Malware Analysis Report

2025-08-06 04:00

Sample ID 230308-gzpvlaec97
Target UUIW_99950751.zip
SHA256 b8c1f06dbbe199412a19a58f60b46e4b94641a392d1fdafcb378ed26e9e537b4
Tags: macro macro_on_action emotet epoch4 banker persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

b8c1f06dbbe199412a19a58f60b46e4b94641a392d1fdafcb378ed26e9e537b4

Threat Level: Known bad

The file UUIW_99950751.zip was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action emotet epoch4 banker persistence trojan

Process spawned unexpected child process

Emotet

Suspicious Office macro

Office macro that triggers on suspicious action

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-08 06:15

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 06:14

Reported

2023-03-08 06:18

Platform

win10v2004-20230221-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice Copies 2023-03-07_1554, United States.doc" /o ""

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gQoZYFZQ.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\IxqYEWXFwprGnX\\gQoZYFZQ.dll\"" | C:\Windows\system32\regsvr32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice Copies 2023-03-07_1554, United States.doc" /o ""

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\071545.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IxqYEWXFwprGnX\gQoZYFZQ.dll"

Network

Country | Destination | Domain | Proto
US | 52.137.108.250:443 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 139.238.32.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.32.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp
US | 8.8.8.8:53 | 130.110.252.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp
US | 52.182.141.63:443 | | tcp
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
NL | 173.223.113.164:443 | | tcp
US | 8.8.8.8:53 | 177.238.32.23.in-addr.arpa | udp
FR | 91.121.146.47:8080 | 91.121.146.47 | tcp
US | 8.8.8.8:53 | 47.146.121.91.in-addr.arpa | udp

Files

memory/2744-133-0x00007FFCB6010000-0x00007FFCB6020000-memory.dmp

memory/2744-134-0x00007FFCB6010000-0x00007FFCB6020000-memory.dmp

memory/2744-135-0x00007FFCB6010000-0x00007FFCB6020000-memory.dmp

memory/2744-136-0x00007FFCB6010000-0x00007FFCB6020000-memory.dmp

memory/2744-137-0x00007FFCB6010000-0x00007FFCB6020000-memory.dmp

memory/2744-138-0x00007FFCB3C70000-0x00007FFCB3C80000-memory.dmp

memory/2744-139-0x00007FFCB3C70000-0x00007FFCB3C80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\071547.zip

MD5 9ad186e479e35bab7859e974b0cbfd65
SHA1 9a6191124de81354ffe01922e6348e6ab0830aee
SHA256 c8861f1708199dd01294e6d66ebf2bb3951980e177ec646b15291999e6b6a291
SHA512 f6578eaefd8a6934a10f0089877494e5c68f2fcf4fb821a5f6f1195b38559fa3086f57a5eaabd0a3efd6c42b4278d6d80d67ce4a4d440e944f9b42da9bde3ecd

C:\Users\Admin\AppData\Local\Temp\071545.tmp

MD5 8467d39bd97385af80831fec91fc38bb
SHA1 27da57182e02b32adedbdea812d0107506e66a10
SHA256 73b63b12507b780f6e37ebc5a86ddd75edaa88895c32b0e04a6d41ead78f77b4
SHA512 a340986c205891e4b64405b12e5286d945e05c3278ceaa9fc19523058b982247f9893796632410d50f81045c0a0a2788a5af7a0ffdc7d38c467c728e8a95042e

memory/1668-177-0x0000000180000000-0x000000018002D000-memory.dmp

memory/1668-180-0x0000000000C30000-0x0000000000C31000-memory.dmp

C:\Windows\System32\IxqYEWXFwprGnX\gQoZYFZQ.dll

MD5 8467d39bd97385af80831fec91fc38bb
SHA1 27da57182e02b32adedbdea812d0107506e66a10
SHA256 73b63b12507b780f6e37ebc5a86ddd75edaa88895c32b0e04a6d41ead78f77b4
SHA512 a340986c205891e4b64405b12e5286d945e05c3278ceaa9fc19523058b982247f9893796632410d50f81045c0a0a2788a5af7a0ffdc7d38c467c728e8a95042e

memory/3776-187-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/2744-214-0x00007FFCB6010000-0x00007FFCB6020000-memory.dmp

memory/2744-216-0x00007FFCB6010000-0x00007FFCB6020000-memory.dmp

memory/2744-215-0x00007FFCB6010000-0x00007FFCB6020000-memory.dmp

memory/2744-217-0x00007FFCB6010000-0x00007FFCB6020000-memory.dmp