Summary | ZeroBOX

dod-upload.dodortar.ru

Tags: VBA_macro, Generic Malware, MSOffice File

Category: FILE
Machine: s1_win7_x6403_us
Started: July 22, 2022, 9:23 a.m.
Completed: July 22, 2022, 9:37 a.m.
Size: 138.0KB
Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Template: temp, Last Saved By: Windows, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Jul 9 05:35:00 2022, Last Saved Time/Date: Sat Jul 9 05:35:00 2022, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
MD5: b059ab7a19bc94ce84c615b83cecaecb
SHA256: 7d2ec4837172db84721093fa6806bc2b61a9ea7169818a6e0ea1c92ed0f602ff
CRC32: 093D7841
ssdeep: 3072:RKdSoIlXPNPujkhsXCr6W+khGsrZyV2NbsEMliO:3PPgkhsyr6W+EMlH
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Generic_Malware_Zero - Generic Malware
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
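The three Yara hits above are static: the file is an OLE2 compound document (the "Composite Document File V2" type string) whose directory carries VBA storages. As an added worked example, not ZeroBOX's rule code, the following Python walks the compound-file directory the way a triage script would and flags the VBA-related entries. The document it inspects is constructed in memory and is not the reported file; the entry names it keys on (`Macros`, `VBA`, `_VBA_PROJECT`) are the ones a VBA project adds to a Word binary document.

```python
"""Minimal OLE2 / Composite Document File V2 directory walker for macro triage.
Added example: builds a small CFB in memory, lists its storages/streams, and
reports whether a VBA project is present (the Contains_VBA_macro_code signal)."""
import hashlib
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
# Directory entry names that only exist when a VBA project is embedded.
VBA_ENTRY_NAMES = {"_vba_project", "vba", "macros"}


def _sector(data, sector_size, n):
    off = (n + 1) * sector_size  # sector 0 starts right after the 512-byte header
    return data[off:off + sector_size]


def cfb_directory_entries(data):
    """Return [(name, entry_type)] by following the directory sector chain.
    Limitation: only the 109 DIFAT slots in the header are read, which covers
    files up to roughly 7 MB with 512-byte sectors (plenty for a 138 KB .doc)."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 Compound File")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    fat = []
    for i in range(109):
        fat_sector = struct.unpack_from("<I", data, 76 + 4 * i)[0]
        if fat_sector == FREESECT:
            break
        raw = _sector(data, sector_size, fat_sector)
        fat.extend(struct.unpack("<%dI" % (len(raw) // 4), raw))
    entries, seen, cur = [], set(), first_dir
    while cur != ENDOFCHAIN and cur not in seen:  # guard against crafted FAT loops
        seen.add(cur)
        raw = _sector(data, sector_size, cur)
        for off in range(0, len(raw) - 127, 128):
            ent = raw[off:off + 128]
            name_len = struct.unpack_from("<H", ent, 64)[0]  # bytes, incl. UTF-16 NUL
            entry_type = ent[66]  # 1 storage, 2 stream, 5 root, 0 unused
            if entry_type == 0 or name_len < 2:
                continue
            entries.append((ent[:name_len - 2].decode("utf-16-le"), entry_type))
        cur = fat[cur] if cur < len(fat) else ENDOFCHAIN
    return entries


def has_vba_project(data):
    names = {name.lower() for name, _ in cfb_directory_entries(data)}
    return bool(names & VBA_ENTRY_NAMES)


def file_hashes(data):
    """The two hashes a sandbox summary keys the sample on."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def _dir_entry(name, entry_type):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    ent = bytearray(128)
    ent[:len(raw)] = raw
    struct.pack_into("<H", ent, 64, len(raw))
    ent[66] = entry_type
    struct.pack_into("<III", ent, 68, NOSTREAM, NOSTREAM, NOSTREAM)  # no tree links
    return bytes(ent)


def build_sample_doc(with_vba=True):
    """Constructed 4-sector CFB: header, one FAT sector, two directory sectors
    (the directory spans two sectors so the walker has a chain to follow)."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    # minor version, major version 3, byte order, sector shift 9 (512 B), mini shift 6
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", hdr, 44, 1, 1)            # 1 FAT sector; directory starts at sector 1
    struct.pack_into("<I", hdr, 56, 4096)             # mini-stream cutoff
    struct.pack_into("<II", hdr, 60, ENDOFCHAIN, 0)   # no mini FAT
    struct.pack_into("<II", hdr, 68, ENDOFCHAIN, 0)   # no extra DIFAT sectors
    hdr[80:512] = b"\xFF" * 432                       # DIFAT[0] = 0 (already zero), rest FREESECT
    fat = struct.pack("<128I", FATSECT, 2, ENDOFCHAIN, *([FREESECT] * 125))
    names = [("Root Entry", 5), ("WordDocument", 2), ("1Table", 2)]
    if with_vba:
        names += [("Macros", 1), ("VBA", 1), ("_VBA_PROJECT", 2), ("dir", 2)]
    directory = b"".join(_dir_entry(n, t) for n, t in names).ljust(1024, b"\x00")
    return bytes(hdr) + fat + directory
```

olevba from oletools does the same walk with full FAT and mini-FAT support and goes on to extract and decompress the macro source; this walker stops at the directory, which is enough to answer "does it carry a VBA project" and to hash the sample for the lookups above.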

Hosts (Name, Response, Post-Analysis Lookup): No hosts contacted.
IP addresses (IP Address, Status, Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x74e02b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x74dd801a
SLClose-0x28c osppc+0x2cb5 @ 0x6ac62cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6ac75629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6ac63412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6ac729af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6a2ba648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70934a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70934823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x701f30d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x701f2e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x6fa12b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x6fa12456
0x1fa29c5
_MsoHrSetupHTMLImport@8+0x2ee7 _MsoHrOscServicesManagerSharepointURL@8-0x8f03 mso+0x200fda @ 0x6f730fda
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6f7308cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6f71fa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6f71f808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6f71f7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6f553b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6f5522ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6f6e522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6f6e5189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6f6e407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6f6e3fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6f6e3f6b
DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x71b72aca
DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x71b72a8c
DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x71b8b117
DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x71b6b6c2
DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x71b688d5
wdCommandDispatch-0x370 winword+0x15c4 @ 0x9815c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0x981558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x766fb727
registers.esp: 3526072
registers.edi: 3526236
registers.eax: 3526072
registers.ebp: 3526152
registers.edx: 0
registers.ebx: 3527288
registers.esi: 3221549073
registers.ecx: 2147483648
Status: 1 | Return: 0 | Repeated: 0

Note: 0xC004F011 lies in the Software Licensing Service HRESULT range (SL_E_*), and the frames above run from Word through mso into osppc/osppcext (the Office Software Protection Platform client) and an RPC call into the licensing service. The exception is an Office activation failure on the sandbox VM, not behaviour of the macro; it does explain why the run ends in the "Application Crash" signature below.
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a5ed000
process_handle: 0xffffffff
Status: 1 | Return: 0 | Repeated: 0
Application Crash Process WINWORD.EXE with pid 2324 crashed
Exception record identical to the __exception__ entry above (RaiseException+0x58 in KERNELBASE.dll, exception_code 0xc004f011, same stack trace and registers). Status: 1 | Return: 0 | Repeated: 0
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000004a8
filepath: C:\Users\test22\AppData\Local\Temp\~$d-upload.dodortar.ru
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$d-upload.dodortar.ru
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
Status: 1 | Return: 0 | Repeated: 0

Note: the hidden `~$d-upload.dodortar.ru` in %TEMP% is Word's owner (lock) file for the analysed document, named by replacing the first two characters of the document name with `~$`. Word creates it for any document it opens; it is not a payload dropped by the macro.
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
Status: 1 | Return: 0 | Repeated: 0
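Reading the behaviour records above one at a time: the `__exception__` is an Office licensing failure, the first `NtProtectVirtualMemory` sets a read-write-execute page inside WINWORD.EXE, the `NtCreateFile` is Word's own hidden owner file for the document, and the second `NtProtectVirtualMemory` is the sandbox's heap-DEP heuristic firing on a PAGE_EXECUTE_READ page. The following Python is an added example, not ZeroBOX code, that encodes that reading as rules and runs them over records transcribed by hand from this report. The rule names and severities are the author's choices, and the short-name case of Word's owner-file naming is an assumption noted in the code.

```python
"""Rule pass over sandbox behaviour records of the kind shown in the report.
Added example: the REPORT_CALLS list is constructed from the entries above;
field names follow the ZeroBOX/Cuckoo behaviour log."""
import re

PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
FILE_ATTRIBUTE_HIDDEN = 0x02
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SL_ERROR_RANGE = range(0xC004F000, 0xC0050000)  # Software Licensing Service (SL_E_*) HRESULTs


def office_owner_file_name(doc_name):
    """Name of the owner/lock file Word creates for an open document: '~$'
    replaces the first two characters of the name (matches this report).
    Assumption: names shorter than seven characters only get the prefix."""
    return "~$" + (doc_name[2:] if len(doc_name) >= 7 else doc_name)


def triage_calls(calls, process_name, doc_name):
    """Return (severity, rule, detail) findings for a list of call records."""
    findings = []
    is_office = process_name.lower() in OFFICE_PROCESSES
    for c in calls:
        api = c["api"]
        if api == "NtProtectVirtualMemory":
            if c["protection"] & PAGE_EXECUTE_READWRITE and is_office:
                # An RWX page in an Office process is where unpacked shellcode
                # usually lands; worth a look even at 4 KB.
                findings.append(("medium", "office-rwx-page",
                                 "%s pid %d: 0x%08x (%d bytes) -> PAGE_EXECUTE_READWRITE"
                                 % (process_name, c["process_identifier"],
                                    c["base_address"], c["length"])))
            elif c.get("heap_dep_bypass") and c["protection"] & PAGE_EXECUTE_READ:
                findings.append(("low", "heap-dep-bypass-flag",
                                 "sandbox flagged executable heap page at 0x%08x"
                                 % c["base_address"]))
        elif api == "NtCreateFile":
            path = c["filepath"]
            name = path.rsplit("\\", 1)[-1]
            hidden = bool(c["file_attributes"] & FILE_ATTRIBUTE_HIDDEN)
            if name == office_owner_file_name(doc_name):
                findings.append(("info", "office-owner-file",
                                 "%s is Word's owner file for %s (hidden by design)"
                                 % (name, doc_name)))
            elif hidden and re.search(r"\\AppData\\Local\\Temp\\", path, re.I):
                findings.append(("medium", "hidden-temp-drop",
                                 "hidden file created: %s" % path))
        elif api == "__exception__":
            code = c["exception_code"]
            in_sl = any(" osppc+" in f or " osppcext+" in f for f in c["stacktrace"])
            if code in SL_ERROR_RANGE and in_sl:
                findings.append(("info", "licensing-crash",
                                 "0x%08X raised under Office licensing client frames; "
                                 "sandbox activation artefact, not macro behaviour" % code))
            else:
                findings.append(("medium", "unexplained-exception",
                                 "0x%08X in %s" % (code, c.get("module", "?"))))
    return findings


# Constructed input: records transcribed from the report above.
REPORT_CALLS = [
    {"api": "__exception__", "exception_code": 0xC004F011, "module": "KERNELBASE.dll",
     "stacktrace": ["RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b",
                    "SLClose-0x28c osppc+0x2cb5 @ 0x6ac62cb5",
                    "SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6a2ba648"]},
    {"api": "NtProtectVirtualMemory", "process_identifier": 2324, "protection": 64,
     "length": 4096, "base_address": 0x6A5ED000, "heap_dep_bypass": 0},
    {"api": "NtCreateFile", "filepath": r"C:\Users\test22\AppData\Local\Temp\~$d-upload.dodortar.ru",
     "file_attributes": 2, "create_disposition": 5},
    {"api": "NtProtectVirtualMemory", "process_identifier": 2324, "protection": 32,
     "length": 4096, "base_address": 0x7EF70000, "heap_dep_bypass": 1},
]

if __name__ == "__main__":
    for sev, rule, detail in triage_calls(REPORT_CALLS, "WINWORD.EXE", "dod-upload.dodortar.ru"):
        print("[%s] %s: %s" % (sev, rule, detail))
```

Run against the report's four records the pass yields one medium finding (the RWX page) and three informational ones; the same rules would escalate a hidden file in %TEMP% whose name does not match the owner-file pattern, or an exception outside the licensing range, which is the distinction a reviewer actually needs when skimming a crash-heavy Office run.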
Antivirus results (engine: detection name)

Lionic: Trojan.MSWord.Kryo.4!c
Elastic: malicious (high confidence)
MicroWorld-eScan: VBA.Heur.Kryo.1.E0647993.Gen
FireEye: VBA.Heur.Kryo.1.E0647993.Gen
ALYac: VBA.Heur.Kryo.1.E0647993.Gen
VIPRE: VBA.Heur.Kryo.1.E0647993.Gen
Arcabit: HEUR.VBA.C.2
VirIT: W97M/Downloader.AR
Symantec: Trojan.Gen.MBT
Avast: MO97:Dropper-AJ
Kaspersky: UDS:Backdoor.OLE2.Carbanak.gen
BitDefender: VBA.Heur.Kryo.1.E0647993.Gen
NANO-Antivirus: Trojan.Ole2.Vbs-heuristic.druvzi
Tencent: Heur.Macro.Generic.a.e42f78ae
Ad-Aware: VBA.Heur.Kryo.1.E0647993.Gen
TACHYON: Suspicious/W97M.DRP.Gen
Emsisoft: VBA.Heur.Kryo.1.E0647993.Gen (B)
McAfee-GW-Edition: BehavesLike.OLE2.Downloader.cg
SentinelOne: Static AI - Malicious OLE
Antiy-AVL: Trojan/Generic.ASHMacro.650
Microsoft: Trojan:Script/Woreflint.A!cl
ZoneAlarm: HEUR:Trojan-Downloader.Script.Generic
GData: VBA.Heur.Kryo.1.E0647993.Gen
Acronis: suspicious
MAX: malware (ai score=84)
Rising: Downloader.Agent/VBA!1.A519 (CLASSIC)
Ikarus: Trojan.Office.Doc
AVG: MO97:Dropper-AJ