Analysis
-
max time kernel
153s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
10-01-2024 16:35
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Exploit.CVE-2018-0798.4.13523.31964.rtf
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Exploit.CVE-2018-0798.4.13523.31964.rtf
Resource
win10v2004-20231215-en
General
-
Target
SecuriteInfo.com.Exploit.CVE-2018-0798.4.13523.31964.rtf
-
Size
138KB
-
MD5
12135005a3185366b4b27c706f1d0526
-
SHA1
11c701479e96c20ce16c3eb6e0e3d2249fd25ba0
-
SHA256
13b1f7955a9cf96f79b39effd8d08940cc7998c3aa934047a48ed3157d5a6db9
-
SHA512
3259b2c6b3aa8cf195521c9d85c899a3ebc9328597833ba5181bcd2421a9b5d65fcf468050b57933de5158e8501b8b00a1101a52fef7a0b6eebb25dcebf8a35a
-
SSDEEP
768:ewAbZSibMX9gRWjtwAbZSibMX9gRWjhxsceh5IohhYZK3rad35:ewAlRkwAlR6Kh5HhhGK3ud35
Malware Config
Extracted
formbook
4.1
sg36
cookfranschhoek.com
rajaslot138.today
eightfigureroundtable.com
sdklwdz.com
novaturienthealth.com
sk87k.xyz
defoutenmakers.online
eadsanuncios.com
drewkav.com
car-insurance-94416.bond
m3nm.site
6vab.site
towing-barnesville.top
authentifizierung-beginnen.com
thejmfc.com
beggiapizza.site
gttsfibermill.com
cdugood.com
dominiongeneralcontractors.com
deprepagos.com
writetoday.app
kinleysbeatyreveiws.com
ah-ysdl.com
pj2698.com
prosource-eu.com
realizzazionesitiinternet.net
hoidap360.com
poncetruckingshop.online
momsmobilegrooming.com
ghafirer.store
dhl.cyou
dalvalynch.net
14wow.com
bulletinod.lat
aisubrosa.com
ligneap.pics
nobusinessplan.com
callumwallace.com
kaisen-ebizo.com
bouhabba.com
onlyrl.com
dancokerss.online
sustainablepartners-la.com
wqks7.site
bzxtor.xyz
tecgulf.com
dailydei.com
summitpointkeyword.top
aniba.foundation
coolfashions.shop
bestmindbodyhealingpodcast.com
fulfide.com
va4is5w.sbs
reddy-fairplay.shop
bitflyer.global
menomonietowing.top
vwjq3.site
bbetslo.top
goldwin-open.online
totalpriceforyourhome.com
realestateadvice.site
dip2024.com
ashvalueprofilereport.com
mcdowelltowing.top
ldvicecream.com
Signatures
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1824-34-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1824-39-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2164-45-0x0000000000080000-0x00000000000AF000-memory.dmp formbook behavioral1/memory/2164-47-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 4 2816 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
softbin93005.exesoftbin93005.exesoftbin93005.exepid process 2960 softbin93005.exe 2516 softbin93005.exe 1824 softbin93005.exe -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 2816 EQNEDT32.EXE -
Suspicious use of SetThreadContext 3 IoCs
Processes:
softbin93005.exesoftbin93005.exewlanext.exedescription pid process target process PID 2960 set thread context of 1824 2960 softbin93005.exe softbin93005.exe PID 1824 set thread context of 1204 1824 softbin93005.exe Explorer.EXE PID 2164 set thread context of 1204 2164 wlanext.exe Explorer.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2760 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
softbin93005.exesoftbin93005.exewlanext.exepid process 2960 softbin93005.exe 2960 softbin93005.exe 1824 softbin93005.exe 1824 softbin93005.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe 2164 wlanext.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
softbin93005.exewlanext.exepid process 1824 softbin93005.exe 1824 softbin93005.exe 1824 softbin93005.exe 2164 wlanext.exe 2164 wlanext.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
