popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

0011.wbk

doc RTF File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 30, 2021, 11:57 a.m. Oct. 30, 2021, noon
Size 20.6KB
Type Rich Text Format data, unknown version
MD5 6c4a4577b05acbeb2d7daecf27658d03
SHA256 3b581601796d4459571b4079419ea4e33065675c4dfb309877bace18fc8d1f63
CRC32 0F271631
ssdeep 384:/8prEPKGGZujaDypqyg9e8GX9KN7JsJcohcIERHm/eyzqO7aQ/naiEec:/8prIKGGZujaDyAFtyJcohcIqm/1PN9w
Yara
  • Rich_Text_Format_Zero - Rich Text Format Signature Zero

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49200 -> 103.171.0.220:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.101:49200 -> 103.171.0.220:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 103.171.0.220:80 -> 192.168.56.101:49200 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 103.171.0.220:80 -> 192.168.56.101:49200 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 103.171.0.220:80 -> 192.168.56.101:49200 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 192.168.56.101:49215 -> 23.227.38.74:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 103.171.0.220:80 -> 192.168.56.101:49200 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 23.227.38.74:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 23.227.38.74:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 108.179.232.90:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 108.179.232.90:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 108.179.232.90:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 3.223.115.185:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 3.223.115.185:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 3.223.115.185:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 217.160.0.187:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 217.160.0.187:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 217.160.0.187:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 139.162.127.18:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 139.162.127.18:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 139.162.127.18:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 172.67.187.226:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 172.67.187.226:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 172.67.187.226:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 156.67.72.160:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 156.67.72.160:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 156.67.72.160:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 15.197.142.173:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 15.197.142.173:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 15.197.142.173:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74b41414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e
DllCanUnloadNow+0x3200d6 wwlib+0xbce418 @ 0x7071e418
DllCanUnloadNow+0x2d334c wwlib+0xb8168e @ 0x706d168e
DllGetClassObject+0x157e7 DllGetLCID-0x246099 wwlib+0x1a431 @ 0x6fb6a431
DllGetClassObject+0x3b23 DllGetLCID-0x257d5d wwlib+0x876d @ 0x6fb5876d
FMain+0x482 DllGetClassObject-0x266 wwlib+0x49e4 @ 0x6fb549e4
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2fee15d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2fee155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3165956
registers.edi: 1957755408
registers.eax: 3165956
registers.ebp: 3166036
registers.edx: 0
registers.ebx: 4043396
registers.esi: 2147944126
registers.ecx: 2725071333
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x74afb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x74afb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x74afb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x74afa66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x74b7a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x74b577e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x74b414b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e
DllCanUnloadNow+0x3200d6 wwlib+0xbce418 @ 0x7071e418
DllCanUnloadNow+0x2d334c wwlib+0xb8168e @ 0x706d168e
DllGetClassObject+0x157e7 DllGetLCID-0x246099 wwlib+0x1a431 @ 0x6fb6a431
DllGetClassObject+0x3b23 DllGetLCID-0x257d5d wwlib+0x876d @ 0x6fb5876d
FMain+0x482 DllGetClassObject-0x266 wwlib+0x49e4 @ 0x6fb549e4
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2fee15d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2fee155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3165648
registers.edi: 1957755408
registers.eax: 3165648
registers.ebp: 3165728
registers.edx: 0
registers.ebx: 4043612
registers.esi: 2147944122
registers.ecx: 2725071333
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://103.171.0.220/0011/vbc.exe
suspicious_features GET method with no useragent header suspicious_request GET http://www.esd66.com/euzn/?GPJ=IQD8yqUxjaKbmWvxY5YgKaEhD1SzG9nYqUof4YAZsyxYzAzp9zRFmOd/JMKDibdr94YK0rFj&oX=Txo8nZfpM8h4
suspicious_features GET method with no useragent header suspicious_request GET http://www.mecasso.store/euzn/?GPJ=5V4tZ993so02mJc3sFQ1G2n5zFyOyfQP63UMvRPf7Sx02fgR5BEy180KOo1jDAfLNmzZkM90&oX=Txo8nZfpM8h4
suspicious_features GET method with no useragent header suspicious_request GET http://www.235296tyc.com/euzn/?GPJ=qPG280hY3bVwFWYgPYUPmF0yLOv8ZOX3N77VjzujjWFTLW7L05+D5h5Mp3mfBnzq5vwwDWs5&oX=Txo8nZfpM8h4
suspicious_features GET method with no useragent header suspicious_request GET http://www.chaoxy.com/euzn/?GPJ=p54zT/BC/x4SoLDl4CDH46eZzoug/1aAOGG+RO71GifqYqkWwddMiniK8tFlkYqJGNGj/CA6&oX=Txo8nZfpM8h4
suspicious_features GET method with no useragent header suspicious_request GET http://www.newbeautydk.com/euzn/?GPJ=6sAauxhCLdP7c3t2Bq+0dcztdOu3qC96/c3RA+P4V1r5NX6fjKtAwrvy/oq5eYG/IMq0e3QV&oX=Txo8nZfpM8h4
suspicious_features GET method with no useragent header suspicious_request GET http://www.aidenb.tech/euzn/?GPJ=1IX3VtbgCTbtlwCwA2UuwAMw7IFESF9lL1UJSvXyFA7beRMLnuzxa3L8x0fgk6lRopDxesZY&oX=Txo8nZfpM8h4
suspicious_features GET method with no useragent header suspicious_request GET http://www.longshifa.online/euzn/?GPJ=uAv+hDNIaWKTJHmotFieJseyqVavRyN/hzmyr84dVQggb+iPx2yKvWnxBifTpegawz+9IKiJ&oX=Txo8nZfpM8h4
suspicious_features GET method with no useragent header suspicious_request GET http://www.jakital.com/euzn/?GPJ=GUGPZqYkRSeqmYe7e5IS+Ei9iGFRID/i/07dgdYcr1Gx3jMum/GSR7RR4tExlRct2vCBg0O1&oX=Txo8nZfpM8h4
suspicious_features GET method with no useragent header suspicious_request GET http://www.arceprojects.com/euzn/?GPJ=YRXSBiSDQSCZhMMUR8bbHnyPN+rRNpjXZ/H6tz5eiGlkZ6MPFWs4UspiD2SvKhVY+KpYofGz&oX=Txo8nZfpM8h4
suspicious_features GET method with no useragent header suspicious_request GET http://www.chezvitoria.com/euzn/?GPJ=GKdzzMH8ErMYBxlRei+3JyrXRgQOuFc7CB7CFsqySz81sLyYG5Fwl1ZfLnJdq0KjlXe5fq5T&oX=Txo8nZfpM8h4
request GET http://103.171.0.220/0011/vbc.exe
request POST http://www.esd66.com/euzn/
request GET http://www.esd66.com/euzn/?GPJ=IQD8yqUxjaKbmWvxY5YgKaEhD1SzG9nYqUof4YAZsyxYzAzp9zRFmOd/JMKDibdr94YK0rFj&oX=Txo8nZfpM8h4
request POST http://www.mecasso.store/euzn/
request GET http://www.mecasso.store/euzn/?GPJ=5V4tZ993so02mJc3sFQ1G2n5zFyOyfQP63UMvRPf7Sx02fgR5BEy180KOo1jDAfLNmzZkM90&oX=Txo8nZfpM8h4
request POST http://www.235296tyc.com/euzn/
request GET http://www.235296tyc.com/euzn/?GPJ=qPG280hY3bVwFWYgPYUPmF0yLOv8ZOX3N77VjzujjWFTLW7L05+D5h5Mp3mfBnzq5vwwDWs5&oX=Txo8nZfpM8h4
request POST http://www.chaoxy.com/euzn/
request GET http://www.chaoxy.com/euzn/?GPJ=p54zT/BC/x4SoLDl4CDH46eZzoug/1aAOGG+RO71GifqYqkWwddMiniK8tFlkYqJGNGj/CA6&oX=Txo8nZfpM8h4
request POST http://www.newbeautydk.com/euzn/
request GET http://www.newbeautydk.com/euzn/?GPJ=6sAauxhCLdP7c3t2Bq+0dcztdOu3qC96/c3RA+P4V1r5NX6fjKtAwrvy/oq5eYG/IMq0e3QV&oX=Txo8nZfpM8h4
request POST http://www.aidenb.tech/euzn/
request GET http://www.aidenb.tech/euzn/?GPJ=1IX3VtbgCTbtlwCwA2UuwAMw7IFESF9lL1UJSvXyFA7beRMLnuzxa3L8x0fgk6lRopDxesZY&oX=Txo8nZfpM8h4
request POST http://www.longshifa.online/euzn/
request GET http://www.longshifa.online/euzn/?GPJ=uAv+hDNIaWKTJHmotFieJseyqVavRyN/hzmyr84dVQggb+iPx2yKvWnxBifTpegawz+9IKiJ&oX=Txo8nZfpM8h4
request POST http://www.jakital.com/euzn/
request GET http://www.jakital.com/euzn/?GPJ=GUGPZqYkRSeqmYe7e5IS+Ei9iGFRID/i/07dgdYcr1Gx3jMum/GSR7RR4tExlRct2vCBg0O1&oX=Txo8nZfpM8h4
request POST http://www.arceprojects.com/euzn/
request GET http://www.arceprojects.com/euzn/?GPJ=YRXSBiSDQSCZhMMUR8bbHnyPN+rRNpjXZ/H6tz5eiGlkZ6MPFWs4UspiD2SvKhVY+KpYofGz&oX=Txo8nZfpM8h4
request POST http://www.chezvitoria.com/euzn/
request GET http://www.chezvitoria.com/euzn/?GPJ=GKdzzMH8ErMYBxlRei+3JyrXRgQOuFc7CB7CFsqySz81sLyYG5Fwl1ZfLnJdq0KjlXe5fq5T&oX=Txo8nZfpM8h4
request POST http://www.esd66.com/euzn/
request POST http://www.mecasso.store/euzn/
request POST http://www.235296tyc.com/euzn/
request POST http://www.chaoxy.com/euzn/
request POST http://www.newbeautydk.com/euzn/
request POST http://www.aidenb.tech/euzn/
request POST http://www.longshifa.online/euzn/
