emotet | 5452b9448c3310adaa86f6020c32d6ae4727fce5049f613ad9242e2f35e94eff

General

Target

INVOICE JSM9193_1565826.doc
Sample

200129-tw57ntqase
SHA256

5452b9448c3310adaa86f6020c32d6ae4727fce5049f613ad9242e2f35e94eff

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

C2

186.10.98.177:80

154.70.158.97:80

95.66.182.136:80

68.183.18.169:8080

178.62.75.204:8080

178.33.167.120:8080

144.76.56.36:8080

61.204.119.188:443

163.172.107.70:8080

156.155.163.232:80

91.117.31.181:80

153.183.25.24:80

110.2.118.164:80

195.250.143.182:80

162.154.175.215:80

50.116.78.109:8080

72.176.87.136:80

184.162.115.11:443

37.70.131.107:80

181.39.96.86:443

rsa_pubkey.plain

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4808	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4808	WINWORD.EXE
3124	3hnosi568.exe
3764	3hnosi568.exe
4480	ptrchannel.exe
4516	ptrchannel.exe

Process spawned unexpected child process 1 IoCs

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4404	4808	WScript.exe	71

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4516	ptrchannel.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Emotet
Emotet is a trojan that is primarily spread through spam emails
trojan banker emotet

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4404	4808	WINWORD.EXE	78
PID 4404 wrote to memory of 3124	4404	WScript.exe	79
PID 3124 wrote to memory of 3764	3124	3hnosi568.exe	80
PID 4480 wrote to memory of 4516	4480	ptrchannel.exe	82

Executes dropped EXE 4 IoCs

pid	Process
3124	3hnosi568.exe
3764	3hnosi568.exe
4480	ptrchannel.exe
4516	ptrchannel.exe

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
3764	3hnosi568.exe
4516	ptrchannel.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	ptrchannel.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ptrchannel.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ptrchannel.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ptrchannel.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	ptrchannel.exe
File renamed	C:\Users\Admin\AppData\Local\Temp\3hnosi568.exe => C:\Windows\SysWOW64\ptrchannel.exe	3hnosi568.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE JSM9193_1565826.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
PID:4808
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\0.2304651.jse"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\3hnosi568.exe
    "C:\Users\Admin\AppData\Local\Temp\3hnosi568.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\3hnosi568.exe
      --42aa2c8f
      4⤵
      Suspicious use of SetWindowsHookEx
      Executes dropped EXE
      Suspicious behavior: EmotetMutantsSpam
      Drops file in System32 directory
      PID:3764

C:\Windows\SysWOW64\ptrchannel.exe
"C:\Windows\SysWOW64\ptrchannel.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:4480
- C:\Windows\SysWOW64\ptrchannel.exe
  --942e52c7
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: EnumeratesProcesses
  - Executes dropped EXE
  - Suspicious behavior: EmotetMutantsSpam
  - Drops file in System32 directory
  PID:4516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3124-9-0x0000000002280000-0x0000000002297000-memory.dmp

Filesize
92KB

Download
memory/3764-11-0x00000000007B0000-0x00000000007C7000-memory.dmp

Filesize
92KB

Download
memory/3764-12-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4480-14-0x0000000000E10000-0x0000000000E27000-memory.dmp

Filesize
92KB

Download
memory/4516-16-0x0000000000610000-0x0000000000627000-memory.dmp

Filesize
92KB

Download
memory/4516-17-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads