Analysis Overview
SHA256
62fab9c35ea8be9f22973fc904f2312508b86f78f8320d724847542dd2d558e4
Threat Level: Known bad
The file 17.xls was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Emotet
Suspicious Office macro
Downloads MZ/PE file
Loads dropped DLL
Adds Run key to start application
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-09 19:50
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-09 19:50
Reported
2022-11-09 19:54
Platform
win7-20220812-en
Max time kernel
151s
Max time network
171s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\17.xls
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
/S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VFlbO\MJQlqeCvrPBIhcbM.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
/S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XmkgLDqX\ukiyVHcmQ.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\system32\regsvr32.exe
/S ..\elv3.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XnmDavJ\BImejDaQNRgaasKL.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
C:\Windows\system32\regsvr32.exe
/S ..\elv4.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EwGQJyBr\hFTAeXkGcahRzjOb.dll"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bundlefilm.com | udp |
| US | 74.207.252.187:80 | bundlefilm.com | tcp |
| US | 8.8.8.8:53 | camsanparke.net | udp |
| TR | 213.142.148.59:80 | camsanparke.net | tcp |
| US | 8.8.8.8:53 | royreid.co.uk | udp |
| GB | 77.68.64.0:80 | royreid.co.uk | tcp |
| US | 8.8.8.8:53 | cs.com.sg | udp |
| SG | 103.237.169.99:443 | cs.com.sg | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 104.109.143.75:80 | apps.identrust.com | tcp |
| KR | 218.38.121.17:443 | N/A | tcp |
| KR | 218.38.121.17:443 | N/A | tcp |
| BR | 186.250.48.5:443 | N/A | tcp |
| BR | 186.250.48.5:443 | N/A | tcp |
| KR | 218.38.121.17:443 | N/A | tcp |
| KR | 218.38.121.17:443 | N/A | tcp |
| IT | 80.211.107.116:8080 | N/A | tcp |
| IT | 80.211.107.116:8080 | N/A | tcp |
| BR | 186.250.48.5:443 | N/A | tcp |
| BR | 186.250.48.5:443 | N/A | tcp |
| US | 174.138.33.49:7080 | N/A | tcp |
| US | 174.138.33.49:7080 | N/A | tcp |
| KR | 218.38.121.17:443 | N/A | tcp |
| IT | 80.211.107.116:8080 | N/A | tcp |
| IT | 80.211.107.116:8080 | N/A | tcp |
| KR | 218.38.121.17:443 | N/A | tcp |
| SG | 165.22.254.236:8080 | N/A | tcp |
| BR | 186.250.48.5:443 | N/A | tcp |
| US | 174.138.33.49:7080 | N/A | tcp |
| US | 174.138.33.49:7080 | N/A | tcp |
| BR | 186.250.48.5:443 | N/A | tcp |
| DE | 185.148.169.10:8080 | N/A | tcp |
| SG | 165.22.254.236:8080 | N/A | tcp |
| IT | 80.211.107.116:8080 | N/A | tcp |
Files
memory/980-54-0x000000002F8B1000-0x000000002F8B4000-memory.dmp
memory/980-55-0x0000000070F81000-0x0000000070F83000-memory.dmp
memory/980-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/980-57-0x0000000071F6D000-0x0000000071F78000-memory.dmp
memory/980-58-0x0000000075811000-0x0000000075813000-memory.dmp
memory/980-59-0x0000000071F6D000-0x0000000071F78000-memory.dmp
memory/1292-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv1.ooocccxxx
| MD5 | f438653780bf4822560e5d8d2e907185 |
| SHA1 | 5d78b1857b07de375da8c0ed9d2cd148a6fc42d6 |
| SHA256 | 2c89b7f2afe59fdb9048be6a46ca0b6d39c762e6425820ddeee83daeb5819f7e |
| SHA512 | fd4dfdf444f524b53fda26d47ec1affc406c2d326c59e6c18e25bcaac1c5ef291adf9b72679d39e700d0f422559d57c9f8e53c19f37c2c89c0d1b80a96290402 |
memory/920-64-0x0000000000000000-mapping.dmp
memory/920-65-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
memory/920-67-0x0000000180000000-0x0000000180030000-memory.dmp
memory/1220-70-0x0000000000000000-mapping.dmp
memory/1736-75-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv2.ooocccxxx
| MD5 | eef36d2e209df249fc8a2b371b32efd8 |
| SHA1 | ddf4c64d5162a51f19f84ae11b6b8be0c056c389 |
| SHA256 | 507b6f41884566fa4c7e552953b1cfb7a6c2913926511e4a7980085489163fef |
| SHA512 | b81f1a508e1840b51e7552342ee87d697d63481f3d24357b80b904ea7f09c183475ea1d75b0c7bfe6a9e2c4532b41e77e43ab40c1ffe07ced7815cd731a0c021 |
memory/524-79-0x0000000000000000-mapping.dmp
memory/1588-85-0x0000000000000000-mapping.dmp
memory/2000-90-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv3.ooocccxxx
| MD5 | 99effcdd371092bf45673ee5b91b81b4 |
| SHA1 | 7553f5050ed44d36c4f393860d2636ac97ed865a |
| SHA256 | 409528b0610c2a53ba8f343a3f674c25b3c03bc865d95204db76980d6815bc48 |
| SHA512 | 45594e3e800d56e78a70f6ad45d6fd0243f3093647db40bc31b0257e7d473f8c07e4e978ae3f3f14b5ec81d3e34833b60fe06d80a563287fcaa021bc4755fcdc |
memory/1368-94-0x0000000000000000-mapping.dmp
memory/2028-100-0x0000000000000000-mapping.dmp
memory/904-105-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv4.ooocccxxx
| MD5 | 4095598a5e1c0cb57ee9137521fc935f |
| SHA1 | 01c7b799fba8cab7bc9d486fa2f5b0fd5f51004f |
| SHA256 | 6dc8324e6ff7f01ef9d6f3b310ce84d4acddd388a124ee1dcfa9e03246b74631 |
| SHA512 | 3395b26c020359d6a801f97f3a767a0be04b0d766b257474e2b78f5426d79f6b3003f9c8091cdb1a24576909203067627c3f5ef6ec564e7b4816b9df0caf4228 |
memory/1240-109-0x0000000000000000-mapping.dmp
memory/868-115-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-09 19:50
Reported
2022-11-09 19:54
Platform
win10v2004-20220812-en
Max time kernel
151s
Max time network
165s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ArSUlwQhNNqCW.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\RwhrSrOnDATwdBElz\\ArSUlwQhNNqCW.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\17.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GplWhrsyv\BDFVxwqSmJFOgtRE.dll"
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KPRRLa\tladshhSUz.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RwhrSrOnDATwdBElz\ArSUlwQhNNqCW.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JyRkZe\AlFdQIogA.dll"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| GB | 51.132.193.104:443 | N/A | tcp |
| US | 8.8.8.8:53 | bundlefilm.com | udp |
| US | 74.207.252.187:80 | bundlefilm.com | tcp |
| NL | 87.248.202.1:80 | N/A | tcp |
| NL | 87.248.202.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | camsanparke.net | udp |
| TR | 213.142.148.59:80 | camsanparke.net | tcp |
| US | 8.8.8.8:53 | royreid.co.uk | udp |
| GB | 77.68.64.0:80 | royreid.co.uk | tcp |
| US | 8.8.8.8:53 | cs.com.sg | udp |
| SG | 103.237.169.99:443 | cs.com.sg | tcp |
| KR | 218.38.121.17:443 | 218.38.121.17 | tcp |
| KR | 218.38.121.17:443 | 218.38.121.17 | tcp |
| KR | 218.38.121.17:443 | 218.38.121.17 | tcp |
| NL | 104.123.40.135:443 | N/A | tcp |
| BR | 186.250.48.5:443 | 186.250.48.5 | tcp |
| BR | 186.250.48.5:443 | 186.250.48.5 | tcp |
| IT | 80.211.107.116:8080 | 80.211.107.116 | tcp |
| IT | 80.211.107.116:8080 | 80.211.107.116 | tcp |
| US | 174.138.33.49:7080 | 174.138.33.49 | tcp |
| US | 174.138.33.49:7080 | 174.138.33.49 | tcp |
| SG | 165.22.254.236:8080 | N/A | tcp |
| SG | 165.22.254.236:8080 | N/A | tcp |
Files
memory/1940-132-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp
memory/1940-133-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp
memory/1940-134-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp
memory/1940-135-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp
memory/1940-136-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp
memory/1940-137-0x00007FFAB5780000-0x00007FFAB5790000-memory.dmp
memory/1940-138-0x00007FFAB5780000-0x00007FFAB5790000-memory.dmp
memory/3500-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv1.ooocccxxx
| MD5 | f438653780bf4822560e5d8d2e907185 |
| SHA1 | 5d78b1857b07de375da8c0ed9d2cd148a6fc42d6 |
| SHA256 | 2c89b7f2afe59fdb9048be6a46ca0b6d39c762e6425820ddeee83daeb5819f7e |
| SHA512 | fd4dfdf444f524b53fda26d47ec1affc406c2d326c59e6c18e25bcaac1c5ef291adf9b72679d39e700d0f422559d57c9f8e53c19f37c2c89c0d1b80a96290402 |
memory/3500-142-0x0000000180000000-0x0000000180030000-memory.dmp
memory/2328-145-0x0000000000000000-mapping.dmp
memory/2344-147-0x0000000000000000-mapping.dmp
C:\Windows\System32\GplWhrsyv\BDFVxwqSmJFOgtRE.dll
| MD5 | f438653780bf4822560e5d8d2e907185 |
| SHA1 | 5d78b1857b07de375da8c0ed9d2cd148a6fc42d6 |
| SHA256 | 2c89b7f2afe59fdb9048be6a46ca0b6d39c762e6425820ddeee83daeb5819f7e |
| SHA512 | fd4dfdf444f524b53fda26d47ec1affc406c2d326c59e6c18e25bcaac1c5ef291adf9b72679d39e700d0f422559d57c9f8e53c19f37c2c89c0d1b80a96290402 |
C:\Users\Admin\elv2.ooocccxxx
| MD5 | eef36d2e209df249fc8a2b371b32efd8 |
| SHA1 | ddf4c64d5162a51f19f84ae11b6b8be0c056c389 |
| SHA256 | 507b6f41884566fa4c7e552953b1cfb7a6c2913926511e4a7980085489163fef |
| SHA512 | b81f1a508e1840b51e7552342ee87d697d63481f3d24357b80b904ea7f09c183475ea1d75b0c7bfe6a9e2c4532b41e77e43ab40c1ffe07ced7815cd731a0c021 |
memory/1652-156-0x0000000000000000-mapping.dmp
C:\Windows\System32\KPRRLa\tladshhSUz.dll
| MD5 | eef36d2e209df249fc8a2b371b32efd8 |
| SHA1 | ddf4c64d5162a51f19f84ae11b6b8be0c056c389 |
| SHA256 | 507b6f41884566fa4c7e552953b1cfb7a6c2913926511e4a7980085489163fef |
| SHA512 | b81f1a508e1840b51e7552342ee87d697d63481f3d24357b80b904ea7f09c183475ea1d75b0c7bfe6a9e2c4532b41e77e43ab40c1ffe07ced7815cd731a0c021 |
memory/3192-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv3.ooocccxxx
| MD5 | 99effcdd371092bf45673ee5b91b81b4 |
| SHA1 | 7553f5050ed44d36c4f393860d2636ac97ed865a |
| SHA256 | 409528b0610c2a53ba8f343a3f674c25b3c03bc865d95204db76980d6815bc48 |
| SHA512 | 45594e3e800d56e78a70f6ad45d6fd0243f3093647db40bc31b0257e7d473f8c07e4e978ae3f3f14b5ec81d3e34833b60fe06d80a563287fcaa021bc4755fcdc |
memory/4020-167-0x0000000000000000-mapping.dmp
C:\Windows\System32\RwhrSrOnDATwdBElz\ArSUlwQhNNqCW.dll
| MD5 | 99effcdd371092bf45673ee5b91b81b4 |
| SHA1 | 7553f5050ed44d36c4f393860d2636ac97ed865a |
| SHA256 | 409528b0610c2a53ba8f343a3f674c25b3c03bc865d95204db76980d6815bc48 |
| SHA512 | 45594e3e800d56e78a70f6ad45d6fd0243f3093647db40bc31b0257e7d473f8c07e4e978ae3f3f14b5ec81d3e34833b60fe06d80a563287fcaa021bc4755fcdc |
memory/1528-172-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv4.ooocccxxx
| MD5 | 4095598a5e1c0cb57ee9137521fc935f |
| SHA1 | 01c7b799fba8cab7bc9d486fa2f5b0fd5f51004f |
| SHA256 | 6dc8324e6ff7f01ef9d6f3b310ce84d4acddd388a124ee1dcfa9e03246b74631 |
| SHA512 | 3395b26c020359d6a801f97f3a767a0be04b0d766b257474e2b78f5426d79f6b3003f9c8091cdb1a24576909203067627c3f5ef6ec564e7b4816b9df0caf4228 |
memory/4408-178-0x0000000000000000-mapping.dmp
C:\Windows\System32\JyRkZe\AlFdQIogA.dll
| MD5 | 4095598a5e1c0cb57ee9137521fc935f |
| SHA1 | 01c7b799fba8cab7bc9d486fa2f5b0fd5f51004f |
| SHA256 | 6dc8324e6ff7f01ef9d6f3b310ce84d4acddd388a124ee1dcfa9e03246b74631 |
| SHA512 | 3395b26c020359d6a801f97f3a767a0be04b0d766b257474e2b78f5426d79f6b3003f9c8091cdb1a24576909203067627c3f5ef6ec564e7b4816b9df0caf4228 |