request POST http://www.jakital.com/euzn/
request POST http://www.arceprojects.com/euzn/
request POST http://www.chezvitoria.com/euzn/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1868
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1868
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x69961000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1868
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05910000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1868
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05910000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1868
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05920000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1868
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05930000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1868
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x697a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1868
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x697a4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1868
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x507c1000
process_handle: 0xffffffff
1 0 0
Application Crash Process WINWORD.EXE with pid 1868 crashed
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74b41414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e
DllCanUnloadNow+0x3200d6 wwlib+0xbce418 @ 0x7071e418
DllCanUnloadNow+0x2d334c wwlib+0xb8168e @ 0x706d168e
DllGetClassObject+0x157e7 DllGetLCID-0x246099 wwlib+0x1a431 @ 0x6fb6a431
DllGetClassObject+0x3b23 DllGetLCID-0x257d5d wwlib+0x876d @ 0x6fb5876d
FMain+0x482 DllGetClassObject-0x266 wwlib+0x49e4 @ 0x6fb549e4
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2fee15d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2fee155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3165956
registers.edi: 1957755408
registers.eax: 3165956
registers.ebp: 3166036
registers.edx: 0
registers.ebx: 4043396
registers.esi: 2147944126
registers.ecx: 2725071333
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x74afb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x74afb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x74afb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x74afa66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x74b7a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x74b577e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x74b414b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e
DllCanUnloadNow+0x3200d6 wwlib+0xbce418 @ 0x7071e418
DllCanUnloadNow+0x2d334c wwlib+0xb8168e @ 0x706d168e
DllGetClassObject+0x157e7 DllGetLCID-0x246099 wwlib+0x1a431 @ 0x6fb6a431
DllGetClassObject+0x3b23 DllGetLCID-0x257d5d wwlib+0x876d @ 0x6fb5876d
FMain+0x482 DllGetClassObject-0x266 wwlib+0x49e4 @ 0x6fb549e4
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2fee15d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2fee155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3165648
registers.edi: 1957755408
registers.eax: 3165648
registers.ebp: 3165728
registers.edx: 0
registers.ebx: 4043612
registers.esi: 2147944122
registers.ecx: 2725071333
1 0 0
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000003ec
filepath: C:\Users\test22\AppData\Local\Temp\~$0011.wbk
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$0011.wbk
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
filetype_details Rich Text Format data, unknown version filename 0011.wbk
host 103.171.0.220
MicroWorld-eScan Exploit.RTF-ObfsStrm.Gen
FireEye Exploit.RTF-ObfsStrm.Gen
McAfee Exploit-CVE2017-11882.z
Sangfor Malware.Generic-RTF.Save.c5a892ae
K7AntiVirus Trojan ( 0057b3a91 )
K7GW Trojan ( 0057b3a91 )
Cyren RTF/CVE-2017-11882.R.gen!Camelot
Symantec Bloodhound.RTF.20
ESET-NOD32 multiple detections
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Exploit.RTF-ObfsStrm.Gen
NANO-Antivirus Exploit.Rtf.Heuristic-rtf.dinbqn
Ad-Aware Exploit.RTF-ObfsStrm.Gen
Emsisoft Exploit.RTF-ObfsStrm.Gen (B)
DrWeb Exploit.Rtf.Obfuscated.32
TrendMicro HEUR_RTFMALFORM
McAfee-GW-Edition Exploit-CVE2017-11882.z
Sophos Troj/RtfExp-EQ
Avira HEUR/Rtf.Malformed
MAX malware (ai score=81)
Antiy-AVL Trojan/Generic.ASDOH.22A
Microsoft Trojan:Script/Sabsik.FL.B!ml
GData Exploit.RTF-ObfsStrm.Gen
Cynet Malicious (score: 99)
AhnLab-V3 RTF/Malform-A.Gen
TACHYON Trojan-Exploit/RTF.CVE-2017-11882
Zoner Probably Heur.RTFBadVersion
Ikarus Exploit.CVE-2017-11882
Fortinet RTF/GenericKD.47107450!tr