emotet | 885b6fbc0fc6c4047b764ecac7e7b3a30b10b203f186598ead1ad06492e94d6a

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/11/2022, 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

562.xls
Size

217KB
MD5

c2e34731e0c5a3e75c35d7e6dcd5b14d
SHA1

9ef72765312220c818544cae93a6602e06368521
SHA256

885b6fbc0fc6c4047b764ecac7e7b3a30b10b203f186598ead1ad06492e94d6a
SHA512

118b8779c8454b4543f816beb66a545b015388801e5c11c8c8bb518022d068bfb8bb7722fb6d3d6a524c2d1fb5b30a4a1c42fe3e3504bdb2ac244879116879eb
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgIyY+TAQXTHGUMEyP5p6f5jQm7:bbGUMVWlb7

Score

10^/10

emotet banker trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://aprendeconmireia.com/images/wBu/

xlm40.dropper

http://updailymail.com/cgi-bin/gBYmfqRi2utIS2n/

xlm40.dropper

https://akuntansi.itny.ac.id/asset/9aVFvYeaSKOhGBSLx/

xlm40.dropper

http://swiftwebbox.com/cgi-bin/vNqoMtQilpysJYRwtGu/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1264	1768	regsvr32.exe	26
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2044	1768	regsvr32.exe	26
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1820	1768	regsvr32.exe	26
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1036	1768	regsvr32.exe	26

Downloads MZ/PE file

Loads dropped DLL 8 IoCs

pid	Process
1264	regsvr32.exe
1512	regsvr32.exe
2044	regsvr32.exe
1984	regsvr32.exe
1820	regsvr32.exe
1516	regsvr32.exe
1036	regsvr32.exe
380	regsvr32.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1768	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1512	regsvr32.exe
964	regsvr32.exe
964	regsvr32.exe
1984	regsvr32.exe
960	regsvr32.exe
960	regsvr32.exe
1516	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
380	regsvr32.exe
1732	regsvr32.exe
1732	regsvr32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1768	EXCEL.EXE
1768	EXCEL.EXE
1768	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1264	1768	EXCEL.EXE	29
PID 1768 wrote to memory of 1264	1768	EXCEL.EXE	29
PID 1768 wrote to memory of 1264	1768	EXCEL.EXE	29
PID 1768 wrote to memory of 1264	1768	EXCEL.EXE	29
PID 1768 wrote to memory of 1264	1768	EXCEL.EXE	29
PID 1768 wrote to memory of 1264	1768	EXCEL.EXE	29
PID 1768 wrote to memory of 1264	1768	EXCEL.EXE	29
PID 1264 wrote to memory of 1512	1264	regsvr32.exe	30
PID 1264 wrote to memory of 1512	1264	regsvr32.exe	30
PID 1264 wrote to memory of 1512	1264	regsvr32.exe	30
PID 1264 wrote to memory of 1512	1264	regsvr32.exe	30
PID 1264 wrote to memory of 1512	1264	regsvr32.exe	30
PID 1264 wrote to memory of 1512	1264	regsvr32.exe	30
PID 1264 wrote to memory of 1512	1264	regsvr32.exe	30
PID 1512 wrote to memory of 964	1512	regsvr32.exe	31
PID 1512 wrote to memory of 964	1512	regsvr32.exe	31
PID 1512 wrote to memory of 964	1512	regsvr32.exe	31
PID 1512 wrote to memory of 964	1512	regsvr32.exe	31
PID 1512 wrote to memory of 964	1512	regsvr32.exe	31
PID 1768 wrote to memory of 2044	1768	EXCEL.EXE	32
PID 1768 wrote to memory of 2044	1768	EXCEL.EXE	32
PID 1768 wrote to memory of 2044	1768	EXCEL.EXE	32
PID 1768 wrote to memory of 2044	1768	EXCEL.EXE	32
PID 1768 wrote to memory of 2044	1768	EXCEL.EXE	32
PID 1768 wrote to memory of 2044	1768	EXCEL.EXE	32
PID 1768 wrote to memory of 2044	1768	EXCEL.EXE	32
PID 2044 wrote to memory of 1984	2044	regsvr32.exe	33
PID 2044 wrote to memory of 1984	2044	regsvr32.exe	33
PID 2044 wrote to memory of 1984	2044	regsvr32.exe	33
PID 2044 wrote to memory of 1984	2044	regsvr32.exe	33
PID 2044 wrote to memory of 1984	2044	regsvr32.exe	33
PID 2044 wrote to memory of 1984	2044	regsvr32.exe	33
PID 2044 wrote to memory of 1984	2044	regsvr32.exe	33
PID 1984 wrote to memory of 960	1984	regsvr32.exe	34
PID 1984 wrote to memory of 960	1984	regsvr32.exe	34
PID 1984 wrote to memory of 960	1984	regsvr32.exe	34
PID 1984 wrote to memory of 960	1984	regsvr32.exe	34
PID 1984 wrote to memory of 960	1984	regsvr32.exe	34
PID 1768 wrote to memory of 1820	1768	EXCEL.EXE	35
PID 1768 wrote to memory of 1820	1768	EXCEL.EXE	35
PID 1768 wrote to memory of 1820	1768	EXCEL.EXE	35
PID 1768 wrote to memory of 1820	1768	EXCEL.EXE	35
PID 1768 wrote to memory of 1820	1768	EXCEL.EXE	35
PID 1768 wrote to memory of 1820	1768	EXCEL.EXE	35
PID 1768 wrote to memory of 1820	1768	EXCEL.EXE	35
PID 1820 wrote to memory of 1516	1820	regsvr32.exe	36
PID 1820 wrote to memory of 1516	1820	regsvr32.exe	36
PID 1820 wrote to memory of 1516	1820	regsvr32.exe	36
PID 1820 wrote to memory of 1516	1820	regsvr32.exe	36
PID 1820 wrote to memory of 1516	1820	regsvr32.exe	36
PID 1820 wrote to memory of 1516	1820	regsvr32.exe	36
PID 1820 wrote to memory of 1516	1820	regsvr32.exe	36
PID 1516 wrote to memory of 1328	1516	regsvr32.exe	37
PID 1516 wrote to memory of 1328	1516	regsvr32.exe	37
PID 1516 wrote to memory of 1328	1516	regsvr32.exe	37
PID 1516 wrote to memory of 1328	1516	regsvr32.exe	37
PID 1516 wrote to memory of 1328	1516	regsvr32.exe	37
PID 1768 wrote to memory of 1036	1768	EXCEL.EXE	38
PID 1768 wrote to memory of 1036	1768	EXCEL.EXE	38
PID 1768 wrote to memory of 1036	1768	EXCEL.EXE	38
PID 1768 wrote to memory of 1036	1768	EXCEL.EXE	38
PID 1768 wrote to memory of 1036	1768	EXCEL.EXE	38
PID 1768 wrote to memory of 1036	1768	EXCEL.EXE	38
PID 1768 wrote to memory of 1036	1768	EXCEL.EXE	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\562.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\system32\regsvr32.exe
    /S ..\oxnv1.ooccxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GmcSJKnU\KUFvfCJSVAEtFAvc.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:964
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\system32\regsvr32.exe
    /S ..\oxnv2.ooccxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PbjJPbCLeMTh\fjgvlN.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:960
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\system32\regsvr32.exe
    /S ..\oxnv3.ooccxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VIZqipXMb\LdIi.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1328
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  PID:1036
- - C:\Windows\system32\regsvr32.exe
    /S ..\oxnv4.ooccxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:380
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KEmtOazzd\pVyCunxYZ.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
e4594871d98789b91e5f9ab989fb3f7f

SHA1
fcd7ae3f4bbfe2344051ada840ff64ccb9361712

SHA256
2cddbb0ec9f9c7526a3ecb9c178a62ae0a1048712056203ae51a4435c4156930

SHA512
3e5fdb034a860acef77809e111b5691a5cbcc06468b76791aa1e0b93f025d48de1ee3a317c1a0cd3c23c49ae5b6f01a0d01c0a61a0df0bfb9d043fa65ea35b77

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
712KB

MD5
38e9c920298c5efbddd9890f9f5daa4f

SHA1
9606da8026c4db33b299ba45fd1453054dfdb371

SHA256
f3b89d206767bfc1c734b7af93a8caafc5b48c7797516237af2d6ba45ad282b3

SHA512
81ebc516e793a3f34d06424d6a3425a7a60c44a5e12d77f03241fffd125274b736ff1dbe2793d05452c237557dcd032df4b55c7ffa8153a79ca311cd08f2a8d4

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
712KB

MD5
cb3eab697e768aae26bad6d7c21df990

SHA1
eaac242646520295c8cd613a8beac51e5e829227

SHA256
e88e1c227607b29de7a35c8f95a54ac57766ce7ec8b311ba1ddc894e24c4e07a

SHA512
c6828d82448d6818203fc45252efb23f13b3a5233a98c58714d46758f9746d896f6c01269fa646b1b67fa458e79a98ce5fc95fcaf1387895bb9df60cb44c91ce

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
712KB

MD5
1215b42ac8d300acd3f7d86fd372349d

SHA1
175ca8dfe5e333595f991c6206decd93355f3d53

SHA256
dd0374ea08e569274455a46b361eee9deb088e11d5e8fc19fc5b0e8009724362

SHA512
31d6dceab0c0260746542b4f196e83f0e779df87b44f2c0e4c0f3b17cc2a79e99d2eb1f3267d61f062b968f6b0f5212f24bdb497238148190606fc7832c8a5f4

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
e4594871d98789b91e5f9ab989fb3f7f

SHA1
fcd7ae3f4bbfe2344051ada840ff64ccb9361712

SHA256
2cddbb0ec9f9c7526a3ecb9c178a62ae0a1048712056203ae51a4435c4156930

SHA512
3e5fdb034a860acef77809e111b5691a5cbcc06468b76791aa1e0b93f025d48de1ee3a317c1a0cd3c23c49ae5b6f01a0d01c0a61a0df0bfb9d043fa65ea35b77

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
e4594871d98789b91e5f9ab989fb3f7f

SHA1
fcd7ae3f4bbfe2344051ada840ff64ccb9361712

SHA256
2cddbb0ec9f9c7526a3ecb9c178a62ae0a1048712056203ae51a4435c4156930

SHA512
3e5fdb034a860acef77809e111b5691a5cbcc06468b76791aa1e0b93f025d48de1ee3a317c1a0cd3c23c49ae5b6f01a0d01c0a61a0df0bfb9d043fa65ea35b77

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
712KB

MD5
38e9c920298c5efbddd9890f9f5daa4f

SHA1
9606da8026c4db33b299ba45fd1453054dfdb371

SHA256
f3b89d206767bfc1c734b7af93a8caafc5b48c7797516237af2d6ba45ad282b3

SHA512
81ebc516e793a3f34d06424d6a3425a7a60c44a5e12d77f03241fffd125274b736ff1dbe2793d05452c237557dcd032df4b55c7ffa8153a79ca311cd08f2a8d4

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
712KB

MD5
38e9c920298c5efbddd9890f9f5daa4f

SHA1
9606da8026c4db33b299ba45fd1453054dfdb371

SHA256
f3b89d206767bfc1c734b7af93a8caafc5b48c7797516237af2d6ba45ad282b3

SHA512
81ebc516e793a3f34d06424d6a3425a7a60c44a5e12d77f03241fffd125274b736ff1dbe2793d05452c237557dcd032df4b55c7ffa8153a79ca311cd08f2a8d4

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
712KB

MD5
cb3eab697e768aae26bad6d7c21df990

SHA1
eaac242646520295c8cd613a8beac51e5e829227

SHA256
e88e1c227607b29de7a35c8f95a54ac57766ce7ec8b311ba1ddc894e24c4e07a

SHA512
c6828d82448d6818203fc45252efb23f13b3a5233a98c58714d46758f9746d896f6c01269fa646b1b67fa458e79a98ce5fc95fcaf1387895bb9df60cb44c91ce

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
712KB

MD5
cb3eab697e768aae26bad6d7c21df990

SHA1
eaac242646520295c8cd613a8beac51e5e829227

SHA256
e88e1c227607b29de7a35c8f95a54ac57766ce7ec8b311ba1ddc894e24c4e07a

SHA512
c6828d82448d6818203fc45252efb23f13b3a5233a98c58714d46758f9746d896f6c01269fa646b1b67fa458e79a98ce5fc95fcaf1387895bb9df60cb44c91ce

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
712KB

MD5
1215b42ac8d300acd3f7d86fd372349d

SHA1
175ca8dfe5e333595f991c6206decd93355f3d53

SHA256
dd0374ea08e569274455a46b361eee9deb088e11d5e8fc19fc5b0e8009724362

SHA512
31d6dceab0c0260746542b4f196e83f0e779df87b44f2c0e4c0f3b17cc2a79e99d2eb1f3267d61f062b968f6b0f5212f24bdb497238148190606fc7832c8a5f4

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
712KB

MD5
1215b42ac8d300acd3f7d86fd372349d

SHA1
175ca8dfe5e333595f991c6206decd93355f3d53

SHA256
dd0374ea08e569274455a46b361eee9deb088e11d5e8fc19fc5b0e8009724362

SHA512
31d6dceab0c0260746542b4f196e83f0e779df87b44f2c0e4c0f3b17cc2a79e99d2eb1f3267d61f062b968f6b0f5212f24bdb497238148190606fc7832c8a5f4

Download Submit
memory/1512-66-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/1512-64-0x000007FEFB621000-0x000007FEFB623000-memory.dmp

Filesize
8KB

Download
memory/1768-55-0x0000000070E11000-0x0000000070E13000-memory.dmp

Filesize
8KB

Download
memory/1768-54-0x000000002F4C1000-0x000000002F4C4000-memory.dmp

Filesize
12KB

Download
memory/1768-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1768-75-0x0000000071DFD000-0x0000000071E08000-memory.dmp

Filesize
44KB

Download
memory/1768-58-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1768-57-0x0000000071DFD000-0x0000000071E08000-memory.dmp

Filesize
44KB

Download