Summary | ZeroBOX

scan0001.doc

Tags: Doc XML Downloader, Generic Malware, Malicious Library, UPX, Word 2007 file format(docx), doc, .NET DLL, PE File, DLL, OS Processor Check, PE32, ZIP Format, RTF File
Category FILE
Machine s1_win7_x6402
Started July 24, 2024, 3:26 p.m.
Completed July 24, 2024, 3:28 p.m.
Size 43.5KB
Type Zip archive data, at least v2.0 to extract
MD5 e96e2ed88e2f2fb80d02e7cd99a1420d
SHA256 dc747e9846ecb4c232b2e36007abdadc6d608272a8ea4305c89931ed0979944b
CRC32 70010857
ssdeep 768:3Tkbd5YLRTk1RqpsWOBFI7j5jJ3OGMXSdCoa3UcDeSHNLQgwXt1KtJBZUrAK1UO0:3TkbIVk1YTT/iR3UEeQ7ot1K1Zeu9z
Yara
  • docx - Word 2007 file format detection
  • zip_file_format - ZIP file format
  • Doc_XML_Downloader - Detect a MS Office document with embedded XML Downloader

Name Response Post-Analysis Lookup
office-updatecentral.com 94.141.120.137
IP Address Status Action
117.18.232.200 Active Moloch
164.124.101.2 Active Moloch
94.141.120.137 Active Moloch

request OPTIONS http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/
request HEAD http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/knolls
request OPTIONS http://office-updatecentral.com/armorer/opposing/stratifies/beachheads
request PROPFIND http://office-updatecentral.com/armorer/opposing/stratifies/beachheads
request PROPFIND http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/
request PROPFIND http://office-updatecentral.com/armorer/opposing/stratifies
request PROPFIND http://office-updatecentral.com/armorer/opposing/stratifies/
request PROPFIND http://office-updatecentral.com/armorer/opposing
request PROPFIND http://office-updatecentral.com/armorer/opposing/
request GET http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/knolls
request GET http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/exacerbating
request GET http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/canto
request GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4e6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4cb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4d7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4bb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4b6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4fb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a497000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4db000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4d0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a502000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4eb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a501000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4e6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4cb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4d7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4bb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4b6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4fb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a497000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a4db000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a16a000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\~$an0001.doc
file C:\Users\test22\AppData\Local\Temp\ztNU9wPs.dll
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000458
filepath: C:\Users\test22\AppData\Local\Temp\~$an0001.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$an0001.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
file C:\Users\test22\AppData\Local\Temp\ztNU9wPs.dll
Cynet Malicious (score: 99)
NANO-Antivirus Exploit.Xml.CVE-2017-0199.equmby
F-Secure Malware.W2000/AVI.Agent.uppyf
Avira W2000/AVI.Agent.uppyf
GData Macro.Trojan.Agent.4PF354
Zoner Probably Heur.W97OleLink
Fortinet XML/Agent.EDC!tr.dldr
host 117.18.232.200