Windows Analysis Report
documentazione 68668.xls

Overview

General Information

Sample Name:	documentazione 68668.xls
Analysis ID:	679676
MD5:	a4c856aa217eab1f66dfade13f701013
SHA1:	c4bd8e7e5cbb3e8038186851e7eb9ee65007c64d
SHA256:	51737c16eed7b848b37b843555c7bda5ead1f418fbadb8def452d287d0817179
Infos:

Detection

Hidden Macro 4.0, Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document exploit detected (drops PE files)

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Antivirus / Scanner detection for submitted sample

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Document exploit detected (creates forbidden files)

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Office process drops PE file

Found Excel 4.0 Macro with suspicious formulas

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

PE file contains an invalid checksum

Drops PE files

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Registers a DLL

PE file contains more sections than normal

Drops PE files to the user directory

Dropped file seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: documentazione 68668.xls	Virustotal: Detection: 55%	Perma Link
Source: documentazione 68668.xls	Metadefender: Detection: 37%	Perma Link
Source: documentazione 68668.xls	ReversingLabs: Detection: 73%

Antivirus / Scanner detection for submitted sample

Source: documentazione 68668.xls

Avira: detected

Antivirus detection for URL or domain

Source: http://kronostr.com/tr/68yHRhfuU7Qj/	Avira URL Cloud: Label: malware
Source: https://www.zardamarine.com/images/psQbAjrrEOXWPrS/	Avira URL Cloud: Label: malware
Source: http://labfitouts.com/cgi-bin/Rea3Iu3wGvgAbTset0/	Avira URL Cloud: Label: malware
Source: https://198.199.70.22/B	Avira URL Cloud: Label: malware
Source: https://165.22.254.68/O	Avira URL Cloud: Label: malware
Source: https://198.199.70.22/080/F	Avira URL Cloud: Label: malware
Source: https://198.199.70.22:8080/e	Avira URL Cloud: Label: malware
Source: https://198.199.70.22:8080/a	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: zardamarine.com

Virustotal: Detection: 10%

Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UVvnppK[1].dll	Avira: detection malicious, Label: TR/Crypt.Agent.hwpwp
Source: C:\Users\user\wdusx2.ocx	Avira: detection malicious, Label: TR/Crypt.Agent.hwpwp

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UVvnppK[1].dll	Metadefender: Detection: 40%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UVvnppK[1].dll	ReversingLabs: Detection: 88%
Source: C:\Users\user\wdusx2.ocx	Metadefender: Detection: 40%	Perma Link
Source: C:\Users\user\wdusx2.ocx	ReversingLabs: Detection: 88%
Source: C:\Windows\System32\LxvynAbdjmnUIIL\BlVTVcJlqYTKwC.dll (copy)	Metadefender: Detection: 40%	Perma Link
Source: C:\Windows\System32\LxvynAbdjmnUIIL\BlVTVcJlqYTKwC.dll (copy)	ReversingLabs: Detection: 88%

Source: 00000007.00000002.1196956196.00000000003AA000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["165.22.254.68:443", "198.199.70.22:8080", "104.244.79.94:443", "103.224.241.74:8080", "88.217.172.165:8080", "118.98.72.86:443", "104.248.225.227:8080", "196.44.98.190:8080", "103.254.12.236:7080", "157.245.111.0:8080", "68.183.91.111:8080", "202.29.239.162:443", "37.44.244.177:8080", "139.196.72.155:8080", "64.227.55.231:8080", "103.85.95.4:8080", "195.77.239.39:8080", "202.134.4.210:7080", "54.37.106.167:8080", "103.41.204.169:8080", "85.25.120.45:8080", "59.148.253.194:443", "175.126.176.79:8080", "103.126.216.86:443", "93.104.209.107:8080", "103.56.149.105:8080", "202.28.34.99:8080", "103.71.99.57:8080", "62.171.178.147:8080", "116.124.128.206:8080", "54.37.228.122:443", "210.57.209.142:8080", "128.199.217.206:443", "36.67.23.59:443", "188.225.32.231:4143", "87.106.97.83:7080", "85.214.67.203:8080", "78.47.204.80:443", "178.62.112.199:8080", "165.232.185.110:8080", "157.230.99.206:8080", "165.22.254.236:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0hvkZWKoAAJA=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWi/kZWKoAAIg="]}

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: global traffic	DNS query: name: www.zardamarine.com
Source: global traffic	DNS query: name: kronostr.com
Source: global traffic	DNS query: name: labfitouts.com

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.23.91:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.23.91:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.23.91:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.23.91:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.23.91:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.23.91:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.23.91:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.23.91:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.23.91:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.23.91:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.23.91:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.23.91:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 165.22.254.68:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 165.22.254.68:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 165.22.254.68:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 165.22.254.68:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 165.22.254.68:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 165.22.254.68:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 165.22.254.68:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 165.22.254.68:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 165.22.254.68:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 165.22.254.68:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.23.91:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.132.217.108:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 66.96.149.19:80

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 165.22.254.68 443			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 198.199.70.22 8080			Jump to behavior

Source: Malware configuration extractor	IPs: 165.22.254.68:443
Source: Malware configuration extractor	IPs: 198.199.70.22:8080
Source: Malware configuration extractor	IPs: 104.244.79.94:443
Source: Malware configuration extractor	IPs: 103.224.241.74:8080
Source: Malware configuration extractor	IPs: 88.217.172.165:8080
Source: Malware configuration extractor	IPs: 118.98.72.86:443
Source: Malware configuration extractor	IPs: 104.248.225.227:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 103.254.12.236:7080
Source: Malware configuration extractor	IPs: 157.245.111.0:8080
Source: Malware configuration extractor	IPs: 68.183.91.111:8080
Source: Malware configuration extractor	IPs: 202.29.239.162:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 139.196.72.155:8080
Source: Malware configuration extractor	IPs: 64.227.55.231:8080
Source: Malware configuration extractor	IPs: 103.85.95.4:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 202.134.4.210:7080
Source: Malware configuration extractor	IPs: 54.37.106.167:8080
Source: Malware configuration extractor	IPs: 103.41.204.169:8080
Source: Malware configuration extractor	IPs: 85.25.120.45:8080
Source: Malware configuration extractor	IPs: 59.148.253.194:443
Source: Malware configuration extractor	IPs: 175.126.176.79:8080
Source: Malware configuration extractor	IPs: 103.126.216.86:443
Source: Malware configuration extractor	IPs: 93.104.209.107:8080
Source: Malware configuration extractor	IPs: 103.56.149.105:8080
Source: Malware configuration extractor	IPs: 202.28.34.99:8080
Source: Malware configuration extractor	IPs: 103.71.99.57:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 116.124.128.206:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 128.199.217.206:443
Source: Malware configuration extractor	IPs: 36.67.23.59:443
Source: Malware configuration extractor	IPs: 188.225.32.231:4143
Source: Malware configuration extractor	IPs: 87.106.97.83:7080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 178.62.112.199:8080
Source: Malware configuration extractor	IPs: 165.232.185.110:8080
Source: Malware configuration extractor	IPs: 157.230.99.206:8080
Source: Malware configuration extractor	IPs: 165.22.254.236:8080

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View	IP Address: 157.245.111.0 157.245.111.0
Source: Joe Sandbox View	IP Address: 157.230.99.206 157.230.99.206

Source: global traffic	HTTP traffic detected: GET /images/psQbAjrrEOXWPrS/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.zardamarine.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tr/68yHRhfuU7Qj/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kronostr.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-bin/Rea3Iu3wGvgAbTset0/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: labfitouts.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.254.68
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.254.68
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.254.68
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.254.68
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.254.68
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.254.68
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.254.68
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.254.68
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.254.68
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.254.68
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.70.22
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.70.22
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.70.22
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.70.22
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.70.22
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.70.22
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.70.22
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.70.22
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.70.22
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.70.22

Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1197051970.0000000000443000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1002852699.0000000000443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1197051970.0000000000443000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1002852699.0000000000443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1197051970.0000000000443000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1002852699.0000000000443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000007.00000002.1197037666.0000000000429000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000007.00000002.1197206836.0000000002C79000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.7.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000007.00000002.1197029726.0000000000420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000007.00000002.1197051970.0000000000443000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1002852699.0000000000443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1197051970.0000000000443000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1002852699.0000000000443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000007.00000002.1197051970.0000000000443000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1002852699.0000000000443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1197051970.0000000000443000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1002852699.0000000000443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1197051970.0000000000443000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1002852699.0000000000443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000007.00000002.1197000736.00000000003F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://165.22.254.68/
Source: regsvr32.exe, 00000007.00000002.1197000736.00000000003F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://165.22.254.68/O
Source: regsvr32.exe, 00000007.00000002.1196956196.00000000003AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://198.199.70.22/080/F
Source: regsvr32.exe, 00000007.00000002.1196956196.00000000003AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://198.199.70.22/B
Source: regsvr32.exe, 00000007.00000002.1197037666.0000000000429000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://198.199.70.22:8080/a
Source: regsvr32.exe, 00000007.00000002.1197037666.0000000000429000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://198.199.70.22:8080/e
Source: regsvr32.exe, 00000007.00000002.1197156403.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1197051970.0000000000443000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1002852699.0000000000443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: Yara match	File source: 7.2.regsvr32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.4b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.926408860.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1197465713.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.924980552.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1196882539.0000000000140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: 7.2.regsvr32.exe.140000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 7.2.regsvr32.exe.140000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 6.2.regsvr32.exe.4b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 6.2.regsvr32.exe.4b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 6.2.regsvr32.exe.4b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 6.2.regsvr32.exe.4b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 7.2.regsvr32.exe.140000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 7.2.regsvr32.exe.140000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 00000006.00000002.926408860.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000006.00000002.926408860.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 00000007.00000002.1197465713.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000007.00000002.1197465713.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 00000006.00000002.924980552.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000006.00000002.924980552.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 00000007.00000002.1196882539.0000000000140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000007.00000002.1196882539.0000000000140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown

Source: Screenshot number: 4	Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Source: Screenshot number: 4	Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
Source: Screenshot number: 8	Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 Gb 9 10 11 12 13 14 15 1
Source: Screenshot number: 8	Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 Gb 9 10 11 12 13 14 15 16 17 18 19 20 21 22
Source: Document image extraction number: 0	Screenshot OCR: Enable Editing and click Enable Content.
Source: Document image extraction number: 0	Screenshot OCR: Enable Content.
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing and click Enable Content.
Source: Document image extraction number: 1	Screenshot OCR: Enable Content.

Source: documentazione 68668.xls	Macro extractor: Sheet: PKEKPPGEKKPGE contains: URLDownloadToFileA
Source: documentazione 68668.xls	Macro extractor: Sheet: PKEKPPGEKKPGE contains: URLDownloadToFileA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UVvnppK[1].dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\wdusx2.ocx			Jump to dropped file

Source: documentazione 68668.xls	Initial sample: EXEC
Source: documentazione 68668.xls	Initial sample: EXEC

Source: documentazione 68668.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: 7.2.regsvr32.exe.140000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 7.2.regsvr32.exe.140000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 6.2.regsvr32.exe.4b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 6.2.regsvr32.exe.4b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 6.2.regsvr32.exe.4b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 6.2.regsvr32.exe.4b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 7.2.regsvr32.exe.140000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 7.2.regsvr32.exe.140000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 00000006.00000002.926408860.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000006.00000002.926408860.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 00000007.00000002.1197465713.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000007.00000002.1197465713.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 00000006.00000002.924980552.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000006.00000002.924980552.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 00000007.00000002.1196882539.0000000000140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000007.00000002.1196882539.0000000000140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: C:\Users\user\Desktop\documentazione 68668.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: documentazione 68668.xls	Macro extractor: Sheet name: PKEKPPGEKKPGE
Source: documentazione 68668.xls	Macro extractor: Sheet name: PKEKPPGEKKPGE

Source: wdusx2.ocx.0.dr	Static PE information: Number of sections : 12 > 10
Source: UVvnppK[1].dll.0.dr	Static PE information: Number of sections : 12 > 10

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UVvnppK[1].dll 1EC9DC22A44EB1BD30B4C56B12CCAE1CFCB67F9ABA8F3A8E4A3DE562D237371E
Source: Joe Sandbox View	Dropped File: C:\Users\user\wdusx2.ocx 1EC9DC22A44EB1BD30B4C56B12CCAE1CFCB67F9ABA8F3A8E4A3DE562D237371E
Source: Joe Sandbox View	Dropped File: C:\Windows\System32\LxvynAbdjmnUIIL\BlVTVcJlqYTKwC.dll (copy) 1EC9DC22A44EB1BD30B4C56B12CCAE1CFCB67F9ABA8F3A8E4A3DE562D237371E

Windows Analysis Report documentazione 68668.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
documentazione 68668.xls

