Malware Analysis Report

2025-08-06 04:00

Sample ID 230308-e2agksea52
Target I19984860741841252_202303081146.zip
SHA256 c4a969b0d04a9b70c2d04928e4f0055e7f28cc2717541230a70c5dc31f601030
Tags
macro macro_on_action emotet epoch4 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c4a969b0d04a9b70c2d04928e4f0055e7f28cc2717541230a70c5dc31f601030

Threat Level: Known bad

The file I19984860741841252_202303081146.zip was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action emotet epoch4 banker trojan

Process spawned unexpected child process

Emotet

Suspicious Office macro

Office macro that triggers on suspicious action

Loads dropped DLL

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Script User-Agent

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-08 04:26

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 04:25

Reported

2023-03-08 04:29

Platform

win10-20230220-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\I19984860741841252_202303081146.doc" /o ""

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\I19984860741841252_202303081146.doc" /o ""

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\052709.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TqpjeRquNIjkUh\MoxKQmnrix.dll"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288
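
The process list above is the whole Emotet delivery chain in four command lines: Word launches regsvr32.exe silently on a .tmp file dropped in the user's Temp folder, and a second regsvr32.exe then loads a randomly named DLL from a randomly named System32 subdirectory. The following detection logic is an added example written for this page, not code from the sandbox; it turns those three observations into checks over constructed process-creation records. The PIDs, the parent of WINWORD.EXE (explorer.exe), the parent of the second regsvr32.exe (the first one), and the record layout are assumptions made for the example.

```python
"""Detection logic for the WINWORD.EXE -> regsvr32.exe chain in the Processes section.

Added example, not part of the sandbox report. The process-creation records below
are constructed: PIDs, the parent of WINWORD.EXE (explorer.exe), and the parent of
the second regsvr32.exe (the first regsvr32.exe) are assumptions, as is the record
layout, which only loosely resembles Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Signed Windows binaries that an Office application has no business launching.
LOLBIN_LOADERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                  "cscript.exe", "powershell.exe", "cmd.exe"}

# A user-writable temp directory as the DLL source.
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# A randomly named subdirectory of System32 holding a randomly named DLL, the
# pattern of C:\Windows\system32\TqpjeRquNIjkUh\MoxKQmnrix.dll in this report.
# Heuristic: tune the length bounds and allowlist real System32 subfolders
# (DriverStore and similar) before deploying.
SYSTEM32_RANDOM_DLL = re.compile(r"\\windows\\system32\\[a-z]{8,16}\\[a-z]{6,16}\.dll", re.I)
# regsvr32 ignores the file extension, so a payload can hide as .tmp.
NON_DLL_EXT = re.compile(r"\.tmp\b", re.I)


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(ev: ProcEvent) -> list[str]:
    """Return the detection names that fire for one process-creation event."""
    findings = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent in OFFICE_APPS and child in LOLBIN_LOADERS:
        findings.append("office_spawns_" + child.split(".")[0])
    if child == "regsvr32.exe":
        if USER_TEMP.search(ev.command_line):
            findings.append("regsvr32_loads_from_user_temp")
        if SYSTEM32_RANDOM_DLL.search(ev.command_line):
            findings.append("regsvr32_loads_random_system32_dll")
        if NON_DLL_EXT.search(ev.command_line):
            findings.append("regsvr32_non_dll_extension")
    return findings


def run_detections(events: list[ProcEvent]) -> dict[int, list[str]]:
    return {ev.pid: analyse(ev) for ev in events}


def chain_is_suspicious(events: list[ProcEvent]) -> bool:
    """True when an Office app launched a loader AND regsvr32 loaded from an odd path."""
    flags = {f for ev in events for f in analyse(ev)}
    return (any(f.startswith("office_spawns_") for f in flags)
            and any(f.startswith("regsvr32_loads_") for f in flags))


WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
# Constructed events mirroring the four command lines in the Processes section,
# plus one benign control (an installer registering a DLL from Program Files).
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\explorer.exe", WINWORD,
              f'"{WINWORD}" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\I19984860741841252_202303081146.doc" /o ""'),
    ProcEvent(1002, WINWORD, r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\052709.tmp"'),
    ProcEvent(1003, r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\system32\regsvr32.exe",
              r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TqpjeRquNIjkUh\MoxKQmnrix.dll"'),
    ProcEvent(1004, WINWORD, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(1005, r"C:\Windows\explorer.exe", r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\app.dll"'),
]

if __name__ == "__main__":
    for pid, flags in run_detections(SAMPLE_EVENTS).items():
        print(pid, flags or "-")
    print("emotet-style chain:", chain_is_suspicious(SAMPLE_EVENTS))
```

Note that splwow64.exe, which Word also spawns here, is not flagged: it is a normal print-spooler helper, and the sandbox's own "unexpected child process" signature fired only for regsvr32.exe. The benign control (explorer.exe registering a DLL from Program Files) passes as well, which is the point of keying on the DLL path rather than on regsvr32 alone.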

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 24.32.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp
US | 8.8.8.8:53 | 130.110.252.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.17.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp
US | 20.189.173.4:443 | | tcp
US | 93.184.221.240:80 | | tcp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
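
Most rows in the network table are reverse (PTR) lookups and background HTTPS that say nothing about attacker infrastructure on their own; the report does not state which row carried the macro's download, but it does give one named destination (www.dnautik.com at 195.252.110.130) and, under Script User-Agent, the default User-Agent of the WinHttp.WinHttpRequest COM object that VBA downloaders use. The triage below is an added example, not sandbox output: it matches constructed proxy and DNS log lines against those indicators, treats the WinHttpRequest UA as a medium-confidence signal because legitimate admin scripts send it too, and ignores PTR lookups. The log format (timestamp, client, dns/http, destination, hostname, user-agent), the client IPs, the timestamps and the extra control entries are assumptions made for the example.

```python
"""Triage of the Network rows from this report against constructed proxy/DNS log lines.

Added example, not the sandbox's code. The six-field log format (ISO timestamp,
client IP, "dns" or "http", destination ip:port, hostname or "-", user-agent or "-")
is an assumption made for this example; so are the client IPs and timestamps.
"""
import shlex
from dataclasses import dataclass

# Indicators taken from the report's Network and Script User-Agent sections.
IOC_DOMAINS = {"www.dnautik.com"}
IOC_IPS = {"195.252.110.130"}
# Default UA of the WinHttp.WinHttpRequest.5.1 COM object, which VBA downloaders
# commonly use. Legitimate scripts use the same object, so on its own this is a
# medium-confidence signal rather than an IOC.
SCRIPT_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"


@dataclass
class Hit:
    line_no: int
    severity: str  # "high" or "medium"
    reason: str


def triage_line(line_no: int, line: str):
    fields = shlex.split(line)  # handles the quoted user-agent
    if len(fields) < 6:
        return None
    _ts, _client, kind, dest, host, ua = fields[:6]
    host = "" if host == "-" else host
    dest_ip = dest.rsplit(":", 1)[0]
    if kind == "dns":
        if host.endswith(".in-addr.arpa"):
            return None  # PTR lookups: OS/sandbox noise, not attacker infrastructure
        if host in IOC_DOMAINS:
            return Hit(line_no, "high", f"DNS lookup of IOC domain {host}")
        return None
    if host in IOC_DOMAINS or dest_ip in IOC_IPS:
        return Hit(line_no, "high", f"HTTP to IOC {host or dest_ip}")
    if ua == SCRIPT_UA:
        return Hit(line_no, "medium", "WinHttpRequest default UA (script download)")
    return None


def triage(log_text: str) -> list[Hit]:
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            hit = triage_line(n, line)
            if hit:
                hits.append(hit)
    return hits


# Constructed log: lines 1-4 mirror rows of the report's Network table, line 5 is
# a control showing the UA rule firing without any IOC match (TEST-NET-3 address).
SAMPLE_LOG = """\
2023-03-08T04:26:40Z 10.0.0.5 dns 8.8.8.8:53 24.32.109.52.in-addr.arpa -
2023-03-08T04:26:41Z 10.0.0.5 dns 8.8.8.8:53 www.dnautik.com -
2023-03-08T04:26:42Z 10.0.0.5 http 195.252.110.130:80 www.dnautik.com "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2023-03-08T04:26:50Z 10.0.0.5 http 20.189.173.4:443 - "Mozilla/5.0"
2023-03-08T04:27:05Z 10.0.0.9 http 203.0.113.7:80 updates.example.test "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
"""

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f"line {h.line_no}: [{h.severity}] {h.reason}")
```

In a real deployment the UA rule is worth correlating with the originating process (Word, Excel) from endpoint telemetry before paging anyone, because the same string comes from any WinHttpRequest caller.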

Files

memory/352-119-0x00007FFEF0340000-0x00007FFEF0350000-memory.dmp

memory/352-120-0x00007FFEF0340000-0x00007FFEF0350000-memory.dmp

memory/352-121-0x00007FFEF0340000-0x00007FFEF0350000-memory.dmp

memory/352-122-0x00007FFEF0340000-0x00007FFEF0350000-memory.dmp

memory/352-125-0x00007FFEEC7D0000-0x00007FFEEC7E0000-memory.dmp

memory/352-126-0x00007FFEEC7D0000-0x00007FFEEC7E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\052711.zip

MD5 f722207b3e742ae5b5aeb999bfdb35f0
SHA1 0dd46925311e4f7b9ffba1839e3990c586f08456
SHA256 289b313d6977527c3d3a9e1235da66982be9bdf3ff00bc0f91cac2785a7eba52
SHA512 e85d98636e4da0bce8daea6ce16d721ff25b63e80c262e05309ba3ee7563ca216a6d5fbf9b192a9b0270d3a3d621cb9e33e9cc570745b233c9dd1dca5261d882

C:\Users\Admin\AppData\Local\Temp\052709.tmp

MD5 851c375861d36292311383733358ff80
SHA1 35884c49e55cfa7541ad99bd383873841f483d0a
SHA256 b0412b6bf2bf2ea874ef2a7f0967956d20f6fe5aa75604755dd234b71faaba6a
SHA512 54d85257637e1d78ed5d2708b68fdc808df0b8a246916539b4691b257af1fe00dd286eb6f03b6feb0654a7e1bf93ed9a61fc7fd04e345944b69af22ab4e5cbe3

memory/4424-329-0x00000000021C0000-0x0000000002270000-memory.dmp

\Users\Admin\AppData\Local\Temp\052709.tmp

MD5 851c375861d36292311383733358ff80
SHA1 35884c49e55cfa7541ad99bd383873841f483d0a
SHA256 b0412b6bf2bf2ea874ef2a7f0967956d20f6fe5aa75604755dd234b71faaba6a
SHA512 54d85257637e1d78ed5d2708b68fdc808df0b8a246916539b4691b257af1fe00dd286eb6f03b6feb0654a7e1bf93ed9a61fc7fd04e345944b69af22ab4e5cbe3

memory/4424-331-0x0000000180000000-0x000000018002D000-memory.dmp

memory/4424-339-0x00000000009E0000-0x00000000009E1000-memory.dmp

memory/4424-348-0x00000000021C0000-0x0000000002270000-memory.dmp
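
The Files section lists ten memory dumps without saying which one to open first. Their names encode PID, a sequence index and the dumped address range, and one of them (index 331 in PID 4424) starts at 0x180000000, the default preferred image base the MSVC linker gives 64-bit DLLs; a region at that address is normally a mapped DLL image, which makes it the first dump to hand to a PE carver. The parser below is an added example written for this page, not sandbox code. The naming convention is inferred from the names on this page, the report gives no PID-to-process mapping so none is assumed, and treating the middle number as a sequence index is an assumption.

```python
"""Parser for the memory dump names listed in the Files section.

Added example, not sandbox code. The convention
memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp is inferred from the names on
this page. The report does not map PIDs to process names, so neither does this
code, and treating <index> as a sequence number is an assumption.
"""
import re
from dataclasses import dataclass

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Default preferred ImageBase the MSVC linker assigns to a 64-bit DLL. A dumped
# region starting exactly here is usually a DLL image mapped by the loader (or by
# an unpacker), which makes it the first dump to hand to a PE carver.
X64_DLL_DEFAULT_BASE = 0x180000000


@dataclass(frozen=True)
class Dump:
    name: str
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str):
    m = DUMP_RE.match(name)
    if not m:
        return None  # not a memory dump entry (e.g. a dropped file path)
    pid, idx, start, end = m.groups()
    return Dump(name, int(pid), int(idx), int(start, 16), int(end, 16))


def image_candidates(dumps: list[Dump]) -> list[Dump]:
    """Dumps sitting at the default x64 DLL base: the likeliest unpacked DLL images."""
    return [d for d in dumps if d.start == X64_DLL_DEFAULT_BASE]


def regions_by_pid(dumps: list[Dump]) -> dict[int, set]:
    """Distinct (start, end) regions per PID, collapsing repeated dumps of one region."""
    out: dict[int, set] = {}
    for d in dumps:
        out.setdefault(d.pid, set()).add((d.start, d.end))
    return out


def repeated_regions(dumps: list[Dump]) -> dict[tuple, list[int]]:
    """Regions dumped more than once, with the indexes at which they were taken."""
    seen: dict[tuple, list[int]] = {}
    for d in dumps:
        seen.setdefault((d.pid, d.start, d.end), []).append(d.index)
    return {k: v for k, v in seen.items() if len(v) > 1}


# The dump names exactly as they appear in this report's Files section.
REPORT_DUMP_NAMES = [
    "memory/352-119-0x00007FFEF0340000-0x00007FFEF0350000-memory.dmp",
    "memory/352-120-0x00007FFEF0340000-0x00007FFEF0350000-memory.dmp",
    "memory/352-121-0x00007FFEF0340000-0x00007FFEF0350000-memory.dmp",
    "memory/352-122-0x00007FFEF0340000-0x00007FFEF0350000-memory.dmp",
    "memory/352-125-0x00007FFEEC7D0000-0x00007FFEEC7E0000-memory.dmp",
    "memory/352-126-0x00007FFEEC7D0000-0x00007FFEEC7E0000-memory.dmp",
    "memory/4424-329-0x00000000021C0000-0x0000000002270000-memory.dmp",
    "memory/4424-331-0x0000000180000000-0x000000018002D000-memory.dmp",
    "memory/4424-339-0x00000000009E0000-0x00000000009E1000-memory.dmp",
    "memory/4424-348-0x00000000021C0000-0x0000000002270000-memory.dmp",
]
REPORT_DUMPS = [d for d in map(parse_dump_name, REPORT_DUMP_NAMES) if d]

if __name__ == "__main__":
    for d in image_candidates(REPORT_DUMPS):
        print(f"PE candidate: pid={d.pid} index={d.index} size={d.size:#x} ({d.size} bytes)")
    for (pid, start, end), idxs in repeated_regions(REPORT_DUMPS).items():
        print(f"pid {pid} region {start:#x}-{end:#x} dumped at indexes {idxs}")
```

Running it singles out index 331 (0x2D000 bytes, about 180 KB) as the PE candidate, and shows that the 0x21C0000-0x2270000 region in PID 4424 was dumped twice (indexes 329 and 348), i.e. once before and once after the image-base dump if the index really is a sequence number. The four identical 64 KB dumps in PID 352 collapse to a single region, so they need to be carved only once.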