Malware Analysis Report

2025-01-03 05:59

Sample ID 240328-lh334sfb97
Target 0c45cf4e32116eae8d73b52c140f5d91a19ee8ea
SHA256 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90
Tags
emotet epoch3 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90

Threat Level: Known bad

The file 0c45cf4e32116eae8d73b52c140f5d91a19ee8ea was found to be: Known bad.

Malicious Activity Summary

emotet epoch3 banker trojan

Emotet

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-28 09:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 09:32

Reported

2024-03-28 09:40

Platform

win7-20240221-en

Max time kernel

418s

Max time network

423s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe"

Signatures

Emotet

trojan banker emotet

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\pencrypto.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{55F28B41-ECE6-11EE-A336-7EEA931DE775} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionTime = 80d3e85ef380da01 C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionTime = c0d1300bf380da01 C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\42-35-df-dc-3d-6b C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionReason = "1" C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionTime = 001c209bf380da01 C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionTime = a0a997d7f380da01 C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511} C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecision = "0" C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionTime = 80d3e85ef380da01 C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionReason = "1" C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDetectedUrl C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionTime = 001c209bf380da01 C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecision = "0" C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionTime = c0d1300bf380da01 C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionTime = a0a997d7f380da01 C:\Windows\SysWOW64\pencrypto.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0C45CF~1.EXE,0" C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]" C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Windows\\SysWOW64\\PENCRY~1.EXE /dde" C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Windows\\SysWOW64\\PENCRY~1.EXE,0" C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Windows\\SysWOW64\\PENCRY~1.EXE /dde" C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1" C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1" C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1 C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0C45CF~1.EXE /dde" C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]" C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]" C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0C45CF~1.EXE /dde" C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Windows\\SysWOW64\\PENCRY~1.EXE /dde" C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document" C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command C:\Windows\SysWOW64\pencrypto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0C45CF~1.EXE /dde" C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]" C:\Windows\SysWOW64\pencrypto.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe
PID 2528 wrote to memory of 2584 N/A C:\Windows\SysWOW64\pencrypto.exe C:\Windows\SysWOW64\pencrypto.exe
PID 1184 wrote to memory of 2804 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe

"C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe"

C:\Users\Admin\AppData\Local\Temp\0c45cf4e32116eae8d73b52c140f5d91a19ee8ea.exe

--b91fe435

C:\Windows\SysWOW64\pencrypto.exe

"C:\Windows\SysWOW64\pencrypto.exe"

C:\Windows\SysWOW64\pencrypto.exe

--44f3e170

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://tmp/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:275457 /prefetch:2

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network


Files
