emotet | 7e8bc31fde2acc45f23d277c2e9ea931aec4bb3048571ee1244856b3b8607f48

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/11/2022, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9013953782860312849.xls
Size

217KB
MD5

e8a4b008fd8e7e6806fb00d295c513a1
SHA1

4462a0f303d66d5d98e8c461023c129d82672c27
SHA256

7e8bc31fde2acc45f23d277c2e9ea931aec4bb3048571ee1244856b3b8607f48
SHA512

6c5be307096e174108f941bcc984c8bef9ea08275123f5bb7842aafbc0abb75bf1aa6ae26369cbb45a8f886baea1c4e9f50036479d15a2c3c27a572f055e7cab
SSDEEP

6144:zKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgLyY+TAQXTHGUMEyP5p6f5jQmS:nbGUMVWlbS

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://sourceintership.com/vendor/rZnJL9pPUjA9pU/

xlm40.dropper

http://www.thebeginningstore.in/0202498070/m2x8inU7TSiuO3px/

xlm40.dropper

http://www.angloextrema.com.br/assets/mQVRrHu7o0eJXxTFu/

xlm40.dropper

http://alvaovillagecamping.pt/wp-content/Ra9iwOPb6uLf/

Extracted

Family

emotet

Botnet

Epoch4

45.235.8.30:8080

94.23.45.86:4143

119.59.103.152:8080

169.60.181.70:8080

164.68.99.3:8080

172.105.226.75:8080

107.170.39.149:8080

206.189.28.199:8080

1.234.2.232:8080

188.44.20.25:443

186.194.240.217:443

103.43.75.120:443

149.28.143.92:443

159.89.202.34:443

209.97.163.214:443

183.111.227.137:8080

129.232.188.93:443

139.59.126.41:443

110.232.117.186:8080

139.59.56.73:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1232	1468	regsvr32.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	276	1468	regsvr32.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1032	1468	regsvr32.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1744	1468	regsvr32.exe	27

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
1032	regsvr32.exe
904	regsvr32.exe
1744	regsvr32.exe
1408	regsvr32.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1468	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
904	regsvr32.exe
1324	regsvr32.exe
1324	regsvr32.exe
1408	regsvr32.exe
1112	regsvr32.exe
1112	regsvr32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1468	EXCEL.EXE
1468	EXCEL.EXE
1468	EXCEL.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1232	1468	EXCEL.EXE	30
PID 1468 wrote to memory of 1232	1468	EXCEL.EXE	30
PID 1468 wrote to memory of 1232	1468	EXCEL.EXE	30
PID 1468 wrote to memory of 1232	1468	EXCEL.EXE	30
PID 1468 wrote to memory of 1232	1468	EXCEL.EXE	30
PID 1468 wrote to memory of 1232	1468	EXCEL.EXE	30
PID 1468 wrote to memory of 1232	1468	EXCEL.EXE	30
PID 1468 wrote to memory of 276	1468	EXCEL.EXE	31
PID 1468 wrote to memory of 276	1468	EXCEL.EXE	31
PID 1468 wrote to memory of 276	1468	EXCEL.EXE	31
PID 1468 wrote to memory of 276	1468	EXCEL.EXE	31
PID 1468 wrote to memory of 276	1468	EXCEL.EXE	31
PID 1468 wrote to memory of 276	1468	EXCEL.EXE	31
PID 1468 wrote to memory of 276	1468	EXCEL.EXE	31
PID 1468 wrote to memory of 1032	1468	EXCEL.EXE	32
PID 1468 wrote to memory of 1032	1468	EXCEL.EXE	32
PID 1468 wrote to memory of 1032	1468	EXCEL.EXE	32
PID 1468 wrote to memory of 1032	1468	EXCEL.EXE	32
PID 1468 wrote to memory of 1032	1468	EXCEL.EXE	32
PID 1468 wrote to memory of 1032	1468	EXCEL.EXE	32
PID 1468 wrote to memory of 1032	1468	EXCEL.EXE	32
PID 1032 wrote to memory of 904	1032	regsvr32.exe	33
PID 1032 wrote to memory of 904	1032	regsvr32.exe	33
PID 1032 wrote to memory of 904	1032	regsvr32.exe	33
PID 1032 wrote to memory of 904	1032	regsvr32.exe	33
PID 1032 wrote to memory of 904	1032	regsvr32.exe	33
PID 1032 wrote to memory of 904	1032	regsvr32.exe	33
PID 1032 wrote to memory of 904	1032	regsvr32.exe	33
PID 904 wrote to memory of 1324	904	regsvr32.exe	34
PID 904 wrote to memory of 1324	904	regsvr32.exe	34
PID 904 wrote to memory of 1324	904	regsvr32.exe	34
PID 904 wrote to memory of 1324	904	regsvr32.exe	34
PID 904 wrote to memory of 1324	904	regsvr32.exe	34
PID 1468 wrote to memory of 1744	1468	EXCEL.EXE	35
PID 1468 wrote to memory of 1744	1468	EXCEL.EXE	35
PID 1468 wrote to memory of 1744	1468	EXCEL.EXE	35
PID 1468 wrote to memory of 1744	1468	EXCEL.EXE	35
PID 1468 wrote to memory of 1744	1468	EXCEL.EXE	35
PID 1468 wrote to memory of 1744	1468	EXCEL.EXE	35
PID 1468 wrote to memory of 1744	1468	EXCEL.EXE	35
PID 1744 wrote to memory of 1408	1744	regsvr32.exe	36
PID 1744 wrote to memory of 1408	1744	regsvr32.exe	36
PID 1744 wrote to memory of 1408	1744	regsvr32.exe	36
PID 1744 wrote to memory of 1408	1744	regsvr32.exe	36
PID 1744 wrote to memory of 1408	1744	regsvr32.exe	36
PID 1744 wrote to memory of 1408	1744	regsvr32.exe	36
PID 1744 wrote to memory of 1408	1744	regsvr32.exe	36
PID 1408 wrote to memory of 1112	1408	regsvr32.exe	37
PID 1408 wrote to memory of 1112	1408	regsvr32.exe	37
PID 1408 wrote to memory of 1112	1408	regsvr32.exe	37
PID 1408 wrote to memory of 1112	1408	regsvr32.exe	37
PID 1408 wrote to memory of 1112	1408	regsvr32.exe	37

