emotet | 0a712277286bdb83dee39bd389e1ad65e079bdb53b9255fa4b26283b30c9da72

Resubmissions

03/11/2022, 21:07

221103-zyn6safbg6 10

03/11/2022, 21:01

221103-ztzfyshccm 10

03/11/2022, 15:09

221103-sjnhdabfg4 10

Analysis

max time kernel
597s
max time network
600s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/11/2022, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c.xls
Size

216KB
MD5

2486374800299563ab8934122234242a
SHA1

47bfe94aa96ef43231890f04ccd286b0888e10c8
SHA256

ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c
SHA512

74e52e1e1317908447340cbba32949321ed435f17a524224af80236ecdf67187c83908cca514e82a49b9abe9495125ba741e01ed8f30663124c13fce339c63e5
SSDEEP

6144:bKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgAyY+TAQXTHGUMEyP5p6f5jQmK:GbGUMVWlbK

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://audioselec.com/about/dDw5ggtyMojggTqhc/

xlm40.dropper

https://geringer-muehle.de/wp-admin/G/

xlm40.dropper

http://intolove.co.uk/wp-admin/FbGhiWtrEzrQ/

xlm40.dropper

http://isc.net.ua/themes/3rU/

Extracted

Family

emotet

Botnet

Epoch4

45.235.8.30:8080

94.23.45.86:4143

119.59.103.152:8080

169.60.181.70:8080

164.68.99.3:8080

172.105.226.75:8080

107.170.39.149:8080

206.189.28.199:8080

1.234.2.232:8080

188.44.20.25:443

186.194.240.217:443

103.43.75.120:443

149.28.143.92:443

159.89.202.34:443

209.97.163.214:443

183.111.227.137:8080

129.232.188.93:443

139.59.126.41:443

110.232.117.186:8080

139.59.56.73:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1492	1784	regsvr32.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	820	1784	regsvr32.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	332	1784	regsvr32.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	932	1784	regsvr32.exe	27

Downloads MZ/PE file

Loads dropped DLL 6 IoCs

pid	Process
1492	regsvr32.exe
1540	regsvr32.exe
332	regsvr32.exe
316	regsvr32.exe
932	regsvr32.exe
1948	regsvr32.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1784	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1540	regsvr32.exe
1368	regsvr32.exe
1368	regsvr32.exe
316	regsvr32.exe
960	regsvr32.exe
1948	regsvr32.exe
960	regsvr32.exe
1904	regsvr32.exe
1904	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1784	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1784	EXCEL.EXE
1784	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1784	EXCEL.EXE
1784	EXCEL.EXE
1784	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1492	1784	EXCEL.EXE	30
PID 1784 wrote to memory of 1492	1784	EXCEL.EXE	30
PID 1784 wrote to memory of 1492	1784	EXCEL.EXE	30
PID 1784 wrote to memory of 1492	1784	EXCEL.EXE	30
PID 1784 wrote to memory of 1492	1784	EXCEL.EXE	30
PID 1784 wrote to memory of 1492	1784	EXCEL.EXE	30
PID 1784 wrote to memory of 1492	1784	EXCEL.EXE	30
PID 1492 wrote to memory of 1540	1492	regsvr32.exe	31
PID 1492 wrote to memory of 1540	1492	regsvr32.exe	31
PID 1492 wrote to memory of 1540	1492	regsvr32.exe	31
PID 1492 wrote to memory of 1540	1492	regsvr32.exe	31
PID 1492 wrote to memory of 1540	1492	regsvr32.exe	31
PID 1492 wrote to memory of 1540	1492	regsvr32.exe	31
PID 1492 wrote to memory of 1540	1492	regsvr32.exe	31
PID 1540 wrote to memory of 1368	1540	regsvr32.exe	32
PID 1540 wrote to memory of 1368	1540	regsvr32.exe	32
PID 1540 wrote to memory of 1368	1540	regsvr32.exe	32
PID 1540 wrote to memory of 1368	1540	regsvr32.exe	32
PID 1540 wrote to memory of 1368	1540	regsvr32.exe	32
PID 1784 wrote to memory of 820	1784	EXCEL.EXE	33
PID 1784 wrote to memory of 820	1784	EXCEL.EXE	33
PID 1784 wrote to memory of 820	1784	EXCEL.EXE	33
PID 1784 wrote to memory of 820	1784	EXCEL.EXE	33
PID 1784 wrote to memory of 820	1784	EXCEL.EXE	33
PID 1784 wrote to memory of 820	1784	EXCEL.EXE	33
PID 1784 wrote to memory of 820	1784	EXCEL.EXE	33
PID 1784 wrote to memory of 332	1784	EXCEL.EXE	34
PID 1784 wrote to memory of 332	1784	EXCEL.EXE	34
PID 1784 wrote to memory of 332	1784	EXCEL.EXE	34
PID 1784 wrote to memory of 332	1784	EXCEL.EXE	34
PID 1784 wrote to memory of 332	1784	EXCEL.EXE	34
PID 1784 wrote to memory of 332	1784	EXCEL.EXE	34
PID 1784 wrote to memory of 332	1784	EXCEL.EXE	34
PID 332 wrote to memory of 316	332	regsvr32.exe	35
PID 332 wrote to memory of 316	332	regsvr32.exe	35
PID 332 wrote to memory of 316	332	regsvr32.exe	35
PID 332 wrote to memory of 316	332	regsvr32.exe	35
PID 332 wrote to memory of 316	332	regsvr32.exe	35
PID 332 wrote to memory of 316	332	regsvr32.exe	35
PID 332 wrote to memory of 316	332	regsvr32.exe	35
PID 316 wrote to memory of 960	316	regsvr32.exe	36
PID 316 wrote to memory of 960	316	regsvr32.exe	36
PID 316 wrote to memory of 960	316	regsvr32.exe	36
PID 316 wrote to memory of 960	316	regsvr32.exe	36
PID 316 wrote to memory of 960	316	regsvr32.exe	36
PID 1784 wrote to memory of 932	1784	EXCEL.EXE	37
PID 1784 wrote to memory of 932	1784	EXCEL.EXE	37
PID 1784 wrote to memory of 932	1784	EXCEL.EXE	37
PID 1784 wrote to memory of 932	1784	EXCEL.EXE	37
PID 1784 wrote to memory of 932	1784	EXCEL.EXE	37
PID 1784 wrote to memory of 932	1784	EXCEL.EXE	37
PID 1784 wrote to memory of 932	1784	EXCEL.EXE	37
PID 932 wrote to memory of 1948	932	regsvr32.exe	38
PID 932 wrote to memory of 1948	932	regsvr32.exe	38
PID 932 wrote to memory of 1948	932	regsvr32.exe	38
PID 932 wrote to memory of 1948	932	regsvr32.exe	38
PID 932 wrote to memory of 1948	932	regsvr32.exe	38
PID 932 wrote to memory of 1948	932	regsvr32.exe	38
PID 932 wrote to memory of 1948	932	regsvr32.exe	38
PID 1948 wrote to memory of 1904	1948	regsvr32.exe	39
PID 1948 wrote to memory of 1904	1948	regsvr32.exe	39
PID 1948 wrote to memory of 1904	1948	regsvr32.exe	39
PID 1948 wrote to memory of 1904	1948	regsvr32.exe	39
PID 1948 wrote to memory of 1904	1948	regsvr32.exe	39

