Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 7, 2021, 10:40 a.m.	Nov. 7, 2021, 10:46 a.m.

Size	60.8KB
Type	Microsoft OOXML
MD5	`ffeb8e4150061e66092e9bbb513167f7`
SHA256	`59e08d42ce495f290c4dfd7be9614f786cdfed3ebdd7d6e68accbb630c051083`
CRC32	`C62C6CA1`
ssdeep	`1536:cQvlIz3zXETkheH63IlUtEP9bB3Lv0jjaqmHZVPaWPvU16ftB89m+:cSK3zXETxa3IgCbZLv0AHZRRM43qm+`
Yara	docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\姓氏名字.docx"
2316
- MSOSYNC.EXE "C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe"
  2580

Name	Response	Post-Analysis Lookup
www.xiaodi8.com	A 47.75.212.155	47.75.212.155

IP Address	Status	Action
164.124.101.2	Active	Moloch
47.75.212.155	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 47.75.212.155:80	2033960	ET HUNTING [@Silv0123] Possible Fake Microsoft Office User-Agent Observed	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 47.75.212.155:80	2033960	ET HUNTING [@Silv0123] Possible Fake Microsoft Office User-Agent Observed	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 47.75.212.155:80	2033960	ET HUNTING [@Silv0123] Possible Fake Microsoft Office User-Agent Observed	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Nov. 7, 2021, 10:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2021, 10:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2021, 10:40 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Registration\{91150000-0011-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 7, 2021, 10:40 a.m.		1	1	0

Performs some HTTP requests (3 events)

request	OPTIONS http://www.xiaodi8.com/
request	HEAD http://www.xiaodi8.com/1.dotm?raw=ture
request	GET http://www.xiaodi8.com/1.dotm?raw=ture

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69fa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69ea4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69e61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69dd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69a61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a01000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f8bf000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x355a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x355a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75599000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x355a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6acd4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7362a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69fa6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69dd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69331000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$姓氏名字.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Nov. 7, 2021, 10:40 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000488 filepath: C:\Users\test22\AppData\Local\Temp\~$姓氏名字.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$姓氏名字.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef40000 process_handle: 0xffffffff	1	0	0

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

BitDefender	Trojan.GenericKD.47343059
ESET-NOD32	a variant of Generik.LQMVOCZ
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.MSOffice.SAgent.gen
NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
MicroWorld-eScan	Trojan.GenericKD.47343059
Ad-Aware	Trojan.GenericKD.47343059
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.GenericKD.47343059
Ikarus	Trojan.SuspectCRC
GData	Macro.Trojan.Agent.AWDB2X
AhnLab-V3	Downloader/XML.External.S1418
MAX	malware (ai score=86)
Zoner	Probably Heur.W97OleLink
AVG	Other:Malware-gen [Trj]

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Zeus P2P (Banking Trojan) (24 events)

mutex	Local\Microsoft_Office_15CSI_WDW:{3489969C-6849-4140-9C6B-BE86FED3AC60}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{3DA01BDA-F5D2-4DCF-8870-B100819A608A}:TID{BFCEF68A-3F40-481B-B237-FD551CEC6C8A}
mutex	Local\Microsoft_Office_15CSI_WDW:{B6796F50-33FF-4ADC-809E-8E884A44B7E1}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{3DA01BDA-F5D2-4DCF-8870-B100819A608A}:TID{16284F64-D1CB-4015-ACFA-9E3944D6B6DD}
mutex	Local\Microsoft_Office_15CSI_OMTX:{B6796F50-33FF-4ADC-809E-8E884A44B7E1}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{3DA01BDA-F5D2-4DCF-8870-B100819A608A}:TID{7A3B9BC8-95AF-498B-A58A-AB578703D72A}
mutex	Global\Microsoft_Office_15Csi:GC:C:/Users/test22/AppData/Local/Microsoft/Office/15.0/OfficeFileCache/LocalCacheFileEditManager/FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
mutex	Local\Microsoft_Office_15CSI_WDW:{B1EFA442-BA29-4A58-A0AE-FF01B9560CA4}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{3DA01BDA-F5D2-4DCF-8870-B100819A608A}:TID{F85AF7C9-265C-434D-ACAE-E783DFE17053}
mutex	Local\Microsoft_Office_15CSI_WDW:{7920F5CD-2359-42A5-99D1-084F273764AD}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{3DA01BDA-F5D2-4DCF-8870-B100819A608A}:TID{4A6D6FD4-6B5E-4B91-B650-BF1EC9669D4C}
mutex	Local\Microsoft_Office_15CSI_WDW:{5CB30A29-87F0-47DB-8F9F-12528D2F356A}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{3DA01BDA-F5D2-4DCF-8870-B100819A608A}:TID{5585BD79-2A2B-4359-8F93-404ED6147369}
mutex	Local\Microsoft_Office_15CSI_OMTX:{37DBEE8D-1E92-4099-A3DC-E0F197314BCE}
mutex	Local\Microsoft_Office_15CSI_WDW:{FED04108-ABCE-4A39-8C92-9B8E1FD6ABAC}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{3DA01BDA-F5D2-4DCF-8870-B100819A608A}:TID{D0A49606-3BBC-45A0-A810-6E7F9720E394}
mutex	Local\Microsoft_Office_15CSI_WDW:{37DBEE8D-1E92-4099-A3DC-E0F197314BCE}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{3DA01BDA-F5D2-4DCF-8870-B100819A608A}:TID{48DEC616-56E4-4F30-8030-C51111C102A9}
mutex	Local\Microsoft_Office_15Csi_TableRuntimeBucketsLock:{B1EFA442-BA29-4A58-A0AE-FF01B9560CA4}
mutex	Local\Microsoft_Office_15CSI_WDW:{2B8B12E4-D5F0-484D-9F37-EDA49BE113E0}
mutex	Local\Microsoft_Office_15CSI_WDW:{B9C534B7-78C1-44D9-A0BA-FBCA0C0FB30D}
mutex	Local\Microsoft_Office_15CSI_OMTX:{7920F5CD-2359-42A5-99D1-084F273764AD}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 16434, u'time': 5.716450929641724, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 24810, u'time': 95.40261101722717, u'dport': 1900, u'sport': 60121}

姓氏 名字.docx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All

姓氏名字.docx