Malware Analysis Report

2025-08-06 03:59

Sample ID 230308-gx47haec93
Target Form.zip
SHA256 da92928558092647db39b68cb896dea008440c29c8fe9f0d92006468520445fd
Tags
macro macro_on_action emotet epoch4 banker persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

da92928558092647db39b68cb896dea008440c29c8fe9f0d92006468520445fd

Threat Level: Known bad

The file Form.zip was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action emotet epoch4 banker persistence trojan

Process spawned unexpected child process

Emotet

Suspicious Office macro

Office macro that triggers on suspicious action

Loads dropped DLL

Adds Run key to start application

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-08 06:12

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 06:11

Reported

2023-03-08 06:16

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Form.doc" /o ""

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MVZVkXzsp.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\XeThkoWPGOxpOzL\\MVZVkXzsp.dll\"" | C:\Windows\system32\regsvr32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Form.doc" /o ""

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\061341.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XeThkoWPGOxpOzL\MVZVkXzsp.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 234.238.32.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 160.145.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 191.88.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp
US | 8.8.8.8:53 | 130.110.252.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 20.189.173.4:443 | | tcp
US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
FR | 91.121.146.47:8080 | 91.121.146.47 | tcp
US | 8.8.8.8:53 | 47.146.121.91.in-addr.arpa | udp

Files

memory/2224-133-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

memory/2224-134-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

memory/2224-135-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

memory/2224-136-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

memory/2224-137-0x00007FFBFD110000-0x00007FFBFD120000-memory.dmp

memory/2224-138-0x00007FFBFA960000-0x00007FFBFA970000-memory.dmp

memory/2224-139-0x00007FFBFA960000-0x00007FFBFA970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\061342.zip

MD5 9ad186e479e35bab7859e974b0cbfd65
SHA1 9a6191124de81354ffe01922e6348e6ab0830aee
SHA256 c8861f1708199dd01294e6d66ebf2bb3951980e177ec646b15291999e6b6a291
SHA512 f6578eaefd8a6934a10f0089877494e5c68f2fcf4fb821a5f6f1195b38559fa3086f57a5eaabd0a3efd6c42b4278d6d80d67ce4a4d440e944f9b42da9bde3ecd

C:\Users\Admin\AppData\Local\Temp\061341.tmp

MD5 8467d39bd97385af80831fec91fc38bb
SHA1 27da57182e02b32adedbdea812d0107506e66a10
SHA256 73b63b12507b780f6e37ebc5a86ddd75edaa88895c32b0e04a6d41ead78f77b4
SHA512 a340986c205891e4b64405b12e5286d945e05c3278ceaa9fc19523058b982247f9893796632410d50f81045c0a0a2788a5af7a0ffdc7d38c467c728e8a95042e

memory/1924-179-0x0000000180000000-0x000000018002D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\061341.tmp

MD5 8467d39bd97385af80831fec91fc38bb
SHA1 27da57182e02b32adedbdea812d0107506e66a10
SHA256 73b63b12507b780f6e37ebc5a86ddd75edaa88895c32b0e04a6d41ead78f77b4
SHA512 a340986c205891e4b64405b12e5286d945e05c3278ceaa9fc19523058b982247f9893796632410d50f81045c0a0a2788a5af7a0ffdc7d38c467c728e8a95042e

memory/1924-182-0x0000000002680000-0x0000000002681000-memory.dmp

C:\Windows\System32\XeThkoWPGOxpOzL\MVZVkXzsp.dll

MD5 8467d39bd97385af80831fec91fc38bb
SHA1 27da57182e02b32adedbdea812d0107506e66a10
SHA256 73b63b12507b780f6e37ebc5a86ddd75edaa88895c32b0e04a6d41ead78f77b4
SHA512 a340986c205891e4b64405b12e5286d945e05c3278ceaa9fc19523058b982247f9893796632410d50f81045c0a0a2788a5af7a0ffdc7d38c467c728e8a95042e

memory/4100-188-0x0000000000400000-0x00000000004B0000-memory.dmp