4a65356586777494a89a788ae4bcbb4295c54e668f0a2f3170ecebefc801e4ca

Analysis

max time kernel
151s
max time network
209s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
22-11-2022 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55a0f2b3db0d1efd18321b7701c658b3.xls
Size

33KB
MD5

55a0f2b3db0d1efd18321b7701c658b3
SHA1

8edc457ff5cbc5eef2e1e269702dac8c907c6402
SHA256

4a65356586777494a89a788ae4bcbb4295c54e668f0a2f3170ecebefc801e4ca
SHA512

583dfc22752983b806bc9d6e4ff873f2952923e66d5c35e8fd482b89c2eb045d65ffc4184b412ac9b238f73a5f7a8564ddfcd7233ac8f0d0e90216e6425e15d8
SSDEEP

768:/ik3hOdsylKlgryzc4bNhZFGzE+cL2knAJp2Inur39U/8+:qk3hOdsylKlgryzc4bNhZFGzE+cL2knw

Score

1^/10

Malware Config

Signatures

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEEXCEL.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{369FF1B1-6AB5-11ED-B78F-CED6325FB9F2} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1356 EXCEL.EXE
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

EXCEL.EXEIEXPLORE.EXE

pid process

1356 EXCEL.EXE
1356 EXCEL.EXE
1272 IEXPLORE.EXE
1272 IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

EXCEL.EXEIEXPLORE.EXEIEXPLORE.EXEWINWORD.EXEIEXPLORE.EXE

pid	process
1356	EXCEL.EXE
1356	EXCEL.EXE
1356	EXCEL.EXE
1272	IEXPLORE.EXE
1272	IEXPLORE.EXE
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE
1764	WINWORD.EXE
1764	WINWORD.EXE
1272	IEXPLORE.EXE
1272	IEXPLORE.EXE
1304	IEXPLORE.EXE
1304	IEXPLORE.EXE
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EXCEL.EXEIEXPLORE.EXE

description	pid	process	target process
PID 1356 wrote to memory of 1272	1356	EXCEL.EXE	IEXPLORE.EXE
PID 1356 wrote to memory of 1272	1356	EXCEL.EXE	IEXPLORE.EXE
PID 1356 wrote to memory of 1272	1356	EXCEL.EXE	IEXPLORE.EXE
PID 1356 wrote to memory of 1272	1356	EXCEL.EXE	IEXPLORE.EXE
PID 1272 wrote to memory of 1736	1272	IEXPLORE.EXE	IEXPLORE.EXE
PID 1272 wrote to memory of 1736	1272	IEXPLORE.EXE	IEXPLORE.EXE
PID 1272 wrote to memory of 1736	1272	IEXPLORE.EXE	IEXPLORE.EXE
PID 1272 wrote to memory of 1736	1272	IEXPLORE.EXE	IEXPLORE.EXE
PID 1272 wrote to memory of 1304	1272	IEXPLORE.EXE	IEXPLORE.EXE
PID 1272 wrote to memory of 1304	1272	IEXPLORE.EXE	IEXPLORE.EXE
PID 1272 wrote to memory of 1304	1272	IEXPLORE.EXE	IEXPLORE.EXE
PID 1272 wrote to memory of 1304	1272	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\55a0f2b3db0d1efd18321b7701c658b3.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" https://products.office.com/zh-CN/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1272

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:406530 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
382d683007c8e7045687fb2864160395

SHA1
2a81220c2ca12c877955c941753b28cef8647ab3

SHA256
76bcc416a32dc55ea268a00cf69405aaa42cd6eafa99a41ec4d71c0205913769

SHA512
885d3cbd387394eef795c8b34a951fdd27691cc0678c5b4621ea5cc20cdcc19af01b7136f864b520148834b94e9a83184c98517d0448fc6e1ad55a8e17b315ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a06b41f8d7601d43cfabd32457d3516

SHA1
4739bb4a2180bb54d7e9f875c5cedcd29b41cf19

SHA256
46009a84552884f6efb2381cbb4d5119306a89da3e6222c00da548e0a28e9813

SHA512
85b497497c58f4e7e9919fb1f195d3758e67e8a4fdb731a658c32173eb17dbfedd214e608f90ecbc9a57ecf1b23b0994e23996d87fcb0f638c14c11a93d5fe3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c06071cc281ac4bcd57d4e9c3f003b9

SHA1
e82001c5848eb38fdc1bb7198a4d31ef2020c13a

SHA256
baf89f6c18915471224fa021fd27aa516308dc6fbf48e9e54088c6041f9600dd

SHA512
4129abfa77ae013b39fe44251958f175b9f058d4288f84e18234438b07bcaf19162af5bc6229ffda0d3c65ef6e96f86d6cd39b432d7ee7555e91c3f95b53cccf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f2686731aaf6ca1ff0aa29d8b03cbad

SHA1
049e62a7b94708fa1ca6c19196a3d7cc7da20ae9

SHA256
9e467cccfa219208d966df7a76004fbdeaa640b2bc0cbb52d84c811886e6c500

SHA512
05d3ca9671b64561854d55a827bafafdcf3f06d92bfb817a28283e5396242cb440a075f2ceb5c1ba7064787375c1e5484015a944238baf89056227ff142b5e9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8624c0a628af922b78aa655cc111c6f9

SHA1
7c25c5741c5302cc23cc405b8a4a03efb4d954b6

SHA256
48622dbccf5485e2c5bfd5d775243f68e4fee90234d868e332b65b65b1c85701

SHA512
5e09939274b9536759f7e10cf82491ad5d3dfb8734b35327414db0b8f779b23a3a8128ed2dca52bc31c92acc4726b51a0ece052071f108e176997ab299363199

Download Submit
memory/1356-84-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-68-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-57-0x0000000071E0D000-0x0000000071E18000-memory.dmp

Filesize
44KB

Download
memory/1356-58-0x0000000074E01000-0x0000000074E03000-memory.dmp

Filesize
8KB

Download
memory/1356-59-0x000000006C391000-0x000000006C393000-memory.dmp

Filesize
8KB

Download
memory/1356-67-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-66-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-65-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-64-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-63-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-61-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-62-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-60-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-87-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-69-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-70-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-72-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-71-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-75-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-77-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-76-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-74-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-73-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-78-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-79-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-81-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-80-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-83-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-82-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-55-0x0000000070E21000-0x0000000070E23000-memory.dmp

Filesize
8KB

Download
memory/1356-89-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-86-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-92-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1356-85-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-91-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-90-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-88-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-93-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-94-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-95-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-96-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-97-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-99-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-98-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-106-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-105-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-104-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-103-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-102-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-101-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-100-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-107-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-109-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-108-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-110-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-111-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-112-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-113-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-114-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-54-0x000000002FB91000-0x000000002FB94000-memory.dmp

Filesize
12KB

Download
memory/1356-115-0x0000000000447000-0x0000000000452000-memory.dmp

Filesize
44KB

Download
memory/1356-124-0x0000000071E0D000-0x0000000071E18000-memory.dmp

Filesize
44KB

Download
memory/1764-116-0x0000000068691000-0x0000000068694000-memory.dmp

Filesize
12KB

Download
memory/1764-120-0x0000000071E0D000-0x0000000071E18000-memory.dmp

Filesize
44KB

Download
memory/1764-121-0x0000000071E0D000-0x0000000071E18000-memory.dmp

Filesize
44KB

Download