Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 12, 2021, 9:40 a.m.	Nov. 12, 2021, 9:42 a.m.

Size	12.0KB
Type	Zip archive data, at least v2.0 to extract
MD5	`936cad45145d0745ffde338ed6492615`
SHA256	`dd088962eb9e2a6b6e10114d4aecad1b20ca033f6eba1308eb6c0fcd9905cbee`
CRC32	`47011EFB`
ssdeep	`192:7RxHhv85uJHwc3q7KKm5GyIpCxX/g5G7err/lytqzQ/iCtHrdqK1VfIedYzGF3P+:7R3E5Z5m5ZiCxvFWxyozQ/iMLQK1NkG4`
Yara	docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\invoice.docx
2380
- MSOSYNC.EXE "C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe"
  2620

Name	Response	Post-Analysis Lookup
tigerdrill.xyz	A 159.223.68.213	159.223.68.213

IP Address	Status	Action
159.223.68.213	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 159.223.68.213:80	2033960	ET HUNTING [@Silv0123] Possible Fake Microsoft Office User-Agent Observed	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 159.223.68.213:80	2033960	ET HUNTING [@Silv0123] Possible Fake Microsoft Office User-Agent Observed	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 159.223.68.213:80	2033960	ET HUNTING [@Silv0123] Possible Fake Microsoft Office User-Agent Observed	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 159.223.68.213:80	2033960	ET HUNTING [@Silv0123] Possible Fake Microsoft Office User-Agent Observed	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 159.223.68.213:80	2033960	ET HUNTING [@Silv0123] Possible Fake Microsoft Office User-Agent Observed	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Nov. 12, 2021, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 12, 2021, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 12, 2021, 9:40 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Registration\{91150000-0011-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 12, 2021, 9:40 a.m.		1	1	0

Performs some HTTP requests (3 events)

request	OPTIONS http://tigerdrill.xyz/
request	HEAD http://tigerdrill.xyz/EYWCET97LV2U.html
request	GET http://tigerdrill.xyz/EYWCET97LV2U.html

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69ee6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69de4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69da1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69d12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x699a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f8bf000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x355a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x355a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75599000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x355a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6acd4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7362a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69ee6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69d12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69271000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$nvoice.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Nov. 12, 2021, 9:40 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000490 filepath: C:\Users\test22\AppData\Local\Temp\~$nvoice.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$nvoice.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 12, 2021, 9:40 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef50000 process_handle: 0xffffffff	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Zeus P2P (Banking Trojan) (24 events)

mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B992FD6B-D8FB-4B36-8F67-CB03D426C9EA}:TID{48DEC616-56E4-4F30-8030-C51111C102A9}
mutex	Local\Microsoft_Office_15CSI_WDW:{0D821421-63F3-48B4-8139-00A9756B7F81}
mutex	Local\Microsoft_Office_15CSI_OMTX:{98F54D6B-E08F-4CFD-8E8C-2616A3CC2476}
mutex	Local\Microsoft_Office_15CSI_WDW:{F4DB8D5A-CAE8-4EE9-9DC0-6DAE9D609362}
mutex	Global\Microsoft_Office_15Csi:GC:C:/Users/test22/AppData/Local/Microsoft/Office/15.0/OfficeFileCache/LocalCacheFileEditManager/FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B992FD6B-D8FB-4B36-8F67-CB03D426C9EA}:TID{5585BD79-2A2B-4359-8F93-404ED6147369}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B992FD6B-D8FB-4B36-8F67-CB03D426C9EA}:TID{BFCEF68A-3F40-481B-B237-FD551CEC6C8A}
mutex	Local\Microsoft_Office_15CSI_OMTX:{EA3EAC51-2357-4E92-AF45-73550EE5F3AC}
mutex	Local\Microsoft_Office_15CSI_WDW:{DC4C2D25-D1F4-450A-BE6C-4C1FB68DB0C4}
mutex	Local\Microsoft_Office_15CSI_WDW:{6E679D25-2A83-49E9-B23E-2DC6987A8A27}
mutex	Local\Microsoft_Office_15CSI_OMTX:{F4DB8D5A-CAE8-4EE9-9DC0-6DAE9D609362}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B992FD6B-D8FB-4B36-8F67-CB03D426C9EA}:TID{D0A49606-3BBC-45A0-A810-6E7F9720E394}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B992FD6B-D8FB-4B36-8F67-CB03D426C9EA}:TID{F85AF7C9-265C-434D-ACAE-E783DFE17053}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B992FD6B-D8FB-4B36-8F67-CB03D426C9EA}:TID{16284F64-D1CB-4015-ACFA-9E3944D6B6DD}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B992FD6B-D8FB-4B36-8F67-CB03D426C9EA}:TID{4A6D6FD4-6B5E-4B91-B650-BF1EC9669D4C}
mutex	Local\Microsoft_Office_15CSI_WDW:{E20F3842-1EBC-4CA4-B0BB-3533D770BACF}
mutex	Local\Microsoft_Office_15Csi_TableRuntimeBucketsLock:{0D821421-63F3-48B4-8139-00A9756B7F81}
mutex	Local\Microsoft_Office_15CSI_WDW:{EACD3049-F78D-401A-B175-E59B855BA0AA}
mutex	Local\Microsoft_Office_15CSI_WDW:{EA3EAC51-2357-4E92-AF45-73550EE5F3AC}
mutex	Local\Microsoft_Office_15CSI_WDW:{EF2A5DB3-BE01-4E7F-919F-743A486AAF02}
mutex	Local\Microsoft_Office_15CSI_WDW:{98F54D6B-E08F-4CFD-8E8C-2616A3CC2476}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{B992FD6B-D8FB-4B36-8F67-CB03D426C9EA}:TID{7A3B9BC8-95AF-498B-A58A-AB578703D72A}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 32345, u'time': 3.9683310985565186, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 40721, u'time': 93.67306017875671, u'dport': 1900, u'sport': 60884}

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

ClamAV	Doc.Exploit.CVE_2021_40444-9891528-0
CAT-QuickHeal	OLE.CVE-2021-40444.44117
Sangfor	Exploit.Generic-Doc.SAVE.exp15
Arcabit	Exploit.CVE-2021-40444.Gen.1
Cyren	URL/CVE2140444.A.gen!Eldorado
Symantec	Exp.CVE-2021-40444!g4
ESET-NOD32	DOC/TrojanDownloader.Agent.DHY
Avast	XML:CVE-2021-40444-A [Expl]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Exploit.MSOffice.CVE-2021-40444.a
BitDefender	Exploit.CVE-2021-40444.Gen.1
NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
MicroWorld-eScan	Exploit.CVE-2021-40444.Gen.1
Rising	Exploit.CVE-2021-40444!1.D97D (CLASSIC)
Ad-Aware	Exploit.CVE-2021-40444.Gen.1
Sophos	Exp/2140444-A
DrWeb	Exploit.CVE-2021-40444.1
TrendMicro	Trojan.W97M.CVE202140444.SMYJBIC
McAfee-GW-Edition	Exploit-CVE2021-40444.a
FireEye	Exploit.CVE-2021-40444.Gen.1
Emsisoft	Exploit.CVE-2021-40444.Gen.1 (B)
Ikarus	Exploit.CVE-2021-40444
GData	Script.Exploit.CVE-2021-40444.A
Avira	EXP/CVE-2021-40444.Gen
Microsoft	TrojanDownloader:O97M/Donoff.SA!Gen
McAfee	Exploit-CVE2021-40444.a
MAX	malware (ai score=86)
Tencent	Trojan.MsOffice.Downloader.11013726
Fortinet	MSOffice/Agent.DIT!tr
AVG	XML:CVE-2021-40444-A [Expl]

invoice.docx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All