emotet | b9c6743b8e98fc7aae2d9bb9bb21d80fb917153c7eca95982896150969e94824

General

Target

W-9 form.xls
Size

94KB
MD5

45d272a4368eb90569243254c9261d2e
SHA1

c078279a10fe4819f0579be8a2b590ff76c9d423
SHA256

969acc76616662a5319380f3a3bf6dc82db768ce1173a54409cb65e0d403c94a
SHA512

8abd54d77356e7fcccd897d1aa43ab5059ff317763a480eb417b19c738fed1a153b23e99430067073a4f5d258d5f5e032cbf15ee418b28917dfbfdf87fa7f14b

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://www.fcstradesolutions.com/cgi-bin/EKrh/

xlm40.dropper

https://www.reneetten.nl/Menu/jKiBaSmhgyBD3/

xlm40.dropper

https://www.financialchile.com/art/nTXsGe8VHFLC5yH/

xlm40.dropper

https://www.periodistesgolf.cat/tmp/c71/

Extracted

Family

emotet

Botnet

Epoch4

C2

172.104.251.154:8080

51.161.73.194:443

101.50.0.91:8080

91.207.28.33:8080

119.193.124.41:7080

150.95.66.124:8080

103.132.242.26:8080

37.187.115.122:8080

172.105.226.75:8080

131.100.24.231:80

196.218.30.83:443

79.137.35.198:8080

103.75.201.2:443

82.223.21.224:8080

153.126.146.25:7080

146.59.226.45:443

209.97.163.214:443

186.194.240.217:443

197.242.150.244:8080

45.118.115.99:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	364	1008	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1628	1008	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1092	1008	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	304	1008	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

364 regsvr32.exe
652 regsvr32.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
364	regsvr32.exe
652	regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1008 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

652 regsvr32.exe
1784 regsvr32.exe
1784 regsvr32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1008 EXCEL.EXE
1008 EXCEL.EXE
1008 EXCEL.EXE

pid	process
1008	EXCEL.EXE

pid	process
652	regsvr32.exe
1784	regsvr32.exe
1784	regsvr32.exe

pid	process
1008	EXCEL.EXE
1008	EXCEL.EXE
1008	EXCEL.EXE

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1008 wrote to memory of 364	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 364	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 364	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 364	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 364	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 364	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 364	1008	EXCEL.EXE	regsvr32.exe
PID 364 wrote to memory of 652	364	regsvr32.exe	regsvr32.exe
PID 364 wrote to memory of 652	364	regsvr32.exe	regsvr32.exe
PID 364 wrote to memory of 652	364	regsvr32.exe	regsvr32.exe
PID 364 wrote to memory of 652	364	regsvr32.exe	regsvr32.exe
PID 364 wrote to memory of 652	364	regsvr32.exe	regsvr32.exe
PID 364 wrote to memory of 652	364	regsvr32.exe	regsvr32.exe
PID 364 wrote to memory of 652	364	regsvr32.exe	regsvr32.exe
PID 652 wrote to memory of 1784	652	regsvr32.exe	regsvr32.exe
PID 652 wrote to memory of 1784	652	regsvr32.exe	regsvr32.exe
PID 652 wrote to memory of 1784	652	regsvr32.exe	regsvr32.exe
PID 652 wrote to memory of 1784	652	regsvr32.exe	regsvr32.exe
PID 652 wrote to memory of 1784	652	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 1628	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 1628	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 1628	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 1628	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 1628	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 1628	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 1628	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 1092	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 1092	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 1092	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 1092	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 1092	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 1092	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 1092	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 304	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 304	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 304	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 304	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 304	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 304	1008	EXCEL.EXE	regsvr32.exe
PID 1008 wrote to memory of 304	1008	EXCEL.EXE	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\W-9 form.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\sctm1.ocx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\system32\regsvr32.exe
    /S ..\sctm1.ocx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:652
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NSryyUCwG\ByRYdDch.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1784
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\sctm2.ocx
  2⤵
  - Process spawned unexpected child process
  PID:1628
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\sctm3.ocx
  2⤵
  - Process spawned unexpected child process
  PID:1092
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\sctm4.ocx
  2⤵
  - Process spawned unexpected child process
  PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
c2058f65bae099714b835e6141c9679e

SHA1
f47837eb1f397025202341f1566d17f5bb137f05

SHA256
ec19d171a9ee6b173ff25ca5275e6a0fb0bef52874f3d3c09460b29055fa19dc

SHA512
d400f9b1722152c04aa6ba8517c3b271c82040148a5b3e68c26c0b3d005ece374ab4476d10c88a1b205201ec5bea5e90dfffc6d2a77c68ab8d48d6d2571e5bc2

Download Submit
C:\Users\Admin\sctm1.ocx

Filesize
425KB

MD5
7b45baa55e5448f62e1812e514da76fb

SHA1
9850a1a0b3ab4fbf9def7bebdebf3bb16d432ffd

SHA256
5b94f80d25ec35fe962a252c4eb7371b26f443c08ba6aa1c380460a7f0938c6b

SHA512
92610bc434efb2bb392eccfd8ff8d5d6984b5ccfbcabf2fafa9d3b9def2ce74b001a752cc7bea0071fe022ba4f81bc37d4a1c5c9adbb0fb948739f6285ec36d4

Download Submit
\Users\Admin\sctm1.ocx

Filesize
425KB

MD5
7b45baa55e5448f62e1812e514da76fb

SHA1
9850a1a0b3ab4fbf9def7bebdebf3bb16d432ffd

SHA256
5b94f80d25ec35fe962a252c4eb7371b26f443c08ba6aa1c380460a7f0938c6b

SHA512
92610bc434efb2bb392eccfd8ff8d5d6984b5ccfbcabf2fafa9d3b9def2ce74b001a752cc7bea0071fe022ba4f81bc37d4a1c5c9adbb0fb948739f6285ec36d4

Download Submit
\Users\Admin\sctm1.ocx

Filesize
425KB

MD5
7b45baa55e5448f62e1812e514da76fb

SHA1
9850a1a0b3ab4fbf9def7bebdebf3bb16d432ffd

SHA256
5b94f80d25ec35fe962a252c4eb7371b26f443c08ba6aa1c380460a7f0938c6b

SHA512
92610bc434efb2bb392eccfd8ff8d5d6984b5ccfbcabf2fafa9d3b9def2ce74b001a752cc7bea0071fe022ba4f81bc37d4a1c5c9adbb0fb948739f6285ec36d4

Download Submit
memory/304-81-0x0000000000000000-mapping.dmp

Download
memory/364-59-0x0000000000000000-mapping.dmp

Download
memory/652-66-0x0000000000600000-0x0000000000654000-memory.dmp

Filesize
336KB

Download
memory/652-63-0x0000000000000000-mapping.dmp

Download
memory/652-64-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp

Filesize
8KB

Download
memory/1008-58-0x000000007222D000-0x0000000072238000-memory.dmp

Filesize
44KB

Download
memory/1008-54-0x000000002F0B1000-0x000000002F0B4000-memory.dmp

Filesize
12KB

Download
memory/1008-80-0x000000007222D000-0x0000000072238000-memory.dmp

Filesize
44KB

Download
memory/1008-57-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1008-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1008-55-0x0000000071241000-0x0000000071243000-memory.dmp

Filesize
8KB

Download
memory/1092-78-0x0000000000000000-mapping.dmp

Download
memory/1628-76-0x0000000000000000-mapping.dmp

Download
memory/1784-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads