Analysis
max time kernel: 148s
max time network: 174s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2022, 21:11

Behavioral task: behavioral1
Sample: 8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls
Resource: win10v2004-20220812-en

General
Target: 8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls
Size: 91KB
MD5: c923d2a2d9c4193171d80a850babe90a
SHA1: 8e729e6fe2491b6566a3f41973c8891423c5ac3b
SHA256: 8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63
SHA512: 4058f7dc49889aa04e8168f7e2471c327014842a5cfffe605d1cb74a9dfd5588a6ae9fdfebbbc2d43a8087698bd415439485502423319519a53f85512c00ca19
SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgsbCXuZH4gb4CEn9J4Z3ip:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgL
Malware Config
Extracted
URLs:
http://cubicegg.asia/assets/hQlJfFO/
http://darwinistic.com/icon/pvxwXfuOXowTDDg/
http://devinagallagher.com/NSA/BVks/
http://brittknight.com/PHP/qy6/

Extracted
Family: emotet
Botnet: Epoch4
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1724 | 1952 | regsvr32.exe | 27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1748 | 1952 | regsvr32.exe | 27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1148 | 1952 | regsvr32.exe | 27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1580 | 1952 | regsvr32.exe | 27

Downloads MZ/PE file
Loads dropped DLL (6 IoCs)
pid | Process
1724 | regsvr32.exe
1312 | regsvr32.exe
1748 | regsvr32.exe
520 | regsvr32.exe
1148 | regsvr32.exe
1848 | regsvr32.exe
Enumerates system info in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Modifies Internet Explorer settings (31 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
1952 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
1312 | regsvr32.exe
1304 | regsvr32.exe
1304 | regsvr32.exe
520 | regsvr32.exe
1208 | regsvr32.exe
1208 | regsvr32.exe
1848 | regsvr32.exe
988 | regsvr32.exe
988 | regsvr32.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
1952 | EXCEL.EXE
1952 | EXCEL.EXE
1952 | EXCEL.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | occurrences
PID 1952 wrote to memory of 1724 | 1952 | EXCEL.EXE | 30 | 7
PID 1724 wrote to memory of 1312 | 1724 | regsvr32.exe | 31 | 7
PID 1312 wrote to memory of 1304 | 1312 | regsvr32.exe | 32 | 5
PID 1952 wrote to memory of 1748 | 1952 | EXCEL.EXE | 33 | 7
PID 1748 wrote to memory of 520 | 1748 | regsvr32.exe | 34 | 7
PID 520 wrote to memory of 1208 | 520 | regsvr32.exe | 35 | 5
PID 1952 wrote to memory of 1148 | 1952 | EXCEL.EXE | 36 | 7
PID 1148 wrote to memory of 1848 | 1148 | regsvr32.exe | 37 | 7
PID 1848 wrote to memory of 988 | 1848 | regsvr32.exe | 38 | 5
PID 1952 wrote to memory of 1580 | 1952 | EXCEL.EXE | 39 | 7
Processes
[depth 1] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls
    PID: 1952
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Windows\SysWOW64\regsvr32.exe
        Command line: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
        PID: 1724
        - Process spawned unexpected child process
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [depth 3] C:\Windows\system32\regsvr32.exe
            Command line: /S ..\elv1.ooocccxxx
            PID: 1312
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            [depth 4] C:\Windows\system32\regsvr32.exe
                Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LXsVUXSTxrsnOOK\JHdtQuxq.dll"
                PID: 1304
                - Suspicious behavior: EnumeratesProcesses
    [depth 2] C:\Windows\SysWOW64\regsvr32.exe
        Command line: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
        PID: 1748
        - Process spawned unexpected child process
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [depth 3] C:\Windows\system32\regsvr32.exe
            Command line: /S ..\elv2.ooocccxxx
            PID: 520
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            [depth 4] C:\Windows\system32\regsvr32.exe
                Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BHGcvYmFW\axVS.dll"
                PID: 1208
                - Suspicious behavior: EnumeratesProcesses
    [depth 2] C:\Windows\SysWOW64\regsvr32.exe
        Command line: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
        PID: 1148
        - Process spawned unexpected child process
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [depth 3] C:\Windows\system32\regsvr32.exe
            Command line: /S ..\elv3.ooocccxxx
            PID: 1848
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            [depth 4] C:\Windows\system32\regsvr32.exe
                Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IhIMQQMGpF\asMiBaon.dll"
                PID: 988
                - Suspicious behavior: EnumeratesProcesses
    [depth 2] C:\Windows\SysWOW64\regsvr32.exe
        Command line: C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
        PID: 1580
        - Process spawned unexpected child process
Downloads