Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2996
Target ID:	0
Parent PID:	576
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	09:19:14
Date:	06/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fb20000
Modulesize:	28282880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\wdusx1.ocx

Details

Is windows:	true
Is dropped:	false
PID:	1952
Target ID:	4
Parent PID:	2996
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	C:\Windows\System32\regsvr32.exe /S ..\wdusx1.ocx
Size:	19456
MD5:	59BCE9F07985F8A4204F4D6554CFF708
Time:	09:19:24
Date:	06/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff180000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Emotet	E-Banking Fraud, Stealing of Sensitive Information
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Registers a DLL	Data Obfuscation	Regsvr32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\wdusx2.ocx

Details

Is windows:	true
Is dropped:	false
PID:	1472
Target ID:	6
Parent PID:	2996
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	C:\Windows\System32\regsvr32.exe /S ..\wdusx2.ocx
Size:	19456
MD5:	59BCE9F07985F8A4204F4D6554CFF708
Time:	09:19:26
Date:	06/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xffa70000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Emotet	E-Banking Fraud, Stealing of Sensitive Information
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Registers a DLL	Data Obfuscation	Regsvr32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LxvynAbdjmnUIIL\BlVTVcJlqYTKwC.dll"

Details

Is windows:	true
Is dropped:	false
PID:	1200
Target ID:	7
Parent PID:	1472
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LxvynAbdjmnUIIL\BlVTVcJlqYTKwC.dll"
Size:	19456
MD5:	59BCE9F07985F8A4204F4D6554CFF708
Time:	09:19:27
Date:	06/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xffa70000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Emotet	E-Banking Fraud, Stealing of Sensitive Information
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Registers a DLL	Data Obfuscation	Regsvr32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\wdusx3.ocx

Details

Is windows:	true
Is dropped:	false
PID:	1980
Target ID:	8
Parent PID:	2996
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	C:\Windows\System32\regsvr32.exe /S ..\wdusx3.ocx
Size:	19456
MD5:	59BCE9F07985F8A4204F4D6554CFF708
Time:	09:19:28
Date:	06/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xffa70000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Emotet	E-Banking Fraud, Stealing of Sensitive Information
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Registers a DLL	Data Obfuscation	Regsvr32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

Details

Is windows:	true
Is dropped:	false
PID:	2104
Target ID:	5
Parent PID:	404
Name:	svchost.exe
Path:	C:\Windows\System32\svchost.exe
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Size:	27136
MD5:	C78655BC80301D76ED4FEF1C1EA40A7D
Time:	09:19:25
Date:	06/08/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xff7d0000
Modulesize:	45056
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://kronostr.com/tr/68yHRhfuU7Qj/

188.132.217.108

https://www.zardamarine.com/images/psQbAjrrEOXWPrS/

208.67.23.91

http://labfitouts.com/cgi-bin/Rea3Iu3wGvgAbTset0/

66.96.149.19

https://198.199.70.22/B

unknown

https://165.22.254.68/O

unknown

https://198.199.70.22/080/F

unknown

https://198.199.70.22:8080/e

unknown

https://198.199.70.22:8080/a

unknown

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://crl.entrust.net/server1.crl0

unknown

http://ocsp.entrust.net03

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

http://ocsp.entrust.net0D

unknown

https://secure.comodo.com/CPS0

unknown

https://165.22.254.68/

unknown

http://crl.entrust.net/2048ca.crl0

unknown

There are 7 hidden URLs, click here to show them.

Domains

Name

Malicious

zardamarine.com

208.67.23.91

Details

Name:	zardamarine.com
IP:	208.67.23.91
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking

www.zardamarine.com

unknown

Details

Name:	www.zardamarine.com
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

labfitouts.com

66.96.149.19

Details

Name:	labfitouts.com
IP:	66.96.149.19
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

kronostr.com

188.132.217.108

Details

Name:	kronostr.com
IP:	188.132.217.108
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

IPs

Domain

Country

Malicious

157.245.111.0

unknown

United States

157.230.99.206

unknown

United States

54.37.106.167

unknown

France

196.44.98.190

unknown

Ghana

59.148.253.194

unknown

Hong Kong

202.29.239.162

unknown

Thailand

103.41.204.169

unknown

Indonesia

36.67.23.59

unknown

Indonesia

165.22.254.68

unknown

United States

103.56.149.105

unknown

Indonesia

85.214.67.203

unknown

Germany

68.183.91.111

unknown

United States

85.25.120.45

unknown

Germany

198.199.70.22

unknown

United States

93.104.209.107

unknown

Germany

208.67.23.91

zardamarine.com

United States

188.225.32.231

unknown

Russian Federation

175.126.176.79

unknown

Korea Republic of

139.196.72.155

unknown

China

165.232.185.110

unknown

United States

104.248.225.227

unknown

United States

103.126.216.86

unknown

Bangladesh

128.199.217.206

unknown

United Kingdom

116.124.128.206

unknown

Korea Republic of

103.224.241.74

unknown

India

103.71.99.57

unknown

India

210.57.209.142

unknown

Indonesia

202.28.34.99

unknown

Thailand

87.106.97.83

unknown

Germany

103.254.12.236

unknown

Viet Nam

103.85.95.4

unknown

Indonesia

54.37.228.122

unknown

France

202.134.4.210

unknown

Indonesia

88.217.172.165

unknown

Germany

195.77.239.39

unknown

Spain

165.22.254.236

unknown

United States

78.47.204.80

unknown

Germany

118.98.72.86

unknown

Indonesia

104.244.79.94

unknown

United States

37.44.244.177

unknown

Germany

178.62.112.199

unknown

European Union

62.171.178.147

unknown

United Kingdom

64.227.55.231

unknown

United States

188.132.217.108

kronostr.com

Turkey

66.96.149.19

labfitouts.com

United States

There are 35 hidden IPs, click here to show them.

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

d.2

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\661DE

661DE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

-#2

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU

Max Display