Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system -
submitted
12/10/2023, 10:37
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf
Resource
win10v2004-20230915-en
General
-
Target
SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf
-
Size
62KB
-
MD5
bb973c3280643cb3da16e508325158ba
-
SHA1
76632193c1757813bd396f6c93ab597ce8ab357b
-
SHA256
576aeff7f1272f505d250f9ffa5e0a470a83aa42daa88533aa1cb0f9447145cf
-
SHA512
a962a8c34d0ea8125bb77b09b26ebacd86df489246d9e613d0bc284fe44976997b494d500c3ae0b91bcfb3e4bc46b04e75ab12391ab56e0e0ba74c0914697869
-
SSDEEP
768:EXwAbZSibMX9gRWjQ1LEEZLpPosZrw72fy:uwAlRPpEErPoCw7Cy
Malware Config
Extracted
formbook
4.1
o5gu
Signatures
-
Formbook payload 4 IoCs
resource yara_rule
behavioral1/memory/1356-35-0x0000000000400000-0x000000000042F000-memory.dmp formbook
behavioral1/memory/1356-40-0x0000000000400000-0x000000000042F000-memory.dmp formbook
behavioral1/memory/2176-45-0x0000000000080000-0x00000000000AF000-memory.dmp formbook
behavioral1/memory/2176-47-0x0000000000080000-0x00000000000AF000-memory.dmp formbook
-
Blocklisted process makes network request 1 IoCs
flow pid Process 3 2940 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process
2704 owenenfj578956.exe
1356 owenenfj578956.exe
-
Loads dropped DLL 1 IoCs
pid Process 2940 EQNEDT32.EXE -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target
PID 2704 set thread context of 1356 2704 owenenfj578956.exe 35
PID 1356 set thread context of 1424 1356 owenenfj578956.exe 7
PID 2176 set thread context of 1424 2176 NAPSTAT.EXE 7
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2940 EQNEDT32.EXE -
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2020 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process
1356 owenenfj578956.exe
2176 NAPSTAT.EXE
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1424 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process
1356 owenenfj578956.exe
1356 owenenfj578956.exe
1356 owenenfj578956.exe
2176 NAPSTAT.EXE
2176 NAPSTAT.EXE
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process
Token: SeDebugPrivilege 1356 owenenfj578956.exe
Token: SeDebugPrivilege 2176 NAPSTAT.EXE
Token: SeShutdownPrivilege 1424 Explorer.EXE
Token: SeShutdownPrivilege 1424 Explorer.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2020 WINWORD.EXE 2020 WINWORD.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target
PID 2940 wrote to memory of 2704 2940 EQNEDT32.EXE 29
PID 2020 wrote to memory of 2580 2020 WINWORD.EXE 32
PID 2704 wrote to memory of 1356 2704 owenenfj578956.exe 35
PID 1424 wrote to memory of 2176 1424 Explorer.EXE 36
PID 2176 wrote to memory of 1704 2176 NAPSTAT.EXE 37
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1424
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf"
    PID: 2020
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2580
  C:\Windows\SysWOW64\NAPSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NAPSTAT.EXE"
    PID: 2176
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Roaming\owenenfj578956.exe"
      PID: 1704
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 2940
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
    Command line: "C:\Users\Admin\AppData\Roaming\owenenfj578956.exe"
    PID: 2704
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
      Command line: "C:\Users\Admin\AppData\Roaming\owenenfj578956.exe"
      PID: 1356
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Downloads
-
Filesize
20KB
MD5 f4f552e95269fbdbc1f8f345261f9101
SHA1 e1e09291f3601432fbb4637810a34cc76d41c523
SHA256 87cff73ac084acf5e7822bb02868e5f553fdb752f67c669c370f0dbfa97404fe
SHA512 d84d25748e4e623a6ba7eb8abdcba43a63455469894a5bf6275920bae8fc39ce1a26d2d2f5c0cfabfd9858bd6a4f441bf1b703aa5ff8032fadb21dd4e585647f
-
Filesize
588KB
MD5 47ea784b5aa582da550a12add7ccd74d
SHA1 5b6ae1d9193def3a895b102bc8340120bd5b8ea5
SHA256 e3adb8e74cd21839185ef70b6430c229a34636536412afc08bfbf1b8a610b359
SHA512 b4be253005f12497d76c320d14e3a9efc8632fe381baf6e1ff7aef6de5d4dc963fbfc83a944ce1f99939d3e7626ee0fb47d6b0687041d54b0b4e2e1ebd86306e