Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 31, 2023, 10:47 a.m.	Aug. 31, 2023, 10:49 a.m.

Size	768.5KB
Type	ASCII text, with very long lines
MD5	`2735cd8e39f7e6ce667ab2722770931c`
SHA256	`01661afa5717fe897d158307176df84874e21adf696e3365685204538bd0a4e5`
CRC32	`30AC50DB`
ssdeep	`768:5stVBjHeY2xUSc2xoEYGZc+dySGri6CbEYKhqgbEYhhigbEYhh8gbEYuIQY7EH4z:5spHoC`
Yara	Rich_Text_Format_Zero - Rich Text Format Signature Zero SUSP_INDICATOR_RTF_MalVer_Objects - Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents. MS_RTF_Suspicious_documents - Suspicious documents using RTF document OLE object

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\wagnergroup.rtf
3068

Name	Response	Post-Analysis Lookup
iplogger.com	A 148.251.234.93	148.251.234.93

IP Address	Status	Action
148.251.234.93	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49165 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49167 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.102:49168	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 31, 2023, 10:47 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75b01414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2fd31602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fd3159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80010105 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 2020004 registers.edi: 1974270480 registers.eax: 2020004 registers.ebp: 2020084 registers.edx: 0 registers.ebx: 5749180 registers.esi: 2147549445 registers.ecx: 555114645	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 31, 2023, 10:47 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75b01414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68
wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a
DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a
DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5
DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8
DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27
DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c
DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436
_GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee
_GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a
DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5
DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac
DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43
DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73
DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17
DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6
FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c
wdCommandDispatch-0x964 winword+0x1602 @ 0x2fd31602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2fd3159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80010105
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 2020004
registers.edi: 1974270480
registers.eax: 2020004
registers.ebp: 2020084
registers.edx: 0
registers.ebx: 5749180
registers.esi: 2147549445
registers.ecx: 555114645

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 3068 crashed
__exception__ Aug. 31, 2023, 10:47 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75b01414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2fd31602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fd3159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80010105 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 2020004 registers.edi: 1974270480 registers.eax: 2020004 registers.ebp: 2020084 registers.edx: 0 registers.ebx: 5749180 registers.esi: 2147549445 registers.ecx: 555114645	1	0	0

Application Crash

Process WINWORD.EXE with pid 3068 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 31, 2023, 10:47 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75b01414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68
wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a
DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a
DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5
DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8
DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27
DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c
DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436
_GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee
_GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a
DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5
DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac
DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43
DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73
DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17
DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6
FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c
wdCommandDispatch-0x964 winword+0x1602 @ 0x2fd31602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2fd3159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Aug. 31, 2023, 10:47 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000458 filepath: C:\Users\test22\AppData\Local\Temp\~$gnergroup.rtf desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$gnergroup.rtf create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Trojan.MSOffice.Generic.4!c
CAT-QuickHeal	Exp.Shell.Gen.DU
Sangfor	Exploit.Doc.CVE-2017-11882.b
Cyren	CVE-2017-11882.C.gen!Camelot
Symantec	Exp.CVE-2017-11882
ESET-NOD32	probably a variant of Win32/Exploit.CVE-2017-11882.A
TrendMicro-HouseCall	Trojan.W97M.CVE201711882.SMAL02
Avast	OLE:CVE-2017-11882 [Expl]
Cynet	Malicious (score: 99)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Exploit.RTF-ObfsStrm.Gen
NANO-Antivirus	Exploit.OleNative.CVE-2017-11882.evenbv
MicroWorld-eScan	Exploit.RTF-ObfsStrm.Gen
Rising	Exploit.CVE-2017-11882!1.AEE3 (CLASSIC)
Emsisoft	Exploit.RTF-ObfsStrm.Gen (B)
Baidu	Win32.Exploit.CVE-2017-11882.b
F-Secure	Exploit.EXP/CVE-2017-11882.Gen
DrWeb	Exploit.Rtf.414
VIPRE	Exploit.RTF-ObfsStrm.Gen
TrendMicro	Trojan.W97M.CVE201711882.SMAL02
McAfee-GW-Edition	RTFObfustream.a!2735CD8E39F7
FireEye	Exploit.RTF-ObfsStrm.Gen
GData	Exploit.RTF-ObfsStrm.Gen
Avira	EXP/CVE-2017-11882.Gen
MAX	malware (ai score=89)
Antiy-AVL	Trojan[Exploit]/OLE.CVE-2017-11882
Arcabit	Exploit.RTF-ObfsStrm.Gen
ZoneAlarm	HEUR:Exploit.MSOffice.Generic
Microsoft	Trojan:Win32/Leonem
Google	Detected
AhnLab-V3	RTF/Malform-A.Gen
McAfee	RTFObfustream.a!2735CD8E39F7
TACHYON	Trojan-Exploit/RTF.CVE-2017-11882
Zoner	Probably Heur.RTFBadHeader
Tencent	Office.Exploit.Generic.Lzfl
Ikarus	Exploit.CVE-2017-11882
Fortinet	MSOffice/CVE_2017_11882.A!exploit
AVG	OLE:CVE-2017-11882 [Expl]

wagnergroup.rtf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All