Malware Analysis Report

2025-08-10 22:11

Sample ID 231012-mntmasde3z
Target SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf
SHA256 576aeff7f1272f505d250f9ffa5e0a470a83aa42daa88533aa1cb0f9447145cf
Tags
formbook o5gu rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

576aeff7f1272f505d250f9ffa5e0a470a83aa42daa88533aa1cb0f9447145cf

Threat Level: Known bad

The file SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf was found to be: Known bad.

Malicious Activity Summary

formbook o5gu rat spyware stealer trojan

Formbook

Formbook payload

Downloads MZ/PE file

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Launches Equation Editor

Enumerates system info in registry

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 10:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 10:37

Reported

2023-10-12 10:39

Platform

win7-20230831-en

Max time kernel

150s

Max time network

139s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\owenenfj578956.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\owenenfj578956.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2704 set thread context of 1356 N/A C:\Users\Admin\AppData\Roaming\owenenfj578956.exe C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
PID 1356 set thread context of 1424 N/A C:\Users\Admin\AppData\Roaming\owenenfj578956.exe C:\Windows\Explorer.EXE
PID 2176 set thread context of 1424 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\Explorer.EXE

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\owenenfj578956.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2704 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
PID 2940 wrote to memory of 2704 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
PID 2940 wrote to memory of 2704 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
PID 2940 wrote to memory of 2704 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
PID 2020 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2020 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2020 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2020 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2704 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\owenenfj578956.exe C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
PID 2704 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\owenenfj578956.exe C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
PID 2704 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\owenenfj578956.exe C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
PID 2704 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\owenenfj578956.exe C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
PID 2704 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\owenenfj578956.exe C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
PID 2704 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\owenenfj578956.exe C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
PID 2704 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\owenenfj578956.exe C:\Users\Admin\AppData\Roaming\owenenfj578956.exe
PID 1424 wrote to memory of 2176 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1424 wrote to memory of 2176 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1424 wrote to memory of 2176 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1424 wrote to memory of 2176 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 2176 wrote to memory of 1704 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 1704 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 1704 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 1704 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\owenenfj578956.exe

"C:\Users\Admin\AppData\Roaming\owenenfj578956.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\owenenfj578956.exe

"C:\Users\Admin\AppData\Roaming\owenenfj578956.exe"

C:\Windows\SysWOW64\NAPSTAT.EXE

"C:\Windows\SysWOW64\NAPSTAT.EXE"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\owenenfj578956.exe"

Network

Country Destination Domain Proto
NL 185.28.39.18:7777 185.28.39.18 tcp
US 8.8.8.8:53 www.herbahis239.com udp
IM 185.162.229.2:80 www.herbahis239.com tcp
US 8.8.8.8:53 www.defiacquisition.com udp
US 15.197.204.56:80 www.defiacquisition.com tcp
US 8.8.8.8:53 www.moneyboost.net udp
JP 162.43.116.130:80 www.moneyboost.net tcp

Files

memory/2020-0-0x000000002F4B1000-0x000000002F4B2000-memory.dmp

memory/2020-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2020-2-0x00000000710AD000-0x00000000710B8000-memory.dmp

\Users\Admin\AppData\Roaming\owenenfj578956.exe

MD5 47ea784b5aa582da550a12add7ccd74d
SHA1 5b6ae1d9193def3a895b102bc8340120bd5b8ea5
SHA256 e3adb8e74cd21839185ef70b6430c229a34636536412afc08bfbf1b8a610b359
SHA512 b4be253005f12497d76c320d14e3a9efc8632fe381baf6e1ff7aef6de5d4dc963fbfc83a944ce1f99939d3e7626ee0fb47d6b0687041d54b0b4e2e1ebd86306e

C:\Users\Admin\AppData\Roaming\owenenfj578956.exe

MD5 47ea784b5aa582da550a12add7ccd74d
SHA1 5b6ae1d9193def3a895b102bc8340120bd5b8ea5
SHA256 e3adb8e74cd21839185ef70b6430c229a34636536412afc08bfbf1b8a610b359
SHA512 b4be253005f12497d76c320d14e3a9efc8632fe381baf6e1ff7aef6de5d4dc963fbfc83a944ce1f99939d3e7626ee0fb47d6b0687041d54b0b4e2e1ebd86306e

C:\Users\Admin\AppData\Roaming\owenenfj578956.exe

MD5 47ea784b5aa582da550a12add7ccd74d
SHA1 5b6ae1d9193def3a895b102bc8340120bd5b8ea5
SHA256 e3adb8e74cd21839185ef70b6430c229a34636536412afc08bfbf1b8a610b359
SHA512 b4be253005f12497d76c320d14e3a9efc8632fe381baf6e1ff7aef6de5d4dc963fbfc83a944ce1f99939d3e7626ee0fb47d6b0687041d54b0b4e2e1ebd86306e

C:\Users\Admin\AppData\Roaming\owenenfj578956.exe

MD5 47ea784b5aa582da550a12add7ccd74d
SHA1 5b6ae1d9193def3a895b102bc8340120bd5b8ea5
SHA256 e3adb8e74cd21839185ef70b6430c229a34636536412afc08bfbf1b8a610b359
SHA512 b4be253005f12497d76c320d14e3a9efc8632fe381baf6e1ff7aef6de5d4dc963fbfc83a944ce1f99939d3e7626ee0fb47d6b0687041d54b0b4e2e1ebd86306e

memory/2704-15-0x0000000000C70000-0x0000000000D0A000-memory.dmp

memory/2704-16-0x000000006B260000-0x000000006B94E000-memory.dmp

memory/2704-17-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/2704-18-0x00000000005B0000-0x00000000005CA000-memory.dmp

memory/2020-23-0x00000000710AD000-0x00000000710B8000-memory.dmp

memory/2704-24-0x000000006B260000-0x000000006B94E000-memory.dmp

memory/2704-25-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/2704-27-0x00000000004E0000-0x00000000004EC000-memory.dmp

memory/2704-28-0x0000000004EA0000-0x0000000004F0E000-memory.dmp

C:\Users\Admin\AppData\Roaming\owenenfj578956.exe

MD5 47ea784b5aa582da550a12add7ccd74d
SHA1 5b6ae1d9193def3a895b102bc8340120bd5b8ea5
SHA256 e3adb8e74cd21839185ef70b6430c229a34636536412afc08bfbf1b8a610b359
SHA512 b4be253005f12497d76c320d14e3a9efc8632fe381baf6e1ff7aef6de5d4dc963fbfc83a944ce1f99939d3e7626ee0fb47d6b0687041d54b0b4e2e1ebd86306e

memory/1356-35-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1356-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2704-37-0x000000006B260000-0x000000006B94E000-memory.dmp

memory/1356-31-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1356-29-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1356-38-0x0000000000810000-0x0000000000B13000-memory.dmp

memory/1356-40-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1424-42-0x0000000008770000-0x00000000088D9000-memory.dmp

memory/1356-41-0x0000000000380000-0x0000000000394000-memory.dmp

memory/2176-43-0x0000000000750000-0x0000000000796000-memory.dmp

memory/2176-44-0x0000000000750000-0x0000000000796000-memory.dmp

memory/2176-45-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/2176-46-0x0000000001EE0000-0x00000000021E3000-memory.dmp

memory/2176-47-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/1424-48-0x0000000008770000-0x00000000088D9000-memory.dmp

memory/2176-50-0x0000000001DF0000-0x0000000001E83000-memory.dmp

memory/1424-53-0x00000000072B0000-0x00000000073FD000-memory.dmp

memory/1424-54-0x00000000072B0000-0x00000000073FD000-memory.dmp

memory/1424-56-0x00000000072B0000-0x00000000073FD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 f4f552e95269fbdbc1f8f345261f9101
SHA1 e1e09291f3601432fbb4637810a34cc76d41c523
SHA256 87cff73ac084acf5e7822bb02868e5f553fdb752f67c669c370f0dbfa97404fe
SHA512 d84d25748e4e623a6ba7eb8abdcba43a63455469894a5bf6275920bae8fc39ce1a26d2d2f5c0cfabfd9858bd6a4f441bf1b703aa5ff8032fadb21dd4e585647f

memory/2020-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2020-77-0x00000000710AD000-0x00000000710B8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 10:37

Reported

2023-10-12 10:40

Platform

win10v2004-20230915-en

Max time kernel

147s

Max time network

162s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/3772-0-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

memory/3772-2-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

memory/3772-1-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

memory/3772-3-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

memory/3772-4-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

memory/3772-7-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

memory/3772-6-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

memory/3772-5-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

memory/3772-8-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

memory/3772-9-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

memory/3772-10-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

memory/3772-11-0x00007FFA58640000-0x00007FFA58650000-memory.dmp

memory/3772-12-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

memory/3772-13-0x00007FFA58640000-0x00007FFA58650000-memory.dmp

memory/3772-42-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

memory/3772-43-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

memory/3772-45-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

memory/3772-44-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

memory/3772-46-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

memory/3772-47-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

memory/3772-48-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp