Malware Analysis Report

2025-08-11 01:42

Sample ID: 221109-z11ycscbd3
Target: 8369317541.zip
SHA256: ac374b7e67d74e75b29f483648d67c4a9cca07cec21c867301f34a27a5e0c8e4
Tags: macro xlm emotet epoch4 banker trojan persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: ac374b7e67d74e75b29f483648d67c4a9cca07cec21c867301f34a27a5e0c8e4

Threat Level: Known bad

The file 8369317541.zip was found to be: Known bad.

Malicious Activity Summary

Tags: macro xlm emotet epoch4 banker trojan persistence

Process spawned unexpected child process

Emotet

Downloads MZ/PE file

Suspicious Office macro

Loads dropped DLL

Adds Run key to start application

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies registry class

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-09 21:11

Signatures

Suspicious Office macro

Tags: macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-09 21:11

Reported: 2022-11-09 21:15

Platform: win7-20220812-en

Max time kernel: 148s

Max time network: 174s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls

Signatures

Emotet

Tags: trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Downloads MZ/PE file

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

Tags: adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 1724 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1724 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1724 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1724 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1724 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1724 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1724 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1724 wrote to memory of 1312 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1724 wrote to memory of 1312 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1724 wrote to memory of 1312 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1724 wrote to memory of 1312 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1724 wrote to memory of 1312 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1724 wrote to memory of 1312 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1724 wrote to memory of 1312 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1312 wrote to memory of 1304 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1312 wrote to memory of 1304 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1312 wrote to memory of 1304 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1312 wrote to memory of 1304 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1312 wrote to memory of 1304 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1952 wrote to memory of 1748 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1748 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1748 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1748 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1748 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1748 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1748 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1748 wrote to memory of 520 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1748 wrote to memory of 520 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1748 wrote to memory of 520 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1748 wrote to memory of 520 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1748 wrote to memory of 520 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1748 wrote to memory of 520 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1748 wrote to memory of 520 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 520 wrote to memory of 1208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 520 wrote to memory of 1208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 520 wrote to memory of 1208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 520 wrote to memory of 1208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 520 wrote to memory of 1208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1952 wrote to memory of 1148 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1148 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1148 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1148 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1148 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1148 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1148 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1148 wrote to memory of 1848 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1148 wrote to memory of 1848 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1148 wrote to memory of 1848 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1148 wrote to memory of 1848 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1148 wrote to memory of 1848 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1148 wrote to memory of 1848 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1148 wrote to memory of 1848 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1848 wrote to memory of 988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1848 wrote to memory of 988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1848 wrote to memory of 988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1848 wrote to memory of 988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1848 wrote to memory of 988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1952 wrote to memory of 1580 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1580 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1580 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1580 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1580 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1580 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 1580 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LXsVUXSTxrsnOOK\JHdtQuxq.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BHGcvYmFW\axVS.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv3.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IhIMQQMGpF\asMiBaon.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

Network

Country Destination Domain Proto
US 8.8.8.8:53 cubicegg.asia udp
JP 202.172.28.199:80 cubicegg.asia tcp
US 8.8.8.8:53 darwinistic.com udp
US 108.161.136.198:80 darwinistic.com tcp
US 8.8.8.8:53 devinagallagher.com udp
US 69.65.10.202:80 devinagallagher.com tcp
US 8.8.8.8:53 brittknight.com udp
US 172.67.192.217:80 brittknight.com tcp
US 8.8.8.8:53 suspendeddomain.org udp
US 104.21.235.177:80 suspendeddomain.org tcp
KR 182.162.143.56:443 tcp
KR 182.162.143.56:443 tcp
US 169.60.181.70:8080 tcp
KR 182.162.143.56:443 tcp
KR 182.162.143.56:443 tcp
SG 149.28.143.92:443 tcp
US 169.60.181.70:8080 tcp
KR 182.162.143.56:443 tcp
KR 182.162.143.56:443 tcp
US 169.60.181.70:8080 tcp
RS 91.187.140.35:8080 tcp
RS 91.187.140.35:8080 tcp
SG 149.28.143.92:443 tcp
BR 187.63.160.88:80 tcp
BR 187.63.160.88:80 tcp
SG 149.28.143.92:443 tcp
FR 94.23.45.86:4143 tcp
FR 94.23.45.86:4143 tcp

Files

memory/1952-54-0x000000002F2D1000-0x000000002F2D4000-memory.dmp

memory/1952-55-0x0000000071751000-0x0000000071753000-memory.dmp

memory/1952-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1952-57-0x0000000075E31000-0x0000000075E33000-memory.dmp

memory/1952-58-0x000000007273D000-0x0000000072748000-memory.dmp

memory/1952-59-0x000000007273D000-0x0000000072748000-memory.dmp

memory/1724-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv1.ooocccxxx

MD5 e4d4ddbb48b7c5d8d04e64bcfd241162
SHA1 841cb873109728065ff3907e0a19af8d4b363b6b
SHA256 220d0bf5b02e2405afdb47c3569ca1bbc5770d7226a5479a01742ac26619e928
SHA512 8133893139c8e680416adbe5ae7e8dd789508cf5bc5d68ad36afcb7e43f43460e5c2947b4ec8605043d4290c5f0caffd745533ea55b788396cb45e3f0919448d

\Users\Admin\elv1.ooocccxxx

MD5 e4d4ddbb48b7c5d8d04e64bcfd241162
SHA1 841cb873109728065ff3907e0a19af8d4b363b6b
SHA256 220d0bf5b02e2405afdb47c3569ca1bbc5770d7226a5479a01742ac26619e928
SHA512 8133893139c8e680416adbe5ae7e8dd789508cf5bc5d68ad36afcb7e43f43460e5c2947b4ec8605043d4290c5f0caffd745533ea55b788396cb45e3f0919448d

memory/1312-64-0x0000000000000000-mapping.dmp

memory/1312-65-0x000007FEFC101000-0x000007FEFC103000-memory.dmp

memory/1312-67-0x0000000180000000-0x000000018002F000-memory.dmp

memory/1304-70-0x0000000000000000-mapping.dmp

memory/1748-75-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv2.ooocccxxx

MD5 1209ebba5bb4117ee10b719ddba8b7c4
SHA1 7454dbf8268ce69d0d256d103808bd7e5c744662
SHA256 75fecc5c2b56359a9743030058046081f3011a518a3900de442181c6d0f81c7e
SHA512 f2c27d530232ddb9b9c258cfbbb10a36cd4c26b9b9a2b51f6d30ba0b177ee972b811c267bf25b88783faffc31b7139147b1cf4114e7ea73bc3ee6b7365a5ff28

memory/520-79-0x0000000000000000-mapping.dmp

\Users\Admin\elv2.ooocccxxx

MD5 1209ebba5bb4117ee10b719ddba8b7c4
SHA1 7454dbf8268ce69d0d256d103808bd7e5c744662
SHA256 75fecc5c2b56359a9743030058046081f3011a518a3900de442181c6d0f81c7e
SHA512 f2c27d530232ddb9b9c258cfbbb10a36cd4c26b9b9a2b51f6d30ba0b177ee972b811c267bf25b88783faffc31b7139147b1cf4114e7ea73bc3ee6b7365a5ff28

\Users\Admin\elv2.ooocccxxx

MD5 1209ebba5bb4117ee10b719ddba8b7c4
SHA1 7454dbf8268ce69d0d256d103808bd7e5c744662
SHA256 75fecc5c2b56359a9743030058046081f3011a518a3900de442181c6d0f81c7e
SHA512 f2c27d530232ddb9b9c258cfbbb10a36cd4c26b9b9a2b51f6d30ba0b177ee972b811c267bf25b88783faffc31b7139147b1cf4114e7ea73bc3ee6b7365a5ff28

memory/1208-85-0x0000000000000000-mapping.dmp

memory/1148-90-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv3.ooocccxxx

MD5 9b3be6dd84a212ea83fb3a7c184dbb07
SHA1 fb60c9c114bac54c83cccc2e0ddc6f85e3eeae13
SHA256 4e1c2fcbd27ebf54e55c0c69c855a32110bc86196de3dc03253ad4241eda6e03
SHA512 f136dd003d092102c38eb6e0a9a8a917866d27a7b5d5062778712cd55ba9f9b1e64bed4b1dd67aa39dcef8c639b96e7760e0cf21fbc516f5b4dd779ecc5c6427

\Users\Admin\elv3.ooocccxxx

MD5 9b3be6dd84a212ea83fb3a7c184dbb07
SHA1 fb60c9c114bac54c83cccc2e0ddc6f85e3eeae13
SHA256 4e1c2fcbd27ebf54e55c0c69c855a32110bc86196de3dc03253ad4241eda6e03
SHA512 f136dd003d092102c38eb6e0a9a8a917866d27a7b5d5062778712cd55ba9f9b1e64bed4b1dd67aa39dcef8c639b96e7760e0cf21fbc516f5b4dd779ecc5c6427

memory/1848-94-0x0000000000000000-mapping.dmp

\Users\Admin\elv3.ooocccxxx

MD5 9b3be6dd84a212ea83fb3a7c184dbb07
SHA1 fb60c9c114bac54c83cccc2e0ddc6f85e3eeae13
SHA256 4e1c2fcbd27ebf54e55c0c69c855a32110bc86196de3dc03253ad4241eda6e03
SHA512 f136dd003d092102c38eb6e0a9a8a917866d27a7b5d5062778712cd55ba9f9b1e64bed4b1dd67aa39dcef8c639b96e7760e0cf21fbc516f5b4dd779ecc5c6427

memory/988-100-0x0000000000000000-mapping.dmp

memory/1580-105-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv4.ooocccxxx

MD5 1a09990075e11f2512781ac4d7f137dc
SHA1 aca3f66e4d63cb3c67af3471d78ed00b4d96b6f7
SHA256 01b20c39c841743a41c60daf2c844082624bf03522d77b055ee3a6054769ce6d
SHA512 c49f1beee9edc33307fc2859cabfa3353258259c64385d28758fdd885d9fd06a0b9afc7d1007b940159878d868574c9c1a2cd87ab11658a01df977cd2ca6c362

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-09 21:11

Reported

2022-11-09 21:15

Platform

win10v2004-20220812-en

Max time kernel

151s

Max time network

168s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls"

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sjCsxfMPtvHd.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\LipmV\\sjCsxfMPtvHd.dll\"" C:\Windows\system32\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 1440 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 2412 wrote to memory of 1440 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 1440 wrote to memory of 1660 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1440 wrote to memory of 1660 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2412 wrote to memory of 2180 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 2412 wrote to memory of 2180 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 2180 wrote to memory of 4972 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2180 wrote to memory of 4972 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2412 wrote to memory of 3856 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 2412 wrote to memory of 3856 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 3856 wrote to memory of 4176 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 3856 wrote to memory of 4176 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2412 wrote to memory of 2936 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 2412 wrote to memory of 2936 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Srohl\HEYFPyP.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LipmV\sjCsxfMPtvHd.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FLdtVVYrZQYHDn\gSXNoh.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

Network

Country Destination Domain Proto
US 8.8.8.8:53 cubicegg.asia udp
NL 96.16.53.148:80 tcp
JP 202.172.28.199:80 cubicegg.asia tcp
US 13.89.179.8:443 tcp
US 8.8.8.8:53 darwinistic.com udp
US 108.161.136.198:80 darwinistic.com tcp
US 8.8.8.8:53 devinagallagher.com udp
US 69.65.10.202:80 devinagallagher.com tcp
US 8.8.8.8:53 brittknight.com udp
US 8.8.8.8:53 devinagallagher.com udp
NL 87.248.202.1:80 tcp
KR 182.162.143.56:443 182.162.143.56 tcp
KR 182.162.143.56:443 182.162.143.56 tcp
KR 182.162.143.56:443 182.162.143.56 tcp
US 169.60.181.70:8080 tcp
US 169.60.181.70:8080 tcp
SG 149.28.143.92:443 tcp
SG 149.28.143.92:443 tcp
US 8.8.8.8:53 udp

Files

memory/2412-132-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

memory/2412-133-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

memory/2412-134-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

memory/2412-135-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

memory/2412-136-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

memory/2412-137-0x00007FFD188D0000-0x00007FFD188E0000-memory.dmp

memory/2412-138-0x00007FFD188D0000-0x00007FFD188E0000-memory.dmp

memory/1440-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv1.ooocccxxx

MD5 e4d4ddbb48b7c5d8d04e64bcfd241162
SHA1 841cb873109728065ff3907e0a19af8d4b363b6b
SHA256 220d0bf5b02e2405afdb47c3569ca1bbc5770d7226a5479a01742ac26619e928
SHA512 8133893139c8e680416adbe5ae7e8dd789508cf5bc5d68ad36afcb7e43f43460e5c2947b4ec8605043d4290c5f0caffd745533ea55b788396cb45e3f0919448d

C:\Users\Admin\elv1.ooocccxxx

MD5 e4d4ddbb48b7c5d8d04e64bcfd241162
SHA1 841cb873109728065ff3907e0a19af8d4b363b6b
SHA256 220d0bf5b02e2405afdb47c3569ca1bbc5770d7226a5479a01742ac26619e928
SHA512 8133893139c8e680416adbe5ae7e8dd789508cf5bc5d68ad36afcb7e43f43460e5c2947b4ec8605043d4290c5f0caffd745533ea55b788396cb45e3f0919448d

memory/1440-142-0x0000000180000000-0x000000018002F000-memory.dmp

memory/1660-145-0x0000000000000000-mapping.dmp

C:\Windows\System32\Srohl\HEYFPyP.dll

MD5 e4d4ddbb48b7c5d8d04e64bcfd241162
SHA1 841cb873109728065ff3907e0a19af8d4b363b6b
SHA256 220d0bf5b02e2405afdb47c3569ca1bbc5770d7226a5479a01742ac26619e928
SHA512 8133893139c8e680416adbe5ae7e8dd789508cf5bc5d68ad36afcb7e43f43460e5c2947b4ec8605043d4290c5f0caffd745533ea55b788396cb45e3f0919448d

memory/2180-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv2.ooocccxxx

MD5 1209ebba5bb4117ee10b719ddba8b7c4
SHA1 7454dbf8268ce69d0d256d103808bd7e5c744662
SHA256 75fecc5c2b56359a9743030058046081f3011a518a3900de442181c6d0f81c7e
SHA512 f2c27d530232ddb9b9c258cfbbb10a36cd4c26b9b9a2b51f6d30ba0b177ee972b811c267bf25b88783faffc31b7139147b1cf4114e7ea73bc3ee6b7365a5ff28

C:\Users\Admin\elv2.ooocccxxx

MD5 1209ebba5bb4117ee10b719ddba8b7c4
SHA1 7454dbf8268ce69d0d256d103808bd7e5c744662
SHA256 75fecc5c2b56359a9743030058046081f3011a518a3900de442181c6d0f81c7e
SHA512 f2c27d530232ddb9b9c258cfbbb10a36cd4c26b9b9a2b51f6d30ba0b177ee972b811c267bf25b88783faffc31b7139147b1cf4114e7ea73bc3ee6b7365a5ff28

memory/4972-156-0x0000000000000000-mapping.dmp

C:\Windows\System32\LipmV\sjCsxfMPtvHd.dll

MD5 1209ebba5bb4117ee10b719ddba8b7c4
SHA1 7454dbf8268ce69d0d256d103808bd7e5c744662
SHA256 75fecc5c2b56359a9743030058046081f3011a518a3900de442181c6d0f81c7e
SHA512 f2c27d530232ddb9b9c258cfbbb10a36cd4c26b9b9a2b51f6d30ba0b177ee972b811c267bf25b88783faffc31b7139147b1cf4114e7ea73bc3ee6b7365a5ff28

memory/3856-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv3.ooocccxxx

MD5 9b3be6dd84a212ea83fb3a7c184dbb07
SHA1 fb60c9c114bac54c83cccc2e0ddc6f85e3eeae13
SHA256 4e1c2fcbd27ebf54e55c0c69c855a32110bc86196de3dc03253ad4241eda6e03
SHA512 f136dd003d092102c38eb6e0a9a8a917866d27a7b5d5062778712cd55ba9f9b1e64bed4b1dd67aa39dcef8c639b96e7760e0cf21fbc516f5b4dd779ecc5c6427

C:\Users\Admin\elv3.ooocccxxx

MD5 9b3be6dd84a212ea83fb3a7c184dbb07
SHA1 fb60c9c114bac54c83cccc2e0ddc6f85e3eeae13
SHA256 4e1c2fcbd27ebf54e55c0c69c855a32110bc86196de3dc03253ad4241eda6e03
SHA512 f136dd003d092102c38eb6e0a9a8a917866d27a7b5d5062778712cd55ba9f9b1e64bed4b1dd67aa39dcef8c639b96e7760e0cf21fbc516f5b4dd779ecc5c6427

memory/4176-167-0x0000000000000000-mapping.dmp

C:\Windows\System32\FLdtVVYrZQYHDn\gSXNoh.dll

MD5 9b3be6dd84a212ea83fb3a7c184dbb07
SHA1 fb60c9c114bac54c83cccc2e0ddc6f85e3eeae13
SHA256 4e1c2fcbd27ebf54e55c0c69c855a32110bc86196de3dc03253ad4241eda6e03
SHA512 f136dd003d092102c38eb6e0a9a8a917866d27a7b5d5062778712cd55ba9f9b1e64bed4b1dd67aa39dcef8c639b96e7760e0cf21fbc516f5b4dd779ecc5c6427

memory/2936-172-0x0000000000000000-mapping.dmp