emotet | 1e2c8ebf40d4102193dd68bcfecc15dee112321c579e9bf88bac19a13f1f8ce3

Analysis

max time kernel
103s
max time network
156s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KL-5216 report.xls
Size

67KB
MD5

06f5b0abbdbc2f81e68ead7782176ee1
SHA1

4408e9220b0a5e88f5e190958ed70c45f965d2a3
SHA256

1e2c8ebf40d4102193dd68bcfecc15dee112321c579e9bf88bac19a13f1f8ce3
SHA512

3802814eb60c2ef400bad36642a3821d32139266680b8df134e96632ee059cf743eeb1709890a0ab00b77e07607f15f4c2830b92cb129d53ad92b08b1a4bc77d

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://microlent.com/admin/3/

xlm40.dropper

http://kuluckaci.com/yarisma/cgi-bin/aIuI4Ukdtl730sP1F/

xlm40.dropper

http://mcapublicschool.com/Achievements/r4psv/

xlm40.dropper

http://moorworld.com/aspnet_client/fTDJOdTa1USKl43wFtnb/

Extracted

Family

emotet

Botnet

Epoch4

212.24.98.99:8080

51.91.76.89:8080

94.23.45.86:4143

101.50.0.91:8080

103.43.75.120:443

212.237.17.99:8080

158.69.222.101:443

51.254.140.238:7080

1.234.2.232:8080

91.207.28.33:8080

167.172.253.162:8080

45.235.8.30:8080

115.68.227.76:8080

134.122.66.193:8080

89.29.244.7:443

197.242.150.244:8080

164.68.99.3:8080

5.9.116.246:8080

1.234.21.73:7080

131.100.24.231:80

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1328	1708	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1712	1708	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1648	1708	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1504	1708	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL 8 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

1328 regsvr32.exe
1008 regsvr32.exe
1712 regsvr32.exe
1444 regsvr32.exe
1648 regsvr32.exe
1728 regsvr32.exe
1504 regsvr32.exe
1884 regsvr32.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1328	regsvr32.exe
1008	regsvr32.exe
1712	regsvr32.exe
1444	regsvr32.exe
1648	regsvr32.exe
1728	regsvr32.exe
1504	regsvr32.exe
1884	regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1708 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

1296 regsvr32.exe
1548 regsvr32.exe
1568 regsvr32.exe
560 regsvr32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1708 EXCEL.EXE
1708 EXCEL.EXE
1708 EXCEL.EXE

pid	process
1708	EXCEL.EXE

pid	process
1296	regsvr32.exe
1548	regsvr32.exe
1568	regsvr32.exe
560	regsvr32.exe

