Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2022, 18:44
Behavioral task behavioral1: sample 96837761.xls, resource win7-20220812-en
Behavioral task behavioral2: sample 96837761.xls, resource win10v2004-20220901-en
General
Target: 96837761.xls
Size: 91KB
MD5: cc505355a0a7f9f6732e8913f09cdda3
SHA1: ec68034f3f9e1b46dc8758ff33eb269ba6b7371e
SHA256: f13e833091f1cad44f055e15956642e0939329cb910bd1c3b7a15f0059052a8b
SHA512: 8ddd843d1b4b0d601a4c5a84954c183e8f450c1196a481bda949a01cdc24ec3b7f2e8fc8a442503d45eb1fdf7069dd23ffa6689739afef88bb2a3b43f6a05f29
SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg2bCXuZH4gb4CEn9J4Zmcvp:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgu
Malware Config
Extracted (download URLs):
- http://bundlefilm.com/headers/lkfBH3Czw9CjEW07P2/
- http://camsanparke.net/wp-content/h2Ja5bwB03hnyfCb/
- http://royreid.co.uk/wp-content/dCwG/
- https://cs.com.sg/admin/a1lR5wu/
Extracted: emotet (Epoch5) C2 list
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process: pid 1784, pid_target 2020, process regsvr32.exe, procid_target 25
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process: pid 1524, pid_target 2020, process regsvr32.exe, procid_target 25
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process: pid 1504, pid_target 2020, process regsvr32.exe, procid_target 25
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process: pid 1700, pid_target 2020, process regsvr32.exe, procid_target 25
Downloads MZ/PE file
Loads dropped DLL (8 IoCs)
- pid 1784 regsvr32.exe
- pid 2040 regsvr32.exe
- pid 1524 regsvr32.exe
- pid 1540 regsvr32.exe
- pid 1504 regsvr32.exe
- pid 688 regsvr32.exe
- pid 1700 regsvr32.exe
- pid 1376 regsvr32.exe
Enumerates system info in registry (2 TTPs, 1 IoC)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
Modifies Internet Explorer settings
Modifies registry class (64 IoCs)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- pid 2020 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (12 IoCs)
- pid 2040 regsvr32.exe
- pid 1604 regsvr32.exe
- pid 1604 regsvr32.exe
- pid 1540 regsvr32.exe
- pid 1088 regsvr32.exe
- pid 688 regsvr32.exe
- pid 1088 regsvr32.exe
- pid 1292 regsvr32.exe
- pid 1292 regsvr32.exe
- pid 1376 regsvr32.exe
- pid 1184 regsvr32.exe
- pid 1184 regsvr32.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
- pid 2020 EXCEL.EXE
- pid 2020 EXCEL.EXE
- pid 2020 EXCEL.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\96837761.xls
  PID: 2020
  Signatures: Enumerates system info in registry; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
    PID: 1784
    Signatures: Process spawned unexpected child process; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe
      Command line: /S ..\elv1.ooocccxxx
      PID: 2040
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NNHnDinrQfI\KuCPYbBDD.dll"
        PID: 1604
        Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
    PID: 1524
    Signatures: Process spawned unexpected child process; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe
      Command line: /S ..\elv2.ooocccxxx
      PID: 1540
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AztiFyzu\PDryrKOn.dll"
        PID: 1088
        Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
    PID: 1504
    Signatures: Process spawned unexpected child process; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe
      Command line: /S ..\elv3.ooocccxxx
      PID: 688
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BlmKMVjxVxZHkMnl\sWAKcMzfcrdUWve.dll"
        PID: 1292
        Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
    PID: 1700
    Signatures: Process spawned unexpected child process; Loads dropped DLL
    - C:\Windows\system32\regsvr32.exe
      Command line: /S ..\elv4.ooocccxxx
      PID: 1376
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OHRPtGKITFyCMfF\iiCVVSYxwd.dll"
        PID: 1184
        Signatures: Suspicious behavior: EnumeratesProcesses
Downloads