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\wdusx1.ocx
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\wdusx2.ocx
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LxvynAbdjmnUIIL\BlVTVcJlqYTKwC.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\wdusx3.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\wdusx1.ocx	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\wdusx2.ocx	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\wdusx3.ocx	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LxvynAbdjmnUIIL\BlVTVcJlqYTKwC.dll"	Jump to behavior

Source: documentazione 68668.xls	OLE indicator, Workbook stream: true
Source: documentazione 68668.xls.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: UVvnppK[1].dll.0.dr	Static PE information: section name: .xdata
Source: wdusx2.ocx.0.dr	Static PE information: section name: .xdata

Source: wdusx2.ocx.0.dr	Static PE information: real checksum: 0xab9d6 should be: 0xad231
Source: UVvnppK[1].dll.0.dr	Static PE information: real checksum: 0xab9d6 should be: 0xad231

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe TID: 2188	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2924	Thread sleep time: -120000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_61A020C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	6_2_61A020C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_61A0A268 SetUnhandledExceptionFilter,Sleep,	6_2_61A0A268
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_61A0A268 SetUnhandledExceptionFilter,Sleep,	6_2_61A0A268

IP	Domain	Country	ASN	ASN Name	Malicious
157.245.111.0	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
157.230.99.206	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
54.37.106.167	unknown	France	16276	OVHFR	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
59.148.253.194	unknown	Hong Kong	9269	HKBN-AS-APHongKongBroadbandNetworkLtdHK	true
202.29.239.162	unknown	Thailand	4621	UNINET-AS-APUNINET-TH	true
103.41.204.169	unknown	Indonesia	58397	INFINYS-AS-IDPTInfinysSystemIndonesiaID	true
36.67.23.59	unknown	Indonesia	17974	TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID	true
165.22.254.68	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
103.56.149.105	unknown	Indonesia	55688	BEON-AS-IDPTBeonIntermediaID	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
68.183.91.111	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
85.25.120.45	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
188.132.217.108	kronostr.com	Turkey	42910	PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	false
198.199.70.22	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
93.104.209.107	unknown	Germany	8767	MNET-ASGermanyDE	true
208.67.23.91	zardamarine.com	United States	3257	GTT-BACKBONEGTTDE	true
188.225.32.231	unknown	Russian Federation	9123	TIMEWEB-ASRU	true
175.126.176.79	unknown	Korea Republic of	9523	MOKWON-AS-KRMokwonUniversityKR	true
139.196.72.155	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true
165.232.185.110	unknown	United States	22255	ALLEGHENYHEALTHNETWORKUS	true
104.248.225.227	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
103.126.216.86	unknown	Bangladesh	138482	SKYVIEW-AS-APSKYVIEWONLINELTDBD	true
128.199.217.206	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true
116.124.128.206	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
103.224.241.74	unknown	India	133296	WEBWERKS-AS-INWebWerksIndiaPvtLtdIN	true
103.71.99.57	unknown	India	135682	AWDHPL-AS-INAdvikaWebDevelopmentsHostingPvtLtdIN	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
202.28.34.99	unknown	Thailand	9562	MSU-TH-APMahasarakhamUniversityTH	true
87.106.97.83	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
103.254.12.236	unknown	Viet Nam	56151	DIGISTAR-VNDigiStarCompanyLimitedVN	true
103.85.95.4	unknown	Indonesia	136077	IDNIC-UNSRAT-AS-IDUniversitasIslamNegeriMataramID	true
54.37.228.122	unknown	France	16276	OVHFR	true
202.134.4.210	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
88.217.172.165	unknown	Germany	8767	MNET-ASGermanyDE	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
165.22.254.236	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
118.98.72.86	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
66.96.149.19	labfitouts.com	United States	29873	BIZLAND-SDUS	false
104.244.79.94	unknown	United States	53667	PONYNETUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
178.62.112.199	unknown	European Union	14061	DIGITALOCEAN-ASNUS	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
64.227.55.231	unknown	United States	14061	DIGITALOCEAN-ASNUS	true

Name	Malicious	Antivirus Detection	Reputation
http://kronostr.com/tr/68yHRhfuU7Qj/	true	Avira URL Cloud: malware	unknown
https://www.zardamarine.com/images/psQbAjrrEOXWPrS/	true	Avira URL Cloud: malware	unknown
http://labfitouts.com/cgi-bin/Rea3Iu3wGvgAbTset0/	true	Avira URL Cloud: malware	unknown