emotet | 5452b9448c3310adaa86f6020c32d6ae4727fce5049f613ad9242e2f35e94eff

General

Target

INVOICE JSM9193_1565826.doc
Sample

200129-rvtk7t4t9j
SHA256

5452b9448c3310adaa86f6020c32d6ae4727fce5049f613ad9242e2f35e94eff

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

C2

186.10.98.177:80

154.70.158.97:80

95.66.182.136:80

68.183.18.169:8080

178.62.75.204:8080

178.33.167.120:8080

144.76.56.36:8080

61.204.119.188:443

163.172.107.70:8080

156.155.163.232:80

91.117.31.181:80

153.183.25.24:80

110.2.118.164:80

195.250.143.182:80

162.154.175.215:80

50.116.78.109:8080

72.176.87.136:80

184.162.115.11:443

37.70.131.107:80

181.39.96.86:443

rsa_pubkey.plain

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4812	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4812	WINWORD.EXE
3788	v9zw0kimj.exe
4512	v9zw0kimj.exe

Process spawned unexpected child process 1 IoCs

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4036	4812	WScript.exe	71

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4036	4812	WINWORD.EXE	78
PID 4036 wrote to memory of 3788	4036	WScript.exe	79
PID 3788 wrote to memory of 4512	3788	v9zw0kimj.exe	80

Executes dropped EXE 2 IoCs

pid	Process
3788	v9zw0kimj.exe
4512	v9zw0kimj.exe

Suspicious behavior: EmotetMutantsSpam 1 IoCs

pid	Process
4512	v9zw0kimj.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Emotet
Emotet is a trojan that is primarily spread through spam emails
trojan banker emotet

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE JSM9193_1565826.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Enumerates system info in registry
PID:4812
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\0.1477167.jse"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\v9zw0kimj.exe
    "C:\Users\Admin\AppData\Local\Temp\v9zw0kimj.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\v9zw0kimj.exe
      --4aec14ef
      4⤵
      Suspicious use of SetWindowsHookEx
      Executes dropped EXE
      Suspicious behavior: EmotetMutantsSpam
      PID:4512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3788-8-0x0000000000AA0000-0x0000000000AB7000-memory.dmp

Filesize
92KB

Download
memory/4512-10-0x0000000002060000-0x0000000002077000-memory.dmp

Filesize
92KB

Download
memory/4512-11-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads