Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 09/11/2022, 18:45
Behavioral task: behavioral1
- Sample: 048.xls
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 048.xls
- Resource: win10v2004-20220812-en
General
- Target: 048.xls
- Size: 91KB
- MD5: fe418d9d5049c12fd84186ed0c9c1018
- SHA1: 01f7e1b7220b1f7f46161ed28a24edb56a716b6b
- SHA256: 3b14c255306c87478f2f32d7d943cabfaa6ee1488d71bc324c14cc006a53e0d9
- SHA512: 0d2a3b7dc8d23bec6a15c4f4178a880c3d3a8689aceaa42f1e4f9fd20abfe5ce917f6ee09fa17ec858e1615ffd67e388c7c62ecea3cbde4f73ad6dbd530401a3
- SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg2bCXuZH4gb4CEn9J4ZKcvp:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgC
Malware Config
Extracted
- http://bundlefilm.com/headers/lkfBH3Czw9CjEW07P2/
- http://camsanparke.net/wp-content/h2Ja5bwB03hnyfCb/
- http://royreid.co.uk/wp-content/dCwG/
- https://cs.com.sg/admin/a1lR5wu/
Extracted
- emotet
- Epoch5
Signatures
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
(description, pid, pid_target, Process, procid_target)
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process, 1092, 1884, regsvr32.exe, 27
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process, 1772, 1884, regsvr32.exe, 27
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process, 1124, 1884, regsvr32.exe, 27
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process, 908, 1884, regsvr32.exe, 27
Downloads MZ/PE file
Loads dropped DLL 8 IoCs
(pid, Process)
- 1092 regsvr32.exe
- 280 regsvr32.exe
- 1772 regsvr32.exe
- 832 regsvr32.exe
- 1124 regsvr32.exe
- 1696 regsvr32.exe
- 908 regsvr32.exe
- 1036 regsvr32.exe
Enumerates system info in registry 2 TTPs 1 IoCs
(description, ioc, Process)
- Key opened, \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor, EXCEL.EXE
Modifies Internet Explorer settings
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
(pid, Process)
- 1884 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 12 IoCs
(pid, Process)
- 280 regsvr32.exe
- 1152 regsvr32.exe
- 1152 regsvr32.exe
- 832 regsvr32.exe
- 1592 regsvr32.exe
- 1696 regsvr32.exe
- 1592 regsvr32.exe
- 1900 regsvr32.exe
- 1900 regsvr32.exe
- 1036 regsvr32.exe
- 1512 regsvr32.exe
- 1512 regsvr32.exe
Suspicious use of SetWindowsHookEx 3 IoCs
(pid, Process)
- 1884 EXCEL.EXE
- 1884 EXCEL.EXE
- 1884 EXCEL.EXE
Suspicious use of WriteProcessMemory 64 IoCs
(description, pid, Process, procid_target; identical rows listed once with their count)
- PID 1884 wrote to memory of 1092, 1884, EXCEL.EXE, 30 (7 entries)
- PID 1092 wrote to memory of 280, 1092, regsvr32.exe, 31 (7 entries)
- PID 280 wrote to memory of 1152, 280, regsvr32.exe, 32 (5 entries)
- PID 1884 wrote to memory of 1772, 1884, EXCEL.EXE, 33 (7 entries)
- PID 1772 wrote to memory of 832, 1772, regsvr32.exe, 34 (7 entries)
- PID 832 wrote to memory of 1592, 832, regsvr32.exe, 35 (5 entries)
- PID 1884 wrote to memory of 1124, 1884, EXCEL.EXE, 36 (7 entries)
- PID 1124 wrote to memory of 1696, 1124, regsvr32.exe, 37 (7 entries)
- PID 1696 wrote to memory of 1900, 1696, regsvr32.exe, 38 (5 entries)
- PID 1884 wrote to memory of 908, 1884, EXCEL.EXE, 39 (7 entries)
Processes
Level 1: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\048.xls
  PID: 1884
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
    PID: 1092
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\system32\regsvr32.exe
      Command line: /S ..\elv1.ooocccxxx
      PID: 280
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IagnmdlpMzUgHVolT\ngcsqONf.dll"
        PID: 1152
        - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
    PID: 1772
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\system32\regsvr32.exe
      Command line: /S ..\elv2.ooocccxxx
      PID: 832
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QCVUXMzuwkCnophN\kRLgvh.dll"
        PID: 1592
        - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
    PID: 1124
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\system32\regsvr32.exe
      Command line: /S ..\elv3.ooocccxxx
      PID: 1696
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SQNlmgbAIqxfnZg\EcCh.dll"
        PID: 1900
        - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
    PID: 908
    - Process spawned unexpected child process
    - Loads dropped DLL

    Level 3: C:\Windows\system32\regsvr32.exe
      Command line: /S ..\elv4.ooocccxxx
      PID: 1036
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

      Level 4: C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JXgntGcYcAxlPi\nHizCxhnsAvw.dll"
        PID: 1512
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 434KB
  MD5: 230c5af97879651becc7817d0df03e3e
  SHA1: f4eb75912acf264ac3570ecd47578b83ec0f45dd
  SHA256: 3ad0bac873075630dfc1ccf29771ac1dea789853b31f59f618dae5595faaa3ab
  SHA512: b824ef9166b29c65c16f127993e80c547a7b9d89750f7608eeef0682bc5d7fd0fb6b415db3d9336dc45704e59315392507a092084c0cf5da9cd3efb2cca25fc3
- Filesize: 434KB
  MD5: 96d0f19dadf7e525c82cd8e7c684dfc9
  SHA1: 312db9c846726aa6f3818162de95f9d2601efc9f
  SHA256: cdeabbda90740402a21ac803a172a077784d08d92c4d17dfdff5330eb880e0f5
  SHA512: 3d7322793456bb7622ae6fb7c1da8600b5a720215e24a4441b13f6c93d2084ef60c7d42dcd88a66afb45ade764722b4c910884e6f0f385b4b1296c0740b0a4a4
- Filesize: 434KB
  MD5: 370be5c5bc215c6a42a67517e62fef4f
  SHA1: cdd3e9153044b5617997fed67e1120d74cbe9303
  SHA256: d4b92df6e11665d9597954c6bc35db45a66a7467817b5090ae6110610e6f7f62
  SHA512: 12782602c680d99e0e6fd5555dfa023f3e7b61609a19bdc7abb788949c3705b4d076eddf10cb0788dee518c9a310f9aad3724bd6334983c32ed61247b0624878
- Filesize: 434KB
  MD5: bdc5cdc41583d04ef4b4f029ef60ce54
  SHA1: 8e40d8796e4453bc08583439d8bf2776c80e6d30
  SHA256: b802b439b1c821fedbbf5ae0a5ec358533750214b9881fa90b4e7a94c0085d7a
  SHA512: f0caa7ffa9ed69c7b822200398cbc7829f680df7019fd58e712231b979454d6b796fcc6aa48134e17bd953a901aebe27dc92a2a85d75d9bb8ce7929d3faafde3