Malware Analysis Report

2025-08-06 04:00

Sample ID 230308-g1ytwsdh6v
Target 2023-03-08_1509.zip
SHA256 2c4c0dcd2b340579f0020891f40517d113f96707435c45677d8659adfc8cf5d7
Tags macro macro_on_action emotet epoch4 banker trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 2c4c0dcd2b340579f0020891f40517d113f96707435c45677d8659adfc8cf5d7

Threat Level: Known bad

The file 2023-03-08_1509.zip was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action emotet epoch4 banker trojan

Process spawned unexpected child process

Emotet

Suspicious Office macro

Office macro that triggers on suspicious action

Loads dropped DLL

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Script User-Agent

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Analysis: static1

Detonation Overview

Reported

2023-03-08 06:17

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 06:16

Reported

2023-03-08 07:22

Platform

win7-20230220-en

Max time kernel

22s

Max time network

32s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-08_1509.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-08_1509.doc"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\072025.tmp"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\072025.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LQYiQwNmulLFNhtNt\lhWp.dll"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\072030.zip

MD5 d5700e1ee975acb953e76eac021dc57d
SHA1 a5e008828774992d42ddd66a00cda20e0d29b4a6
SHA256 e184e3130db13b0f2c4079a7d19e669f1873a7029f79fc928f07829007dbaca8
SHA512 0a1e10ded8a5dc96776571afbd84b735fac9b7c3baa2acaa576d26edf6cf81cfa28ebdcbba00ba70c99c655f49ed78ff1202ceed22425c92ec441df740edc7c5

C:\Users\Admin\AppData\Local\Temp\072025.tmp

MD5 e1b2d20c8bdc29f4b998d80ac9a4dd3e
SHA1 25e3ecb94527fd6d891ddaca38905aea7da34144
SHA256 b683b0147646504a5cafa3a5c235eed86371c3d2640401bafed47c28629b1ef8
SHA512 3dfd8657130ba08a66f359d89c420892efe05672e9aa3dfadaef6bbce5903aacb32be59a38076c839e18d8712325bd2e85e563d6c4a4f05c10a4cb1f266467e7

\Users\Admin\AppData\Local\Temp\072025.tmp

MD5 a34bfb95e5e1ecb024e8c69baef691c4
SHA1 1591af6f0191e9d9fcbe62cbd98d1afbc5e281db
SHA256 4de9469e98b53a2b151f2c8ea3d69fca77d53e13efb55ef2aeab5e1d49f4be7b
SHA512 47c6fb422971a25d4f50e2544aa6362a6ea29211eee5cc3c773523adef2e29c9348cef2d432329f1055194acbf79f787690f13914b379f8450b924f0cf06102d

\Users\Admin\AppData\Local\Temp\072025.tmp

MD5 5e24f0b1c4646d5e68cae44b7ac973a3
SHA1 e08e20c2ac56156badaaf10f9afe32aa61135ba9
SHA256 1d8776b07c090119a91d735d8ea0f83806758759c4c15fc7f452f325ac112434
SHA512 eab99651fc0c29e13823fe5094026528a883520d90a5cbd40f25646e440538c7e1ca0ddd461b3958f4850b53b551c72d0ffe17a1e7cc7dfa4e3962f03fd80332

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 c30f7745c2fb9cdf4565da087a63aafa
SHA1 a161c02e1d5ea51ea83c4eab99f0ba3fe7e233f5
SHA256 c42d8a602c788c6924ba9b59320d2c4944fda247ac0e4cbe63e1aae9af5c04ad
SHA512 d4cef71f64fbf95aaf0d3b469f1d70e64e1c2ca8ccb79fc7a0e53389c71f0baad2b046bbb7ff8d2545283b5122f97f19cd85a555821ab2de83b40c1650870f62

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-08 06:16

Reported

2023-03-08 07:22

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-08_1509.doc" /o ""

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-08_1509.doc" /o ""

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\082021.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XhtEn\VCOgUrJ.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 191.88.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 130.110.252.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
FR | 40.79.141.152:443 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 131.253.33.203:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | 177.238.32.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\082023.zip

MD5 d5700e1ee975acb953e76eac021dc57d
SHA1 a5e008828774992d42ddd66a00cda20e0d29b4a6
SHA256 e184e3130db13b0f2c4079a7d19e669f1873a7029f79fc928f07829007dbaca8
SHA512 0a1e10ded8a5dc96776571afbd84b735fac9b7c3baa2acaa576d26edf6cf81cfa28ebdcbba00ba70c99c655f49ed78ff1202ceed22425c92ec441df740edc7c5

C:\Users\Admin\AppData\Local\Temp\082021.tmp

MD5 19bff3aa06ddc8c0c808d8be5cc49275
SHA1 98e500a3fdb186aaae72b3ac985d28e693c46c54
SHA256 c9b6bf7242684234d57a3ea22bb08ef61dab6b8dc716d68466fb0fe497dd76ba
SHA512 8732eef028d3021b64c79da521c4808bdb202ef4181bed55a26610d430b4afb553c6397311661e323132a866e6ad669c3bf2849aeba8fb8a48e607badfaffeda

C:\Windows\System32\XhtEn\VCOgUrJ.dll

MD5 19bff3aa06ddc8c0c808d8be5cc49275
SHA1 98e500a3fdb186aaae72b3ac985d28e693c46c54
SHA256 c9b6bf7242684234d57a3ea22bb08ef61dab6b8dc716d68466fb0fe497dd76ba
SHA512 8732eef028d3021b64c79da521c4808bdb202ef4181bed55a26610d430b4afb553c6397311661e323132a866e6ad669c3bf2849aeba8fb8a48e607badfaffeda