softbin93005.exesoftbin93005.exewlanext.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 2960 softbin93005.exe Token: SeDebugPrivilege 1824 softbin93005.exe Token: SeDebugPrivilege 2164 wlanext.exe Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2760 WINWORD.EXE 2760 WINWORD.EXE -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEsoftbin93005.exeExplorer.EXEwlanext.exedescription pid process target process PID 2816 wrote to memory of 2960 2816 EQNEDT32.EXE softbin93005.exe PID 2816 wrote to memory of 2960 2816 EQNEDT32.EXE softbin93005.exe PID 2816 wrote to memory of 2960 2816 EQNEDT32.EXE softbin93005.exe PID 2816 wrote to memory of 2960 2816 EQNEDT32.EXE softbin93005.exe PID 2760 wrote to memory of 1148 2760 WINWORD.EXE splwow64.exe PID 2760 wrote to memory of 1148 2760 WINWORD.EXE splwow64.exe PID 2760 wrote to memory of 1148 2760 WINWORD.EXE splwow64.exe PID 2760 wrote to memory of 1148 2760 WINWORD.EXE splwow64.exe PID 2960 wrote to memory of 2516 2960 softbin93005.exe softbin93005.exe PID 2960 wrote to memory of 2516 2960 softbin93005.exe softbin93005.exe PID 2960 wrote to memory of 2516 2960 softbin93005.exe softbin93005.exe PID 2960 wrote to memory of 2516 2960 softbin93005.exe softbin93005.exe PID 2960 wrote to memory of 1824 2960 softbin93005.exe softbin93005.exe PID 2960 wrote to memory of 1824 2960 softbin93005.exe softbin93005.exe PID 2960 wrote to memory of 1824 2960 softbin93005.exe softbin93005.exe PID 2960 wrote to memory of 1824 2960 softbin93005.exe softbin93005.exe PID 2960 wrote to memory of 1824 2960 softbin93005.exe softbin93005.exe PID 2960 wrote to memory of 1824 2960 softbin93005.exe softbin93005.exe PID 2960 wrote to memory of 1824 2960 softbin93005.exe softbin93005.exe PID 1204 wrote to memory of 2164 1204 Explorer.EXE wlanext.exe PID 1204 wrote to memory of 2164 1204 Explorer.EXE wlanext.exe PID 1204 wrote to memory of 2164 1204 Explorer.EXE wlanext.exe PID 1204 wrote to memory of 2164 1204 Explorer.EXE wlanext.exe PID 2164 wrote to memory of 1808 2164 wlanext.exe cmd.exe PID 2164 wrote to memory of 1808 2164 wlanext.exe cmd.exe PID 2164 wrote to memory of 1808 2164 wlanext.exe cmd.exe PID 2164 wrote to memory of 1808 2164 wlanext.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2018-0798.4.13523.31964.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Windows\SysWOW64\wlanext.exe"C:\Windows\SysWOW64\wlanext.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Roaming\softbin93005.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\softbin93005.exe"C:\Users\Admin\AppData\Roaming\softbin93005.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\softbin93005.exe"C:\Users\Admin\AppData\Roaming\softbin93005.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\softbin93005.exe"C:\Users\Admin\AppData\Roaming\softbin93005.exe"3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD504dad4e3db2cded1a942e2c901e0061a
SHA1c66bfeabc7476eb125873d49e458cba37c1bd709
SHA2568fe12ce87c5586d28bb862c4aa7b59c1770b9d40c37c5f2d0f7a66c3f89dd7a7
SHA512b5d970353c400de0374b649b847b18bf7c547009a1b646407785cc73048c5cca776b15b327e696a5b447b202e43686165c9ee313151c62f5a4ec6c9406e18a2c
-
C:\Users\Admin\AppData\Roaming\softbin93005.exeFilesize
159KB
MD5400a6c8b240c7e185647090c7508bcd4
SHA1e45965de1c178fa5f8b4302be6ae6afb794a76ba
SHA25692b41cdb39231cb4c0de3bad45a641263645099d4a08011c3aa5f4829dc1c438
SHA512d45b87b490323004c22c9153b820250a3448b1d14907c3836db51b9c3a5feb6f12ea7f8ffcdd90928a05a08ba4c2dbb11ba29620dd5265f13f7b2c85ac7e51eb
-
C:\Users\Admin\AppData\Roaming\softbin93005.exeFilesize
192KB
MD57596bc7d062f0dd1bd55e62ca08155cf
SHA103f67eb9a626d79a383c1becea457000b7ffa110
SHA256f2c7fd4bef9703ffcfa2bd78cd69ca33b51c8e7fc7e5a37a0df9f67817a0d9aa
SHA51249518cc7052e92022f83fa5f119125e0bb89bf6b7948f74c364cca96e153b01b5e51aa91c90b122192cb836c170b2ebb6b48341c9d85e8f8283fbdd2a50bef92
-
C:\Users\Admin\AppData\Roaming\softbin93005.exeFilesize
92KB
MD5555e2ded41b69293da5e7acc830beb6d
SHA1ee921a9279ff82b7826fe8a24e6f03d3a0eefad3
SHA256520bd8037626b8eb0a4209477e169afc16c928f4b670d179c886afc4302a7f7c
SHA512fa362adee89d6d30924656496cbb749d0cd19916baaf68d4bd794a04e31ea069832a92440cb0cddcd1e63e7221a298f75c372bb7e5f290e0509e7607f77722f1
-
C:\Users\Admin\AppData\Roaming\softbin93005.exeFilesize
902KB
MD5aa305fd0870aa227c16bd1060964d2b8
SHA1a29ba6abc7eb4752929a1c213ffc89770ff878e0
SHA25610b71b9870e8b389acdf0874c2d49d392a9d9d227fd37e9f12c290b217f95fc0
SHA512aaebd755fddaccdd29cb975db21e50e233deb7f367d99a7a0a8850231c15c609cec378975ae498d0682598321b5687af9422e3704e0cb8f57407c1119a2401e1
-
C:\Users\Admin\AppData\Roaming\softbin93005.exeFilesize
382KB
MD506f68e2fc358811f86700a3430fc80d1
SHA1f3ecc0e47bd2164402c5842bec9e77a326bbc057
SHA2566b55989810ba43bd27d87707c80917cbf0c16eb2c8235987a54073e272b90341
SHA5120a62be3507302f160d2a5f50532407e027be79c117861a432183fb20ad3a0ef4df5339a8d91458eaaec8f72da39068e81c1b5c12c857e5df1bac8766a85a00ee
-
\Users\Admin\AppData\Roaming\softbin93005.exeFilesize
704KB
MD51df21eee22c5106bfbe4800500f78504
SHA18b9a5a411c0905a1c6c708a5654ac03bedc6e163
SHA25698c4f68a126ca8c5915b185ce5845c092f48d92f9bc4de64d3a5ac72b1c779dc
SHA5129e9bc2790f30752d66a70165c3ec6aa86c787839aac9bec54228355d1aaed2d75ee196acbc0a11b8fa5922add578647948fca22ae016d2da2b83a7b6125e4ed6
-
memory/1204-51-0x00000000073B0000-0x00000000074A3000-memory.dmpFilesize
972KB
-
memory/1204-52-0x0000000004E10000-0x0000000004F02000-memory.dmpFilesize
968KB
-
memory/1204-50-0x00000000073B0000-0x00000000074A3000-memory.dmpFilesize
972KB
-
memory/1204-41-0x0000000000290000-0x0000000000390000-memory.dmpFilesize
1024KB
-
memory/1204-42-0x0000000004E10000-0x0000000004F02000-memory.dmpFilesize
968KB
-
memory/1204-55-0x00000000073B0000-0x00000000074A3000-memory.dmpFilesize
972KB
-
memory/1824-37-0x0000000000AD0000-0x0000000000DD3000-memory.dmpFilesize
3.0MB
-
memory/1824-40-0x00000000001A0000-0x00000000001B4000-memory.dmpFilesize
80KB
-
memory/1824-39-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1824-34-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1824-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1824-30-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1824-28-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/2164-44-0x0000000000600000-0x0000000000616000-memory.dmpFilesize
88KB
-
memory/2164-49-0x0000000001E80000-0x0000000001F13000-memory.dmpFilesize
588KB
-
memory/2164-45-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/2164-43-0x0000000000600000-0x0000000000616000-memory.dmpFilesize
88KB
-
memory/2164-46-0x00000000020B0000-0x00000000023B3000-memory.dmpFilesize
3.0MB
-
memory/2164-47-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/2760-79-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2760-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2760-24-0x00000000715BD000-0x00000000715C8000-memory.dmpFilesize
44KB
-
memory/2760-2-0x00000000715BD000-0x00000000715C8000-memory.dmpFilesize
44KB
-
memory/2760-0-0x000000002FCA1000-0x000000002FCA2000-memory.dmpFilesize
4KB
-
memory/2960-22-0x0000000000410000-0x000000000042C000-memory.dmpFilesize
112KB
-
memory/2960-17-0x0000000004E20000-0x0000000004E60000-memory.dmpFilesize
256KB
-
memory/2960-16-0x000000006B620000-0x000000006BD0E000-memory.dmpFilesize
6.9MB
-
memory/2960-15-0x0000000000850000-0x0000000000938000-memory.dmpFilesize
928KB
-
memory/2960-36-0x000000006B620000-0x000000006BD0E000-memory.dmpFilesize
6.9MB
-
memory/2960-25-0x0000000000440000-0x000000000044E000-memory.dmpFilesize
56KB
-
memory/2960-26-0x00000000053A0000-0x000000000540E000-memory.dmpFilesize
440KB