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75179000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x35180000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75181000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75187000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6af44000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x738ba000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a216000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a042000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x695d1000
process_handle: 0xffffffff
1 0 0
file: C:\Users\test22\AppData\Local\Temp\~$ghanistan-is-rich-in-minerals-but-getting-to-them-is-challenging.docx
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000488
filepath: C:\Users\test22\AppData\Local\Temp\~$ghanistan-is-rich-in-minerals-but-getting-to-them-is-challenging.docx
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$ghanistan-is-rich-in-minerals-but-getting-to-them-is-challenging.docx
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
ESET-NOD32 DOC/TrojanDownloader.Agent.ARJ
TrendMicro-HouseCall TROJ_FRS.VSNW1AI21
Avast Other:Malware-gen [Trj]
Kaspersky HEUR:Trojan-Downloader.MSOffice.Dotmer.gen
NANO-Antivirus Exploit.Xml.CVE-2017-0199.equmby
Sophos Troj/DocDl-AEIR
Rising Exploit.ExtLink/OFFICE!1.C97A (CLASSIC)
AVG Other:Malware-gen [Trj]
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef60000
process_handle: 0xffffffff
1 0 0
parent_process: winword.exe
martian_process: C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE
cmdline: C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE
UDP flows (src -> dst, time in seconds from start of capture, pcap offset)
udp  192.168.56.103:49152 -> 239.255.255.250:3702    time 4.177455902099609    offset 12014
udp  192.168.56.103:49168 -> 239.255.255.250:1900    time 4.777735948562622    offset 20394
udp  192.168.56.103:49170 -> 239.255.255.250:3702    time 4.634357929229736    offset 26512
udp  192.168.56.103:49172 -> 239.255.255.250:3702    time 4.785506010055542    offset 29368
udp  192.168.56.103:53894 -> 239.255.255.250:3702    time 8.883843898773193    offset 32096