Malware Analysis Report

2025-08-06 03:59

Sample ID 230308-e5x22sde8x
Target I19984860741841252_202303081146.zip
SHA256 c4a969b0d04a9b70c2d04928e4f0055e7f28cc2717541230a70c5dc31f601030
Tags macro macro_on_action emotet epoch4 banker trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 c4a969b0d04a9b70c2d04928e4f0055e7f28cc2717541230a70c5dc31f601030

Threat Level: Known bad

The file I19984860741841252_202303081146.zip was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action emotet epoch4 banker trojan

Process spawned unexpected child process

Emotet

Office macro that triggers on suspicious action

Suspicious Office macro

Checks processor information in registry

Enumerates system info in registry

Script User-Agent

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-03-08 04:32

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-03-08 04:32
Reported 2023-03-08 04:33
Platform win10v2004-20230220-en
Max time kernel 24s
Max time network 50s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\I19984860741841252_202303081146.doc" /o ""

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\I19984860741841252_202303081146.doc" /o ""

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\053330.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JQdMFtdJGOoPDhg\Wkce.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 33.18.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 191.88.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp
US | 8.8.8.8:53 | 130.110.252.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 20.189.173.6:443 | | tcp

Files

memory/4260-133-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

memory/4260-134-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

memory/4260-135-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

memory/4260-136-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

memory/4260-137-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

memory/4260-138-0x00007FF8E8190000-0x00007FF8E81A0000-memory.dmp

memory/4260-140-0x00007FF8E8190000-0x00007FF8E81A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\053331.zip

MD5 f722207b3e742ae5b5aeb999bfdb35f0
SHA1 0dd46925311e4f7b9ffba1839e3990c586f08456
SHA256 289b313d6977527c3d3a9e1235da66982be9bdf3ff00bc0f91cac2785a7eba52
SHA512 e85d98636e4da0bce8daea6ce16d721ff25b63e80c262e05309ba3ee7563ca216a6d5fbf9b192a9b0270d3a3d621cb9e33e9cc570745b233c9dd1dca5261d882

C:\Users\Admin\AppData\Local\Temp\053330.tmp

MD5 fd97c79f31def5eef4e156f2e220bf0c
SHA1 3b9b7161b4658b02870cd521833aeae2d3596fe9
SHA256 fa0a19e065f08f430430a2ffe9c40e2e3b6bd50490459f1c3ebe457740e9f209
SHA512 e063e5962009c04ed3c21ee473385654968d39f48df9621241c995bffec2d761450565890f83ffa040b8744e287bbb2ae8771b9247caf870da62fc3ac81e124d

C:\Users\Admin\AppData\Local\Temp\053330.tmp

MD5 e70864474c83c98aa509b9697cfd9ea9
SHA1 c35cc65d7c1a8a72b21ad343f52c501b978d3605
SHA256 ab419f82d140705042fa2e3bdf0d1522540c6f7dfc95d5943c003430e3e4f56e
SHA512 396475516a40d85a2cafc981ebb8d6d777813abe37eb33a37268bf2815274964a639a0b40d6561de29fe982c00803c413021302f1c2cfccef151aaa0dcb3945d

memory/4160-177-0x0000000180000000-0x000000018002D000-memory.dmp

memory/4160-180-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

C:\Windows\System32\JQdMFtdJGOoPDhg\Wkce.dll

MD5 48c45c6b9c3cb926acd4223826d3a32b
SHA1 4494baa4cc1151304c06e43abed7003f585b162c
SHA256 6382d809ee65f1f98253b46a0291ae3ecddc5aae080f2dfbd74afb9b33e7dade
SHA512 4eb07de0fd1e118c5ad09ada04a9232ddce9e1c0a70ac1930d6ec4ab2ab41f2ad00531940434608a5dbb0a847fae81dca0634657fe2ed772b4f7c1529b25e6c3

memory/2516-188-0x0000000000400000-0x00000000004B0000-memory.dmp