Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 27, 2021, 5:52 p.m.	Oct. 27, 2021, 5:54 p.m.

Size	26.6KB
Type	Rich Text Format data, unknown version
MD5	`18dd40cd43c42c1fb35bea3f13b4056a`
SHA256	`dba4aece8605ee17c1560428142fd548f00606ef0b4cdf73f9ceb320e829dfa9`
CRC32	`92E7030F`
ssdeep	`768:Rqy2GvbDNR8fIm4HBFVCEyUKjX/y/OV1hm1WtIiUa:RpzEwm4hF8EyfjIOV1h8WtIib`
Yara	Rich_Text_Format_Zero - Rich Text Format Signature Zero

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\inv_009000987.wbk
672

Name	Response	Post-Analysis Lookup
secure01-redirect.net	A 193.38.51.112	193.38.51.112

IP Address	Status	Action
164.124.101.2	Active	Moloch
193.38.51.112	Active	Moloch
202.55.132.141	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49181 -> 193.38.51.112:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49181 -> 193.38.51.112:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 193.38.51.112:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49183 -> 193.38.51.112:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 193.38.51.112:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.102:49181 -> 193.38.51.112:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.102:49183 -> 193.38.51.112:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49181 -> 193.38.51.112:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 193.38.51.112:80 -> 192.168.56.102:49183	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected
TCP 192.168.56.102:49185 -> 193.38.51.112:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49185 -> 193.38.51.112:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49185 -> 193.38.51.112:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.102:49185 -> 193.38.51.112:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 193.38.51.112:80 -> 192.168.56.102:49185	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected
TCP 192.168.56.102:49176 -> 202.55.132.141:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49176 -> 202.55.132.141:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 202.55.132.141:80 -> 192.168.56.102:49176	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 202.55.132.141:80 -> 192.168.56.102:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 202.55.132.141:80 -> 192.168.56.102:49176	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 202.55.132.141:80 -> 192.168.56.102:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49182 -> 193.38.51.112:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49182 -> 193.38.51.112:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49182 -> 193.38.51.112:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.102:49182 -> 193.38.51.112:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected

Suricata TLS

No Suricata TLS

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 27, 2021, 5:52 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x751b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7579f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x751c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x7579c8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x756998ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x756e1414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x756f7b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x729e515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x7255c80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7251f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7250b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72509e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x7255994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x72559436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x720e42ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f12a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x72136ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721297ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x726eeb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x72439b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x720edd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71ee7fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71ee533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2fed1602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fed159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74dc33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77539ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77539ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x752ab727 registers.esp: 2740900 registers.edi: 1969945104 registers.eax: 2740900 registers.ebp: 2740980 registers.edx: 0 registers.ebx: 4084532 registers.esi: 2147944126 registers.ecx: 1398806547	1	0	0
__exception__ Oct. 27, 2021, 5:52 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x751b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7579f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x751c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x7579c8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x756998ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x7569b641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x7569b5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x7569b172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x7569a66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7571a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x756f77e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x756e14b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x756f7b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x729e515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x7255c80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7251f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7250b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72509e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x7255994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x72559436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x720e42ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f12a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x72136ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721297ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x726eeb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x72439b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x720edd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71ee7fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71ee533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2fed1602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fed159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74dc33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77539ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77539ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x752ab727 registers.esp: 2740592 registers.edi: 1969945104 registers.eax: 2740592 registers.ebp: 2740672 registers.edx: 0 registers.ebx: 4084028 registers.esi: 2147944122 registers.ecx: 1398806547	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 27, 2021, 5:52 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x751b374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7579f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x751c414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x7579c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x756998ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x756e1414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x756f7b68
wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x729e515a
DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x7255c80a
DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7251f4b5
DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7250b5f8
DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72509e27
DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x7255994c
DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x72559436
_GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x720e42ee
_GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f12a5a
DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x72136ca5
DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721297ac
DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x726eeb43
DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x72439b73
DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x720edd17
DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71ee7fc6
FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71ee533c
wdCommandDispatch-0x964 winword+0x1602 @ 0x2fed1602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2fed159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74dc33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77539ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77539ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x752ab727
registers.esp: 2740900
registers.edi: 1969945104
registers.eax: 2740900
registers.ebp: 2740980
registers.edx: 0
registers.ebx: 4084532
registers.esi: 2147944126
registers.ecx: 1398806547

__exception__

Oct. 27, 2021, 5:52 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x751b374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7579f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x751c414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x7579c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x756998ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x7569b641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x7569b5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x7569b172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x7569a66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7571a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x756f77e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x756e14b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x756f7b68
wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x729e515a
DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x7255c80a
DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7251f4b5
DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7250b5f8
DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72509e27
DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x7255994c
DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x72559436
_GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x720e42ee
_GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f12a5a
DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x72136ca5
DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721297ac
DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x726eeb43
DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x72439b73
DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x720edd17
DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71ee7fc6
FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71ee533c
wdCommandDispatch-0x964 winword+0x1602 @ 0x2fed1602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2fed159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74dc33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77539ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77539ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x752ab727
registers.esp: 2740592
registers.edi: 1969945104
registers.eax: 2740592
registers.ebp: 2740672
registers.edx: 0
registers.ebx: 4084028
registers.esi: 2147944122
registers.ecx: 1398806547

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://202.55.132.141/0091/vbc.exe
suspicious_features	POST method with no referer header, HTTP version 1.0 used				suspicious_request	POST http://secure01-redirect.net/ga21/fre.php

