Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 6, 2024, 10:31 a.m.	Jan. 6, 2024, 10:47 a.m.

Size	154.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: wound, Template: Normal.dotm, Last Saved By: wound, Revision Number: 36, Name of Creating Application: Microsoft Office Word, Total Editing Time: 07:58:00, Create Time/Date: Sun Dec 17 11:57:00 2023, Last Saved Time/Date: Sun Dec 17 19:55:00 2023, Number of Pages: 1, Number of Words: 191, Number of Characters: 1094, Security: 0
MD5	`794004e79c07dbba60e1307549c04c3d`
SHA256	`9455bee3d642e0ce7949e5df1996a90621e76e991ae973da4dbae5d0e93ce33b`
CRC32	`B31BD5AB`
ssdeep	`1536:by5jhc8ldaJdz369DfxVv4TEbWdDZ4nW1Bh4JUF0M+I6xKVh0EFzHByYyFtdOvJa:kWKaAGgbsFlW4x6MdBHwYHvJFCNu`
Yara	Microsoft_Office_File_Zero - Microsoft Office File Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Generic_Malware_Zero - Generic Malware

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\test2.doc
808
- cmd.exe cMd /c C:\Users\Public\window.vbs
  2224
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\window.vbs"
    2304

Name	Response	Post-Analysis Lookup
configure.syscatec.com	A 69.46.5.226	69.46.5.226

IP Address	Status	Action
164.124.101.2	Active	Moloch
69.46.5.226	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.46.5.226:443 -> 192.168.56.103:49170	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49179 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.46.5.226:443 -> 192.168.56.103:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.46.5.226:443 -> 192.168.56.103:49177	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.46.5.226:443 -> 192.168.56.103:49188	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 69.46.5.226:443 -> 192.168.56.103:49184	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 69.46.5.226:443 -> 192.168.56.103:49192	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.46.5.226:443 -> 192.168.56.103:49171	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 69.46.5.226:443 -> 192.168.56.103:49180	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 69.46.5.226:443 -> 192.168.56.103:49181	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49187 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.46.5.226:443 -> 192.168.56.103:49185	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.46.5.226:443 -> 192.168.56.103:49189	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.46.5.226:443 -> 192.168.56.103:49193	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 6, 2024, 10:31 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x754e2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x754b801a SLClose-0x28c osppc+0x2cb5 @ 0x6b252cb5 SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6b265629 SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6b253412 SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6b2629af SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x69eca648 _MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70f24a94 _MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70f24823 _MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x707e30d3 _MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x707e2e1f _MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70002b05 _MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70002456 0x67933c _MsoDwGimmeUserInstallBehavior@8+0x1798b _MsoHrShowMetSharedNotebooksDlg@20-0x7dd5a mso+0xcbfd49 @ 0x707dfd49 _MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6fd208cc _MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6fd0fa61 _MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6fd0f808 _MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6fd0f7c8 _MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6fb43b6d _MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6fb422ad _MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6fcd522d _MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6fcd5189 _MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6fcd407b _MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6fcd3fa9 _MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6fcd3f6b DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x72162aca DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x72162a8c DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x7217b117 DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x7215b6c2 DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x721588d5 wdCommandDispatch-0x370 winword+0x15c4 @ 0x2e15c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0x2e1558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 2019164 registers.edi: 2019328 registers.eax: 2019164 registers.ebp: 2019244 registers.edx: 0 registers.ebx: 2020380 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 6, 2024, 10:31 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x754e2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x754b801a
SLClose-0x28c osppc+0x2cb5 @ 0x6b252cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6b265629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6b253412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6b2629af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x69eca648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70f24a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70f24823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x707e30d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x707e2e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70002b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70002456
0x67933c
_MsoDwGimmeUserInstallBehavior@8+0x1798b _MsoHrShowMetSharedNotebooksDlg@20-0x7dd5a mso+0xcbfd49 @ 0x707dfd49
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6fd208cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6fd0fa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6fd0f808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6fd0f7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6fb43b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6fb422ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6fcd522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6fcd5189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6fcd407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6fcd3fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6fcd3f6b
DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x72162aca
DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x72162a8c
DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x7217b117
DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x7215b6c2
DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x721588d5
wdCommandDispatch-0x370 winword+0x15c4 @ 0x2e15c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0x2e1558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 2019164
registers.edi: 2019328
registers.eax: 2019164
registers.ebp: 2019244
registers.edx: 0
registers.ebx: 2020380
registers.esi: 3221549073
registers.ecx: 2147483648

