Malware Analysis Report

2025-08-11 01:43

Sample ID 221109-z1wzeadhck
Target 8387977512.zip
SHA256 ed7ec6c6205cf57e52a1f04da7c8efd3164e3ba9f1ca0bb51415b11679695075
Tags
macro xlm emotet epoch4 banker trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed7ec6c6205cf57e52a1f04da7c8efd3164e3ba9f1ca0bb51415b11679695075

Threat Level: Known bad

The file 8387977512.zip was found to be: Known bad.

Malicious Activity Summary

macro xlm emotet epoch4 banker trojan persistence

Emotet

Process spawned unexpected child process

Suspicious Office macro

Downloads MZ/PE file

Loads dropped DLL

Adds Run key to start application

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies registry class

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-09 21:11

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-09 21:11

Reported

2022-11-09 21:14

Platform

win7-20220901-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\e41862e6cf7c3206fe699b624046c6d3f7ecd59fce0ddca1aadcc87b30545949.xls

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Downloads MZ/PE file

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 832 wrote to memory of 1860 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe 7
PID 1860 wrote to memory of 1372 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe 7
PID 1372 wrote to memory of 796 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe 5
PID 832 wrote to memory of 552 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe 7
PID 552 wrote to memory of 1960 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe 7
PID 1960 wrote to memory of 1364 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe 5
PID 832 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe 7
PID 832 wrote to memory of 1144 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe 7
PID 1144 wrote to memory of 1376 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe 7
PID 1376 wrote to memory of 1972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe 5

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\e41862e6cf7c3206fe699b624046c6d3f7ecd59fce0ddca1aadcc87b30545949.xls

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EsETczsCsSZRWQsnG\mZzcnpJKpx.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JBVdDuMy\IEZpehQcmY.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv4.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AdnZw\YqaQy.dll"
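The process list above is the whole loader chain. 32-bit EXCEL.EXE (PID 832) runs regsvr32 with /S on a downloaded file whose extension is not .dll; the command line names C:\Windows\System32\regsvr32.exe, but WoW64 file system redirection gives the 32-bit Excel the SysWOW64 copy. That 32-bit regsvr32 cannot load a 64-bit module and re-launches the 64-bit regsvr32 from System32 with the same arguments, which is where the DLL actually runs. The DLL then starts one more regsvr32 to register a DLL from a randomly named subdirectory of System32. The elv3 branch (PID 1356) never got a 64-bit child, which matches the Files section listing no elv3.ooocccxxx. The following Python is an added example, not part of the sandbox report: it encodes that tree (PIDs and command lines are taken from the Processes and WriteProcessMemory tables, but which command line belongs to which PID is assumed from the order of those tables, since the report does not pair them) and applies three detection heuristics a practitioner would write from this report.

```python
# Added example for this report, not sandbox output.  PROCESSES is constructed
# from the Processes and WriteProcessMemory tables; the PID <-> command line
# pairing is assumed from table order.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
MODULE_EXTENSIONS = {".dll", ".ocx", ".ax"}
# A DLL sitting directly in a subdirectory of System32, e.g. System32\AdnZw\YqaQy.dll
SYSTEM32_SUBDIR_DLL = re.compile(r"^c:\\windows\\system32\\[^\\]+\\[^\\]+\.dll$", re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str    # image path as the sandbox recorded it
    cmdline: str  # command line as the parent supplied it


EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
WOW64 = r"C:\Windows\SysWOW64\regsvr32.exe"
SYS64 = r"C:\Windows\system32\regsvr32.exe"
PROCESSES: List[Proc] = [  # ppid 0: parent outside the recorded tree
    Proc(832, 0, EXCEL, r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\e41862e6cf7c3206fe699b624046c6d3f7ecd59fce0ddca1aadcc87b30545949.xls'),
    Proc(1860, 832, WOW64, r"C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx"),
    Proc(1372, 1860, SYS64, r"/S ..\elv1.ooocccxxx"),
    Proc(796, 1372, SYS64, r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EsETczsCsSZRWQsnG\mZzcnpJKpx.dll"'),
    Proc(552, 832, WOW64, r"C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx"),
    Proc(1960, 552, SYS64, r"/S ..\elv2.ooocccxxx"),
    Proc(1364, 1960, SYS64, r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JBVdDuMy\IEZpehQcmY.dll"'),
    Proc(1356, 832, WOW64, r"C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx"),
    Proc(1144, 832, WOW64, r"C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx"),
    Proc(1376, 1144, SYS64, r"/S ..\elv4.ooocccxxx"),
    Proc(1972, 1376, SYS64, r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AdnZw\YqaQy.dll"'),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regsvr32_module(cmdline: str) -> Optional[str]:
    """The module regsvr32 was asked to load: the last non-switch argument,
    ignoring the regsvr32 image itself when the command line starts with it."""
    args = [quoted or bare for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    if args and basename(args[0]) == "regsvr32.exe":
        args = args[1:]
    args = [a for a in args if not a.startswith("/")]
    return args[-1] if args else None


def check(proc: Proc, parent: Optional[Proc]) -> List[str]:
    """Apply the three heuristics to one process; each hit is a tagged string."""
    hits: List[str] = []
    image = basename(proc.image)
    if parent is not None and basename(parent.image) in OFFICE_IMAGES and image in LOLBINS:
        hits.append(f"office_spawns_lolbin: {basename(parent.image)} -> {image}")
    if image == "regsvr32.exe":
        module = regsvr32_module(proc.cmdline)
        if module:
            name = basename(module)
            ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
            if ext not in MODULE_EXTENSIONS:           # elv1.ooocccxxx is not a .dll
                hits.append(f"regsvr32_non_dll_extension: {module}")
            if module.startswith("..\\") or "\\users\\" in module.lower():
                hits.append(f"regsvr32_user_writable_path: {module}")
            if SYSTEM32_SUBDIR_DLL.match(module):      # System32\<random>\<random>.dll
                hits.append(f"regsvr32_system32_subdir_dll: {module}")
    return hits


def analyze(procs: List[Proc]) -> Dict[int, List[str]]:
    """PID -> findings, for every process that triggered at least one heuristic."""
    by_pid = {p.pid: p for p in procs}
    result: Dict[int, List[str]] = {}
    for p in procs:
        hits = check(p, by_pid.get(p.ppid))
        if hits:
            result[p.pid] = hits
    return result


def ancestry(procs: List[Proc], pid: int) -> List[int]:
    """PIDs from the given process up to the root of the recorded tree."""
    by_pid = {p.pid: p for p in procs}
    chain: List[int] = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, hits in analyze(PROCESSES).items():
        print(pid, " <- ".join(map(str, ancestry(PROCESSES, pid))), *hits, sep="\n  ")
```

Every regsvr32 in the tree trips at least one heuristic and EXCEL.EXE trips none, which is the shape you want for an alert on the first regsvr32 child rather than on the Office process. The System32-subdirectory rule is the noisiest of the three on real fleets, because some installers do register components from a vendor folder under System32; keep it, but feed it an allowlist of known vendor directories before using it for blocking.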

Network

Country Destination Domain Proto
US 8.8.8.8:53 wordpress.xinmoshiwang.com udp
CN 47.92.35.35:80 wordpress.xinmoshiwang.com tcp
US 8.8.8.8:53 ftp.appleshipstores.com udp
US 66.96.162.143:80 ftp.appleshipstores.com tcp
US 8.8.8.8:53 onaltiyadokuz.net udp
BG 185.176.40.48:80 onaltiyadokuz.net tcp
US 8.8.8.8:53 cepasvirtual.com.ar udp
AR 179.43.117.122:80 cepasvirtual.com.ar tcp
KR 182.162.143.56:443 tcp
KR 182.162.143.56:443 tcp
KR 182.162.143.56:443 tcp
KR 182.162.143.56:443 tcp
US 169.60.181.70:8080 tcp
US 169.60.181.70:8080 tcp
KR 182.162.143.56:443 tcp
KR 182.162.143.56:443 tcp
SG 149.28.143.92:443 tcp
US 169.60.181.70:8080 tcp
SG 149.28.143.92:443 tcp
RS 91.187.140.35:8080 tcp
RS 91.187.140.35:8080 tcp
SG 149.28.143.92:443 tcp
BR 187.63.160.88:80 tcp
RS 91.187.140.35:8080 tcp
RS 91.187.140.35:8080 tcp
BR 187.63.160.88:80 tcp
BR 187.63.160.88:80 tcp
BR 187.63.160.88:80 tcp
FR 94.23.45.86:4143 tcp
FR 94.23.45.86:4143 tcp
RS 91.187.140.35:8080 tcp
RS 91.187.140.35:8080 tcp
FI 95.217.221.146:8080 tcp
FR 94.23.45.86:4143 tcp
FR 94.23.45.86:4143 tcp
BR 187.63.160.88:80 tcp
BR 187.63.160.88:80 tcp
FI 95.217.221.146:8080 tcp
AU 110.232.117.186:8080 tcp
FR 94.23.45.86:4143 tcp
FR 94.23.45.86:4143 tcp
AU 110.232.117.186:8080 tcp
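Two kinds of traffic are mixed in the table above: four hosts that were looked up at the sandbox resolver (8.8.8.8) and then contacted by name over port 80, and a set of bare ip:port endpoints on 443, 8080, 4143 and 80 that were contacted with no lookup at all. The first group is the download stage of the macro; the second is what a peer list hardcoded in the loader looks like in a capture. The following Python is an added example, not part of the sandbox report: it parses the table text copied from the Network section above, splits the two groups, and recovers the order in which the hardcoded endpoints were first tried. The split is a triage heuristic, not a classification the report makes, and a sample that resolves its C2 by name would land in the first bucket.

```python
# Added example for this report, not sandbox output.  NETWORK_TABLE is the
# Network section copied verbatim; the domain column is empty for direct-to-IP rows.
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

NETWORK_TABLE = """\
US 8.8.8.8:53 wordpress.xinmoshiwang.com udp
CN 47.92.35.35:80 wordpress.xinmoshiwang.com tcp
US 8.8.8.8:53 ftp.appleshipstores.com udp
US 66.96.162.143:80 ftp.appleshipstores.com tcp
US 8.8.8.8:53 onaltiyadokuz.net udp
BG 185.176.40.48:80 onaltiyadokuz.net tcp
US 8.8.8.8:53 cepasvirtual.com.ar udp
AR 179.43.117.122:80 cepasvirtual.com.ar tcp
KR 182.162.143.56:443 tcp
KR 182.162.143.56:443 tcp
KR 182.162.143.56:443 tcp
KR 182.162.143.56:443 tcp
US 169.60.181.70:8080 tcp
US 169.60.181.70:8080 tcp
KR 182.162.143.56:443 tcp
KR 182.162.143.56:443 tcp
SG 149.28.143.92:443 tcp
US 169.60.181.70:8080 tcp
SG 149.28.143.92:443 tcp
RS 91.187.140.35:8080 tcp
RS 91.187.140.35:8080 tcp
SG 149.28.143.92:443 tcp
BR 187.63.160.88:80 tcp
RS 91.187.140.35:8080 tcp
RS 91.187.140.35:8080 tcp
BR 187.63.160.88:80 tcp
BR 187.63.160.88:80 tcp
BR 187.63.160.88:80 tcp
FR 94.23.45.86:4143 tcp
FR 94.23.45.86:4143 tcp
RS 91.187.140.35:8080 tcp
RS 91.187.140.35:8080 tcp
FI 95.217.221.146:8080 tcp
FR 94.23.45.86:4143 tcp
FR 94.23.45.86:4143 tcp
BR 187.63.160.88:80 tcp
BR 187.63.160.88:80 tcp
FI 95.217.221.146:8080 tcp
AU 110.232.117.186:8080 tcp
FR 94.23.45.86:4143 tcp
FR 94.23.45.86:4143 tcp
AU 110.232.117.186:8080 tcp
"""

# "CC ip:port [domain] proto"; the optional group backtracks to empty when the
# only remaining token is the protocol.
ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                 r"(?: (?P<domain>[^\s:]+))? (?P<proto>tcp|udp)$")


def parse_rows(text: str) -> List[dict]:
    """One dict per table row; lines that do not match the row shape are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def classify(rows: List[dict]) -> Tuple[Dict[str, Set[str]], Counter]:
    """named: domain -> ip:port endpoints reached by name (the download hosts).
    direct: ip:port -> number of tcp connections made with no hostname at all."""
    named: Dict[str, Set[str]] = {}
    direct: Counter = Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            continue  # the DNS query itself; the name recurs on the following tcp row
        endpoint = f"{r['ip']}:{r['port']}"
        if r["domain"]:
            named.setdefault(r["domain"], set()).add(endpoint)
        else:
            direct[endpoint] += 1
    return named, direct


def first_contact_order(rows: List[dict]) -> List[str]:
    """Distinct direct-to-IP endpoints in the order the sample first tried them."""
    seen: List[str] = []
    for r in rows:
        if r["proto"] == "tcp" and not r["domain"]:
            endpoint = f"{r['ip']}:{r['port']}"
            if endpoint not in seen:
                seen.append(endpoint)
    return seen


if __name__ == "__main__":
    named_hosts, direct_peers = classify(parse_rows(NETWORK_TABLE))
    print("download hosts:", sorted(named_hosts))
    print("hardcoded peers, first-contact order:", first_contact_order(parse_rows(NETWORK_TABLE)))
    print("connections per peer:", dict(direct_peers))
```

The repeated connections to the same endpoint (six to 182.162.143.56:443 before the sample moved on) are the retries you would expect from a peer list walked in order, and the list itself, not the four download hosts, is what belongs in a block rule: the download hosts are compromised sites that change per spam wave, while the peer list is shared by every sample built from the same configuration.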

Files

memory/832-54-0x000000002FB61000-0x000000002FB64000-memory.dmp

memory/832-55-0x0000000071C61000-0x0000000071C63000-memory.dmp

memory/832-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/832-57-0x0000000072C4D000-0x0000000072C58000-memory.dmp

memory/832-58-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

memory/832-59-0x0000000072C4D000-0x0000000072C58000-memory.dmp

memory/1860-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv1.ooocccxxx

MD5 8acc929bb4c9389acc4065a8ef22a2e5
SHA1 aa2eb2163e06ceef6d69deba00cf611a4912323e
SHA256 a7922c6092d43c146508c4ed25789ed27e4bf24fdc2eb001ea01517f418b504d
SHA512 d63eddf4f06acf350999ffcb83802fd7436154412c0a24e327e4609ff36aa9675a30604b5cb45da5708dabc15dcba90090a7c0e87b3c301b2c35abd720ec792d

\Users\Admin\elv2.ooocccxxx

MD5 f348358f3177a9bcf4e653ceb5282229
SHA1 b209971db44f1f6b0fbb0072c4949eb9d6deef7e
SHA256 2692e423504370899c4228216e69a6bdb854ececab6f7f60a38d8ace29a196e4
SHA512 2fd28637e2957f740a9c50154265b43f82253bcbac7e32c263f589cfb3791a679046db5312cb1ceedf8f67c22d1dca505154f6223af6c33b6ea47caf4a6dfcef

C:\Users\Admin\elv4.ooocccxxx

MD5 068c9d1d3bf5fb2f15924f1fe2c15464
SHA1 10cfb6d1188d5fc730059481fd23a3b38679ca89
SHA256 04c630720447a87da96dd0a065f8c90f48a499720df18055def66ebda14b4d6e
SHA512 4c2527966902559370ae85b79d3a6427a8488d0e29322d2d58633df814a7c4ae95c6237143094646325fa422e644ca2785449e70d2fac1df6a3ecd0a3dc01359

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-09 21:11

Reported

2022-11-09 21:14

Platform

win10v2004-20220901-en

Max time kernel

135s

Max time network

139s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e41862e6cf7c3206fe699b624046c6d3f7ecd59fce0ddca1aadcc87b30545949.xls"

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YqXVbFjeArSEl.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\JsaBZAYhUN\\YqXVbFjeArSEl.dll\"" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yimOpOvR.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\HgGOROVvnZWc\\yimOpOvR.dll\"" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eneeBp.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\RzYOAs\\eneeBp.dll\"" C:\Windows\system32\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4992 wrote to memory of 4948 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4992 wrote to memory of 4948 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4948 wrote to memory of 3056 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4948 wrote to memory of 3056 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4992 wrote to memory of 1112 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4992 wrote to memory of 1112 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4992 wrote to memory of 2164 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4992 wrote to memory of 2164 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 1112 wrote to memory of 1352 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1112 wrote to memory of 1352 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4992 wrote to memory of 2296 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4992 wrote to memory of 2296 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 2296 wrote to memory of 1836 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2296 wrote to memory of 1836 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e41862e6cf7c3206fe699b624046c6d3f7ecd59fce0ddca1aadcc87b30545949.xls"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JsaBZAYhUN\YqXVbFjeArSEl.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HgGOROVvnZWc\yimOpOvR.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RzYOAs\eneeBp.dll"

Network


Files

C:\Users\Admin\elv1.ooocccxxx

MD5 8acc929bb4c9389acc4065a8ef22a2e5
SHA1 aa2eb2163e06ceef6d69deba00cf611a4912323e
SHA256 a7922c6092d43c146508c4ed25789ed27e4bf24fdc2eb001ea01517f418b504d
SHA512 d63eddf4f06acf350999ffcb83802fd7436154412c0a24e327e4609ff36aa9675a30604b5cb45da5708dabc15dcba90090a7c0e87b3c301b2c35abd720ec792d

C:\Windows\System32\JsaBZAYhUN\YqXVbFjeArSEl.dll

MD5 8acc929bb4c9389acc4065a8ef22a2e5
SHA1 aa2eb2163e06ceef6d69deba00cf611a4912323e
SHA256 a7922c6092d43c146508c4ed25789ed27e4bf24fdc2eb001ea01517f418b504d
SHA512 d63eddf4f06acf350999ffcb83802fd7436154412c0a24e327e4609ff36aa9675a30604b5cb45da5708dabc15dcba90090a7c0e87b3c301b2c35abd720ec792d

C:\Users\Admin\elv2.ooocccxxx

MD5 f348358f3177a9bcf4e653ceb5282229
SHA1 b209971db44f1f6b0fbb0072c4949eb9d6deef7e
SHA256 2692e423504370899c4228216e69a6bdb854ececab6f7f60a38d8ace29a196e4
SHA512 2fd28637e2957f740a9c50154265b43f82253bcbac7e32c263f589cfb3791a679046db5312cb1ceedf8f67c22d1dca505154f6223af6c33b6ea47caf4a6dfcef

C:\Windows\System32\HgGOROVvnZWc\yimOpOvR.dll

MD5 f348358f3177a9bcf4e653ceb5282229
SHA1 b209971db44f1f6b0fbb0072c4949eb9d6deef7e
SHA256 2692e423504370899c4228216e69a6bdb854ececab6f7f60a38d8ace29a196e4
SHA512 2fd28637e2957f740a9c50154265b43f82253bcbac7e32c263f589cfb3791a679046db5312cb1ceedf8f67c22d1dca505154f6223af6c33b6ea47caf4a6dfcef

C:\Users\Admin\elv4.ooocccxxx

MD5 068c9d1d3bf5fb2f15924f1fe2c15464
SHA1 10cfb6d1188d5fc730059481fd23a3b38679ca89
SHA256 04c630720447a87da96dd0a065f8c90f48a499720df18055def66ebda14b4d6e
SHA512 4c2527966902559370ae85b79d3a6427a8488d0e29322d2d58633df814a7c4ae95c6237143094646325fa422e644ca2785449e70d2fac1df6a3ecd0a3dc01359

C:\Windows\System32\RzYOAs\eneeBp.dll

MD5 068c9d1d3bf5fb2f15924f1fe2c15464
SHA1 10cfb6d1188d5fc730059481fd23a3b38679ca89
SHA256 04c630720447a87da96dd0a065f8c90f48a499720df18055def66ebda14b4d6e
SHA512 4c2527966902559370ae85b79d3a6427a8488d0e29322d2d58633df814a7c4ae95c6237143094646325fa422e644ca2785449e70d2fac1df6a3ecd0a3dc01359