Performs some HTTP requests (2 events)

request	GET http://202.55.132.141/0091/vbc.exe
request	POST http://secure01-redirect.net/ga21/fre.php

Sends data using the HTTP POST Method (1 event)

request

POST http://secure01-redirect.net/ga21/fre.php

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 27, 2021, 5:52 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x696c4000 process_handle: 0xffffffff	1	0	0

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 672 crashed
__exception__ Oct. 27, 2021, 5:52 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x751b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7579f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x751c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x7579c8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x756998ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x756e1414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x756f7b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x729e515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x7255c80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7251f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7250b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72509e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x7255994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x72559436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x720e42ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f12a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x72136ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721297ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x726eeb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x72439b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x720edd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71ee7fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71ee533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2fed1602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fed159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74dc33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77539ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77539ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x752ab727 registers.esp: 2740900 registers.edi: 1969945104 registers.eax: 2740900 registers.ebp: 2740980 registers.edx: 0 registers.ebx: 4084532 registers.esi: 2147944126 registers.ecx: 1398806547	1	0	0
__exception__ Oct. 27, 2021, 5:52 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x751b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7579f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x751c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x7579c8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x756998ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x7569b641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x7569b5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x7569b172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x7569a66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7571a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x756f77e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x756e14b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x756f7b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x729e515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x7255c80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7251f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7250b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72509e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x7255994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x72559436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x720e42ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f12a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x72136ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721297ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x726eeb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x72439b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x720edd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71ee7fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71ee533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2fed1602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fed159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74dc33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77539ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77539ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x752ab727 registers.esp: 2740592 registers.edi: 1969945104 registers.eax: 2740592 registers.ebp: 2740672 registers.edx: 0 registers.ebx: 4084028 registers.esi: 2147944122 registers.ecx: 1398806547	1	0	0

Application Crash

Process WINWORD.EXE with pid 672 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 27, 2021, 5:52 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x751b374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7579f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x751c414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x7579c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x756998ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x756e1414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x756f7b68
wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x729e515a
DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x7255c80a
DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7251f4b5
DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7250b5f8
DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72509e27
DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x7255994c
DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x72559436
_GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x720e42ee
_GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f12a5a
DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x72136ca5
DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721297ac
DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x726eeb43
DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x72439b73
DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x720edd17
DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71ee7fc6
FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71ee533c
wdCommandDispatch-0x964 winword+0x1602 @ 0x2fed1602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2fed159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74dc33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77539ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77539ea5

__exception__

Oct. 27, 2021, 5:52 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x751b374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7579f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x751c414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x7579c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x756998ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x7569b641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x7569b5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x7569b172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x7569a66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7571a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x756f77e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x756e14b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x756f7b68
wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x729e515a
DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x7255c80a
DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7251f4b5
DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7250b5f8
DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72509e27
DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x7255994c
DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x72559436
_GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x720e42ee
_GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f12a5a
DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x72136ca5
DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721297ac
DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x726eeb43
DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x72439b73
DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x720edd17
DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71ee7fc6
FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71ee533c
wdCommandDispatch-0x964 winword+0x1602 @ 0x2fed1602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2fed159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74dc33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77539ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77539ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x752ab727
registers.esp: 2740592
registers.edi: 1969945104
registers.eax: 2740592
registers.ebp: 2740672
registers.edx: 0
registers.ebx: 4084028
registers.esi: 2147944122
registers.ecx: 1398806547

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Oct. 27, 2021, 5:52 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000448 filepath: C:\Users\test22\AppData\Local\Temp\~$v_009000987.wbk desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$v_009000987.wbk create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

RTF file has an unknown version (1 event)

filetype_details

Rich Text Format data, unknown version

filename

inv_009000987.wbk

Communicates with host for which no DNS query was performed (1 event)

host

202.55.132.141

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

MicroWorld-eScan	Exploit.RTF-ObfsStrm.Gen
FireEye	Exploit.RTF-ObfsStrm.Gen
McAfee	Exploit-CVE2017-11882.z
Sangfor	Malware.Generic-RTF.Save.c5a892ae
K7AntiVirus	Trojan ( 0057b3a91 )
K7GW	Trojan ( 0057b3a91 )
Arcabit	Exploit.RTF-ObfsStrm.Gen
Cyren	RTF/CVE-2017-11882.R.gen!Camelot
Symantec	Bloodhound.RTF.20
ESET-NOD32	a variant of DOC/Abnormal.B
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Exploit.RTF-ObfsStrm.Gen
NANO-Antivirus	Exploit.Rtf.Heuristic-rtf.dinbqn
Ad-Aware	Exploit.RTF-ObfsStrm.Gen
DrWeb	Exploit.Rtf.Obfuscated.32
TrendMicro	HEUR_RTFMALFORM
McAfee-GW-Edition	Exploit-CVE2017-11882.z
Emsisoft	Exploit.RTF-ObfsStrm.Gen (B)
Avira	HEUR/Rtf.Malformed
MAX	malware (ai score=86)
Antiy-AVL	Trojan/Generic.ASDOH.22A
GData	Exploit.RTF-ObfsStrm.Gen
Cynet	Malicious (score: 99)
AhnLab-V3	RTF/Malform-A.Gen
TACHYON	Trojan-Exploit/RTF.CVE-2017-11882
Zoner	Probably Heur.RTFBadVersion
Ikarus	Exploit.CVE-2017-11882
Fortinet	RTF/GenericKD.47107450!tr

inv_009000987.wbk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All