Malware Analysis Report

2025-08-06 04:00

Sample ID 230308-el1ntsde2x
Target I19984860741841252_202303081146.zip
SHA256 c4a969b0d04a9b70c2d04928e4f0055e7f28cc2717541230a70c5dc31f601030
Tags: emotet epoch4 banker trojan macro macro_on_action
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

c4a969b0d04a9b70c2d04928e4f0055e7f28cc2717541230a70c5dc31f601030

Threat Level: Known bad

The file I19984860741841252_202303081146.zip was found to be: Known bad.

Malicious Activity Summary

emotet epoch4 banker trojan macro macro_on_action

Emotet

Process spawned unexpected child process

Office macro that triggers on suspicious action

Suspicious Office macro

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Checks processor information in registry

Script User-Agent

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-08 04:02

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-08 04:02

Reported

2023-03-08 04:07

Platform

win10v2004-20230221-en

Max time kernel

13s

Max time network

129s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\I19984860741841252_202303081146.doc" /o ""

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2632 wrote to memory of 3576 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\System32\regsvr32.exe
PID 2632 wrote to memory of 3576 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\System32\regsvr32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\I19984860741841252_202303081146.doc" /o ""

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\050526.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AmDBRyRXzfi\LSrNiSQpbuqutQ.dll"
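The process list above is the whole infection chain in three command lines: WINWORD.EXE launches regsvr32.exe /s on a file in the user's Temp directory that is not named .dll, and a second regsvr32.exe then runs the same payload from a randomly named subdirectory of System32. The following detection logic is an added example, not part of the sandbox report or its tooling. EVENTS is constructed in the shape of Sysmon Event ID 1 (process creation) records from the command lines in this section; the field names, the explorer.exe parent of WINWORD.EXE, and the parent of the second regsvr32.exe (the report lists the process but not who launched it) are assumptions.

```python
"""Flag the Office -> regsvr32 execution chain recorded in this report."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# A DLL exactly one directory below System32 (e.g. System32\AmDBRyRXzfi\x.dll). No
# Windows component is registered from such a path; this sample's copy was.
SYSTEM32_SUBDIR = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\\[^\\]+\.dll$", re.I)

# Constructed events. PIDs are the ones the report names in its WriteProcessMemory
# rows (2632 -> 3576) and memory-dump file names (4812). Parents marked "assumed"
# are not stated in the report.
EVENTS = [
    {"ProcessId": 2632,
     "Image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\I19984860741841252_202303081146.doc" /o ""',
     "ParentImage": r"C:\Windows\explorer.exe"},  # assumed
    {"ProcessId": 3576,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\050526.tmp"',
     "ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"},
    {"ProcessId": 4812,
     "Image": r"C:\Windows\system32\regsvr32.exe",
     "CommandLine": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AmDBRyRXzfi\LSrNiSQpbuqutQ.dll"',
     "ParentImage": r"C:\Windows\System32\regsvr32.exe"},  # assumed
]


def split_args(cmdline):
    """Tokenize a Windows command line: a double-quoted span becomes one argument."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_regsvr32(event):
    """Return the reasons a process-creation event matches this chain (empty list if none)."""
    reasons = []
    if basename(event["Image"]) != "regsvr32.exe":
        return reasons
    parent = basename(event["ParentImage"])
    if parent in OFFICE_PARENTS:
        reasons.append(f"regsvr32.exe spawned by Office process {parent}")
    # Everything after argv[0] that is not a switch is a module regsvr32 will load.
    targets = [a for a in split_args(event["CommandLine"])[1:] if a and not a.startswith("/")]
    for target in targets:
        low = target.lower()
        if not low.endswith(".dll"):
            reasons.append(f"register target lacks .dll extension: {target}")
        if "\\appdata\\local\\temp\\" in low:
            reasons.append(f"register target in user Temp: {target}")
        if SYSTEM32_SUBDIR.match(low):
            reasons.append(f"register target in a System32 subdirectory: {target}")
    return reasons


def scan(events):
    """Map PID -> reasons for every event that trips at least one check."""
    hits = {}
    for event in events:
        reasons = flag_regsvr32(event)
        if reasons:
            hits[event["ProcessId"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

Run stand-alone it reports PID 3576 (Office parent, no .dll extension, Temp path) and PID 4812 (System32 subdirectory) and stays silent on WINWORD.EXE itself. The parent check alone is the high-signal part; the path checks exist so that the second-stage regsvr32.exe, whose parent is no longer Office, is still caught.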

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 39.146.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 191.88.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp
US | 8.8.8.8:53 | 130.110.252.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp
US | 20.189.173.2:443 | | tcp
US | 93.184.221.240:80 | | tcp
NL | 173.223.113.131:80 | | tcp
NL | 173.223.113.164:443 | | tcp
US | 204.79.197.203:80 | | tcp
US | 8.8.8.8:53 | 234.238.32.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp
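Most rows in this table are not indicators: the in-addr.arpa queries are reverse lookups of peer addresses (one of them, 130.110.252.195.in-addr.arpa, is the 195.252.110.130 peer itself), and the bare-IP TCP rows carry no name the sample asked for. Only www.dnautik.com was resolved and then connected to. The triage below is an added example, not part of the sandbox report. ROWS embeds this section's table as text; the "Script User-Agent" signature's string, Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), is the default User-Agent of the WinHttp.WinHttpRequest COM object, and since the report does not say which process sent it, is_script_user_agent() only classifies the string.

```python
"""Separate blockable indicators from reverse-lookup noise in a sandbox Network table."""
import re

# Behavioral2 Network table, columns separated by '|'; space-separated rows (the
# form without separators, where bare-IP rows have no Domain value) are accepted too.
ROWS = """\
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 39.146.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 191.88.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp
US | 8.8.8.8:53 | 130.110.252.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp
US | 20.189.173.2:443 | | tcp
US | 93.184.221.240:80 | | tcp
NL | 173.223.113.131:80 | | tcp
NL | 173.223.113.164:443 | | tcp
US | 204.79.197.203:80 | | tcp
US | 8.8.8.8:53 | 234.238.32.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp
"""

# Default User-Agent of WinHttp.WinHttpRequest, the COM HTTP client scripts and
# VBA reach through CreateObject; browsers never send this token.
SCRIPT_UA = re.compile(r"WinHttp\.WinHttpRequest\.\d", re.I)
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Parse table rows into dicts with country, ip, port, domain and proto."""
    rows = []
    for line in text.splitlines():
        if "|" in line:
            parts = [p.strip() for p in line.split("|")]
        else:
            parts = line.split()
            if len(parts) == 3:          # bare-IP TCP row without a Domain value
                parts.insert(2, "")
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Split rows into PTR lookups, forward DNS queries, named connections and bare-IP connections."""
    out = {"ptr": [], "dns": [], "named": [], "bare": []}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            out["ptr" if r["domain"].endswith(PTR_SUFFIX) else "dns"].append(r)
        else:
            out["named" if r["domain"] else "bare"].append(r)
    return out


def indicators(rows):
    """Return (domains, ip:port sockets) the sample both resolved and then connected to."""
    t = triage(rows)
    queried = {d["domain"] for d in t["dns"]}
    contacted = [c for c in t["named"] if c["domain"] in queried]
    return sorted({c["domain"] for c in contacted}), sorted({f'{c["ip"]}:{c["port"]}' for c in contacted})


def ptr_targets(rows):
    """Recover the addresses behind in-addr.arpa lookups (octets are stored reversed)."""
    addrs = []
    for r in triage(rows)["ptr"]:
        octets = r["domain"][: -len(PTR_SUFFIX)].split(".")
        addrs.append(".".join(reversed(octets)))
    return addrs


def is_script_user_agent(user_agent):
    """True when a proxy-log User-Agent is the WinHttpRequest default rather than a browser."""
    return bool(SCRIPT_UA.search(user_agent))


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print("resolved and contacted:", indicators(rows))
    print("reverse-looked-up addresses:", ptr_targets(rows))
```

The pairing in indicators() is the check that matters: a TCP row is an indicator only when the same table shows the sample asking for that name first. The five bare-IP connections are left out on purpose; on this evidence alone they cannot be attributed to the sample rather than to the platform, and blocking them from a sandbox run is how Windows update and telemetry ranges end up on blocklists.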

Files

memory/2632-133-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

memory/2632-134-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

memory/2632-135-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

memory/2632-136-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

memory/2632-137-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

memory/2632-138-0x00007FFD161F0000-0x00007FFD16200000-memory.dmp

memory/2632-139-0x00007FFD161F0000-0x00007FFD16200000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\050528.zip

MD5 17cbbaee3e9473162ecb52b035bd6728
SHA1 03f75d00794ae7204c6b7ae060f4c9f26b700391
SHA256 0a5cc8f4267d94a7643d67c898b7b59d3b5dc3b477d7544bf174315af4689da5
SHA512 f2f68eb8936e4a6fa4f2352ecfebadacdada38a9d9fbe72b0c2c914f291c3e6c943ac1da5882e2f753aa0c0655b075106cf7206b004fa289469628bdb14eebe1

C:\Users\Admin\AppData\Local\Temp\050526.tmp

MD5 5098ccecc1648869a170836a188ced0e
SHA1 b5832b472c4306031865b0910b6400f24978b154
SHA256 57fa5168da106198fe4331ae10e2b97af2ad9bfcc0b057439016ef707c4662d9
SHA512 84b56bcf9d3f3d960b83e88ea5d0f69d34ecaa8eea23a1273990676c44a41a51d2180cbf8393f7d5817483412e3be187136e7653d085fb54d7c7a2bc9830ad24

memory/3576-176-0x0000000180000000-0x000000018002D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\050526.tmp

MD5 0942b88b4274bc50c7d564de0eab7468
SHA1 f51f5d6f1523fb44c050aac914a690c01f94ad3c
SHA256 420436f346e62bfef467ad97317ef9c43f9d1e85616f4ce295a4e995dc85a33e
SHA512 d3ed39043519507f5fd2fb9538c462d11436016487f3e8ac6f2125e69e16953f5ad76a1e0e15ad8281feb8895c810b9d5dbbc22bdeb6fe627bc10383f5a8477f

memory/3576-182-0x0000000002B30000-0x0000000002B31000-memory.dmp

memory/4812-185-0x0000000001F10000-0x0000000001FC0000-memory.dmp

C:\Windows\System32\AmDBRyRXzfi\LSrNiSQpbuqutQ.dll

MD5 bbb4de69671548b478796cddb3c58dbb
SHA1 744c6fe7ce51add7413b4536926b6522f19b15ef
SHA256 85b0f3fb3648b30c538b2df5172f7d5df364dcb0fae37c3b25a9a7789c0e6dbb
SHA512 de2d6c6e1472c04bf6fb2906834ad139bb4e8a247e3458ce18e89fa8692c3defdd9d9f577b31b95f75207939c47ed9ead77d63b771a45d782faa2c6a28b2e014

C:\Windows\System32\AmDBRyRXzfi\LSrNiSQpbuqutQ.dll

MD5 7fde3dc3734224cd568cc5e066ea0ee5
SHA1 5cf1011686bf4146443572ec380f3a0b803e4e0b
SHA256 0fe9b565cdcd649061cbf3e3d01e6f874f836aa5cb0430dc5370952b0bfe9034
SHA512 dd31237479b321eabcc46e2694723b434af7b491a6ef3aeaff37b8bec18a05032580095f1ea478e6396dc7e11d2fba8e5a5283ea69abc6ab9285ac048379b7e7

memory/4812-190-0x0000000001F10000-0x0000000001FC0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 04:02

Reported

2023-03-08 04:07

Platform

win10-20230220-en

Max time kernel

20s

Max time network

125s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\I19984860741841252_202303081146.doc" /o ""

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2584 wrote to memory of 4388 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\System32\regsvr32.exe
PID 2584 wrote to memory of 4388 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\System32\regsvr32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\I19984860741841252_202303081146.doc" /o ""

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\050530.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IKTiGFiruNNcsG\nRTfjLfy.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 24.32.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp
US | 8.8.8.8:53 | 130.110.252.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.150.79.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp

Files

memory/2584-121-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

memory/2584-122-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

memory/2584-123-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

memory/2584-124-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

memory/2584-127-0x00007FFA500A0000-0x00007FFA500B0000-memory.dmp

memory/2584-129-0x00007FFA500A0000-0x00007FFA500B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\050531.zip

MD5 17cbbaee3e9473162ecb52b035bd6728
SHA1 03f75d00794ae7204c6b7ae060f4c9f26b700391
SHA256 0a5cc8f4267d94a7643d67c898b7b59d3b5dc3b477d7544bf174315af4689da5
SHA512 f2f68eb8936e4a6fa4f2352ecfebadacdada38a9d9fbe72b0c2c914f291c3e6c943ac1da5882e2f753aa0c0655b075106cf7206b004fa289469628bdb14eebe1

C:\Users\Admin\AppData\Local\Temp\050530.tmp

MD5 2ab273e3f37a4f5c36cd498480e93bf7
SHA1 c48f878d126807599f8348113984230478207020
SHA256 c5de4262cd45152878e90f28691f930628912cde0f198c5d284c31acc32ee1c9
SHA512 b5689e01ff9e7a141599d72e60feb67ca85b0d2327893326ae19c074544157f7fe6c5b61e69875f31793a591e2f641b334a776a198a23dcd4fecc37c50535d12

memory/4388-331-0x0000000002060000-0x0000000002110000-memory.dmp

\Users\Admin\AppData\Local\Temp\050530.tmp

MD5 088262698f09a1185be8aaae7e02e134
SHA1 5a18c6e3edb19a00e7a3fd081d43b6e21dad7375
SHA256 1c521ca0d2af3ae2e361881f7551f4b4b5ca5adf84f29399338ab01ef4a9a15a
SHA512 00995f6fd01241992c829015a7be820f55ffc0040e414d316b4cee53fc0cad5d9acee82b2c94e0207755e643b127d9f6b3faeb79fe65667088ab3ab5cd378d28

\Users\Admin\AppData\Local\Temp\050530.tmp

MD5 101dd230139ccf96d05bad3d8bb18adb
SHA1 984801cd3b79fcbaf38ad10bc06b22490724e4a5
SHA256 2f739056f51fbf51c6b55c623ec83add4bce7a258dab4d620466c5c31d7dca55
SHA512 82ec60fc4f1c5dbcb71256095370c0c7fd5780340a5a71a349cbfc7f47d38dc5fa9f61e6ed5d786a28f3094a3c6413d1cf5fe16d4fcd27c6ce6fed6ef3ba2208

memory/4388-333-0x0000000180000000-0x000000018002D000-memory.dmp

memory/4388-341-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/4388-377-0x0000000002060000-0x0000000002110000-memory.dmp