Malware Analysis Report

2025-08-11 01:43

Sample ID 221109-1h99raeagk
Target 14408.xls
SHA256 ead31830ffa2f7421dfbb81a6dffa1388021494679b943cb824806863a6be300
Tags
macro xlm emotet epoch5 banker trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ead31830ffa2f7421dfbb81a6dffa1388021494679b943cb824806863a6be300

Threat Level: Known bad

The file 14408.xls was found to be: Known bad.

Malicious Activity Summary

macro xlm emotet epoch5 banker trojan persistence

Emotet

Process spawned unexpected child process

Downloads MZ/PE file

Suspicious Office macro

Loads dropped DLL

Adds Run key to start application

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies registry class

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-09 21:40

Signatures

Suspicious Office macro

macro xlm
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-09 21:40

Reported

2022-11-09 21:43

Platform

win7-20220812-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\14408.xls

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process (4 identical events) | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Downloads MZ/PE file

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1520 wrote to memory of 1412 (7 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 1412 wrote to memory of 980 (7 events) | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 980 wrote to memory of 1904 (5 events) | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1520 wrote to memory of 1760 (7 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 1760 wrote to memory of 696 (7 events) | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 696 wrote to memory of 1420 (5 events) | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1520 wrote to memory of 664 (7 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 664 wrote to memory of 1016 (7 events) | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1016 wrote to memory of 1596 (5 events) | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1520 wrote to memory of 1032 (7 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\14408.xls

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WOBMEbJgzOC\PqSuMjChYkT.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VZVbt\wHYcUthEUojOL.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv3.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PEriYH\VPHruIMy.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv4.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LVRxsdeA\dipbcVOzMtjE.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | fixoutlet.com | udp
NL | 141.138.168.119:80 | fixoutlet.com | tcp
US | 8.8.8.8:53 | www.cesasin.com.ar | udp
AR | 179.43.117.122:80 | www.cesasin.com.ar | tcp
US | 8.8.8.8:53 | blacktequila.com.br | udp
US | 192.169.82.54:80 | blacktequila.com.br | tcp
US | 8.8.8.8:53 | case.co.il | udp
IL | 185.18.204.26:80 | case.co.il | tcp
KR | 218.38.121.17:443 | - | tcp
KR | 218.38.121.17:443 | - | tcp
BR | 186.250.48.5:443 | - | tcp
BR | 186.250.48.5:443 | - | tcp
IT | 80.211.107.116:8080 | - | tcp
IT | 80.211.107.116:8080 | - | tcp
US | 174.138.33.49:7080 | - | tcp
US | 174.138.33.49:7080 | - | tcp
KR | 218.38.121.17:443 | - | tcp
KR | 218.38.121.17:443 | - | tcp
SG | 165.22.254.236:8080 | - | tcp
KR | 218.38.121.17:443 | - | tcp
BR | 186.250.48.5:443 | - | tcp
BR | 186.250.48.5:443 | - | tcp
KR | 218.38.121.17:443 | - | tcp
DE | 185.148.169.10:8080 | - | tcp
IT | 80.211.107.116:8080 | - | tcp
IT | 80.211.107.116:8080 | - | tcp
KR | 218.38.121.17:443 | - | tcp
BR | 186.250.48.5:443 | - | tcp
BR | 186.250.48.5:443 | - | tcp
DE | 62.171.178.147:8080 | - | tcp
US | 174.138.33.49:7080 | - | tcp
KR | 218.38.121.17:443 | - | tcp
US | 174.138.33.49:7080 | - | tcp
IT | 80.211.107.116:8080 | - | tcp
IT | 80.211.107.116:8080 | - | tcp
SG | 165.22.254.236:8080 | - | tcp
SG | 128.199.217.206:443 | - | tcp

Files

memory/1520-54-0x000000002F401000-0x000000002F404000-memory.dmp

memory/1520-55-0x0000000070FF1000-0x0000000070FF3000-memory.dmp

memory/1520-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1520-57-0x0000000071FDD000-0x0000000071FE8000-memory.dmp

memory/1520-58-0x0000000074D61000-0x0000000074D63000-memory.dmp

memory/1520-59-0x0000000071FDD000-0x0000000071FE8000-memory.dmp

memory/1412-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv1.ooocccxxx

MD5 48211759702ce1b609427c6618bf7c54
SHA1 8999fd1f7785d122b5eb733737487f6f71d4c430
SHA256 7547b3f63f9b58ac13809a213556d8cf2af6099b036376646a1f21ecbca69eb4
SHA512 a27ab36f272ef20846344a97641f965ba4d39b84b7405c89b53787fbf69741d5972d772c5c2a41efe535c8f671e02257d40e2164d5345fee3e53109562dd9a70

C:\Users\Admin\elv2.ooocccxxx

MD5 15e3cde75461e37aba5b3982fb9cf6e5
SHA1 d54fdfcbdcb6ac4e1552b42acc19e680825329c5
SHA256 51c515f1d30cc4345521f2f113fafce5ddca143d20d58d6768a53dacf781900a
SHA512 abc883fa0190ba4fa9b6bcd3b707af3c36324179ce74c0c4218456df03d133cef85cdee80d3405bf73b5da3c60dd7ac0198431fbaede6f92da0feaaf376daeca

C:\Users\Admin\elv3.ooocccxxx

MD5 3479033a5ec6626ec2c2d24a9d19f796
SHA1 827ae23c2a0e8f287fd8ca301218481cfef3c2e6
SHA256 8badf47caa4eefafae7b15d7e2d17bbdd0d2bb55addd10bafefd20f251f75d24
SHA512 b361f6b96241f42fc39836bc65b8dc693603d4136226baf22a9d307fd6ce14133ff10a8c1529e8b2a98ed71104e1a18294fb90ca9b7fc2ec3e3e5e68ad4cd618

C:\Users\Admin\elv4.ooocccxxx

MD5 0f2b02086295811395a96a99556cc9da
SHA1 79c1034e8204ec0945463620949f56280dd6f931
SHA256 5f8453b2a1536f903f83357852e84b01e37498d8ae993d118716dae9aec9fcb0
SHA512 820b614a9108bfd1cd90c04aa458b5ca010686358f0b1ddf36f663642a930acb0b6050689a5b43ca85df63fbd354a736fbda9ca5d830c397b1a162bcd0f696d2

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-09 21:40

Reported

2022-11-09 21:44

Platform

win10v2004-20220812-en

Max time kernel

185s

Max time network

189s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\14408.xls"

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BfczZNgcKnc.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\WdJVXfoXw\\BfczZNgcKnc.dll\"" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zzRcPmkqglw.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\CddVKWpQJwvxdZ\\zzRcPmkqglw.dll\"" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzhHgfgn.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\SRkVc\\pzhHgfgn.dll\"" C:\Windows\system32\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 960 wrote to memory of 3204 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 960 wrote to memory of 4456 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4456 wrote to memory of 4200 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 960 wrote to memory of 1044 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 1044 wrote to memory of 4424 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 960 wrote to memory of 2332 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 2332 wrote to memory of 2344 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\14408.xls"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WdJVXfoXw\BfczZNgcKnc.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CddVKWpQJwvxdZ\zzRcPmkqglw.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SRkVc\pzhHgfgn.dll"

Network

Files

C:\Users\Admin\elv2.ooocccxxx

MD5 15e3cde75461e37aba5b3982fb9cf6e5
SHA1 d54fdfcbdcb6ac4e1552b42acc19e680825329c5
SHA256 51c515f1d30cc4345521f2f113fafce5ddca143d20d58d6768a53dacf781900a
SHA512 abc883fa0190ba4fa9b6bcd3b707af3c36324179ce74c0c4218456df03d133cef85cdee80d3405bf73b5da3c60dd7ac0198431fbaede6f92da0feaaf376daeca

C:\Windows\System32\WdJVXfoXw\BfczZNgcKnc.dll

MD5 15e3cde75461e37aba5b3982fb9cf6e5
SHA1 d54fdfcbdcb6ac4e1552b42acc19e680825329c5
SHA256 51c515f1d30cc4345521f2f113fafce5ddca143d20d58d6768a53dacf781900a
SHA512 abc883fa0190ba4fa9b6bcd3b707af3c36324179ce74c0c4218456df03d133cef85cdee80d3405bf73b5da3c60dd7ac0198431fbaede6f92da0feaaf376daeca

C:\Users\Admin\elv3.ooocccxxx

MD5 3479033a5ec6626ec2c2d24a9d19f796
SHA1 827ae23c2a0e8f287fd8ca301218481cfef3c2e6
SHA256 8badf47caa4eefafae7b15d7e2d17bbdd0d2bb55addd10bafefd20f251f75d24
SHA512 b361f6b96241f42fc39836bc65b8dc693603d4136226baf22a9d307fd6ce14133ff10a8c1529e8b2a98ed71104e1a18294fb90ca9b7fc2ec3e3e5e68ad4cd618

C:\Windows\System32\CddVKWpQJwvxdZ\zzRcPmkqglw.dll

MD5 3479033a5ec6626ec2c2d24a9d19f796
SHA1 827ae23c2a0e8f287fd8ca301218481cfef3c2e6
SHA256 8badf47caa4eefafae7b15d7e2d17bbdd0d2bb55addd10bafefd20f251f75d24
SHA512 b361f6b96241f42fc39836bc65b8dc693603d4136226baf22a9d307fd6ce14133ff10a8c1529e8b2a98ed71104e1a18294fb90ca9b7fc2ec3e3e5e68ad4cd618

C:\Users\Admin\elv4.ooocccxxx

MD5 0f2b02086295811395a96a99556cc9da
SHA1 79c1034e8204ec0945463620949f56280dd6f931
SHA256 5f8453b2a1536f903f83357852e84b01e37498d8ae993d118716dae9aec9fcb0
SHA512 820b614a9108bfd1cd90c04aa458b5ca010686358f0b1ddf36f663642a930acb0b6050689a5b43ca85df63fbd354a736fbda9ca5d830c397b1a162bcd0f696d2

C:\Windows\System32\SRkVc\pzhHgfgn.dll

MD5 0f2b02086295811395a96a99556cc9da
SHA1 79c1034e8204ec0945463620949f56280dd6f931
SHA256 5f8453b2a1536f903f83357852e84b01e37498d8ae993d118716dae9aec9fcb0
SHA512 820b614a9108bfd1cd90c04aa458b5ca010686358f0b1ddf36f663642a930acb0b6050689a5b43ca85df63fbd354a736fbda9ca5d830c397b1a162bcd0f696d2