Analysis
-
max time kernel
105s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system -
submitted
06-12-2022 13:34
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Exploit.CVE-2018-0798.4.4196.9009.rtf
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Exploit.CVE-2018-0798.4.4196.9009.rtf
Resource
win10v2004-20220812-en
General
-
Target
SecuriteInfo.com.Exploit.CVE-2018-0798.4.4196.9009.rtf
-
Size
3KB
-
MD5
be3b9a7ca16d063b9b2b3c132edb0f79
-
SHA1
045318816244ba901aeb001c114ec5d97b18b6cd
-
SHA256
6841bbfdc2ef1768e7b3bca495a17b425726362e086456be2e0ba97a16c97852
-
SHA512
b597ace309591d07e54d10918077043f4d5ba1105ac66be77efbf7d4aa3b05587bc16811f15098f298702955f94bc350207c5080b1759ef02af77e3b1cb6cd89
Malware Config
Extracted
family: warzonerat
C2: baramac.duckdns.org:6269
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 1 IoCs
Processes:
resource: behavioral1/memory/1356-76-0x0000000000400000-0x000000000041D000-memory.dmp
yara_rule: warzonerat
-
Blocklisted process makes network request 1 IoCs
Processes:
flow 4 | pid 1616 | process EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
pid 1388 | process word.exe
pid 1836 | process xcfoyif.exe
pid 1356 | process xcfoyif.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid 1616 | process EQNEDT32.EXE
pid 1388 | process word.exe
pid 1836 | process xcfoyif.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
xcfoyif.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\gjtm = "C:\\Users\\Admin\\AppData\\Roaming\\rojm\\yfuakto.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xcfoyif.exe\" C:\\Users\\Admin\\AppData\\Local\\Temp\\"
Note: the Run value re-launches the dropper through a copy at ...\Roaming\rojm\yfuakto.exe, passing the Temp-folder xcfoyif.exe and directory as arguments; that Roaming copy does not appear among the dropped files listed under Downloads, so only the Temp paths and the hashes below are available as file IoCs.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
pid 1836 (xcfoyif.exe) set thread context of pid 1356 (xcfoyif.exe)
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXE: File opened for modification C:\Windows\Debug\WIA\wiatrace.log
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour; in this run the payload is a RAT (WarzoneRAT), so drive enumeration is better read as host reconnaissance. No process row is attached to this signature.
-
NSIS installer 6 IoCs
Processes:
resource \Users\Admin\AppData\Roaming\word.exe | yara_rule nsis_installer_1
resource \Users\Admin\AppData\Roaming\word.exe | yara_rule nsis_installer_2
resource C:\Users\Admin\AppData\Roaming\word.exe | yara_rule nsis_installer_1
resource C:\Users\Admin\AppData\Roaming\word.exe | yara_rule nsis_installer_2
resource C:\Users\Admin\AppData\Roaming\word.exe | yara_rule nsis_installer_1
resource C:\Users\Admin\AppData\Roaming\word.exe | yara_rule nsis_installer_2
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor (EQNEDT32.EXE) is an old Office component often targeted by exploits such as CVE-2017-11882; CVE-2018-0798, which this sample is named after, is another memory-corruption bug in the same component. The IoC row for this signature is missing from the page; from the process tree it is EQNEDT32.EXE (pid 1616), started out of process with -Embedding, which is why it appears as its own root in the tree rather than as a child of WINWORD.EXE.
-
Modifies Internet Explorer settings 31 IoCs
(The heading for this table did not survive extraction; the signature name is the one the process tree lists for WINWORD.EXE.) All entries are by WINWORD.EXE (pid 1600) and, like the registry-class changes, are Office's own registration of its Default HTML/MHTML Editor handlers and IE MenuExt entries. The two binary "command" values are UTF-16LE Windows Installer Darwin descriptors, the advertised-shortcut form of the plaintext command stored beside them.
Processes:
1. Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
2. Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
3. Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
4. Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
5. Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
6. Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
7. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
8. Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
9. Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
10. Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
11. Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
12. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
13. Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
14. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
15. Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
16. Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar
17. Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
18. Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
19. Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
20. Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
21. Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
22. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
23. Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
24. Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
25. Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
26. Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
27. Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
28. Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
29. Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
30. Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt
31. Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
-
Modifies registry class 64 IoCs
All 64 operations are made by WINWORD.EXE (pid 1600) and register Office's own HTML/MHTML handlers under its Office14 install path: the htmlfile and mhtmlfile ProgIDs, the .htm/.mht OpenWithList entries for Word, Excel and Publisher, and the msohtmed.exe icon-handler CLSID {42042206-2D85-11D3-8CFF-005004838597}. This is Office first-run self-registration, not attacker activity; the attacker-controlled registry write in this run is the Run key set by xcfoyif.exe. The REG_BINARY "command" values are UTF-16LE Windows Installer Darwin descriptors (the advertised-shortcut form of the plaintext command stored beside each). Three distinct blobs occur and are abbreviated in the list:
[W] 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 (Word)
[X] 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 (Excel)
[P] 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 (Publisher)
Processes:
1. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
2. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
3. Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = [W]
4. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application
5. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell
6. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"
7. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit
8. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
9. Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
10. Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
11. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
12. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
13. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList
14. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
15. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit
16. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
17. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe
18. Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = [W]
19. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
20. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec
21. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
22. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit
23. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
24. Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = [W]
25. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe
26. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
27. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command
28. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""
29. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx
30. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word
31. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
32. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
33. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
34. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"
35. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command
36. Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = [X]
37. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"
38. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx
39. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
40. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
41. Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = [P]
42. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
43. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
44. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command
45. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
46. Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
47. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"
48. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
49. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
50. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe
51. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
52. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
53. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel
54. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel
55. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit
56. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit
57. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command
58. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile
59. Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = [X]
60. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
61. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
62. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell
63. Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
64. Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32
-
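The REG_BINARY "command" values that WINWORD.EXE writes in the Internet Explorer settings table and in the registry-class table above are the one part of those 95 operations that is not readable at a glance. The Python below is an added example for this report, not sandbox or vendor code: it decodes the three distinct blobs copied from the tables (UTF-16LE hex), splits each into its Windows Installer Darwin-descriptor fields, and cross-checks the trailing arguments against the plaintext command logged beside each binary value. The field layout it assumes is the standard Darwin-descriptor form: a 20-character compressed ProductCode, the feature name, a '>' separator, a 20-character compressed component id, then the literal command-line arguments.

```python
"""Decode the REG_BINARY "command" values logged in this report and show they
are advertised (Darwin-descriptor) twins of the plaintext commands beside them.
Added example; hex blobs are copied from the report's registry IoCs."""
from dataclasses import dataclass

# Copied from the report (REG_BINARY rendered as hex; UTF-16LE, NUL-terminated).
WORD_CMD = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
EXCEL_CMD = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000"
PUB_CMD = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000"

# Plaintext values the report logs next to the binary ones.
WORD_PLAIN = r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "%1"'
EXCEL_PLAIN = r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde'
PUB_PLAIN = r'"C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE" %1'


@dataclass(frozen=True)
class DarwinCommand:
    product: str    # 20-char compressed ProductCode GUID
    feature: str    # MSI feature name, e.g. WORDFiles
    component: str  # 20-char compressed component GUID
    args: str       # literal arguments appended to the resolved executable


def decode_reg_binary_utf16(hex_blob: str) -> str:
    """Hex text -> bytes -> UTF-16LE string with NUL terminators removed."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16")
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_darwin_command(text: str) -> DarwinCommand:
    """Split <product(20)><feature>'>'<component(20)><args> into its fields.
    Assumed layout: the standard Windows Installer Darwin descriptor."""
    if len(text) < 42:  # 20 + at least 1 feature char + '>' + 20
        raise ValueError("too short for a Darwin descriptor")
    product = text[:20]
    sep = text.index(">", 20)  # feature names do not contain '>'
    feature = text[20:sep]
    component = text[sep + 1:sep + 21]
    if not feature or len(component) != 20:
        raise ValueError("malformed Darwin descriptor")
    return DarwinCommand(product, feature, component, text[sep + 21:].strip())


def command_args(plain: str) -> str:
    """Arguments of a plaintext shell command (quoted or bare executable path)."""
    if plain.startswith('"'):
        return plain[plain.index('"', 1) + 1:].strip()
    return plain.split(" ", 1)[1].strip() if " " in plain else ""


def is_advertised_twin(hex_blob: str, plain: str) -> bool:
    """True when the binary value is just the advertised form of the plaintext
    command next to it: a well-formed descriptor carrying the same arguments."""
    try:
        cmd = parse_darwin_command(decode_reg_binary_utf16(hex_blob))
    except ValueError:
        return False
    return cmd.args == command_args(plain)


if __name__ == "__main__":
    for name, blob, plain in (("Word", WORD_CMD, WORD_PLAIN),
                              ("Excel", EXCEL_CMD, EXCEL_PLAIN),
                              ("Publisher", PUB_CMD, PUB_PLAIN)):
        cmd = parse_darwin_command(decode_reg_binary_utf16(blob))
        print(f"{name}: feature={cmd.feature} args={cmd.args!r} "
              f"twin_of_plaintext={is_advertised_twin(blob, plain)}")
```

All three blobs share the same 20-character product token, which is what you would expect from one Office installation registering three of its features; a binary "command" value whose arguments did not match its plaintext neighbour, or whose descriptor did not parse, would be worth a second look.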
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid 1600 | process WINWORD.EXE
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid 1836 | process xcfoyif.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid 1600 | process WINWORD.EXE
pid 1600 | process WINWORD.EXE
pid 1356 | process xcfoyif.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
PID 1616 (EQNEDT32.EXE) wrote to memory of 1388 (word.exe), 4 times
PID 1388 (word.exe) wrote to memory of 1836 (xcfoyif.exe), 4 times
PID 1836 (xcfoyif.exe) wrote to memory of 1356 (xcfoyif.exe), 5 times
PID 1600 (WINWORD.EXE) wrote to memory of 1684 (splwow64.exe), 4 times
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (pid 1600, depth 1)
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2018-0798.4.4196.9009.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe (pid 1684, depth 2)
    C:\Windows\splwow64.exe 12288
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (pid 1616, depth 1)
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\word.exe (pid 1388, depth 2)
    C:\Users\Admin\AppData\Roaming\word.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\xcfoyif.exe (pid 1836, depth 3)
      "C:\Users\Admin\AppData\Local\Temp\xcfoyif.exe" C:\Users\Admin\AppData\Local\Temp\rrchmtd.ihc
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\xcfoyif.exe (pid 1356, depth 4)
        "C:\Users\Admin\AppData\Local\Temp\xcfoyif.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
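The process tree above is the detection surface for this sample: EQNEDT32.EXE is a COM server that is started by DCOM with -Embedding rather than by WINWORD.EXE, so a rule keyed on "Office spawns a child" misses it, while a rule keyed on "Equation Editor spawns anything" catches the word.exe dropper regardless of which Equation Editor CVE was used. The Python below is an added example, not sandbox output: it builds process-creation events from the PIDs and image paths in this report (the parent PIDs of the two tree roots, 1000 and 700, are assumed because the report does not show them), then applies three checks that a practitioner would run over endpoint telemetry: Equation Editor children, a profile-resident binary re-launching its own image (the shape behind the SetThreadContext and WriteProcessMemory signatures on pids 1836 and 1356), and a Run-key value that launches from inside the user profile (the gjtm value logged under Adds Run key).

```python
"""Detection logic for the chain in this report. Added example; the events are
constructed from the report's process tree, not captured telemetry."""
from dataclasses import dataclass
from typing import List
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the created process


OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office14"
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# PIDs and images are the report's; parent PIDs 1000 and 700 for the two tree
# roots are assumed (the report does not list them).
EVENTS = [
    ProcEvent(1600, 1000, OFFICE + r"\WINWORD.EXE"),
    ProcEvent(1684, 1600, r"C:\Windows\splwow64.exe"),
    ProcEvent(1616, 700, EQN),  # launched via DCOM (-Embedding), not by WINWORD
    ProcEvent(1388, 1616, r"C:\Users\Admin\AppData\Roaming\word.exe"),
    ProcEvent(1836, 1388, TEMP + r"\xcfoyif.exe"),
    ProcEvent(1356, 1836, TEMP + r"\xcfoyif.exe"),
]

# Data of the Run value ...\CurrentVersion\Run\gjtm as logged in the report.
RUN_VALUE = (r'C:\Users\Admin\AppData\Roaming\rojm\yfuakto.exe '
             r'"C:\Users\Admin\AppData\Local\Temp\xcfoyif.exe" '
             r'C:\Users\Admin\AppData\Local\Temp' + '\\')


def _by_pid(events):
    return {e.pid: e for e in events}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_profile(path: str) -> bool:
    return path.lower().startswith("c:\\users\\")


def equation_editor_children(events) -> List[int]:
    """EQNEDT32.EXE has no legitimate reason to create processes; any child is
    treated as exploitation of the CVE-2017-11882 / CVE-2018-0798 class."""
    parents = _by_pid(events)
    return [e.pid for e in events
            if e.ppid in parents and _base(parents[e.ppid].image) == "eqnedt32.exe"]


def self_relaunch_in_profile(events) -> List[int]:
    """A binary under the user profile starting a second copy of itself: the
    usual precursor to injecting a payload into the suspended child."""
    parents = _by_pid(events)
    return [e.pid for e in events
            if e.ppid in parents
            and parents[e.ppid].image.lower() == e.image.lower()
            and _in_profile(e.image)]


def ancestry(events, pid: int) -> List[str]:
    """Image names from pid upward until a parent outside the event set."""
    parents = _by_pid(events)
    chain = []
    while pid in parents:
        chain.append(_base(parents[pid].image))
        pid = parents[pid].ppid
    return chain


def run_value_in_profile(data: str) -> bool:
    """True when the executable a Run value launches lives under C:\\Users."""
    if data.startswith('"'):
        target = data[1:data.index('"', 1)]
    else:
        target = data.split(" ", 1)[0]
    return _in_profile(target)


if __name__ == "__main__":
    print("Equation Editor children:", equation_editor_children(EVENTS))
    print("self-relaunch in profile:", self_relaunch_in_profile(EVENTS))
    print("payload ancestry (pid 1356):", ancestry(EVENTS, 1356))
    print("Run value launches from profile:", run_value_in_profile(RUN_VALUE))
```

Running it reports pid 1388 (word.exe) as the Equation Editor child, pid 1356 as the self-relaunch, and an ancestry for the injected process of xcfoyif.exe, xcfoyif.exe, word.exe, eqnedt32.exe. Keying the first check on the parent image rather than on WINWORD.EXE is the point: the exploit process is a sibling of Word in the tree, not a descendant.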
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\kmxqftqk.qph
Filesize: 98KB
MD5: 6c84aab264b84f7b49e3469dadc6fd2e
SHA1: b504d78a83fc55921d8696019d1ba3117358e71d
SHA256: 814b2671e7062d4a1a0de38d9c5bf5dc0195af248397b39e65300993066d99f9
SHA512: c7f0a6145160e1692f24fea49340b884636393138114765bdd93f469fb30c131e004527b0205c8549da4c77d16b556900c58e182485ba65b1dcffa2a49948b3a
-
C:\Users\Admin\AppData\Local\Temp\rrchmtd.ihc
Filesize: 7KB
MD5: 88c3926cb29745d988b0e794378e4728
SHA1: 8b58f03f1542aa30878619e52a800037538639cb
SHA256: 5ef5687c9cfc258ff4283ce3b67eef061bfedb2e7b81f76392a3ffdcc5a061ca
SHA512: b3cd557f2ba7325f07ba2004365959d02dbb4b63607b807e652c409876effbe9e4e393d44cf9d9d827ceec21f24f93a72e3fb3926fb07269f751a2a162480fef
-
C:\Users\Admin\AppData\Local\Temp\xcfoyif.exe (three entries under C:\Users\... and two under \Users\..., all with the same hashes)
Filesize: 13KB
MD5: a76eebf673691ad96288a99825e4c5c6
SHA1: e82d6bd4d1f3b19fe88f0e53f811260fb89fc2c1
SHA256: 266237fe1dfb6f03610b7c3311d6122963787f64e2a6ef374a7d043921b30f74
SHA512: 34d0535d4f9a08fa7233e4a1e4e2fbc8e5322f089568fe343e2273f99164cdafc322a08fe8dc0847e48389cf3394292a873147540991b303171aad8189ccd596
-
C:\Users\Admin\AppData\Roaming\word.exe (two entries under C:\Users\... and one under \Users\..., all with the same hashes)
Filesize: 328KB
MD5: 33cfde0badba18cca2d44476d7d45edc
SHA1: 290003e3266acffa2e669e50ff0aad8f3974b214
SHA256: 3650e941f589db93a518d602e4b0ddd9a54c7c42f3d1d06bdda467651cbb95f7
SHA512: 9ee920f4b040d54b48bd80bf1cf29a9ce8572fbf75c737f55fdf8fc7127b63d900e3690af85124b40593e1a30142bce7235c8df025c7e1ec71f97e8cf4478dc5
-
memory/1356-76-0x0000000000400000-0x000000000041D000-memory.dmp (116KB)
-
memory/1356-73-0x0000000000405738-mapping.dmp
-
memory/1388-61-0x0000000000000000-mapping.dmp
-
memory/1600-57-0x0000000076461000-0x0000000076463000-memory.dmp (8KB)
-
memory/1600-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
-
memory/1600-55-0x00000000700C1000-0x00000000700C3000-memory.dmp (8KB)
-
memory/1600-58-0x00000000710AD000-0x00000000710B8000-memory.dmp (44KB)
-
memory/1600-54-0x0000000072641000-0x0000000072644000-memory.dmp (12KB)
-
memory/1600-77-0x00000000710AD000-0x00000000710B8000-memory.dmp (44KB)
-
memory/1600-80-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
-
memory/1600-81-0x00000000710AD000-0x00000000710B8000-memory.dmp (44KB)
-
memory/1684-78-0x0000000000000000-mapping.dmp
-
memory/1684-79-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp (8KB)
-
memory/1836-66-0x0000000000000000-mapping.dmp