Malware Analysis Report

2025-01-22 16:05

Sample ID 220713-nat7cagec4
Target DETAILS_8352154452_1.xls
SHA256 30e225c474caca0c8a3946a303d4b8a6c0bdb5bb0d4a55c9c9944ac4c7cdddd4
Tags macro xlm emotet epoch5 banker suricata trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

30e225c474caca0c8a3946a303d4b8a6c0bdb5bb0d4a55c9c9944ac4c7cdddd4

Threat Level: Known bad

The file DETAILS_8352154452_1.xls was found to be: Known bad.

Malicious Activity Summary

macro xlm emotet epoch5 banker suricata trojan

Emotet

suricata: ET MALWARE W32/Emotet CnC Beacon 3

Process spawned unexpected child process

Downloads MZ/PE file

Suspicious Office macro

Loads dropped DLL

Gathers system information

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Gathers network information

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-13 11:12

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-13 11:12

Reported

2022-07-13 11:15

Platform

win7-20220414-en

Max time kernel

184s

Max time network

199s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\DETAILS_8352154452_1.xls

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3

suricata

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1464 wrote to memory of 588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1504 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1504 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1504 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1504 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1504 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1504 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1504 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1504 wrote to memory of 1440 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1504 wrote to memory of 1440 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1504 wrote to memory of 1440 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1504 wrote to memory of 1440 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1504 wrote to memory of 1440 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1504 wrote to memory of 1440 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1504 wrote to memory of 1440 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1440 wrote to memory of 1876 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1440 wrote to memory of 1876 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1440 wrote to memory of 1876 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1440 wrote to memory of 1876 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1440 wrote to memory of 1876 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1464 wrote to memory of 1392 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1392 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1392 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1392 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1392 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1392 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1392 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1408 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1408 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1408 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1408 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1408 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1408 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 1408 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 1624 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1408 wrote to memory of 1624 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1408 wrote to memory of 1624 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1408 wrote to memory of 1624 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1408 wrote to memory of 1624 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1408 wrote to memory of 1624 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1408 wrote to memory of 1624 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1624 wrote to memory of 1280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1624 wrote to memory of 1280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1624 wrote to memory of 1280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1624 wrote to memory of 1280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1624 wrote to memory of 1280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1280 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\systeminfo.exe
PID 1280 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\systeminfo.exe
PID 1280 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\systeminfo.exe
PID 1280 wrote to memory of 608 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\ipconfig.exe
PID 1280 wrote to memory of 608 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\ipconfig.exe
PID 1280 wrote to memory of 608 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\ipconfig.exe
PID 1280 wrote to memory of 428 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\nltest.exe
PID 1280 wrote to memory of 428 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\nltest.exe
PID 1280 wrote to memory of 428 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\nltest.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\DETAILS_8352154452_1.xls

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx

C:\Windows\system32\regsvr32.exe

/S ..\soci2.ocx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BCGhxC\uXKOKHCxMLKp.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx

C:\Windows\system32\regsvr32.exe

/S ..\soci4.ocx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SoWRTqqVDOTMgpA\QTuKnnlH.dll"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\nltest.exe

nltest /dclist:

Network

Country Destination Domain Proto
US 8.8.8.8:53 cointrade.world udp
IN 36.255.3.209:443 cointrade.world tcp
US 8.8.8.8:53 www.garantihaliyikama.com udp
TR 213.128.75.146:80 www.garantihaliyikama.com tcp
US 8.8.8.8:53 haircutbar.com udp
US 198.98.48.208:80 haircutbar.com tcp
US 8.8.8.8:53 airhobi.com udp
TR 193.53.245.52:80 airhobi.com tcp
US 174.138.33.49:7080 174.138.33.49 tcp
FR 188.165.79.151:443 188.165.79.151 tcp
US 174.138.33.49:7080 174.138.33.49 tcp
US 174.138.33.49:7080 174.138.33.49 tcp
ID 203.217.140.239:8080 203.217.140.239 tcp

Files

memory/1464-54-0x000000002FF01000-0x000000002FF04000-memory.dmp

memory/1464-55-0x0000000070E01000-0x0000000070E03000-memory.dmp

memory/1464-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1464-57-0x0000000071DED000-0x0000000071DF8000-memory.dmp

memory/1464-58-0x0000000075501000-0x0000000075503000-memory.dmp

memory/1464-59-0x0000000071DED000-0x0000000071DF8000-memory.dmp

memory/588-60-0x0000000000000000-mapping.dmp

memory/1504-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\soci2.ocx

MD5 9551efaddbb1c08372ab3e202f251998
SHA1 1b08133497b3198c1766a6ebb6cc45984a2df9f0
SHA256 eae2a235a46fbadb71ccea8d47a795833a134742704cb6b1dfc6e934d8aa371f
SHA512 a803dc23cf1ed1d1659373f9e5b0aa5113b0ac9596482b80c91cb8a2a0fb7acae05bb634898645a796ec53315a39322cdc9733090624134e90e3d5a40d9ba7f9

\Users\Admin\soci2.ocx

MD5 9551efaddbb1c08372ab3e202f251998
SHA1 1b08133497b3198c1766a6ebb6cc45984a2df9f0
SHA256 eae2a235a46fbadb71ccea8d47a795833a134742704cb6b1dfc6e934d8aa371f
SHA512 a803dc23cf1ed1d1659373f9e5b0aa5113b0ac9596482b80c91cb8a2a0fb7acae05bb634898645a796ec53315a39322cdc9733090624134e90e3d5a40d9ba7f9

memory/1440-66-0x0000000000000000-mapping.dmp

memory/1440-67-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

\Users\Admin\soci2.ocx

MD5 9551efaddbb1c08372ab3e202f251998
SHA1 1b08133497b3198c1766a6ebb6cc45984a2df9f0
SHA256 eae2a235a46fbadb71ccea8d47a795833a134742704cb6b1dfc6e934d8aa371f
SHA512 a803dc23cf1ed1d1659373f9e5b0aa5113b0ac9596482b80c91cb8a2a0fb7acae05bb634898645a796ec53315a39322cdc9733090624134e90e3d5a40d9ba7f9

memory/1440-69-0x0000000001DB0000-0x0000000001E0E000-memory.dmp

memory/1876-73-0x0000000000000000-mapping.dmp

memory/1392-79-0x0000000000000000-mapping.dmp

memory/1408-81-0x0000000000000000-mapping.dmp

C:\Users\Admin\soci4.ocx

MD5 615f4fc0eb24ecb044f532a4c1cf20e1
SHA1 738f9243e0b115a51826820c0ed92040b64615c5
SHA256 b1704fff5112536cfb3a23b7f0ae3922a1418b2e3ca56340ca5537f08b7be7b6
SHA512 776153b81aff092bdaff76332f8f0d4d9df175b80df8eaf80dac96fa192898256533ba589354b06c21881f0c45b0cf3b2ef1aeb0a0cc35bc3fc8105a8022c822

\Users\Admin\soci4.ocx

MD5 615f4fc0eb24ecb044f532a4c1cf20e1
SHA1 738f9243e0b115a51826820c0ed92040b64615c5
SHA256 b1704fff5112536cfb3a23b7f0ae3922a1418b2e3ca56340ca5537f08b7be7b6
SHA512 776153b81aff092bdaff76332f8f0d4d9df175b80df8eaf80dac96fa192898256533ba589354b06c21881f0c45b0cf3b2ef1aeb0a0cc35bc3fc8105a8022c822

memory/1624-85-0x0000000000000000-mapping.dmp

\Users\Admin\soci4.ocx

MD5 615f4fc0eb24ecb044f532a4c1cf20e1
SHA1 738f9243e0b115a51826820c0ed92040b64615c5
SHA256 b1704fff5112536cfb3a23b7f0ae3922a1418b2e3ca56340ca5537f08b7be7b6
SHA512 776153b81aff092bdaff76332f8f0d4d9df175b80df8eaf80dac96fa192898256533ba589354b06c21881f0c45b0cf3b2ef1aeb0a0cc35bc3fc8105a8022c822

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 589c442fc7a0c70dca927115a700d41e
SHA1 66a07dace3afbfd1aa07a47e6875beab62c4bb31
SHA256 2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a
SHA512 1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7377688808f7f2453721176f7c9174fc
SHA1 c00c854952d2f5410ba749aeece73bf827368df4
SHA256 995944245b57bd623ef8da87beaca5022d8582611127296d00937fd52f1ee3d5
SHA512 66ff94e247b10aba51c9f94bca5e63de4b6bfb628f98a0562cb413a1b2a2d1dcd05183f159016555561aa199189cf52a82cde017704004fe01c424ddb19b0409

memory/1280-94-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e76f04b46dad720a948940d1815a045
SHA1 c3b9d8b57d1348a2dc9b545578536d16cb9b79d5
SHA256 3aea9cd9831a2dade0ed7dd68a6297c7594088b4574eb749736698111a2eb86b
SHA512 45c716fc299785f8aed7fa9c6e500cfaca7ab8d12e5611077fec58c027873040a42f49a34c3e550f94976dea4664442b222f9da32b5c8eb1219ab14d083b9e4a

memory/1280-101-0x00000000024F0000-0x0000000002513000-memory.dmp

memory/1936-102-0x0000000000000000-mapping.dmp

memory/608-103-0x0000000000000000-mapping.dmp

memory/428-104-0x0000000000000000-mapping.dmp

memory/1280-105-0x00000000024F0000-0x0000000002513000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-13 11:12

Reported

2022-07-13 11:15

Platform

win10v2004-20220414-en

Max time kernel

153s

Max time network

173s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\DETAILS_8352154452_1.xls"

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3

suricata

Downloads MZ/PE file

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5112 wrote to memory of 4464 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 5112 wrote to memory of 4464 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4464 wrote to memory of 1540 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4464 wrote to memory of 1540 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 5112 wrote to memory of 3344 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 5112 wrote to memory of 3344 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 3344 wrote to memory of 228 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 3344 wrote to memory of 228 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 5112 wrote to memory of 1708 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 5112 wrote to memory of 1708 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 1708 wrote to memory of 1776 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1708 wrote to memory of 1776 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 5112 wrote to memory of 2500 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 5112 wrote to memory of 2500 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 2500 wrote to memory of 1588 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2500 wrote to memory of 1588 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1540 wrote to memory of 3508 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\systeminfo.exe
PID 1540 wrote to memory of 3508 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\systeminfo.exe
PID 1540 wrote to memory of 4212 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\ipconfig.exe
PID 1540 wrote to memory of 4212 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\ipconfig.exe
PID 1540 wrote to memory of 2184 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\nltest.exe
PID 1540 wrote to memory of 2184 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\nltest.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\DETAILS_8352154452_1.xls"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DzEab\YXKrWYWkBKlKe.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UAEXcmIhUfT\fBddfxltlQzXxV.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HbeWy\VNCZIWyKC.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FAQnAL\CECcH.dll"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\nltest.exe

nltest /dclist:
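Both process trees in this report (behavioral1 earlier in this section, behavioral2 just above) show the same chain: EXCEL.EXE launches regsvr32 /S against a relative ..\sociN.ocx staged in the user profile, that regsvr32 launches a second regsvr32 on a copy placed under C:\Windows\system32\<random>\<random>.dll (the WriteProcessMemory table records 5112 writing to 4464 and 4464 writing to 1540), and the second regsvr32 runs systeminfo, ipconfig /all and nltest /dclist:. The script below is an added detection example, not part of the report or of any sandbox vendor's signatures. Its event records are constructed from the behavioral2 tree and PIDs (5112, 4464, 1540, 3508, 4212, 2184) plus one constructed benign regsvr32 control; the flat record layout and the rule names are this example's own.

```python
"""Detect the Excel -> regsvr32 -> regsvr32 -> recon chain from process-creation events.

Added example, not part of the sandbox report or any vendor's detection
content. EVENTS is constructed from the behavioral2 process tree and the
WriteProcessMemory table of this report (image paths, command lines and
PIDs copied); the record layout and the rule names are this example's own.
"""
import ntpath
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
RECON_IMAGES = {"systeminfo.exe", "ipconfig.exe", "nltest.exe", "whoami.exe", "net.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    # constructed: PIDs 5112 -> 4464 -> 1540 -> {3508, 4212, 2184} as in the report
    ProcEvent(5112, 1, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\DETAILS_8352154452_1.xls"'),
    ProcEvent(4464, 5112, r"C:\Windows\System32\regsvr32.exe",
              r"C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx"),
    ProcEvent(1540, 4464, r"C:\Windows\system32\regsvr32.exe",
              r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DzEab\YXKrWYWkBKlKe.dll"'),
    ProcEvent(3508, 1540, r"C:\Windows\system32\systeminfo.exe", "systeminfo"),
    ProcEvent(4212, 1540, r"C:\Windows\system32\ipconfig.exe", "ipconfig /all"),
    ProcEvent(2184, 1540, r"C:\Windows\system32\nltest.exe", "nltest /dclist:"),
    # constructed benign control: an installer registering a control by absolute path
    ProcEvent(900, 800, r"C:\Windows\System32\regsvr32.exe",
              r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\ctl.dll"'),
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path; ntpath handles backslashes on any host."""
    return ntpath.basename(path).lower()


def regsvr32_target(cmdline: str) -> str:
    """Return the module argument of a regsvr32 command line.

    Handles a quoted or bare image path, or none at all (the behavioral1 tree
    records one child as just '/S ..\\soci4.ocx'), /switches, and quoted modules.
    """
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    rest = m.group(1) if m else cmdline
    quoted = re.findall(r'"([^"]+)"', rest)
    if quoted:
        return quoted[-1]
    args = [a for a in rest.split() if not a.startswith("/")]
    return args[-1] if args else ""


def detect(events):
    """Return (rule, pid) pairs for the chain behaviours seen in this report."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = image_name(parent.image) if parent else ""
        name = image_name(e.image)
        if name == "regsvr32.exe":
            if pname in OFFICE_IMAGES:
                alerts.append(("office_spawns_regsvr32", e.pid))
            if pname == "regsvr32.exe":
                alerts.append(("regsvr32_spawns_regsvr32", e.pid))
            target = regsvr32_target(e.cmdline)
            is_absolute = re.match(r"^[A-Za-z]:\\", target) is not None
            # a relative module (..\soci1.ocx) or one under a user profile is not how
            # installers call regsvr32; the benign control uses an absolute Program Files path
            if target and (not is_absolute or "\\users\\" in target.lower()):
                alerts.append(("regsvr32_relative_or_userprofile_module", e.pid))
        elif name in RECON_IMAGES and pname == "regsvr32.exe":
            alerts.append(("regsvr32_spawns_recon", e.pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:45s} pid={pid}")
```

Each rule fires on a different link of the chain, so a single one (Office spawning regsvr32, regsvr32 re-launching itself, regsvr32 as parent of systeminfo/ipconfig/nltest) is enough to surface this sample; the recon rule is the one that survives a change of loader, since it does not depend on the .ocx naming or the System32 copy.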

Network

Country  Destination           Domain                       Proto
NL       20.190.160.73:443     -                            tcp
NL       104.97.14.81:80       -                            tcp
NL       20.50.201.200:443     -                            tcp
IE       20.54.110.249:443     -                            tcp
US       8.8.8.8:53            cointrade.world              udp
IN       36.255.3.209:443      cointrade.world              tcp
US       8.8.8.8:53            ocsp.starfieldtech.com       udp
US       192.124.249.24:80     ocsp.starfieldtech.com       tcp
US       8.8.8.8:53            www.garantihaliyikama.com    udp
TR       213.128.75.146:80     www.garantihaliyikama.com    tcp
NL       20.190.160.67:443     -                            tcp
US       8.8.8.8:53            haircutbar.com               udp
US       198.98.48.208:80      haircutbar.com               tcp
US       8.8.8.8:53            airhobi.com                  udp
TR       193.53.245.52:80      airhobi.com                  tcp
NL       87.248.202.1:80       -                            tcp
NL       87.248.202.1:80       -                            tcp
NL       20.190.160.2:443      -                            tcp
US       8.8.8.8:53            226.101.242.52.in-addr.arpa  udp
US       174.138.33.49:7080    -                            tcp
US       174.138.33.49:7080    -                            tcp
US       174.138.33.49:7080    -                            tcp
US       174.138.33.49:7080    174.138.33.49                tcp
NL       20.190.160.136:443    -                            tcp
FR       188.165.79.151:443    188.165.79.151               tcp
FR       188.165.79.151:443    188.165.79.151               tcp
FR       188.165.79.151:443    188.165.79.151               tcp
FR       188.165.79.151:443    188.165.79.151               tcp
AU       58.96.74.42:443       -                            tcp
DE       165.227.153.100:8080  -                            tcp
NL       20.190.160.6:443      -                            tcp
NL       20.190.160.6:443      -                            tcp
US       159.65.163.220:443    -                            tcp
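The two Network tables (behavioral1 earlier in this section, behavioral2 just above) mix three kinds of traffic: DNS lookups to 8.8.8.8, HTTP/HTTPS to hosts that were resolved by name (the four sites that are the candidates for where the sociN.ocx payloads were fetched, consistent with the "Downloads MZ/PE file" signature, although the table does not say which host served which file), and TCP connections straight to IP addresses with no name, on 7080, 8080 and 443. The script below is an added triage example, not the report's or the sandbox's own code; NETWORK_ROWS is a subset of rows copied from both tables as printed, and the bucket names, the non-standard-port set and the ocsp./crl. hostname heuristic are this example's own assumptions.

```python
"""Triage a sandbox Network table into lookups, resolved fetches and direct-to-IP connections.

Added example, not part of the report. NETWORK_ROWS is a subset of the rows
of the two Network tables in this report, copied as printed; the bucket
names, NONSTANDARD_PORTS and the ocsp./crl. heuristic are this example's own.
"""
import ipaddress
import re
from collections import defaultdict

NETWORK_ROWS = """\
Country Destination Domain Proto
NL 20.190.160.73:443 tcp
NL 104.97.14.81:80 tcp
US 8.8.8.8:53 cointrade.world udp
IN 36.255.3.209:443 cointrade.world tcp
US 8.8.8.8:53 ocsp.starfieldtech.com udp
US 192.124.249.24:80 ocsp.starfieldtech.com tcp
US 8.8.8.8:53 www.garantihaliyikama.com udp
TR 213.128.75.146:80 www.garantihaliyikama.com tcp
US 8.8.8.8:53 haircutbar.com udp
US 198.98.48.208:80 haircutbar.com tcp
US 8.8.8.8:53 airhobi.com udp
TR 193.53.245.52:80 airhobi.com tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
US 174.138.33.49:7080 tcp
US 174.138.33.49:7080 174.138.33.49 tcp
FR 188.165.79.151:443 188.165.79.151 tcp
ID 203.217.140.239:8080 203.217.140.239 tcp
DE 165.227.153.100:8080 tcp
AU 58.96.74.42:443 tcp
US 159.65.163.220:443 tcp
"""

# Country, ip:port, optional domain (blank or "-" in the table), proto
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)
NONSTANDARD_PORTS = {7080, 8080}   # assumption: ports worth treating as C2 candidates first
PKI_PREFIXES = ("ocsp.", "crl.")   # assumption: certificate-status traffic, not payload hosts


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        d["domain"] = "" if d["domain"] in (None, "-") else d["domain"]
        rows.append(d)
    return rows


def is_ip_literal(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def triage(text):
    """Sort table rows into buckets; returns {bucket: sorted unique entries}."""
    buckets = defaultdict(set)
    for r in parse_rows(text):
        dest = f"{r['ip']}:{r['port']}"
        dom = r["domain"]
        if r["proto"] == "udp" and r["port"] == 53:
            key = "reverse_lookups" if dom.endswith(".in-addr.arpa") else "dns_queries"
            buckets[key].add(dom)
            continue
        if dom and not is_ip_literal(dom):
            if dom.startswith(PKI_PREFIXES):
                buckets["pki_noise"].add(dom)
            else:
                buckets["resolved_web_hosts"].add(dom)
                buckets["resolved_web_ips"].add(dest)
            continue
        # no hostname, or the sandbox echoed the IP into the Domain column
        key = "direct_ip_nonstandard_port" if r["port"] in NONSTANDARD_PORTS else "direct_ip_standard_port"
        buckets[key].add(dest)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, entries in triage(NETWORK_ROWS).items():
        print(f"{bucket}: {', '.join(entries)}")
```

The direct-to-IP connections on 7080 and 8080 are the first candidates for the C2 tier that the Suricata "W32/Emotet CnC Beacon 3" hit refers to (the table does not say which flow triggered it), and 174.138.33.49:7080 and 188.165.79.151:443 appear in both runs. The direct-to-IP 443 bucket from a Windows 10 detonation also carries OS and Office background traffic whose names were not resolved inside the capture window, so it should be reviewed by hand rather than blocked wholesale.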

Files

memory/5112-130-0x00007FFE32050000-0x00007FFE32060000-memory.dmp

memory/5112-131-0x00007FFE32050000-0x00007FFE32060000-memory.dmp

memory/5112-132-0x00007FFE32050000-0x00007FFE32060000-memory.dmp

memory/5112-133-0x00007FFE32050000-0x00007FFE32060000-memory.dmp

memory/5112-134-0x00007FFE32050000-0x00007FFE32060000-memory.dmp

memory/5112-135-0x00007FFE2FE50000-0x00007FFE2FE60000-memory.dmp

memory/5112-136-0x00007FFE2FE50000-0x00007FFE2FE60000-memory.dmp

memory/4464-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\soci1.ocx

MD5 428084ddd7fda274784813193441f113
SHA1 fca2693e5243ba87f28793b3860db62c72a551df
SHA256 d8011fc70a6c2d38b12db01fbed264e8372f3ca6ccf0d9ee282ce095cc0c0cbf
SHA512 e9c78c723938083b8849932d371966255b8f9adb88f0fff5739085e791a36f276a905a6a43faf1b185ab4b57cb8cea0cd6fb7b9e57677c35238853eab81acfa9

C:\Users\Admin\soci1.ocx

MD5 428084ddd7fda274784813193441f113
SHA1 fca2693e5243ba87f28793b3860db62c72a551df
SHA256 d8011fc70a6c2d38b12db01fbed264e8372f3ca6ccf0d9ee282ce095cc0c0cbf
SHA512 e9c78c723938083b8849932d371966255b8f9adb88f0fff5739085e791a36f276a905a6a43faf1b185ab4b57cb8cea0cd6fb7b9e57677c35238853eab81acfa9

memory/4464-140-0x00000000012C0000-0x000000000131E000-memory.dmp

memory/1540-144-0x0000000000000000-mapping.dmp

C:\Windows\System32\DzEab\YXKrWYWkBKlKe.dll

MD5 428084ddd7fda274784813193441f113
SHA1 fca2693e5243ba87f28793b3860db62c72a551df
SHA256 d8011fc70a6c2d38b12db01fbed264e8372f3ca6ccf0d9ee282ce095cc0c0cbf
SHA512 e9c78c723938083b8849932d371966255b8f9adb88f0fff5739085e791a36f276a905a6a43faf1b185ab4b57cb8cea0cd6fb7b9e57677c35238853eab81acfa9

memory/3344-146-0x0000000000000000-mapping.dmp

C:\Users\Admin\soci2.ocx

MD5 9551efaddbb1c08372ab3e202f251998
SHA1 1b08133497b3198c1766a6ebb6cc45984a2df9f0
SHA256 eae2a235a46fbadb71ccea8d47a795833a134742704cb6b1dfc6e934d8aa371f
SHA512 a803dc23cf1ed1d1659373f9e5b0aa5113b0ac9596482b80c91cb8a2a0fb7acae05bb634898645a796ec53315a39322cdc9733090624134e90e3d5a40d9ba7f9

C:\Users\Admin\soci2.ocx

MD5 9551efaddbb1c08372ab3e202f251998
SHA1 1b08133497b3198c1766a6ebb6cc45984a2df9f0
SHA256 eae2a235a46fbadb71ccea8d47a795833a134742704cb6b1dfc6e934d8aa371f
SHA512 a803dc23cf1ed1d1659373f9e5b0aa5113b0ac9596482b80c91cb8a2a0fb7acae05bb634898645a796ec53315a39322cdc9733090624134e90e3d5a40d9ba7f9

memory/228-157-0x0000000000000000-mapping.dmp

C:\Windows\System32\UAEXcmIhUfT\fBddfxltlQzXxV.dll

MD5 9551efaddbb1c08372ab3e202f251998
SHA1 1b08133497b3198c1766a6ebb6cc45984a2df9f0
SHA256 eae2a235a46fbadb71ccea8d47a795833a134742704cb6b1dfc6e934d8aa371f
SHA512 a803dc23cf1ed1d1659373f9e5b0aa5113b0ac9596482b80c91cb8a2a0fb7acae05bb634898645a796ec53315a39322cdc9733090624134e90e3d5a40d9ba7f9

memory/1708-163-0x0000000000000000-mapping.dmp

C:\Users\Admin\soci3.ocx

MD5 1c78d36579cb819a53deedea4ac9f8dd
SHA1 cbfac4c0a62dabf354d01edbb02c25c3b88f604c
SHA256 22c38fda96321b16ea796ed18f03625bbba4b7ffb5b7495f5c893768c6349f65
SHA512 2e12abd2f824fca5e3c4bf9b090df839e2f76154b616c365959e4e63186308b571150a792205ab24b014e964c2451be5dc47afbfe81cef5cf1cd188c8cb4057c

C:\Users\Admin\soci3.ocx

MD5 1c78d36579cb819a53deedea4ac9f8dd
SHA1 cbfac4c0a62dabf354d01edbb02c25c3b88f604c
SHA256 22c38fda96321b16ea796ed18f03625bbba4b7ffb5b7495f5c893768c6349f65
SHA512 2e12abd2f824fca5e3c4bf9b090df839e2f76154b616c365959e4e63186308b571150a792205ab24b014e964c2451be5dc47afbfe81cef5cf1cd188c8cb4057c

memory/1776-170-0x0000000000000000-mapping.dmp

C:\Windows\System32\HbeWy\VNCZIWyKC.dll

MD5 1c78d36579cb819a53deedea4ac9f8dd
SHA1 cbfac4c0a62dabf354d01edbb02c25c3b88f604c
SHA256 22c38fda96321b16ea796ed18f03625bbba4b7ffb5b7495f5c893768c6349f65
SHA512 2e12abd2f824fca5e3c4bf9b090df839e2f76154b616c365959e4e63186308b571150a792205ab24b014e964c2451be5dc47afbfe81cef5cf1cd188c8cb4057c

memory/2500-176-0x0000000000000000-mapping.dmp

C:\Users\Admin\soci4.ocx

MD5 615f4fc0eb24ecb044f532a4c1cf20e1
SHA1 738f9243e0b115a51826820c0ed92040b64615c5
SHA256 b1704fff5112536cfb3a23b7f0ae3922a1418b2e3ca56340ca5537f08b7be7b6
SHA512 776153b81aff092bdaff76332f8f0d4d9df175b80df8eaf80dac96fa192898256533ba589354b06c21881f0c45b0cf3b2ef1aeb0a0cc35bc3fc8105a8022c822

C:\Users\Admin\soci4.ocx

MD5 615f4fc0eb24ecb044f532a4c1cf20e1
SHA1 738f9243e0b115a51826820c0ed92040b64615c5
SHA256 b1704fff5112536cfb3a23b7f0ae3922a1418b2e3ca56340ca5537f08b7be7b6
SHA512 776153b81aff092bdaff76332f8f0d4d9df175b80df8eaf80dac96fa192898256533ba589354b06c21881f0c45b0cf3b2ef1aeb0a0cc35bc3fc8105a8022c822

memory/1588-183-0x0000000000000000-mapping.dmp

C:\Windows\System32\FAQnAL\CECcH.dll

MD5 615f4fc0eb24ecb044f532a4c1cf20e1
SHA1 738f9243e0b115a51826820c0ed92040b64615c5
SHA256 b1704fff5112536cfb3a23b7f0ae3922a1418b2e3ca56340ca5537f08b7be7b6
SHA512 776153b81aff092bdaff76332f8f0d4d9df175b80df8eaf80dac96fa192898256533ba589354b06c21881f0c45b0cf3b2ef1aeb0a0cc35bc3fc8105a8022c822

memory/3508-189-0x0000000000000000-mapping.dmp

memory/1540-190-0x00000000034F0000-0x0000000003513000-memory.dmp

memory/4212-191-0x0000000000000000-mapping.dmp

memory/2184-192-0x0000000000000000-mapping.dmp
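The Files entries above confirm what the process trees suggest: every sociN.ocx written under C:\Users\Admin reappears with identical MD5, SHA1, SHA256 and SHA512 as a .dll in a freshly named subdirectory of C:\Windows\System32 (soci1.ocx and DzEab\YXKrWYWkBKlKe.dll, soci2.ocx and UAEXcmIhUfT\fBddfxltlQzXxV.dll, and so on), so the second regsvr32 loads a renamed copy rather than a second download. The script below is an added example, not the report's or the sandbox's own code. FILES_EXCERPT reproduces the path and SHA256 lines of the behavioral2 entries from this report (the MD5, SHA1 and SHA512 lines are dropped for brevity; the parser accepts them), and the user-profile and System32 path patterns used to pair entries are this example's own assumption.

```python
"""Correlate dropped files in a sandbox Files section by digest.

Added example, not part of the report. FILES_EXCERPT is the path and SHA256
lines of the behavioral2 entries copied from this report; the staged/installed
path patterns are this example's own heuristic.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

FILES_EXCERPT = r"""
C:\Users\Admin\soci1.ocx
SHA256 d8011fc70a6c2d38b12db01fbed264e8372f3ca6ccf0d9ee282ce095cc0c0cbf

C:\Users\Admin\soci1.ocx
SHA256 d8011fc70a6c2d38b12db01fbed264e8372f3ca6ccf0d9ee282ce095cc0c0cbf

C:\Windows\System32\DzEab\YXKrWYWkBKlKe.dll
SHA256 d8011fc70a6c2d38b12db01fbed264e8372f3ca6ccf0d9ee282ce095cc0c0cbf

C:\Users\Admin\soci2.ocx
SHA256 eae2a235a46fbadb71ccea8d47a795833a134742704cb6b1dfc6e934d8aa371f

C:\Windows\System32\UAEXcmIhUfT\fBddfxltlQzXxV.dll
SHA256 eae2a235a46fbadb71ccea8d47a795833a134742704cb6b1dfc6e934d8aa371f

C:\Users\Admin\soci3.ocx
SHA256 22c38fda96321b16ea796ed18f03625bbba4b7ffb5b7495f5c893768c6349f65

C:\Windows\System32\HbeWy\VNCZIWyKC.dll
SHA256 22c38fda96321b16ea796ed18f03625bbba4b7ffb5b7495f5c893768c6349f65

C:\Users\Admin\soci4.ocx
SHA256 b1704fff5112536cfb3a23b7f0ae3922a1418b2e3ca56340ca5537f08b7be7b6

C:\Windows\System32\FAQnAL\CECcH.dll
SHA256 b1704fff5112536cfb3a23b7f0ae3922a1418b2e3ca56340ca5537f08b7be7b6
"""

DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
STAGED_RE = re.compile(r"^[a-z]:\\users\\", re.I)             # assumption: user-profile drop
INSTALLED_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)  # assumption: persisted copy


@dataclass(frozen=True)
class CopyPair:
    sha256: str
    staged: str      # written under the user profile
    installed: str   # same bytes, relocated under System32


def parse_files(text):
    """Return (path, {algo: digest}) per block: a path line followed by digest lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue  # memory/*.dmp entries carry no digest lines
        digests = {}
        for ln in lines[1:]:
            m = DIGEST_RE.match(ln)
            if not m:
                raise ValueError(f"unexpected line in Files block: {ln!r}")
            digests[m.group(1)] = m.group(2).lower()
        entries.append((lines[0], digests))
    return entries


def group_by_sha256(entries):
    """Map SHA256 -> sorted unique paths; repeated write events of one path collapse."""
    groups = defaultdict(set)
    for path, digests in entries:
        if "SHA256" in digests:
            groups[digests["SHA256"]].add(path)
    return {h: sorted(p) for h, p in groups.items()}


def copy_pairs(groups):
    """Pair each staged user-profile file with the byte-identical System32 copy."""
    pairs = []
    for sha, paths in groups.items():
        staged = [p for p in paths if STAGED_RE.match(p)]
        installed = [p for p in paths if INSTALLED_RE.match(p)]
        pairs.extend(CopyPair(sha, s, i) for s in staged for i in installed)
    return sorted(pairs, key=lambda p: p.staged)


def installed_dirs(pairs):
    """The per-run System32 subdirectories the copies live in, for a file-system sweep."""
    return {ntpath.dirname(p.installed) for p in pairs}


if __name__ == "__main__":
    for p in copy_pairs(group_by_sha256(parse_files(FILES_EXCERPT))):
        print(f"{p.sha256[:12]}  {p.staged}  ->  {p.installed}")
```

The same correlation across the two runs shows that soci2.ocx and soci4.ocx carry identical digests on the Windows 7 and Windows 10 detonations, so the payload set did not vary between them; the randomly named System32 subdirectories, on the other hand, differ per run and are only useful as host-local evidence, not as shareable indicators.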