pid	process
1708	EXCEL.EXE
1708	EXCEL.EXE
1708	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1708 wrote to memory of 1328	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1328	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1328	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1328	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1328	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1328	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1328	1708	EXCEL.EXE	regsvr32.exe
PID 1328 wrote to memory of 1008	1328	regsvr32.exe	regsvr32.exe
PID 1328 wrote to memory of 1008	1328	regsvr32.exe	regsvr32.exe
PID 1328 wrote to memory of 1008	1328	regsvr32.exe	regsvr32.exe
PID 1328 wrote to memory of 1008	1328	regsvr32.exe	regsvr32.exe
PID 1328 wrote to memory of 1008	1328	regsvr32.exe	regsvr32.exe
PID 1328 wrote to memory of 1008	1328	regsvr32.exe	regsvr32.exe
PID 1328 wrote to memory of 1008	1328	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 1296	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 1296	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 1296	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 1296	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 1296	1008	regsvr32.exe	regsvr32.exe
PID 1708 wrote to memory of 1712	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1712	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1712	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1712	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1712	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1712	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1712	1708	EXCEL.EXE	regsvr32.exe
PID 1712 wrote to memory of 1444	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 1444	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 1444	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 1444	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 1444	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 1444	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 1444	1712	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 1548	1444	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 1548	1444	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 1548	1444	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 1548	1444	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 1548	1444	regsvr32.exe	regsvr32.exe
PID 1708 wrote to memory of 1648	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1648	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1648	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1648	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1648	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1648	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1648	1708	EXCEL.EXE	regsvr32.exe
PID 1648 wrote to memory of 1728	1648	regsvr32.exe	regsvr32.exe
PID 1648 wrote to memory of 1728	1648	regsvr32.exe	regsvr32.exe
PID 1648 wrote to memory of 1728	1648	regsvr32.exe	regsvr32.exe
PID 1648 wrote to memory of 1728	1648	regsvr32.exe	regsvr32.exe
PID 1648 wrote to memory of 1728	1648	regsvr32.exe	regsvr32.exe
PID 1648 wrote to memory of 1728	1648	regsvr32.exe	regsvr32.exe
PID 1648 wrote to memory of 1728	1648	regsvr32.exe	regsvr32.exe
PID 1728 wrote to memory of 1568	1728	regsvr32.exe	regsvr32.exe
PID 1728 wrote to memory of 1568	1728	regsvr32.exe	regsvr32.exe
PID 1728 wrote to memory of 1568	1728	regsvr32.exe	regsvr32.exe
PID 1728 wrote to memory of 1568	1728	regsvr32.exe	regsvr32.exe
PID 1728 wrote to memory of 1568	1728	regsvr32.exe	regsvr32.exe
PID 1708 wrote to memory of 1504	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1504	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1504	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1504	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1504	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1504	1708	EXCEL.EXE	regsvr32.exe
PID 1708 wrote to memory of 1504	1708	EXCEL.EXE	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\KL-5216 report.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr1.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\system32\regsvr32.exe
/S ..\uxevr1.ocx
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OYPSaiuaILtFp\dzgyOInajhSx.dll"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr2.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\system32\regsvr32.exe
/S ..\uxevr2.ocx
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BZRIqNCqYrseXZCF\RUChj.dll"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr3.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\regsvr32.exe
/S ..\uxevr3.ocx
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GVbwQg\eLeEGAZXGvFlpWS.dll"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr4.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:1504

C:\Windows\system32\regsvr32.exe
/S ..\uxevr4.ocx
3⤵
- Loads dropped DLL
PID:1884

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JsukMmSrHZRqpFFC\TxyipSacHs.dll"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e7f2e9b83c6d68fb6341720ae900e722

SHA1
4b2ae069cb3431316b6e8196331da069f2f9efbc

SHA256
5771b99236095047760ba3778e79139bd325a0a34f517631d8508fec17d26c0b

SHA512
8f3fd6044ffacd105c5c1a09c423fd2fe3f53e4082d1ea849077419aac0960ed8dd50f573aba41d2804d5e5eb32502811ba0b60de647ff71ee265d3f9a0c4757

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c578e6bd09615712974936017bf0f9ed

SHA1
1e8ebc4e58dad3f8ce4ca62d14d2b31077c09427

SHA256
56fbe72f43d64ea3c32b4938c766da8de0c39fb40d6ab904823ddd853a2bae77

SHA512
9c0e119ccf95da390ece6685c5e1367742a3487f3114db28de568efa2327e03e98c4ae4773a811052832f201bf6e27ee11e3d223db148a7f32f432719318b9f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
82c1e820e9ce04bc26ece4e9df6ad5b3

SHA1
6d34c0f34d1fb65caaf77796a4f5a8a9d32dbe78

SHA256
e4d17187d7bf39592e7cee42f041d6270e7983aba8fad45abf0bbb6234e73743

SHA512
147b65c5b69b82763fa09cd42f8aa6970bad21a7da7279677bc4bd3705e8f370433a4ea5a4bbbf8fc405e27251559af821bea90c4e30b804bb4136d5fedbcfbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
030576264220eb8c7a552da27ed49715

SHA1
c764ff76b3ba8798b44b8cfd930e0c908162a1bd

SHA256
58642cfb15c3be4ef10a62f0e6cc0a791df42195e3646fe4b575a6d16695f8ea

SHA512
a18a5a2132cb8dd3bcccc6b21569ef24620b6419612d89170ac7c267221b9af99d03651221945bac1dd3a13c24caa4637332c5916106f3fd8f11cc11f5148690

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
e8651270c07e160f13d3be92ce52e7f7

SHA1
a527d1599e10f13af16d0cea2f80237dbaf4946a

SHA256
8e254888b6dd62dcd21493b6c69e0fd09241f352c1638754956c1a39bb3d4b7d

SHA512
8bf45ae29975d373de79a48af47427482ab5634498efffb74c6b31010e8598d5d8d7932ae34675c078a71c230163122de6b56275371566add53bab87207f9916

Download Submit
C:\Users\Admin\uxevr1.ocx
Filesize
356KB

MD5
f16e5996921b55a153c4766ea22d9032

SHA1
7337b69eb22e877470c9b5b33040e1103bd19ad7

SHA256
5c513bf214f90b066dabbfa3c92eafa7841934f7b682d58a1f383d3e2641fcfe

SHA512
9f43cdb30d1ecde4563b6e856fdd688377c4633e736d9287431849f47a2719b69de0ea0489dcecd9873c886de6c8ddbe5fd2d66e9a3d0c656a108d2f8eec14fd

Download Submit
C:\Users\Admin\uxevr2.ocx
Filesize
356KB

MD5
4024be9458eabc878cd263185d7ea007

SHA1
25fba9d3cbc8543b218ea60cd2e7f9c02f13ddd2

SHA256
310135cdfe333a091d400b1939be3a1404d3d6d399632c1848105f1a70c54ef6

SHA512
4faea29137f2fb9fef01fd5434861809e251ec8254727bc49bee7aa51386ca33830de89e50c0017833a57a8773ca1deff48637905110d6d03819739e1a82ee78

Download Submit
C:\Users\Admin\uxevr3.ocx
Filesize
356KB

MD5
0d77e48d483bc9ee864a93ace7422a94

SHA1
37aa070677816592fea7f3c645bfb13bc2a480e0

SHA256
6dc84795a6fa4389820fa39c402ff296e30c3bea5a736569c3739bbc710a8855

SHA512
154d13ce04ea3d74a63764efaf235fbbc1da34ff943b99237a2fa5a76b4fb7c535ed5182fdad70075b5ab92ab141644f4ebf30f9c343f782f56211d53557c6e6

Download Submit
C:\Users\Admin\uxevr4.ocx
Filesize
356KB

MD5
e77c54f186a2010102c333fa3a36ce0e

SHA1
23c20f14d3e054cece17a41fce36d0c65dc35b67

SHA256
e2879e6cb0d7b3af3e7d54b84c87a30599b864c7275113a906b63d34d8b3feba

SHA512
a8e609c25c9eef1970fb0679477fc6192c7d4d2375c0e10216d1e42f071840a29bacb589790d05c18667f0642b8bcdb3605fd38993f55c24fa9b620c4f039c73

Download Submit
\Users\Admin\uxevr1.ocx
Filesize
356KB

MD5
f16e5996921b55a153c4766ea22d9032

SHA1
7337b69eb22e877470c9b5b33040e1103bd19ad7

SHA256
5c513bf214f90b066dabbfa3c92eafa7841934f7b682d58a1f383d3e2641fcfe

SHA512
9f43cdb30d1ecde4563b6e856fdd688377c4633e736d9287431849f47a2719b69de0ea0489dcecd9873c886de6c8ddbe5fd2d66e9a3d0c656a108d2f8eec14fd

Download Submit
\Users\Admin\uxevr1.ocx
Filesize
356KB

MD5
f16e5996921b55a153c4766ea22d9032

SHA1
7337b69eb22e877470c9b5b33040e1103bd19ad7

SHA256
5c513bf214f90b066dabbfa3c92eafa7841934f7b682d58a1f383d3e2641fcfe

SHA512
9f43cdb30d1ecde4563b6e856fdd688377c4633e736d9287431849f47a2719b69de0ea0489dcecd9873c886de6c8ddbe5fd2d66e9a3d0c656a108d2f8eec14fd

Download Submit
\Users\Admin\uxevr2.ocx
Filesize
356KB

MD5
4024be9458eabc878cd263185d7ea007

SHA1
25fba9d3cbc8543b218ea60cd2e7f9c02f13ddd2

SHA256
310135cdfe333a091d400b1939be3a1404d3d6d399632c1848105f1a70c54ef6

SHA512
4faea29137f2fb9fef01fd5434861809e251ec8254727bc49bee7aa51386ca33830de89e50c0017833a57a8773ca1deff48637905110d6d03819739e1a82ee78

Download Submit
\Users\Admin\uxevr2.ocx
Filesize
356KB

MD5
4024be9458eabc878cd263185d7ea007

SHA1
25fba9d3cbc8543b218ea60cd2e7f9c02f13ddd2

SHA256
310135cdfe333a091d400b1939be3a1404d3d6d399632c1848105f1a70c54ef6

SHA512
4faea29137f2fb9fef01fd5434861809e251ec8254727bc49bee7aa51386ca33830de89e50c0017833a57a8773ca1deff48637905110d6d03819739e1a82ee78

Download Submit
\Users\Admin\uxevr3.ocx
Filesize
356KB

MD5
0d77e48d483bc9ee864a93ace7422a94

SHA1
37aa070677816592fea7f3c645bfb13bc2a480e0

SHA256
6dc84795a6fa4389820fa39c402ff296e30c3bea5a736569c3739bbc710a8855

SHA512
154d13ce04ea3d74a63764efaf235fbbc1da34ff943b99237a2fa5a76b4fb7c535ed5182fdad70075b5ab92ab141644f4ebf30f9c343f782f56211d53557c6e6

Download Submit
\Users\Admin\uxevr3.ocx
Filesize
356KB

MD5
0d77e48d483bc9ee864a93ace7422a94

SHA1
37aa070677816592fea7f3c645bfb13bc2a480e0

SHA256
6dc84795a6fa4389820fa39c402ff296e30c3bea5a736569c3739bbc710a8855

SHA512
154d13ce04ea3d74a63764efaf235fbbc1da34ff943b99237a2fa5a76b4fb7c535ed5182fdad70075b5ab92ab141644f4ebf30f9c343f782f56211d53557c6e6

Download Submit
\Users\Admin\uxevr4.ocx
Filesize
356KB

MD5
e77c54f186a2010102c333fa3a36ce0e

SHA1
23c20f14d3e054cece17a41fce36d0c65dc35b67

SHA256
e2879e6cb0d7b3af3e7d54b84c87a30599b864c7275113a906b63d34d8b3feba

SHA512
a8e609c25c9eef1970fb0679477fc6192c7d4d2375c0e10216d1e42f071840a29bacb589790d05c18667f0642b8bcdb3605fd38993f55c24fa9b620c4f039c73

Download Submit
\Users\Admin\uxevr4.ocx
Filesize
356KB

MD5
e77c54f186a2010102c333fa3a36ce0e

SHA1
23c20f14d3e054cece17a41fce36d0c65dc35b67

SHA256
e2879e6cb0d7b3af3e7d54b84c87a30599b864c7275113a906b63d34d8b3feba

SHA512
a8e609c25c9eef1970fb0679477fc6192c7d4d2375c0e10216d1e42f071840a29bacb589790d05c18667f0642b8bcdb3605fd38993f55c24fa9b620c4f039c73

Download Submit
memory/560-114-0x0000000000000000-mapping.dmp

Download
memory/1008-66-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/1008-64-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

Filesize
8KB

Download
memory/1008-63-0x0000000000000000-mapping.dmp

Download
memory/1296-69-0x0000000000000000-mapping.dmp

Download
memory/1328-59-0x0000000000000000-mapping.dmp

Download
memory/1444-78-0x0000000000000000-mapping.dmp

Download
memory/1504-104-0x0000000000000000-mapping.dmp

Download
memory/1548-84-0x0000000000000000-mapping.dmp

Download
memory/1568-99-0x0000000000000000-mapping.dmp

Download
memory/1648-89-0x0000000000000000-mapping.dmp

Download
memory/1708-54-0x000000002F941000-0x000000002F944000-memory.dmp

Filesize
12KB

Download
memory/1708-58-0x00000000758D1000-0x00000000758D3000-memory.dmp

Filesize
8KB

Download
memory/1708-57-0x000000007265D000-0x0000000072668000-memory.dmp

Filesize
44KB

Download
memory/1708-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1708-55-0x0000000071671000-0x0000000071673000-memory.dmp

Filesize
8KB

Download
memory/1712-74-0x0000000000000000-mapping.dmp

Download
memory/1728-93-0x0000000000000000-mapping.dmp

Download
memory/1884-108-0x0000000000000000-mapping.dmp

Download