popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

.---------------..-----------------......-....google.-------.wiz

doc RTF File AntiDebug AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 13, 2021, 6:30 p.m. Sept. 13, 2021, 6:32 p.m.
Size 15.5KB
Type data
MD5 a5fedf6b6cb4f47640a5f2d8e36d09e7
SHA256 46efc7f831c8c3c86457ccc7fe331317ae4638f5a7a56bdbb91bd151116ac072
CRC32 E01871F9
ssdeep 384:5Wo3/GzbMQ/LPAfJFQhFiax58EGmJ70av3NJpf6P5qy:r3/YAQDPwEhFiax58jmJ70K3NPIN
Yara
  • Rich_Text_Format_Zero - Rich Text Format Signature Zero

Name Response Post-Analysis Lookup
doc-00-1c-docs.googleusercontent.com
A 172.217.161.161
CNAME googlehosted.l.googleusercontent.com
142.250.196.97
drive.google.com
A 172.217.25.238
142.250.199.110
IP Address Status Action
136.243.159.53 Active Moloch
164.124.101.2 Active Moloch
172.217.161.161 Active Moloch
172.217.25.238 Active Moloch
23.95.85.181 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49210 -> 172.217.25.238:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49204 -> 23.95.85.181:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.101:49204 -> 23.95.85.181:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 23.95.85.181:80 -> 192.168.56.101:49204 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 23.95.85.181:80 -> 192.168.56.101:49204 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 23.95.85.181:80 -> 192.168.56.101:49204 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 23.95.85.181:80 -> 192.168.56.101:49204 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49211 -> 172.217.161.161:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49213 -> 136.243.159.53:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.101:49212 -> 136.243.159.53:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.101:49213 -> 136.243.159.53:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 136.243.159.53:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 136.243.159.53:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.101:49214 -> 136.243.159.53:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 136.243.159.53:80 2024312 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
TCP 192.168.56.101:49212 -> 136.243.159.53:80 2024312 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
TCP 192.168.56.101:49213 -> 136.243.159.53:80 2024317 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected
TCP 192.168.56.101:49212 -> 136.243.159.53:80 2024317 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected
TCP 192.168.56.101:49214 -> 136.243.159.53:80 2024313 ET MALWARE LokiBot Request for C2 Commands Detected M1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 136.243.159.53:80 2024318 ET MALWARE LokiBot Request for C2 Commands Detected M2 Malware Command and Control Activity Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49210
172.217.25.238:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=*.google.com ef:1f:1c:2c:41:c4:ed:3c:4e:60:4f:56:1b:ed:09:ba:e9:e1:39:2d
TLSv1
192.168.56.101:49211
172.217.161.161:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=*.googleusercontent.com c2:32:d6:56:55:c0:b4:21:45:21:7a:75:1d:7a:a2:fb:a5:1f:5f:ea

registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74b41414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e
wdCommandDispatch+0x3f3be7 DllCanUnloadNow-0xd94e6 wwlib+0x7d4e5c @ 0x70324e5c
DllGetClassObject+0x9b035 DllGetLCID-0x1c084b wwlib+0x9fc7f @ 0x6fbefc7f
DllGetClassObject+0x9ac3c DllGetLCID-0x1c0c44 wwlib+0x9f886 @ 0x6fbef886
DllGetClassObject+0x9a90c DllGetLCID-0x1c0f74 wwlib+0x9f556 @ 0x6fbef556
DllGetClassObject+0x115ef3 DllGetLCID-0x14598d wwlib+0x11ab3d @ 0x6fc6ab3d
DllGetClassObject+0x11457c DllGetLCID-0x147304 wwlib+0x1191c6 @ 0x6fc691c6
DllGetClassObject+0x115894 DllGetLCID-0x145fec wwlib+0x11a4de @ 0x6fc6a4de
DllCanUnloadNow+0x127d65 wwlib+0x9d60a7 @ 0x705260a7
wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x70319c27
DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x70793aa2
DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x70793ed4
DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x6fbb395f
DllGetClassObject+0x5de5b DllGetLCID-0x1fda25 wwlib+0x62aa5 @ 0x6fbb2aa5
DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x6fbb27ab
FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x6fb54c0e
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2f4315d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2f43155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1392484
registers.edi: 1957755408
registers.eax: 1392484
registers.ebp: 1392564
registers.edx: 2130566132
registers.ebx: 5051588
registers.esi: 2147944126
registers.ecx: 1231000655
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x74afb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x74afb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x74afb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x74afa66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x74b7a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x74b577e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x74b414b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e
wdCommandDispatch+0x3f3be7 DllCanUnloadNow-0xd94e6 wwlib+0x7d4e5c @ 0x70324e5c
DllGetClassObject+0x9b035 DllGetLCID-0x1c084b wwlib+0x9fc7f @ 0x6fbefc7f
DllGetClassObject+0x9ac3c DllGetLCID-0x1c0c44 wwlib+0x9f886 @ 0x6fbef886
DllGetClassObject+0x9a90c DllGetLCID-0x1c0f74 wwlib+0x9f556 @ 0x6fbef556
DllGetClassObject+0x115ef3 DllGetLCID-0x14598d wwlib+0x11ab3d @ 0x6fc6ab3d
DllGetClassObject+0x11457c DllGetLCID-0x147304 wwlib+0x1191c6 @ 0x6fc691c6
DllGetClassObject+0x115894 DllGetLCID-0x145fec wwlib+0x11a4de @ 0x6fc6a4de
DllCanUnloadNow+0x127d65 wwlib+0x9d60a7 @ 0x705260a7
wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x70319c27
DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x70793aa2
DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x70793ed4
DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x6fbb395f
DllGetClassObject+0x5de5b DllGetLCID-0x1fda25 wwlib+0x62aa5 @ 0x6fbb2aa5
DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x6fbb27ab
FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x6fb54c0e
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2f4315d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2f43155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1392176
registers.edi: 1957755408
registers.eax: 1392176
registers.ebp: 1392256
registers.edx: 2130566132
registers.ebx: 5006132
registers.esi: 2147944122
registers.ecx: 1231000655
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://23.95.85.181/http/vbc.exe
suspicious_features POST method with no referer header, HTTP version 1.0 used, Connection to IP address suspicious_request POST http://136.243.159.53/~element/page.php?id=429
request GET http://23.95.85.181/http/vbc.exe
request POST http://136.243.159.53/~element/page.php?id=429
request GET https://drive.google.com/uc?export=download&id=1u_LDPUBD8svIuWN6M_dYDxV9pWS_PZM_
request GET https://doc-00-1c-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/44otpfku4m84nv2baa4uts53scs88sf5/1631525475000/14552286414405439806/*/1u_LDPUBD8svIuWN6M_dYDxV9pWS_PZM_?e=download
request POST http://136.243.159.53/~element/page.php?id=429
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x2f431000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fb51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6edd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6eeee000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fd9e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ddb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e31a000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75738000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72381000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72381000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72c41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x722a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x722a2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72331000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b20000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02cd0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72202000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02d10000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02e90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c61000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ac0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ac0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72131000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6cb81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6cbdf000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6cbdf000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72311000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73361000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06090000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06090000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x060a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2252
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x060b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c8e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c8e4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x507c1000
process_handle: 0xffffffff
1 0 0
Application Crash Process WINWORD.EXE with pid 2252 crashed
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74b41414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e
wdCommandDispatch+0x3f3be7 DllCanUnloadNow-0xd94e6 wwlib+0x7d4e5c @ 0x70324e5c
DllGetClassObject+0x9b035 DllGetLCID-0x1c084b wwlib+0x9fc7f @ 0x6fbefc7f
DllGetClassObject+0x9ac3c DllGetLCID-0x1c0c44 wwlib+0x9f886 @ 0x6fbef886
DllGetClassObject+0x9a90c DllGetLCID-0x1c0f74 wwlib+0x9f556 @ 0x6fbef556
DllGetClassObject+0x115ef3 DllGetLCID-0x14598d wwlib+0x11ab3d @ 0x6fc6ab3d
DllGetClassObject+0x11457c DllGetLCID-0x147304 wwlib+0x1191c6 @ 0x6fc691c6
DllGetClassObject+0x115894 DllGetLCID-0x145fec wwlib+0x11a4de @ 0x6fc6a4de
DllCanUnloadNow+0x127d65 wwlib+0x9d60a7 @ 0x705260a7
wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x70319c27
DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x70793aa2
DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x70793ed4
DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x6fbb395f
DllGetClassObject+0x5de5b DllGetLCID-0x1fda25 wwlib+0x62aa5 @ 0x6fbb2aa5
DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x6fbb27ab
FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x6fb54c0e
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2f4315d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2f43155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1392484
registers.edi: 1957755408
registers.eax: 1392484
registers.ebp: 1392564
registers.edx: 2130566132
registers.ebx: 5051588
registers.esi: 2147944126
registers.ecx: 1231000655
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x74afb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x74afb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x74afb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x74afa66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x74b7a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x74b577e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x74b414b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e
wdCommandDispatch+0x3f3be7 DllCanUnloadNow-0xd94e6 wwlib+0x7d4e5c @ 0x70324e5c
DllGetClassObject+0x9b035 DllGetLCID-0x1c084b wwlib+0x9fc7f @ 0x6fbefc7f
DllGetClassObject+0x9ac3c DllGetLCID-0x1c0c44 wwlib+0x9f886 @ 0x6fbef886
DllGetClassObject+0x9a90c DllGetLCID-0x1c0f74 wwlib+0x9f556 @ 0x6fbef556
DllGetClassObject+0x115ef3 DllGetLCID-0x14598d wwlib+0x11ab3d @ 0x6fc6ab3d
DllGetClassObject+0x11457c DllGetLCID-0x147304 wwlib+0x1191c6 @ 0x6fc691c6
DllGetClassObject+0x115894 DllGetLCID-0x145fec wwlib+0x11a4de @ 0x6fc6a4de
DllCanUnloadNow+0x127d65 wwlib+0x9d60a7 @ 0x705260a7
wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x70319c27
DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x70793aa2
DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x70793ed4
DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x6fbb395f
DllGetClassObject+0x5de5b DllGetLCID-0x1fda25 wwlib+0x62aa5 @ 0x6fbb2aa5
DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x6fbb27ab
FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x6fb54c0e
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2f4315d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2f43155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1392176
registers.edi: 1957755408
registers.eax: 1392176
registers.ebp: 1392256
registers.edx: 2130566132
registers.ebx: 5006132
registers.esi: 2147944122
registers.ecx: 1231000655
1 0 0
domain drive.google.com
file C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000002d0
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000004ac
filepath: C:\Users\test22\AppData\Local\Temp\~$--------------..-----------------......-....google.-------.wiz
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$--------------..-----------------......-....google.-------.wiz
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
host 136.243.159.53
host 23.95.85.181
DrWeb Exploit.Rtf.Obfuscated.32
MicroWorld-eScan Exploit.RTF-ObfsStrm.Gen
K7AntiVirus Trojan ( 0057b3a91 )
K7GW Trojan ( 0057b3a91 )
Arcabit Exploit.RTF-ObfsStrm.Gen
Cyren RTF/CVE-2017-11882.R.gen!Camelot
Symantec Bloodhound.RTF.20
ESET-NOD32 a variant of DOC/Abnormal.B
Kaspersky HEUR:Exploit.MSOffice.Generic
BitDefender Exploit.RTF-ObfsStrm.Gen
NANO-Antivirus Exploit.Rtf.Heuristic-rtf.dinbqn
Ad-Aware Exploit.RTF-ObfsStrm.Gen
Sophos Troj/RtfExp-EQ
TrendMicro Trojan.W97M.CVE201711882.SMYNBFR
McAfee-GW-Edition Artemis
FireEye Exploit.RTF-ObfsStrm.Gen
Emsisoft Exploit.RTF-ObfsStrm.Gen (B)
Ikarus Exploit.CVE-2017-11882
Avira HEUR/Rtf.Malformed
Antiy-AVL Trojan/Generic.ASDOH.22A
ZoneAlarm HEUR:Exploit.MSOffice.Generic
GData Exploit.RTF-ObfsStrm.Gen
Cynet Malicious (score: 99)
AhnLab-V3 RTF/Malform-A.Gen
McAfee RTFObfustream.e!A5FEDF6B6CB4
TACHYON Trojan-Exploit/RTF.CVE-2017-11882
Zoner Probably Heur.RTFBadHeader
MAX malware (ai score=80)
Fortinet RTF/CVE_2017_11882.C!exploit