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\9013953782860312849.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:1232
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:276
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\system32\regsvr32.exe
    /S ..\oxnv3.ooccxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HjAGbJNmrRFn\mvsTL.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1324
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\system32\regsvr32.exe
    /S ..\oxnv4.ooccxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JkSDiJOF\RKwIJ.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv3.ooccxx

Filesize
745KB

MD5
fae0c1336f7121757fde241c178f8505

SHA1
22dd176b7a9cf5e66b820c1c5010da033bfa6af0

SHA256
7a88452c9bfb6a44802fd5905213d6d77721f0c383c21c1b17e279bd3bf3d227

SHA512
f8518f569dd878d2ccf3cf392cbc31f392305d279253d0870f3d90a549f34a3049f60c7628766da9a1224806595ab424ff32f3c8a5390f08b0cf2c2fdf046126

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
745KB

MD5
9001e599479e6ceebf2ac63b003bcdad

SHA1
f360413513de1b9890b2a70b2753d1140037799d

SHA256
4c246752b4b5426791798408244f5da1829e88a9708377a654e75dc9f5a0c688

SHA512
f143e04afee4204a9cd7af99187b71e0ea0c667d41ed86bf52acd1c30593540e6d4969ba9d022bf3cc88e6a0dd88a7d8916622667f5de5cfb9d827fdac7409e3

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
745KB

MD5
fae0c1336f7121757fde241c178f8505

SHA1
22dd176b7a9cf5e66b820c1c5010da033bfa6af0

SHA256
7a88452c9bfb6a44802fd5905213d6d77721f0c383c21c1b17e279bd3bf3d227

SHA512
f8518f569dd878d2ccf3cf392cbc31f392305d279253d0870f3d90a549f34a3049f60c7628766da9a1224806595ab424ff32f3c8a5390f08b0cf2c2fdf046126

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
745KB

MD5
fae0c1336f7121757fde241c178f8505

SHA1
22dd176b7a9cf5e66b820c1c5010da033bfa6af0

SHA256
7a88452c9bfb6a44802fd5905213d6d77721f0c383c21c1b17e279bd3bf3d227

SHA512
f8518f569dd878d2ccf3cf392cbc31f392305d279253d0870f3d90a549f34a3049f60c7628766da9a1224806595ab424ff32f3c8a5390f08b0cf2c2fdf046126

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
745KB

MD5
9001e599479e6ceebf2ac63b003bcdad

SHA1
f360413513de1b9890b2a70b2753d1140037799d

SHA256
4c246752b4b5426791798408244f5da1829e88a9708377a654e75dc9f5a0c688

SHA512
f143e04afee4204a9cd7af99187b71e0ea0c667d41ed86bf52acd1c30593540e6d4969ba9d022bf3cc88e6a0dd88a7d8916622667f5de5cfb9d827fdac7409e3

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
745KB

MD5
9001e599479e6ceebf2ac63b003bcdad

SHA1
f360413513de1b9890b2a70b2753d1140037799d

SHA256
4c246752b4b5426791798408244f5da1829e88a9708377a654e75dc9f5a0c688

SHA512
f143e04afee4204a9cd7af99187b71e0ea0c667d41ed86bf52acd1c30593540e6d4969ba9d022bf3cc88e6a0dd88a7d8916622667f5de5cfb9d827fdac7409e3

Download Submit
memory/904-71-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/904-69-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

Filesize
8KB

Download
memory/1468-59-0x000000007248D000-0x0000000072498000-memory.dmp

Filesize
44KB

Download
memory/1468-54-0x000000002F671000-0x000000002F674000-memory.dmp

Filesize
12KB

Download
memory/1468-58-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1468-57-0x000000007248D000-0x0000000072498000-memory.dmp

Filesize
44KB

Download
memory/1468-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1468-55-0x00000000714A1000-0x00000000714A3000-memory.dmp

Filesize
8KB

Download