emotet | 4bbdeba86763e0ef1ef5a037b6a97a03fb37a44394773a5c8d6c126f12babc63

Analysis

max time kernel
299s
max time network
304s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
13-11-2022 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1211.xls
Size

96KB
MD5

61702e522745bf911053f505bd144d2e
SHA1

e0a4a67d3dae7af500c457117bcc97fc9e452efc
SHA256

4bbdeba86763e0ef1ef5a037b6a97a03fb37a44394773a5c8d6c126f12babc63
SHA512

5c3d7db6b0235a8698513e93d1f09384bc4d4483d5530e9a9262dacb73bd66179f29d666ae36f975004daa511229f49586cfddc09fa6821a68768cf7ff647cc0
SSDEEP

3072:PKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgnOmH4wbH5M:PKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgnw

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://fromthetrenchesworldreport.com/analytics/ZY5ntk/

xlm40.dropper

http://d4842.cp.irishdomains.com/issa/images/kbwwxkgV1akI2jW8ZKs/

xlm40.dropper

http://erkaradyator.com.tr/Areas/Ar2lgC3yhtxBY/

xlm40.dropper

http://forgione.com.ar/genealogia/dRBVyl/

Extracted

Family

emotet

Botnet

Epoch5

202.28.34.99:8080

80.211.107.116:8080

175.126.176.79:8080

218.38.121.17:443

139.196.72.155:8080

103.71.99.57:8080

87.106.97.83:7080

178.62.112.199:8080

64.227.55.231:8080

46.101.98.60:8080

54.37.228.122:443

128.199.217.206:443

190.145.8.4:443

209.239.112.82:8080

85.214.67.203:8080

198.199.70.22:8080

128.199.242.164:8080

178.238.225.252:8080

103.85.95.4:8080

103.126.216.86:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1408	1204	regsvr32.exe	26
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2012	1204	regsvr32.exe	26
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1420	1204	regsvr32.exe	26
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1636	1204	regsvr32.exe	26

Downloads MZ/PE file

Loads dropped DLL 6 IoCs

pid	Process
1408	regsvr32.exe
1580	regsvr32.exe
2012	regsvr32.exe
1972	regsvr32.exe
1420	regsvr32.exe
1436	regsvr32.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1204	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1580	regsvr32.exe
2020	regsvr32.exe
1972	regsvr32.exe
2020	regsvr32.exe
1568	regsvr32.exe
1568	regsvr32.exe
1436	regsvr32.exe
1356	regsvr32.exe
1356	regsvr32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1204	EXCEL.EXE
1204	EXCEL.EXE
1204	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1408	1204	EXCEL.EXE	29
PID 1204 wrote to memory of 1408	1204	EXCEL.EXE	29
PID 1204 wrote to memory of 1408	1204	EXCEL.EXE	29
PID 1204 wrote to memory of 1408	1204	EXCEL.EXE	29
PID 1204 wrote to memory of 1408	1204	EXCEL.EXE	29
PID 1204 wrote to memory of 1408	1204	EXCEL.EXE	29
PID 1204 wrote to memory of 1408	1204	EXCEL.EXE	29
PID 1408 wrote to memory of 1580	1408	regsvr32.exe	30
PID 1408 wrote to memory of 1580	1408	regsvr32.exe	30
PID 1408 wrote to memory of 1580	1408	regsvr32.exe	30
PID 1408 wrote to memory of 1580	1408	regsvr32.exe	30
PID 1408 wrote to memory of 1580	1408	regsvr32.exe	30
PID 1408 wrote to memory of 1580	1408	regsvr32.exe	30
PID 1408 wrote to memory of 1580	1408	regsvr32.exe	30
PID 1580 wrote to memory of 2020	1580	regsvr32.exe	31
PID 1580 wrote to memory of 2020	1580	regsvr32.exe	31
PID 1580 wrote to memory of 2020	1580	regsvr32.exe	31
PID 1580 wrote to memory of 2020	1580	regsvr32.exe	31
PID 1580 wrote to memory of 2020	1580	regsvr32.exe	31
PID 1204 wrote to memory of 2012	1204	EXCEL.EXE	32
PID 1204 wrote to memory of 2012	1204	EXCEL.EXE	32
PID 1204 wrote to memory of 2012	1204	EXCEL.EXE	32
PID 1204 wrote to memory of 2012	1204	EXCEL.EXE	32
PID 1204 wrote to memory of 2012	1204	EXCEL.EXE	32
PID 1204 wrote to memory of 2012	1204	EXCEL.EXE	32
PID 1204 wrote to memory of 2012	1204	EXCEL.EXE	32
PID 2012 wrote to memory of 1972	2012	regsvr32.exe	33
PID 2012 wrote to memory of 1972	2012	regsvr32.exe	33
PID 2012 wrote to memory of 1972	2012	regsvr32.exe	33
PID 2012 wrote to memory of 1972	2012	regsvr32.exe	33
PID 2012 wrote to memory of 1972	2012	regsvr32.exe	33
PID 2012 wrote to memory of 1972	2012	regsvr32.exe	33
PID 2012 wrote to memory of 1972	2012	regsvr32.exe	33
PID 1972 wrote to memory of 1568	1972	regsvr32.exe	34
PID 1972 wrote to memory of 1568	1972	regsvr32.exe	34
PID 1972 wrote to memory of 1568	1972	regsvr32.exe	34
PID 1972 wrote to memory of 1568	1972	regsvr32.exe	34
PID 1972 wrote to memory of 1568	1972	regsvr32.exe	34
PID 1204 wrote to memory of 1420	1204	EXCEL.EXE	35
PID 1204 wrote to memory of 1420	1204	EXCEL.EXE	35
PID 1204 wrote to memory of 1420	1204	EXCEL.EXE	35
PID 1204 wrote to memory of 1420	1204	EXCEL.EXE	35
PID 1204 wrote to memory of 1420	1204	EXCEL.EXE	35
PID 1204 wrote to memory of 1420	1204	EXCEL.EXE	35
PID 1204 wrote to memory of 1420	1204	EXCEL.EXE	35
PID 1420 wrote to memory of 1436	1420	regsvr32.exe	36
PID 1420 wrote to memory of 1436	1420	regsvr32.exe	36
PID 1420 wrote to memory of 1436	1420	regsvr32.exe	36
PID 1420 wrote to memory of 1436	1420	regsvr32.exe	36
PID 1420 wrote to memory of 1436	1420	regsvr32.exe	36
PID 1420 wrote to memory of 1436	1420	regsvr32.exe	36
PID 1420 wrote to memory of 1436	1420	regsvr32.exe	36
PID 1436 wrote to memory of 1356	1436	regsvr32.exe	37
PID 1436 wrote to memory of 1356	1436	regsvr32.exe	37
PID 1436 wrote to memory of 1356	1436	regsvr32.exe	37
PID 1436 wrote to memory of 1356	1436	regsvr32.exe	37
PID 1436 wrote to memory of 1356	1436	regsvr32.exe	37
PID 1204 wrote to memory of 1636	1204	EXCEL.EXE	38
PID 1204 wrote to memory of 1636	1204	EXCEL.EXE	38
PID 1204 wrote to memory of 1636	1204	EXCEL.EXE	38
PID 1204 wrote to memory of 1636	1204	EXCEL.EXE	38
PID 1204 wrote to memory of 1636	1204	EXCEL.EXE	38
PID 1204 wrote to memory of 1636	1204	EXCEL.EXE	38
PID 1204 wrote to memory of 1636	1204	EXCEL.EXE	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1211.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\scud1.ooocccxxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\system32\regsvr32.exe
    /S ..\scud1.ooocccxxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PNoneBI\pAnZeeSXEch.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2020
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\scud2.ooocccxxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\regsvr32.exe
    /S ..\scud2.ooocccxxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PboSRGmxepGfVHBlp\swDSUYyVVPTzqQi.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1568
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\scud3.ooocccxxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\system32\regsvr32.exe
    /S ..\scud3.ooocccxxx
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OZUdeqeMFvooc\PeMhB.dll"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1356
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\scud4.ooocccxxx
  2⤵
  - Process spawned unexpected child process
  PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\scud1.ooocccxxx

Filesize
516KB

MD5
2a2b05bf1934553c30901366c0a6c08a

SHA1
584bc27aa77fb97096dddbbb2eb061adac49551c

SHA256
b0d44c099dc9dcd8d5e54dd190017b09cc7c52155dcdcea98b66aa627c221d76

SHA512
165e9d3210c820b9d2a5c95ba92a051e71a63d3e2e270452b0ed818fe0ac2d4882777434da5556fb0af7292b783769aa690e8cab9bdb13bd37e618f402d0277e

Download Submit
C:\Users\Admin\scud2.ooocccxxx

Filesize
516KB

MD5
378a50f0877aef30ff163ea235b67423

SHA1
b3de2fc7d451d3d7ab9bd14ff4ecd759e3623094

SHA256
395344cc68f391ab834e2479eb5a68c7071c848f96535c3f251925e5e32cf139

SHA512
c42d9f1e2c419c65a711e137d57e8cba6560ca6e2a602c235945b0798e2ffda3d917b7089b817eb9c1eea6de2084087472e8dac7d7a60fcd65cdfcc5ba0cce2f

Download Submit
C:\Users\Admin\scud3.ooocccxxx

Filesize
516KB

MD5
00dcec234bb316293dd4b753c0af7f96

SHA1
0480882d53d8be95288927c8b1b06c3707b7d1ec

SHA256
1393ea8eab35a00ce13a541d29fbab55db5b90cd32a1bcf8f137c5b9c06a2069

SHA512
fbf60676263224d6c178acca49d9ebd110f0122bf764581873c5c5a8eba5a44d5cf04ba02939bc8747d1089c216f93c6de627fab857247c2201f93c0d768f7ab

Download Submit
\Users\Admin\scud1.ooocccxxx

Filesize
516KB

MD5
2a2b05bf1934553c30901366c0a6c08a

SHA1
584bc27aa77fb97096dddbbb2eb061adac49551c

SHA256
b0d44c099dc9dcd8d5e54dd190017b09cc7c52155dcdcea98b66aa627c221d76

SHA512
165e9d3210c820b9d2a5c95ba92a051e71a63d3e2e270452b0ed818fe0ac2d4882777434da5556fb0af7292b783769aa690e8cab9bdb13bd37e618f402d0277e

Download Submit
\Users\Admin\scud1.ooocccxxx

Filesize
516KB

MD5
2a2b05bf1934553c30901366c0a6c08a

SHA1
584bc27aa77fb97096dddbbb2eb061adac49551c

SHA256
b0d44c099dc9dcd8d5e54dd190017b09cc7c52155dcdcea98b66aa627c221d76

SHA512
165e9d3210c820b9d2a5c95ba92a051e71a63d3e2e270452b0ed818fe0ac2d4882777434da5556fb0af7292b783769aa690e8cab9bdb13bd37e618f402d0277e

Download Submit
\Users\Admin\scud2.ooocccxxx

Filesize
516KB

MD5
378a50f0877aef30ff163ea235b67423

SHA1
b3de2fc7d451d3d7ab9bd14ff4ecd759e3623094

SHA256
395344cc68f391ab834e2479eb5a68c7071c848f96535c3f251925e5e32cf139

SHA512
c42d9f1e2c419c65a711e137d57e8cba6560ca6e2a602c235945b0798e2ffda3d917b7089b817eb9c1eea6de2084087472e8dac7d7a60fcd65cdfcc5ba0cce2f

Download Submit
\Users\Admin\scud2.ooocccxxx

Filesize
516KB

MD5
378a50f0877aef30ff163ea235b67423

SHA1
b3de2fc7d451d3d7ab9bd14ff4ecd759e3623094

SHA256
395344cc68f391ab834e2479eb5a68c7071c848f96535c3f251925e5e32cf139

SHA512
c42d9f1e2c419c65a711e137d57e8cba6560ca6e2a602c235945b0798e2ffda3d917b7089b817eb9c1eea6de2084087472e8dac7d7a60fcd65cdfcc5ba0cce2f

Download Submit
\Users\Admin\scud3.ooocccxxx

Filesize
516KB

MD5
00dcec234bb316293dd4b753c0af7f96

SHA1
0480882d53d8be95288927c8b1b06c3707b7d1ec

SHA256
1393ea8eab35a00ce13a541d29fbab55db5b90cd32a1bcf8f137c5b9c06a2069

SHA512
fbf60676263224d6c178acca49d9ebd110f0122bf764581873c5c5a8eba5a44d5cf04ba02939bc8747d1089c216f93c6de627fab857247c2201f93c0d768f7ab

Download Submit
\Users\Admin\scud3.ooocccxxx

Filesize
516KB

MD5
00dcec234bb316293dd4b753c0af7f96

SHA1
0480882d53d8be95288927c8b1b06c3707b7d1ec

SHA256
1393ea8eab35a00ce13a541d29fbab55db5b90cd32a1bcf8f137c5b9c06a2069

SHA512
fbf60676263224d6c178acca49d9ebd110f0122bf764581873c5c5a8eba5a44d5cf04ba02939bc8747d1089c216f93c6de627fab857247c2201f93c0d768f7ab

Download Submit
memory/1204-69-0x0000000071F1D000-0x0000000071F28000-memory.dmp

Filesize
44KB

Download
memory/1204-58-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1204-57-0x0000000071F1D000-0x0000000071F28000-memory.dmp

Filesize
44KB

Download
memory/1204-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1204-55-0x0000000070F31000-0x0000000070F33000-memory.dmp

Filesize
8KB

Download
memory/1204-54-0x000000002F0A1000-0x000000002F0A4000-memory.dmp

Filesize
12KB

Download
memory/1580-64-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1580-66-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download