Analysis Overview
SHA256
6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90
Threat Level: Known bad
The file 0c45cf4e32116eae8d73b52c140f5d91a19ee8ea was found to be: Known bad.
Malicious Activity Summary
Emotet
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-28 09:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-28 09:32
Reported
2024-03-28 09:40
Platform
win7-20240221-en
Max time kernel
418s
Max time network
423s
Command Line
Signatures
Emotet
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\pencrypto.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{55F28B41-ECE6-11EE-A336-7EEA931DE775} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionTime = 80d3e85ef380da01 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionTime = c0d1300bf380da01 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\42-35-df-dc-3d-6b | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionTime = 001c209bf380da01 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionTime = a0a997d7f380da01 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511} | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecision = "0" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionTime = 80d3e85ef380da01 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionReason = "1" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDetectedUrl | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionTime = 001c209bf380da01 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecision = "0" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionTime = c0d1300bf380da01 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionTime = a0a997d7f380da01 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0C45CF~1.EXE,0" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Windows\\SysWOW64\\PENCRY~1.EXE /dde" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Windows\\SysWOW64\\PENCRY~1.EXE,0" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Windows\\SysWOW64\\PENCRY~1.EXE /dde" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Windows\\SysWOW64\\PENCRY~1.EXE /dde" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0C45CF~1.EXE /dde" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0C45CF~1.EXE /dde" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Windows\\SysWOW64\\PENCRY~1.EXE /dde" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0C45CF~1.EXE /dde" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0C45CF~1.EXE,0" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0C45CF~1.EXE /dde" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Windows\\SysWOW64\\PENCRY~1.EXE,0" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0C45CF~1.EXE /dde" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Windows\\SysWOW64\\PENCRY~1.EXE /dde" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1 | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]" | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document" | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\pencrypto.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe
"C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe"
C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe
--b91fe435
C:\Windows\SysWOW64\pencrypto.exe
"C:\Windows\SysWOW64\pencrypto.exe"
C:\Windows\SysWOW64\pencrypto.exe
--44f3e170
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://tmp/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:275457 /prefetch:2
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| PE | 190.117.206.153:443 | tcp | |
| PE | 190.117.206.153:443 | tcp | |
| PK | 203.99.187.137:443 | tcp | |
| PK | 203.99.187.137:443 | tcp | |
| CU | 200.55.168.82:20 | tcp | |
| CU | 200.55.168.82:20 | tcp | |
| US | 70.32.94.58:8080 | tcp | |
| US | 70.32.94.58:8080 | tcp | |
| GB | 213.138.100.98:8080 | tcp | |
| GB | 213.138.100.98:8080 | tcp | |
| DE | 144.76.62.10:8080 | tcp | |
| DE | 144.76.62.10:8080 | tcp | |
| PK | 203.99.188.203:990 | tcp | |
| PK | 203.99.188.203:990 | tcp | |
| CR | 201.196.15.79:990 | tcp | |
| CR | 201.196.15.79:990 | tcp | |
| PK | 203.99.182.135:443 | tcp | |
| PK | 203.99.182.135:443 | tcp | |
| NL | 176.58.93.123:80 | tcp | |
| NL | 176.58.93.123:80 | tcp | |
| US | 192.241.220.183:8080 | tcp |
Files
memory/2248-0-0x0000000000360000-0x0000000000376000-memory.dmp
memory/2248-1-0x0000000000320000-0x0000000000330000-memory.dmp
memory/2588-6-0x0000000000280000-0x0000000000296000-memory.dmp
memory/2528-11-0x0000000000490000-0x00000000004A6000-memory.dmp
memory/2584-16-0x00000000003B0000-0x00000000003C6000-memory.dmp
memory/1788-35-0x000000001B350000-0x000000001B632000-memory.dmp
memory/1788-38-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/1788-37-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp
memory/1788-36-0x0000000001ED0000-0x0000000001ED8000-memory.dmp
memory/1788-41-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/1788-40-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/1788-39-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp
memory/1788-42-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/1788-43-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp
memory/1788-44-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/1788-45-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp
memory/1788-46-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/1788-47-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/1788-48-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/1788-50-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp