Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 26, 2023, 5:48 p.m.	May 26, 2023, 5:51 p.m.

Size	25.6KB
Type	Rich Text Format data, version 1, unknown character set
MD5	`211091ff25b68364c7973844af7a44d4`
SHA256	`862400f8d31c7038f3a68b6a21c51a859dba79c46f1a645f793cbc1edf4420eb`
CRC32	`3D6EF82E`
ssdeep	`768:ce4OR1mPi1FgbPGOEHxL++oeQNCU1xKM2t/vLl:dlFWPGOmAjNC0DGvLl`
Yara	Rich_Text_Format_Zero - Rich Text Format Signature Zero SUSP_INDICATOR_RTF_MalVer_Objects - Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\jijijijiiiiji###########################################jijijiji.doc
3048

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.246.220.85	Active	Moloch
192.3.189.133	Active	Moloch
192.30.89.67	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49162 -> 192.3.189.133:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49173 -> 185.246.220.85:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49173 -> 185.246.220.85:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.3.189.133:80 -> 192.168.56.102:49162	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 192.3.189.133:80 -> 192.168.56.102:49162	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49173 -> 185.246.220.85:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 185.246.220.85:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 185.246.220.85:80 -> 192.168.56.102:49173	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected
TCP 192.168.56.102:49169 -> 185.246.220.85:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49169 -> 185.246.220.85:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 185.246.220.85:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 185.246.220.85:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 185.246.220.85:80 -> 192.168.56.102:49169	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected
TCP 192.3.189.133:80 -> 192.168.56.102:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.3.189.133:80 -> 192.168.56.102:49162	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 192.3.189.133:80 -> 192.168.56.102:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49166 -> 185.246.220.85:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 185.246.220.85:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 185.246.220.85:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 185.246.220.85:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.102:49168 -> 185.246.220.85:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49168 -> 185.246.220.85:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 185.246.220.85:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.102:49168 -> 185.246.220.85:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected

Suricata TLS

No Suricata TLS

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ May 26, 2023, 5:46 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75b01414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2f091602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2f09159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 4182352 registers.edi: 1974270480 registers.eax: 4182352 registers.ebp: 4182432 registers.edx: 0 registers.ebx: 9066444 registers.esi: 2147944126 registers.ecx: 3099811236	1
__exception__ May 26, 2023, 5:46 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75abb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75abb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75abb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75aba66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x75b3a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x75b177e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x75b014b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2f091602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2f09159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 4182044 registers.edi: 1974270480 registers.eax: 4182044 registers.ebp: 4182124 registers.edx: 0 registers.ebx: 9065940 registers.esi: 2147944122 registers.ecx: 3099811236	1
__exception__ May 26, 2023, 5:46 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x737c33cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x737d2074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x694b85c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 109637780 registers.edi: 109637944 registers.eax: 109637780 registers.ebp: 109637860 registers.edx: 0 registers.ebx: 109638996 registers.esi: 2147942523 registers.ecx: 2147483648	1
__exception__ May 26, 2023, 5:46 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x737c33cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x737d3102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x694df7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab ??0OdfStgParams@@QAE@XZ+0xf1bbe mso+0xff4ac4 @ 0x709c4ac4 DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2f091602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2f09159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 4244992 registers.edi: 4245156 registers.eax: 4244992 registers.ebp: 4245072 registers.edx: 0 registers.ebx: 4246208 registers.esi: 3221549073 registers.ecx: 2147483648	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://192.3.189.133/277/IE_NET.exe
suspicious_features	POST method with no referer header, HTTP version 1.0 used, Connection to IP address				suspicious_request	POST http://185.246.220.85/line/five/fre.php

Performs some HTTP requests (2 events)

request	GET http://192.3.189.133/277/IE_NET.exe
request	POST http://185.246.220.85/line/five/fre.php

Sends data using the HTTP POST Method (1 event)

request

POST http://185.246.220.85/line/five/fre.php

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69d24000 process_handle: 0xffffffff	1	0	0

An application raised an exception which may be indicative of an exploit crash (5 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 3048 crashed
__exception__ May 26, 2023, 5:46 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75b01414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2f091602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2f09159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 4182352 registers.edi: 1974270480 registers.eax: 4182352 registers.ebp: 4182432 registers.edx: 0 registers.ebx: 9066444 registers.esi: 2147944126 registers.ecx: 3099811236	1	0	0
__exception__ May 26, 2023, 5:46 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75abb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75abb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75abb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75aba66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x75b3a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x75b177e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x75b014b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2f091602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2f09159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 4182044 registers.edi: 1974270480 registers.eax: 4182044 registers.ebp: 4182124 registers.edx: 0 registers.ebx: 9065940 registers.esi: 2147944122 registers.ecx: 3099811236	1	0	0
__exception__ May 26, 2023, 5:46 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x737c33cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x737d2074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x694b85c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 109637780 registers.edi: 109637944 registers.eax: 109637780 registers.ebp: 109637860 registers.edx: 0 registers.ebx: 109638996 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0
__exception__ May 26, 2023, 5:46 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x737c33cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x737d3102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x694df7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab ??0OdfStgParams@@QAE@XZ+0xf1bbe mso+0xff4ac4 @ 0x709c4ac4 DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2f091602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2f09159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 4244992 registers.edi: 4245156 registers.eax: 4244992 registers.ebp: 4245072 registers.edx: 0 registers.ebx: 4246208 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$jijijiiiiji###########################################jijijiji.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile May 26, 2023, 5:46 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000458 filepath: C:\Users\test22\AppData\Local\Temp\~$jijijiiiiji###########################################jijijiji.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$jijijiiiiji###########################################jijijiji.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

RTF file has an unknown character set (1 event)

filetype_details

Rich Text Format data, version 1, unknown character set

filename

jijijijiiiiji###########################################jijijiji.doc

Communicates with host for which no DNS query was performed (3 events)

host	185.246.220.85
host	192.3.189.133
host	192.30.89.67

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Lionic	Trojan.MSOffice.Generic.4!c
MicroWorld-eScan	Exploit.RTF-ObfsStrm.Gen
FireEye	Exploit.RTF-ObfsStrm.Gen
CAT-QuickHeal	Exp.RTF.Obfus.Gen
Sangfor	Exploit.Generic-Doc.Save.6f42a31e
Arcabit	Exploit.RTF-ObfsStrm.Gen
Cyren	CVE-2017-11882.D.gen!Camelot
Symantec	Exp.CVE-2017-11882!g2
ESET-NOD32	Win32/Exploit.CVE-2017-0199.EX
Avast	Other:Malware-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Exploit.RTF-ObfsStrm.Gen
NANO-Antivirus	Exploit.Rtf.Heuristic-rtf.dinbqn
Tencent	Exp.Ole.CVE-2017-11882.a
Emsisoft	Exploit.RTF-ObfsStrm.Gen (B)
F-Secure	Heuristic.HEUR/Rtf.Malformed
DrWeb	Exploit.Rtf.Obfuscated.32
VIPRE	Exploit.RTF-ObfsStrm.Gen
TrendMicro	HEUR_RTFMALFORM
McAfee-GW-Edition	Exploit-CVE2017-11882.z
Sophos	Troj/RtfExp-EQ
Ikarus	Exploit.CVE-2017-11882
Avira	HEUR/Rtf.Malformed
Antiy-AVL	Trojan[Exploit]/OLE.CVE-2017-11882
Microsoft	Trojan:Script/Woreflint.A!cl
ZoneAlarm	HEUR:Exploit.MSOffice.Generic
GData	Exploit.RTF-ObfsStrm.Gen
Google	Detected
AhnLab-V3	RTF/Malform-A.Gen
McAfee	Exploit-CVE2017-11882.z
Zoner	Probably Heur.RTFObfuscation
MAX	malware (ai score=84)
AVG	Other:Malware-gen [Trj]

jijijijiiiiji###########################################jijijiji.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All