emotet | 0a712277286bdb83dee39bd389e1ad65e079bdb53b9255fa4b26283b30c9da72

Resubmissions

03/11/2022, 21:07

221103-zyn6safbg6 10

03/11/2022, 21:01

221103-ztzfyshccm 10

03/11/2022, 15:09

221103-sjnhdabfg4 10

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/11/2022, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c.xls
Size

216KB
MD5

2486374800299563ab8934122234242a
SHA1

47bfe94aa96ef43231890f04ccd286b0888e10c8
SHA256

ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c
SHA512

74e52e1e1317908447340cbba32949321ed435f17a524224af80236ecdf67187c83908cca514e82a49b9abe9495125ba741e01ed8f30663124c13fce339c63e5
SSDEEP

6144:bKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgAyY+TAQXTHGUMEyP5p6f5jQmK:GbGUMVWlbK

Score

10^/10

emotet banker trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://audioselec.com/about/dDw5ggtyMojggTqhc/

xlm40.dropper

https://geringer-muehle.de/wp-admin/G/

xlm40.dropper

http://intolove.co.uk/wp-admin/FbGhiWtrEzrQ/

xlm40.dropper

http://isc.net.ua/themes/3rU/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1920	1212	regsvr32.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1528	1212	regsvr32.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	280	1212	regsvr32.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	612	1212	regsvr32.exe	27

Downloads MZ/PE file

Loads dropped DLL 6 IoCs

pid	Process
1920	regsvr32.exe
868	regsvr32.exe
280	regsvr32.exe
1568	regsvr32.exe
612	regsvr32.exe
940	regsvr32.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1212	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
868	regsvr32.exe
980	regsvr32.exe
980	regsvr32.exe
1568	regsvr32.exe
1984	regsvr32.exe
940	regsvr32.exe
1984	regsvr32.exe
1620	regsvr32.exe
1620	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1212	EXCEL.EXE
1212	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1212	EXCEL.EXE
1212	EXCEL.EXE
1212	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1920	1212	EXCEL.EXE	30
PID 1212 wrote to memory of 1920	1212	EXCEL.EXE	30
PID 1212 wrote to memory of 1920	1212	EXCEL.EXE	30
PID 1212 wrote to memory of 1920	1212	EXCEL.EXE	30
PID 1212 wrote to memory of 1920	1212	EXCEL.EXE	30
PID 1212 wrote to memory of 1920	1212	EXCEL.EXE	30
PID 1212 wrote to memory of 1920	1212	EXCEL.EXE	30
PID 1920 wrote to memory of 868	1920	regsvr32.exe	31
PID 1920 wrote to memory of 868	1920	regsvr32.exe	31
PID 1920 wrote to memory of 868	1920	regsvr32.exe	31
PID 1920 wrote to memory of 868	1920	regsvr32.exe	31
PID 1920 wrote to memory of 868	1920	regsvr32.exe	31
PID 1920 wrote to memory of 868	1920	regsvr32.exe	31
PID 1920 wrote to memory of 868	1920	regsvr32.exe	31
PID 868 wrote to memory of 980	868	regsvr32.exe	32
PID 868 wrote to memory of 980	868	regsvr32.exe	32
PID 868 wrote to memory of 980	868	regsvr32.exe	32
PID 868 wrote to memory of 980	868	regsvr32.exe	32
PID 868 wrote to memory of 980	868	regsvr32.exe	32
PID 1212 wrote to memory of 1528	1212	EXCEL.EXE	33
PID 1212 wrote to memory of 1528	1212	EXCEL.EXE	33
PID 1212 wrote to memory of 1528	1212	EXCEL.EXE	33
PID 1212 wrote to memory of 1528	1212	EXCEL.EXE	33
PID 1212 wrote to memory of 1528	1212	EXCEL.EXE	33
PID 1212 wrote to memory of 1528	1212	EXCEL.EXE	33
PID 1212 wrote to memory of 1528	1212	EXCEL.EXE	33
PID 1212 wrote to memory of 280	1212	EXCEL.EXE	34
PID 1212 wrote to memory of 280	1212	EXCEL.EXE	34
PID 1212 wrote to memory of 280	1212	EXCEL.EXE	34
PID 1212 wrote to memory of 280	1212	EXCEL.EXE	34
PID 1212 wrote to memory of 280	1212	EXCEL.EXE	34
PID 1212 wrote to memory of 280	1212	EXCEL.EXE	34
PID 1212 wrote to memory of 280	1212	EXCEL.EXE	34
PID 280 wrote to memory of 1568	280	regsvr32.exe	35
PID 280 wrote to memory of 1568	280	regsvr32.exe	35
PID 280 wrote to memory of 1568	280	regsvr32.exe	35
PID 280 wrote to memory of 1568	280	regsvr32.exe	35
PID 280 wrote to memory of 1568	280	regsvr32.exe	35
PID 280 wrote to memory of 1568	280	regsvr32.exe	35
PID 280 wrote to memory of 1568	280	regsvr32.exe	35
PID 1568 wrote to memory of 1984	1568	regsvr32.exe	36
PID 1568 wrote to memory of 1984	1568	regsvr32.exe	36
PID 1568 wrote to memory of 1984	1568	regsvr32.exe	36
PID 1568 wrote to memory of 1984	1568	regsvr32.exe	36
PID 1568 wrote to memory of 1984	1568	regsvr32.exe	36
PID 1212 wrote to memory of 612	1212	EXCEL.EXE	37
PID 1212 wrote to memory of 612	1212	EXCEL.EXE	37
PID 1212 wrote to memory of 612	1212	EXCEL.EXE	37
PID 1212 wrote to memory of 612	1212	EXCEL.EXE	37
PID 1212 wrote to memory of 612	1212	EXCEL.EXE	37
PID 1212 wrote to memory of 612	1212	EXCEL.EXE	37
PID 1212 wrote to memory of 612	1212	EXCEL.EXE	37
PID 612 wrote to memory of 940	612	regsvr32.exe	38
PID 612 wrote to memory of 940	612	regsvr32.exe	38
PID 612 wrote to memory of 940	612	regsvr32.exe	38
PID 612 wrote to memory of 940	612	regsvr32.exe	38
PID 612 wrote to memory of 940	612	regsvr32.exe	38
PID 612 wrote to memory of 940	612	regsvr32.exe	38
PID 612 wrote to memory of 940	612	regsvr32.exe	38
PID 940 wrote to memory of 1620	940	regsvr32.exe	39
PID 940 wrote to memory of 1620	940	regsvr32.exe	39
PID 940 wrote to memory of 1620	940	regsvr32.exe	39
PID 940 wrote to memory of 1620	940	regsvr32.exe	39
PID 940 wrote to memory of 1620	940	regsvr32.exe	39

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\system32\regsvr32.exe
    ..\oxnv1.ooccxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XOyuKIfaCZiicCeF\npryDSmn.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:980
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:1528
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:280
- - C:\Windows\system32\regsvr32.exe
    ..\oxnv3.ooccxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WDxCUWNRfAkhsl\OBDpIcYQ.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1984
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\system32\regsvr32.exe
    ..\oxnv4.ooccxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RpXPaodd\ftVCQahFL.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
814KB

MD5
12a81d42416771d412f249e318088d24

SHA1
b7d865bd7c3479c6efcf05c4a53cb442ab6eaa7b

SHA256
49f40a56dee471071d04545612cafc909f029a8c147b7591706c6831b2d16c02

SHA512
13e711d4255d33b948d5e97b0f0b27adec2be9ccc3e71158b8badac9b5268ff0a6cea5533cad8c7f4795b0ad42a85ea401c63f3f3f341bb1eafe070de1c37015

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
814KB

MD5
4bda16479818d2ffd47417c24753aed4

SHA1
3ee06f7717755ab7fa658c32b068bda22cf56335

SHA256
9916457a0db1d62de30d9625ccad91b872962eb24001613a835a0e04e3ff97d6

SHA512
6edb5cf6294df6bd2e8f3fbe95fb877c15f225a5615079a73ea83ac45e00af13b6d1bb24a47dae85d00a2453643f6b2879d1d1bef43c46b4f67cefb0abe81bd0

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
814KB

MD5
29ace580875ad5c9820ce5b0147904d0

SHA1
34d0f9851a6123da12ddda915278029f7f05d218

SHA256
635506abeb118a2715f5ddce55a4b9c0f9be60e59acf80d8192d50c1fbde951c

SHA512
e5fdeca4c35759e82976df415d12c1c202c622d9535bb8345a57184c0cb1a6c4c3bca222d271cc0424c718572f26635eac826ece4a5a7d822e010661c259ff6f

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
814KB

MD5
12a81d42416771d412f249e318088d24

SHA1
b7d865bd7c3479c6efcf05c4a53cb442ab6eaa7b

SHA256
49f40a56dee471071d04545612cafc909f029a8c147b7591706c6831b2d16c02

SHA512
13e711d4255d33b948d5e97b0f0b27adec2be9ccc3e71158b8badac9b5268ff0a6cea5533cad8c7f4795b0ad42a85ea401c63f3f3f341bb1eafe070de1c37015

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
814KB

MD5
12a81d42416771d412f249e318088d24

SHA1
b7d865bd7c3479c6efcf05c4a53cb442ab6eaa7b

SHA256
49f40a56dee471071d04545612cafc909f029a8c147b7591706c6831b2d16c02

SHA512
13e711d4255d33b948d5e97b0f0b27adec2be9ccc3e71158b8badac9b5268ff0a6cea5533cad8c7f4795b0ad42a85ea401c63f3f3f341bb1eafe070de1c37015

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
814KB

MD5
4bda16479818d2ffd47417c24753aed4

SHA1
3ee06f7717755ab7fa658c32b068bda22cf56335

SHA256
9916457a0db1d62de30d9625ccad91b872962eb24001613a835a0e04e3ff97d6

SHA512
6edb5cf6294df6bd2e8f3fbe95fb877c15f225a5615079a73ea83ac45e00af13b6d1bb24a47dae85d00a2453643f6b2879d1d1bef43c46b4f67cefb0abe81bd0

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
814KB

MD5
4bda16479818d2ffd47417c24753aed4

SHA1
3ee06f7717755ab7fa658c32b068bda22cf56335

SHA256
9916457a0db1d62de30d9625ccad91b872962eb24001613a835a0e04e3ff97d6

SHA512
6edb5cf6294df6bd2e8f3fbe95fb877c15f225a5615079a73ea83ac45e00af13b6d1bb24a47dae85d00a2453643f6b2879d1d1bef43c46b4f67cefb0abe81bd0

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
814KB

MD5
29ace580875ad5c9820ce5b0147904d0

SHA1
34d0f9851a6123da12ddda915278029f7f05d218

SHA256
635506abeb118a2715f5ddce55a4b9c0f9be60e59acf80d8192d50c1fbde951c

SHA512
e5fdeca4c35759e82976df415d12c1c202c622d9535bb8345a57184c0cb1a6c4c3bca222d271cc0424c718572f26635eac826ece4a5a7d822e010661c259ff6f

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
814KB

MD5
29ace580875ad5c9820ce5b0147904d0

SHA1
34d0f9851a6123da12ddda915278029f7f05d218

SHA256
635506abeb118a2715f5ddce55a4b9c0f9be60e59acf80d8192d50c1fbde951c

SHA512
e5fdeca4c35759e82976df415d12c1c202c622d9535bb8345a57184c0cb1a6c4c3bca222d271cc0424c718572f26635eac826ece4a5a7d822e010661c259ff6f

Download Submit
memory/868-66-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/868-64-0x000007FEFC581000-0x000007FEFC583000-memory.dmp

Filesize
8KB

Download
memory/1212-58-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1212-54-0x000000002F321000-0x000000002F324000-memory.dmp

Filesize
12KB

Download
memory/1212-57-0x0000000072BBD000-0x0000000072BC8000-memory.dmp

Filesize
44KB

Download
memory/1212-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1212-69-0x0000000072BBD000-0x0000000072BC8000-memory.dmp

Filesize
44KB

Download
memory/1212-55-0x0000000071BD1000-0x0000000071BD3000-memory.dmp

Filesize
8KB

Download
memory/1212-107-0x000000006CC11000-0x000000006CC13000-memory.dmp

Filesize
8KB

Download