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6abdd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a7ee000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c5a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c5a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c5a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c5a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c5a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c5a000 process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 808 crashed
__exception__ Jan. 6, 2024, 10:31 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x754e2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x754b801a SLClose-0x28c osppc+0x2cb5 @ 0x6b252cb5 SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6b265629 SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6b253412 SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6b2629af SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x69eca648 _MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70f24a94 _MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70f24823 _MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x707e30d3 _MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x707e2e1f _MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70002b05 _MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70002456 0x67933c _MsoDwGimmeUserInstallBehavior@8+0x1798b _MsoHrShowMetSharedNotebooksDlg@20-0x7dd5a mso+0xcbfd49 @ 0x707dfd49 _MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6fd208cc _MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6fd0fa61 _MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6fd0f808 _MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6fd0f7c8 _MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6fb43b6d _MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6fb422ad _MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6fcd522d _MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6fcd5189 _MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6fcd407b _MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6fcd3fa9 _MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6fcd3f6b DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x72162aca DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x72162a8c DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x7217b117 DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x7215b6c2 DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x721588d5 wdCommandDispatch-0x370 winword+0x15c4 @ 0x2e15c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0x2e1558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 2019164 registers.edi: 2019328 registers.eax: 2019164 registers.ebp: 2019244 registers.edx: 0 registers.ebx: 2020380 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Application Crash

Process WINWORD.EXE with pid 808 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 6, 2024, 10:31 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x754e2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x754b801a
SLClose-0x28c osppc+0x2cb5 @ 0x6b252cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6b265629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6b253412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6b2629af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x69eca648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70f24a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70f24823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x707e30d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x707e2e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70002b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70002456
0x67933c
_MsoDwGimmeUserInstallBehavior@8+0x1798b _MsoHrShowMetSharedNotebooksDlg@20-0x7dd5a mso+0xcbfd49 @ 0x707dfd49
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6fd208cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6fd0fa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6fd0f808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6fd0f7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6fb43b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6fb422ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6fcd522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6fcd5189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6fcd407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6fcd3fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6fcd3f6b
DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x72162aca
DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x72162a8c
DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x7217b117
DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x7215b6c2
DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x721588d5
wdCommandDispatch-0x370 winword+0x15c4 @ 0x2e15c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0x2e1558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$test2.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Jan. 6, 2024, 10:31 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004a8 filepath: C:\Users\test22\AppData\Local\Temp\~$test2.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$test2.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Word document hooks document open

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Wscript.exe initiated network communications indicative of a script based payload download (24 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yueZ¿cÚ³ßCåÍ\Ó¹Cí2=)>n1¬ÕnRÑ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 592		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51e[ªx8¶ï»{ Æ=[¨ïéMÌY(ÞÍî ÿ socket: 592		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51e`ÓlÏ2uöSN6;Q¦¦ü{4T5Ï90¾u ÿ socket: 688		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yuea¼Õ\|FCÎîFÁ7ë÷=9yÿvÀKI/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 688		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yuekÒnIÇË9Ý;\ý°Q>¨âkFmèËÔ5q</5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 688		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51ek.VíBBqo³ç¥@æèV NufÝü±ZJ ÿ socket: 688		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51ev5%Ð6Cb*÷ç!ICëZçSÂ,ÑáV ÿ socket: 688		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yuevma³@0¤÷/«"ü00°¢ÂZhÇM:gÏ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 688		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yueÆv Kù3Âê¼ïçp7;6PSÏÙ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 380		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51e->:ûäSYünSñ\<¹Å¹¥÷k ÿ socket: 380		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51eà±(B ²\|´ve³Ï?16 ñ ÐÞ'L`ö ÿ socket: 380		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yue×ZÛéÃi¦Üð¢ 9þ[Cpp``k¹a/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 380		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue';ß^M>NÓÙÏRÊ!ãôìò`]%h % /5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 376		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e( MpÙ0@Bð_ó*¯ý 6)g. ÿ socket: 376		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e¡K Ü4/°ÁIÆ2¶ªË¸àOÝ<hùÆ ÿ socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue¡ÇÓM:b¦Z¯êµ4êiA$T¥ åsõ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue¬õ%KZÆ õcûv_"Ó«J;Ä½0¶Ô/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e¬Î×ó+ix\|gÛ5MËL Î«´9]G ÿ socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e¶ ¾×{ú]ßv¼TÈ´±óVJÓçhØ¨µ×¶ ÿ socket: 460		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue·~OqñrÏäÃàPÝê_^^'*qó¦/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 460		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yueÁ÷EE &¹Ó(d¹±àVú¸\Gw]×#/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 460		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51eÂÃî9¥'ÑËw¤Z÷3´ÁãC¢Ùë SXG ÿ socket: 460		0	0
WSASend Jan. 6, 2024, 10:33 a.m.	buffer: 51eÌâUÈúá@ÚXqã§;ËZm«ô=>ÓLÖÿ ÿ socket: 460		0	0
WSASend Jan. 6, 2024, 10:33 a.m.	buffer: yueÌÉü][ê±x<¨l'Ý¢Y ¢g@HðD /5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 460		0	0

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (24 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yueZ¿cÚ³ßCåÍ\Ó¹Cí2=)>n1¬ÕnRÑ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 592		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51e[ªx8¶ï»{ Æ=[¨ïéMÌY(ÞÍî ÿ socket: 592		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51e`ÓlÏ2uöSN6;Q¦¦ü{4T5Ï90¾u ÿ socket: 688		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yuea¼Õ\|FCÎîFÁ7ë÷=9yÿvÀKI/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 688		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yuekÒnIÇË9Ý;\ý°Q>¨âkFmèËÔ5q</5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 688		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51ek.VíBBqo³ç¥@æèV NufÝü±ZJ ÿ socket: 688		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51ev5%Ð6Cb*÷ç!ICëZçSÂ,ÑáV ÿ socket: 688		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yuevma³@0¤÷/«"ü00°¢ÂZhÇM:gÏ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 688		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yueÆv Kù3Âê¼ïçp7;6PSÏÙ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 380		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51e->:ûäSYünSñ\<¹Å¹¥÷k ÿ socket: 380		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51eà±(B ²\|´ve³Ï?16 ñ ÐÞ'L`ö ÿ socket: 380		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yue×ZÛéÃi¦Üð¢ 9þ[Cpp``k¹a/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 380		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue';ß^M>NÓÙÏRÊ!ãôìò`]%h % /5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 376		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e( MpÙ0@Bð_ó*¯ý 6)g. ÿ socket: 376		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e¡K Ü4/°ÁIÆ2¶ªË¸àOÝ<hùÆ ÿ socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue¡ÇÓM:b¦Z¯êµ4êiA$T¥ åsõ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue¬õ%KZÆ õcûv_"Ó«J;Ä½0¶Ô/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e¬Î×ó+ix\|gÛ5MËL Î«´9]G ÿ socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e¶ ¾×{ú]ßv¼TÈ´±óVJÓçhØ¨µ×¶ ÿ socket: 460		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue·~OqñrÏäÃàPÝê_^^'*qó¦/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 460		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yueÁ÷EE &¹Ó(d¹±àVú¸\Gw]×#/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 460		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51eÂÃî9¥'ÑËw¤Z÷3´ÁãC¢Ùë SXG ÿ socket: 460		0	0
WSASend Jan. 6, 2024, 10:33 a.m.	buffer: 51eÌâUÈúá@ÚXqã§;ËZm«ô=>ÓLÖÿ ÿ socket: 460		0	0
WSASend Jan. 6, 2024, 10:33 a.m.	buffer: yueÌÉü][ê±x<¨l'Ý¢Y ¢g@HðD /5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 460		0	0

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

cMd /c C:\Users\Public\window.vbs

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2224 resumed a thread in remote process 2304
NtResumeThread Jan. 6, 2024, 10:31 a.m.	thread_handle: 0x00000234 suspend_count: 1 process_identifier: 2304	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Lionic	Trojan.MSWord.Amphitryon.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	VBA:Amphitryon.1693
Skyhigh	BehavesLike.OLE2.Downloader.cb
Symantec	Trojan.Gen.MBT
ESET-NOD32	VBA/TrojanDropper.Agent.CXV
Cynet	Malicious (score: 99)
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.MSOffice.SAgent.gen
BitDefender	VBA:Amphitryon.1693
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Rising	Dropper.Agent/VBA!8.11766 (TOPIS:E0:nCOm0OIG1PI)
Emsisoft	VBA:Amphitryon.1693 (B)
F-Secure	Malware.W97M/Redcap.rbpfk
DrWeb	Exploit.Siggen3.44323
VIPRE	VBA:Amphitryon.1693
SentinelOne	Static AI - Malicious OLE
Avira	W97M/Redcap.rbpfk
MAX	malware (ai score=80)
Antiy-AVL	Trojan[Downloader]/MSOffice.Agent
Kingsoft	Win32.Troj.Undef.a
Microsoft	Trojan:Win32/Leonem
Arcabit	VBA:Amphitryon.D69D
ZoneAlarm	HEUR:Trojan.MSOffice.SAgent.gen
GData	VBA:Amphitryon.1693
Varist	ABRisk.ROET-8
TACHYON	Suspicious/W97M.DRP.Gen
Tencent	Win32.Trojan.Malware.Szfl
Ikarus	VBA.Amphitryon
AVG	Script:SNH-gen [Trj]

test2.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All