Analysis
-
max time kernel
20s -
max time network
125s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
08/03/2023, 04:02
Behavioral task
behavioral1
Sample
I19984860741841252_202303081146.doc
Resource
win10-20230220-en
General
-
Target
I19984860741841252_202303081146.doc
-
Size
516.3MB
-
MD5
c2ba98ea49f3d5f5b04d7980ed36b75d
-
SHA1
0b66f823f6edf03c3992d9265a43aa5ffa24938a
-
SHA256
1e041bead6abf833504e173d6b1026ee766bfef84635a7d222e520a673d8896c
-
SHA512
108011d99c013c97e462cb1792a8e5de1a1ebdccd5073acc2c5ac08dc8fcca0acd20eb0bfd37850721a46dffdf54d88bfac59aca6399dda8e4ee53434796e365
-
SSDEEP
6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x
Malware Config
Extracted
emotet
Epoch4
129.232.188.93:443
164.90.222.65:443
159.65.88.10:8080
172.105.226.75:8080
115.68.227.76:8080
187.63.160.88:80
169.57.156.166:8080
185.4.135.165:8080
153.126.146.25:7080
197.242.150.244:8080
139.59.126.41:443
186.194.240.217:443
103.132.242.26:8080
206.189.28.199:8080
163.44.196.120:8080
95.217.221.146:8080
159.89.202.34:443
119.59.103.152:8080
183.111.227.137:8080
201.94.166.162:443
103.75.201.2:443
149.56.131.28:8080
79.137.35.198:8080
5.135.159.50:443
66.228.32.31:7080
91.121.146.47:8080
153.92.5.27:8080
45.235.8.30:8080
72.15.201.15:8080
107.170.39.149:8080
45.176.232.124:443
82.223.21.224:8080
167.172.199.165:8080
213.239.212.5:443
202.129.205.3:8080
94.23.45.86:4143
147.139.166.154:8080
167.172.253.162:8080
91.207.28.33:8080
188.44.20.25:443
104.168.155.143:8080
110.232.117.186:8080
164.68.99.3:8080
1.234.2.232:8080
173.212.193.249:8080
182.162.143.56:443
160.16.142.56:8080
101.50.0.91:8080
103.43.75.120:443
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4388 2584 regsvr32.exe 65 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 8 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2584 WINWORD.EXE 2584 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 2584 WINWORD.EXE 2584 WINWORD.EXE 2584 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2584 WINWORD.EXE 2584 WINWORD.EXE 2584 WINWORD.EXE 2584 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2584 wrote to memory of 4388 2584 WINWORD.EXE 69 PID 2584 wrote to memory of 4388 2584 WINWORD.EXE 69 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\I19984860741841252_202303081146.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\050530.tmp"2⤵
- Process spawned unexpected child process
PID:4388 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\IKTiGFiruNNcsG\nRTfjLfy.dll"3⤵PID:396
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
364.2MB
MD52ab273e3f37a4f5c36cd498480e93bf7
SHA1c48f878d126807599f8348113984230478207020
SHA256c5de4262cd45152878e90f28691f930628912cde0f198c5d284c31acc32ee1c9
SHA512b5689e01ff9e7a141599d72e60feb67ca85b0d2327893326ae19c074544157f7fe6c5b61e69875f31793a591e2f641b334a776a198a23dcd4fecc37c50535d12
-
Filesize
882KB
MD517cbbaee3e9473162ecb52b035bd6728
SHA103f75d00794ae7204c6b7ae060f4c9f26b700391
SHA2560a5cc8f4267d94a7643d67c898b7b59d3b5dc3b477d7544bf174315af4689da5
SHA512f2f68eb8936e4a6fa4f2352ecfebadacdada38a9d9fbe72b0c2c914f291c3e6c943ac1da5882e2f753aa0c0655b075106cf7206b004fa289469628bdb14eebe1
-
Filesize
380.4MB
MD5101dd230139ccf96d05bad3d8bb18adb
SHA1984801cd3b79fcbaf38ad10bc06b22490724e4a5
SHA2562f739056f51fbf51c6b55c623ec83add4bce7a258dab4d620466c5c31d7dca55
SHA51282ec60fc4f1c5dbcb71256095370c0c7fd5780340a5a71a349cbfc7f47d38dc5fa9f61e6ed5d786a28f3094a3c6413d1cf5fe16d4fcd27c6ce6fed6ef3ba2208
-
Filesize
380.1MB
MD5088262698f09a1185be8aaae7e02e134
SHA15a18c6e3edb19a00e7a3fd081d43b6e21dad7375
SHA2561c521ca0d2af3ae2e361881f7551f4b4b5ca5adf84f29399338ab01ef4a9a15a
SHA51200995f6fd01241992c829015a7be820f55ffc0040e414d316b4cee53fc0cad5d9acee82b2c94e0207755e643b127d9f6b3faeb79fe65667088ab3ab5cd378d28