Malware Analysis Report

2025-08-06 04:00

Sample ID 230308-gxnjraec89
Target Electronic form.7z
SHA256 29ecc66052eb737a86de8ec8c9a202c3295e863ff22c0a8d77d54cb32451207f
Tags
macro macro_on_action emotet epoch4 banker persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

29ecc66052eb737a86de8ec8c9a202c3295e863ff22c0a8d77d54cb32451207f

Threat Level: Known bad

The file Electronic form.7z was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action emotet epoch4 banker persistence trojan

Process spawned unexpected child process

Emotet

Office macro that triggers on suspicious action

Suspicious Office macro

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Modifies registry class

Script User-Agent

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-08 06:11

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 06:11

Reported

2023-03-08 06:14

Platform

win7-20230220-en

Max time kernel

105s

Max time network

34s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Electronic form\Electronic form.doc"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 764 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1724 wrote to memory of 764 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1724 wrote to memory of 764 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1724 wrote to memory of 764 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1724 wrote to memory of 764 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1724 wrote to memory of 764 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1724 wrote to memory of 764 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 764 wrote to memory of 528 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 764 wrote to memory of 528 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 764 wrote to memory of 528 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 764 wrote to memory of 528 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 764 wrote to memory of 528 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 764 wrote to memory of 528 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 764 wrote to memory of 528 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 528 wrote to memory of 1348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 528 wrote to memory of 1348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 528 wrote to memory of 1348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 528 wrote to memory of 1348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 528 wrote to memory of 1348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1724 wrote to memory of 900 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1724 wrote to memory of 900 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1724 wrote to memory of 900 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1724 wrote to memory of 900 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Electronic form\Electronic form.doc"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Electronic form\071140.tmp"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\Electronic form\071140.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VeakbIPWoxBsLwBQu\pxnpwFJWgqC.dll"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.dnautik.com udp
RS 195.252.110.130:80 www.dnautik.com tcp

Files

memory/1724-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1724-57-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-59-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-58-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-61-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-60-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-63-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-62-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-64-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-65-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-66-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-67-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-68-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-69-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-70-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-71-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-72-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-73-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-74-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-76-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-75-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-77-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-78-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-80-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-79-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-82-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-83-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-81-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-84-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-85-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-87-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-86-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-88-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-89-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-90-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-92-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-91-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-93-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-94-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-96-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-95-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-97-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-98-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-99-0x0000000000760000-0x0000000000860000-memory.dmp

memory/1724-101-0x0000000000760000-0x0000000000860000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ELECTR~1\071146.zip

MD5 9ad186e479e35bab7859e974b0cbfd65
SHA1 9a6191124de81354ffe01922e6348e6ab0830aee
SHA256 c8861f1708199dd01294e6d66ebf2bb3951980e177ec646b15291999e6b6a291
SHA512 f6578eaefd8a6934a10f0089877494e5c68f2fcf4fb821a5f6f1195b38559fa3086f57a5eaabd0a3efd6c42b4278d6d80d67ce4a4d440e944f9b42da9bde3ecd

memory/1724-1072-0x0000000006130000-0x0000000006131000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Electronic form\071140.tmp

MD5 8467d39bd97385af80831fec91fc38bb
SHA1 27da57182e02b32adedbdea812d0107506e66a10
SHA256 73b63b12507b780f6e37ebc5a86ddd75edaa88895c32b0e04a6d41ead78f77b4
SHA512 a340986c205891e4b64405b12e5286d945e05c3278ceaa9fc19523058b982247f9893796632410d50f81045c0a0a2788a5af7a0ffdc7d38c467c728e8a95042e

\Users\Admin\AppData\Local\Temp\Electronic form\071140.tmp

MD5 8467d39bd97385af80831fec91fc38bb
SHA1 27da57182e02b32adedbdea812d0107506e66a10
SHA256 73b63b12507b780f6e37ebc5a86ddd75edaa88895c32b0e04a6d41ead78f77b4
SHA512 a340986c205891e4b64405b12e5286d945e05c3278ceaa9fc19523058b982247f9893796632410d50f81045c0a0a2788a5af7a0ffdc7d38c467c728e8a95042e

\Users\Admin\AppData\Local\Temp\Electronic form\071140.tmp

MD5 8467d39bd97385af80831fec91fc38bb
SHA1 27da57182e02b32adedbdea812d0107506e66a10
SHA256 73b63b12507b780f6e37ebc5a86ddd75edaa88895c32b0e04a6d41ead78f77b4
SHA512 a340986c205891e4b64405b12e5286d945e05c3278ceaa9fc19523058b982247f9893796632410d50f81045c0a0a2788a5af7a0ffdc7d38c467c728e8a95042e

memory/528-1262-0x0000000000130000-0x0000000000131000-memory.dmp

memory/1724-1269-0x0000000006130000-0x0000000006131000-memory.dmp

memory/1348-1271-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 2908eeeccbccbe97b6c207fcaf667f1f
SHA1 34864ff87cbbce6bf97de0680a72f3d6de79d6b8
SHA256 6529476e40398e77852505196a2e456f31b37acbad70d06c5364b370be5b2771
SHA512 2081cf63d6a8102b6a1a69e82f705ea872971d6b007ae6937e8c86933ee6e97e2770189e500384f88fb92da92a2e9066886d28e0dc955dec46e94e10b22a6d96

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-08 06:11

Reported

2023-03-08 06:14

Platform

win10v2004-20230220-en

Max time kernel

142s

Max time network

131s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Electronic form\Electronic form.doc" /o ""

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QOqvtvHLFMLWJcmX.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\NuccshNrtP\\QOqvtvHLFMLWJcmX.dll\"" C:\Windows\system32\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Electronic form\Electronic form.doc" /o ""

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Electronic form\071138.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NuccshNrtP\QOqvtvHLFMLWJcmX.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 24.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 www.dnautik.com udp
RS 195.252.110.130:80 www.dnautik.com tcp
US 8.8.8.8:53 130.110.252.195.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
FR 51.11.192.49:443 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 234.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
FR 91.121.146.47:8080 91.121.146.47 tcp
US 8.8.8.8:53 47.146.121.91.in-addr.arpa udp

Files

memory/4100-133-0x00007FFB76CF0000-0x00007FFB76D00000-memory.dmp

memory/4100-134-0x00007FFB76CF0000-0x00007FFB76D00000-memory.dmp

memory/4100-135-0x00007FFB76CF0000-0x00007FFB76D00000-memory.dmp

memory/4100-136-0x00007FFB76CF0000-0x00007FFB76D00000-memory.dmp

memory/4100-137-0x00007FFB76CF0000-0x00007FFB76D00000-memory.dmp

memory/4100-138-0x00007FFB74840000-0x00007FFB74850000-memory.dmp

memory/4100-139-0x00007FFB74840000-0x00007FFB74850000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Electronic form\071141.zip

MD5 9ad186e479e35bab7859e974b0cbfd65
SHA1 9a6191124de81354ffe01922e6348e6ab0830aee
SHA256 c8861f1708199dd01294e6d66ebf2bb3951980e177ec646b15291999e6b6a291
SHA512 f6578eaefd8a6934a10f0089877494e5c68f2fcf4fb821a5f6f1195b38559fa3086f57a5eaabd0a3efd6c42b4278d6d80d67ce4a4d440e944f9b42da9bde3ecd

C:\Users\Admin\AppData\Local\Temp\Electronic form\071138.tmp

MD5 8467d39bd97385af80831fec91fc38bb
SHA1 27da57182e02b32adedbdea812d0107506e66a10
SHA256 73b63b12507b780f6e37ebc5a86ddd75edaa88895c32b0e04a6d41ead78f77b4
SHA512 a340986c205891e4b64405b12e5286d945e05c3278ceaa9fc19523058b982247f9893796632410d50f81045c0a0a2788a5af7a0ffdc7d38c467c728e8a95042e

C:\Users\Admin\AppData\Local\Temp\Electronic form\071138.tmp

MD5 8467d39bd97385af80831fec91fc38bb
SHA1 27da57182e02b32adedbdea812d0107506e66a10
SHA256 73b63b12507b780f6e37ebc5a86ddd75edaa88895c32b0e04a6d41ead78f77b4
SHA512 a340986c205891e4b64405b12e5286d945e05c3278ceaa9fc19523058b982247f9893796632410d50f81045c0a0a2788a5af7a0ffdc7d38c467c728e8a95042e

memory/2932-177-0x0000000180000000-0x000000018002D000-memory.dmp

memory/2932-180-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

C:\Windows\System32\NuccshNrtP\QOqvtvHLFMLWJcmX.dll

MD5 8467d39bd97385af80831fec91fc38bb
SHA1 27da57182e02b32adedbdea812d0107506e66a10
SHA256 73b63b12507b780f6e37ebc5a86ddd75edaa88895c32b0e04a6d41ead78f77b4
SHA512 a340986c205891e4b64405b12e5286d945e05c3278ceaa9fc19523058b982247f9893796632410d50f81045c0a0a2788a5af7a0ffdc7d38c467c728e8a95042e

memory/4720-189-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4100-215-0x00007FFB76CF0000-0x00007FFB76D00000-memory.dmp

memory/4100-214-0x00007FFB76CF0000-0x00007FFB76D00000-memory.dmp

memory/4100-216-0x00007FFB76CF0000-0x00007FFB76D00000-memory.dmp

memory/4100-213-0x00007FFB76CF0000-0x00007FFB76D00000-memory.dmp