Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
04/11/2022, 00:17
Behavioral task
behavioral1
Sample
2022-11-04_0917.xls
Resource
win7-20220812-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
2022-11-04_0917.xls
Resource
win10v2004-20220901-en
windows10-2004-x64
11 signatures
150 seconds
General
-
Target
2022-11-04_0917.xls
-
Size
217KB
-
MD5
344e23983dd111026745a44858fb51f0
-
SHA1
91e67fc0fc4699e42f5aa38464f2f9d9a2a789fe
-
SHA256
bb7131f2c734163aa766524bb2de31956d2f012294ffd5186ad7e12c057c0d04
-
SHA512
0ef2b0e7d197b51977f7272e9d605437654bcbe0ee8f069e261a2b82d26948577b65fb737060aeafe199908a730fc72a2508852059ede55aafb7e98ee0b3e707
-
SSDEEP
6144:zKpb8rGYrMPe3q7Q0XV5xtuEsi8/dglyY+TAQXTHGUMEyP5p6f5jQm7pnT:1bGUMVWlbZ
Malware Config
Extracted
Language
xlm4.0
Source
URLs
xlm40.dropper
http://app.clubdedocentes.com/storage/DCcq9ekgH99sI/
xlm40.dropper
http://linhkiendoc.com/app/payments/qoy5JqpLqrbsKl/
xlm40.dropper
http://sourcecool.com/throng/iOD/
xlm40.dropper
http://www.stickers-et-deco.com/Adapter/lYw/
Extracted
Family
emotet
Botnet
Epoch4
C2
45.235.8.30:8080
94.23.45.86:4143
119.59.103.152:8080
169.60.181.70:8080
164.68.99.3:8080
172.105.226.75:8080
107.170.39.149:8080
206.189.28.199:8080
1.234.2.232:8080
188.44.20.25:443
186.194.240.217:443
103.43.75.120:443
149.28.143.92:443
159.89.202.34:443
209.97.163.214:443
183.111.227.137:8080
129.232.188.93:443
139.59.126.41:443
110.232.117.186:8080
139.59.56.73:8080
103.75.201.2:443
91.207.28.33:8080
164.90.222.65:443
197.242.150.244:8080
212.24.98.99:8080
51.161.73.194:443
115.68.227.76:8080
159.65.88.10:8080
201.94.166.162:443
95.217.221.146:8080
173.212.193.249:8080
82.223.21.224:8080
103.132.242.26:8080
213.239.212.5:443
153.126.146.25:7080
45.176.232.124:443
182.162.143.56:443
169.57.156.166:8080
159.65.140.115:443
163.44.196.120:8080
172.104.251.154:8080
167.172.253.162:8080
91.187.140.35:8080
45.118.115.99:8080
147.139.166.154:8080
72.15.201.15:8080
149.56.131.28:8080
167.172.199.165:8080
101.50.0.91:8080
160.16.142.56:8080
185.4.135.165:8080
104.168.155.143:8080
79.137.35.198:8080
5.135.159.50:443
187.63.160.88:80
eck1.plain
ecs1.plain
Signatures
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1368 832 regsvr32.exe 26 Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 984 832 regsvr32.exe 26 Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1928 832 regsvr32.exe 26 Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1956 832 regsvr32.exe 26 -
Downloads MZ/PE file
-
Loads dropped DLL 4 IoCs
pid Process 1368 regsvr32.exe 1960 regsvr32.exe 1956 regsvr32.exe 1808 regsvr32.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 832 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1960 regsvr32.exe 1480 regsvr32.exe 1480 regsvr32.exe 1808 regsvr32.exe 316 regsvr32.exe 316 regsvr32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 832 EXCEL.EXE 832 EXCEL.EXE 832 EXCEL.EXE -
Suspicious use of WriteProcessMemory 52 IoCs
description pid Process procid_target PID 832 wrote to memory of 1368 832 EXCEL.EXE 29 PID 832 wrote to memory of 1368 832 EXCEL.EXE 29 PID 832 wrote to memory of 1368 832 EXCEL.EXE 29 PID 832 wrote to memory of 1368 832 EXCEL.EXE 29 PID 832 wrote to memory of 1368 832 EXCEL.EXE 29 PID 832 wrote to memory of 1368 832 EXCEL.EXE 29 PID 832 wrote to memory of 1368 832 EXCEL.EXE 29 PID 1368 wrote to memory of 1960 1368 regsvr32.exe 30 PID 1368 wrote to memory of 1960 1368 regsvr32.exe 30 PID 1368 wrote to memory of 1960 1368 regsvr32.exe 30 PID 1368 wrote to memory of 1960 1368 regsvr32.exe 30 PID 1368 wrote to memory of 1960 1368 regsvr32.exe 30 PID 1368 wrote to memory of 1960 1368 regsvr32.exe 30 PID 1368 wrote to memory of 1960 1368 regsvr32.exe 30 PID 1960 wrote to memory of 1480 1960 regsvr32.exe 31 PID 1960 wrote to memory of 1480 1960 regsvr32.exe 31 PID 1960 wrote to memory of 1480 1960 regsvr32.exe 31 PID 1960 wrote to memory of 1480 1960 regsvr32.exe 31 PID 1960 wrote to memory of 1480 1960 regsvr32.exe 31 PID 832 wrote to memory of 984 832 EXCEL.EXE 32 PID 832 wrote to memory of 984 832 EXCEL.EXE 32 PID 832 wrote to memory of 984 832 EXCEL.EXE 32 PID 832 wrote to memory of 984 832 EXCEL.EXE 32 PID 832 wrote to memory of 984 832 EXCEL.EXE 32 PID 832 wrote to memory of 984 832 EXCEL.EXE 32 PID 832 wrote to memory of 984 832 EXCEL.EXE 32 PID 832 wrote to memory of 1928 832 EXCEL.EXE 33 PID 832 wrote to memory of 1928 832 EXCEL.EXE 33 PID 832 wrote to memory of 1928 832 EXCEL.EXE 33 PID 832 wrote to memory of 1928 832 EXCEL.EXE 33 PID 832 wrote to memory of 1928 832 EXCEL.EXE 33 PID 832 wrote to memory of 1928 832 EXCEL.EXE 33 PID 832 wrote to memory of 1928 832 EXCEL.EXE 33 PID 832 wrote to memory of 1956 832 EXCEL.EXE 34 PID 832 wrote to memory of 1956 832 EXCEL.EXE 34 PID 832 wrote to memory of 1956 832 EXCEL.EXE 34 PID 832 wrote to memory of 1956 832 EXCEL.EXE 34 PID 832 wrote to memory of 1956 832 EXCEL.EXE 34 PID 832 wrote to memory of 1956 832 EXCEL.EXE 34 PID 832 wrote to memory of 1956 832 EXCEL.EXE 34 PID 1956 wrote to memory of 1808 1956 regsvr32.exe 35 PID 1956 wrote to memory of 1808 1956 regsvr32.exe 35 PID 1956 wrote to memory of 1808 1956 regsvr32.exe 35 PID 1956 wrote to memory of 1808 1956 regsvr32.exe 35 PID 1956 wrote to memory of 1808 1956 regsvr32.exe 35 PID 1956 wrote to memory of 1808 1956 regsvr32.exe 35 PID 1956 wrote to memory of 1808 1956 regsvr32.exe 35 PID 1808 wrote to memory of 316 1808 regsvr32.exe 36 PID 1808 wrote to memory of 316 1808 regsvr32.exe 36 PID 1808 wrote to memory of 316 1808 regsvr32.exe 36 PID 1808 wrote to memory of 316 1808 regsvr32.exe 36 PID 1808 wrote to memory of 316 1808 regsvr32.exe 36
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2022-11-04_0917.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\system32\regsvr32.exe/S ..\oxnv1.ooccxx3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\NYnnpxe\ZNEwaCAFX.dll"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1480
-
-
-
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx2⤵
- Process spawned unexpected child process
PID:984
-
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx2⤵
- Process spawned unexpected child process
PID:1928
-
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\system32\regsvr32.exe/S ..\oxnv4.ooccxx3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\XBcKtlTDzvHWnvd\eBKLbedivbBBk.dll"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:316
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
745KB
MD5b0f4b57e89f80f216c2c029989afc923
SHA131b27da6820f5226d6b7044a01bfc5ad21da0ad4
SHA25674ebfdbdd4d9c3626a93181efd2625ed272e17c997ea23976cc58600683f370e
SHA51288e53a7b865a231f70cbec42fc3210d4db1cab06d2e55c7e5faf1ef6f1e5d8bfcad55e9592f46213fe383a413583b41afab8cd96c33fad7cbb742d2f56e3968f
-
Filesize
745KB
MD599dee3bfaa766ee393d100863b358d13
SHA1bc84d7f06c5dece49bb0a84ce6b3dec243947b52
SHA2568ee31ebdf4146e1858e69e54e66de2d4c62901ea60078fe3a09a95cd4b7937a5
SHA512ddd3f18a5e5f16115975bb5928b28d22c125374169a37c75a7e104dd40baca671f60e20b66b2f6d710df9175401c425ead57ff4a1689ba3bbf97fc5d3ab5c345
-
Filesize
745KB
MD5b0f4b57e89f80f216c2c029989afc923
SHA131b27da6820f5226d6b7044a01bfc5ad21da0ad4
SHA25674ebfdbdd4d9c3626a93181efd2625ed272e17c997ea23976cc58600683f370e
SHA51288e53a7b865a231f70cbec42fc3210d4db1cab06d2e55c7e5faf1ef6f1e5d8bfcad55e9592f46213fe383a413583b41afab8cd96c33fad7cbb742d2f56e3968f
-
Filesize
745KB
MD5b0f4b57e89f80f216c2c029989afc923
SHA131b27da6820f5226d6b7044a01bfc5ad21da0ad4
SHA25674ebfdbdd4d9c3626a93181efd2625ed272e17c997ea23976cc58600683f370e
SHA51288e53a7b865a231f70cbec42fc3210d4db1cab06d2e55c7e5faf1ef6f1e5d8bfcad55e9592f46213fe383a413583b41afab8cd96c33fad7cbb742d2f56e3968f
-
Filesize
745KB
MD599dee3bfaa766ee393d100863b358d13
SHA1bc84d7f06c5dece49bb0a84ce6b3dec243947b52
SHA2568ee31ebdf4146e1858e69e54e66de2d4c62901ea60078fe3a09a95cd4b7937a5
SHA512ddd3f18a5e5f16115975bb5928b28d22c125374169a37c75a7e104dd40baca671f60e20b66b2f6d710df9175401c425ead57ff4a1689ba3bbf97fc5d3ab5c345
-
Filesize
745KB
MD599dee3bfaa766ee393d100863b358d13
SHA1bc84d7f06c5dece49bb0a84ce6b3dec243947b52
SHA2568ee31ebdf4146e1858e69e54e66de2d4c62901ea60078fe3a09a95cd4b7937a5
SHA512ddd3f18a5e5f16115975bb5928b28d22c125374169a37c75a7e104dd40baca671f60e20b66b2f6d710df9175401c425ead57ff4a1689ba3bbf97fc5d3ab5c345