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\system32\regsvr32.exe
    ..\oxnv1.ooccxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WpkGyXXz\JFZPOATc.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1368
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:820
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\system32\regsvr32.exe
    ..\oxnv3.ooccxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZDqFMYMj\BndCCK.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:960
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\system32\regsvr32.exe
    ..\oxnv4.ooccxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EnTqWdgCUnfql\exhLOVvTq.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
96b4c5ead181fe2513171fa44f76377e

SHA1
5dee66202056f170a2c268b207119976bdb0a1a7

SHA256
c8b55f0c0f59098b480966b3136bd50eb605c2d656b3ddef94d57665c0b536b9

SHA512
da31bf76fd7280b0d5025f262ebdc7c354d17c54e5ab603c8c5f64cd609fefa0f19824ece7b7260404457b4089e986f4b998b3fdb85ae2c8dba9e7be11df7005

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0a748e197f251b051298b802a2141e1

SHA1
4f61bfcafb973ceb74acabe2d996d30b59ad5279

SHA256
d54e5e0b611116fcc6de22ee406e060b26bd3d7e51c9b15e45a0dc70704bd619

SHA512
6c76f025c8767fdd3f3c92014cbc3a557f9f2a19cdab8b04d24f884f8d1401af718f4eec833df543d72b30e77ba9f0bb238604092a45f33155b3bb8587ced98f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74fcba1f03eafb5d119b69abdda4d5ea

SHA1
9a797247877c71492b677839ecd6773bbfbb1d49

SHA256
c88287def6e2e19f56b70cc8ded4de5ea22c3a27329ee44d9b0d2d177f1527c1

SHA512
71194ededa7600fdf4005c9ce6f470325a8a836a73bdfbfcd6e27b78aa7b3d2ad9c7303823cc87e588008ace294cd5f3db5972b56a0dc923dbcbcab667fb2edf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
417b9e7e963438205f8a3d64daa02f44

SHA1
bc70607ce2b4ca9917731eafa1aa72d646777583

SHA256
265444f6cbeb3ed0ac65005f942da62c607af76c561a92fb4675554ea671555d

SHA512
56a9fce2fdbdbed2927773cead4630499af9e2c58ae258beb7ec5899196a0c152e6f988b9862627290f0e7fa241bbcca392dbf3a14ed50145ed8ac40a3407d3a

Download Submit
C:\Users\Admin\oxnv1.ooccxx

Filesize
708KB

MD5
6547ad5ca6f25c230f21abdc6917d520

SHA1
b75fc2c9b37d30b5fc3c0b35662d7287098c81bd

SHA256
76a41098ef49a464addd3af6c3f61ff097202e6a028a0a5bd87653938a4b04d5

SHA512
9770471abc9150e482a219d43b8bbe3a29d9e1da105159fd44cf56b03244005ea49184ddc80ac8ebac81f8f2b935b83aca12e5641204bfe4761949a305a97111

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
708KB

MD5
f42e3e1e9805323bfb61813c4420e90c

SHA1
76735b1e8987ad0ffd7b544eac2ec21abd8d821a

SHA256
bbcbcc91afda17bcb8f40e1aab9d684ac9efb002f50e0bb6aecae4ad9156ed05

SHA512
5a80a2bd62c5dd4d5be380065107ea3f990db51d007fe4e0d7f40bea31935e236fafa64d8f2a9bba7ca34fbf4e3ee8f341a392a48702d7475ff7dc332ce96bdb

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
708KB

MD5
1b0e974e4dc79923e28e1e4d0ee0d0ac

SHA1
11e7f1d5bf58c51a27a89233be9368bb67d0d8cf

SHA256
15c2f3333d4880b70888505de697bb84c6e62343f9ae9d90d99e7c280170b323

SHA512
5aae695851aa630de4792b3da41f1674fa3cb48193a4f1c45e5f3595d214f57c9977ea000f1e93dd897c50fb176fd86c363cca88d4e68d27debf51a1439166b4

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
708KB

MD5
6547ad5ca6f25c230f21abdc6917d520

SHA1
b75fc2c9b37d30b5fc3c0b35662d7287098c81bd

SHA256
76a41098ef49a464addd3af6c3f61ff097202e6a028a0a5bd87653938a4b04d5

SHA512
9770471abc9150e482a219d43b8bbe3a29d9e1da105159fd44cf56b03244005ea49184ddc80ac8ebac81f8f2b935b83aca12e5641204bfe4761949a305a97111

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
708KB

MD5
6547ad5ca6f25c230f21abdc6917d520

SHA1
b75fc2c9b37d30b5fc3c0b35662d7287098c81bd

SHA256
76a41098ef49a464addd3af6c3f61ff097202e6a028a0a5bd87653938a4b04d5

SHA512
9770471abc9150e482a219d43b8bbe3a29d9e1da105159fd44cf56b03244005ea49184ddc80ac8ebac81f8f2b935b83aca12e5641204bfe4761949a305a97111

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
708KB

MD5
f42e3e1e9805323bfb61813c4420e90c

SHA1
76735b1e8987ad0ffd7b544eac2ec21abd8d821a

SHA256
bbcbcc91afda17bcb8f40e1aab9d684ac9efb002f50e0bb6aecae4ad9156ed05

SHA512
5a80a2bd62c5dd4d5be380065107ea3f990db51d007fe4e0d7f40bea31935e236fafa64d8f2a9bba7ca34fbf4e3ee8f341a392a48702d7475ff7dc332ce96bdb

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
708KB

MD5
f42e3e1e9805323bfb61813c4420e90c

SHA1
76735b1e8987ad0ffd7b544eac2ec21abd8d821a

SHA256
bbcbcc91afda17bcb8f40e1aab9d684ac9efb002f50e0bb6aecae4ad9156ed05

SHA512
5a80a2bd62c5dd4d5be380065107ea3f990db51d007fe4e0d7f40bea31935e236fafa64d8f2a9bba7ca34fbf4e3ee8f341a392a48702d7475ff7dc332ce96bdb

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
708KB

MD5
1b0e974e4dc79923e28e1e4d0ee0d0ac

SHA1
11e7f1d5bf58c51a27a89233be9368bb67d0d8cf

SHA256
15c2f3333d4880b70888505de697bb84c6e62343f9ae9d90d99e7c280170b323

SHA512
5aae695851aa630de4792b3da41f1674fa3cb48193a4f1c45e5f3595d214f57c9977ea000f1e93dd897c50fb176fd86c363cca88d4e68d27debf51a1439166b4

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
708KB

MD5
1b0e974e4dc79923e28e1e4d0ee0d0ac

SHA1
11e7f1d5bf58c51a27a89233be9368bb67d0d8cf

SHA256
15c2f3333d4880b70888505de697bb84c6e62343f9ae9d90d99e7c280170b323

SHA512
5aae695851aa630de4792b3da41f1674fa3cb48193a4f1c45e5f3595d214f57c9977ea000f1e93dd897c50fb176fd86c363cca88d4e68d27debf51a1439166b4

Download Submit
memory/1540-66-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/1540-64-0x000007FEFC421000-0x000007FEFC423000-memory.dmp

Filesize
8KB

Download
memory/1784-69-0x0000000072BFD000-0x0000000072C08000-memory.dmp

Filesize
44KB

Download
memory/1784-54-0x000000002F7E1000-0x000000002F7E4000-memory.dmp

Filesize
12KB

Download
memory/1784-58-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1784-57-0x0000000072BFD000-0x0000000072C08000-memory.dmp

Filesize
44KB

Download
memory/1784-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1784-55-0x0000000071C11000-0x0000000071C13000-memory.dmp

Filesize
8KB

Download