Analysis
max time kernel: 150s
max time network: 170s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 09/11/2022, 22:13
Behavioral task behavioral1: Sample 0556_877.xls, Resource win7-20220812-en
Behavioral task behavioral2: Sample 0556_877.xls, Resource win10v2004-20220812-en
General
Target: 0556_877.xls
Size: 91KB
MD5: 0e720e872be438cce00c8eded2533ab7
SHA1: 742a5817a0c84210f86a170d7a44331bb70f4e53
SHA256: 73943b556c0df7640625e6f06669351ffbf7743f840c84fc743caf70702c21cb
SHA512: e5ec29e6cc5483a9702ed821dd59285d996dd489fb3d9df1447a9202bf8bc5f5fb0410407a5885e23c512b735e4bb8875407fa73016180229a424c0e8ca57a38
SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgIbCXuZH4gb4CEn9J4ZJFQvj:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg5
Malware Config

Extracted (URLs):
http://fixoutlet.com/logs/OGlRuU/
http://www.cesasin.com.ar/administrator/viA95RR/
http://blacktequila.com.br/2fb62HWWoKi5nfEq2D/XB5VOAXZkhVhSKveYUV/
http://case.co.il/_js/dooigYa/

Extracted: emotet (Epoch5), 46 C2 endpoints (address:port)
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 684 | 1376 | regsvr32.exe | 27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 800 | 1376 | regsvr32.exe | 27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 896 | 1376 | regsvr32.exe | 27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1564 | 1376 | regsvr32.exe | 27

Downloads MZ/PE file
Loads dropped DLL (8 IoCs)
pid | Process
684 | regsvr32.exe
1548 | regsvr32.exe
800 | regsvr32.exe
1180 | regsvr32.exe
896 | regsvr32.exe
1276 | regsvr32.exe
1564 | regsvr32.exe
1300 | regsvr32.exe
Enumerates system info in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
1376 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
1548 | regsvr32.exe
1748 | regsvr32.exe
1748 | regsvr32.exe
1180 | regsvr32.exe
1636 | regsvr32.exe
1636 | regsvr32.exe
1276 | regsvr32.exe
1736 | regsvr32.exe
1300 | regsvr32.exe
1736 | regsvr32.exe
1588 | regsvr32.exe
1588 | regsvr32.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
1376 | EXCEL.EXE
1376 | EXCEL.EXE
1376 | EXCEL.EXE

Suspicious use of WriteProcessMemory (64 IoCs; identical rows grouped, with the number of occurrences in the last column)
description | pid | Process | procid_target | occurrences
PID 1376 wrote to memory of 684 | 1376 | EXCEL.EXE | 30 | 7
PID 684 wrote to memory of 1548 | 684 | regsvr32.exe | 31 | 7
PID 1548 wrote to memory of 1748 | 1548 | regsvr32.exe | 32 | 5
PID 1376 wrote to memory of 800 | 1376 | EXCEL.EXE | 33 | 7
PID 800 wrote to memory of 1180 | 800 | regsvr32.exe | 34 | 7
PID 1180 wrote to memory of 1636 | 1180 | regsvr32.exe | 35 | 5
PID 1376 wrote to memory of 896 | 1376 | EXCEL.EXE | 36 | 7
PID 896 wrote to memory of 1276 | 896 | regsvr32.exe | 37 | 7
PID 1276 wrote to memory of 1736 | 1276 | regsvr32.exe | 38 | 5
PID 1376 wrote to memory of 1564 | 1376 | EXCEL.EXE | 39 | 7
Processes

EXCEL.EXE (PID 1376)
  Image: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\0556_877.xls
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  regsvr32.exe (PID 684, parent 1376)
    Image: C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    regsvr32.exe (PID 1548, parent 684)
      Image: C:\Windows\system32\regsvr32.exe
      Command line: /S ..\elv1.ooocccxxx
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      regsvr32.exe (PID 1748, parent 1548)
        Image: C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LjAkGGvMW\NwRDURqoIc.dll"
        - Suspicious behavior: EnumeratesProcesses

  regsvr32.exe (PID 800, parent 1376)
    Image: C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    regsvr32.exe (PID 1180, parent 800)
      Image: C:\Windows\system32\regsvr32.exe
      Command line: /S ..\elv2.ooocccxxx
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      regsvr32.exe (PID 1636, parent 1180)
        Image: C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RxBwcnbmRQoxIoyTP\IBMgQlQbQPmvlG.dll"
        - Suspicious behavior: EnumeratesProcesses

  regsvr32.exe (PID 896, parent 1376)
    Image: C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    regsvr32.exe (PID 1276, parent 896)
      Image: C:\Windows\system32\regsvr32.exe
      Command line: /S ..\elv3.ooocccxxx
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      regsvr32.exe (PID 1736, parent 1276)
        Image: C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IeqEJGvcPemhFmi\JPdqJfPGZWaThrN.dll"
        - Suspicious behavior: EnumeratesProcesses

  regsvr32.exe (PID 1564, parent 1376)
    Image: C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL

    regsvr32.exe (PID 1300, parent 1564)
      Image: C:\Windows\system32\regsvr32.exe
      Command line: /S ..\elv4.ooocccxxx
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

      regsvr32.exe (PID 1588, parent 1300)
        Image: C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CEMOJXBGLbraIovT\sIqoYiKjQrUcf.dll"
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads (4 distinct files)

Filesize: 591KB
MD5: 4a5ab9863715d0778c91040cb2a9c3a8
SHA1: 30dfa658ab6895c002c102c2b3009321beb37c5a
SHA256: c6cd574ddef31474f34b8a2d921d3c5ebe1b59cd69b16b573e9430cbd613599b
SHA512: 5e422a91ba8dd43b37f36ac888a54617353c0eef89ba0dbc53e27ba8eefde435b21f2c6a6dcd552e92b3d8c2204f8991fa719d313eaa882575e891c32c5314c1

Filesize: 591KB
MD5: 9bc23165d29537bd71402d3d62e58917
SHA1: 09144b3178d0a4d06163b592d2a4833a8e81944e
SHA256: 1f655e334471ef833f1b6507e2fe921b450877751d46636084818800bc884f79
SHA512: a55b644644e5e31e55357a55266ba72431721a76a4e6e5bc86b93d3fe90b62a14cdab7b27b04b945cab1bc0de87ae2a92a403e74833a2ea26332d5edc29c5123

Filesize: 591KB
MD5: ed1c9fe85da680fe5beda7c6fde1028c
SHA1: e602359ea60a74007ff51689c7768e76c566da8f
SHA256: c7297324ae8e0a55e1822ab8a71e5fb149afaf1c0ba950c303096ba5c14a7104
SHA512: f96e0ffbd3d9c96589653944497ab464642fd74b02f70502d2fcf79cc5f00a2b41e939395ef644372663d17b4a215eb828e79569af7b3959d3bc524452639de6

Filesize: 591KB
MD5: 7b9c0fd9bce02dced8d5d8834d8cf56a
SHA1: 22e4690dcfca530e96b8f9286023d711fece52e4
SHA256: 48145affe2d4ce3243e6d157c7af448c04b98a4042b1a91fd04e0363d4f706b2
SHA512: 635bc6a4df0dc14ad4b3abedcfc0bb8ae17ce8ff270a6fb7a3d1cb9477920fdb4fc3d3ff3ebdcb9f0e9c60d6ae1a79e43728f08d7ea7fd6ab7466967321167bb