Malware Analysis Report

2025-08-06 04:00

Sample ID 230308-hnqs7aed98
Target form.zip
SHA256 b3ee14db12d9b5ac16771d557eb1d16491aaff3e6ac09fc55a830603d5d8bda4
Tags
macro macro_on_action emotet epoch4 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b3ee14db12d9b5ac16771d557eb1d16491aaff3e6ac09fc55a830603d5d8bda4

Threat Level: Known bad

The file form.zip was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action emotet epoch4 banker trojan

Emotet

Process spawned unexpected child process

Office macro that triggers on suspicious action

Suspicious Office macro

Loads dropped DLL

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Script User-Agent

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-08 06:53

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 06:53

Reported

2023-03-08 06:56

Platform

win7-20230220-en

Max time kernel

32s

Max time network

33s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\form.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2024 wrote to memory of 1784 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 2024 wrote to memory of 1784 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 2024 wrote to memory of 1784 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 2024 wrote to memory of 1784 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 2024 wrote to memory of 1784 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 2024 wrote to memory of 1784 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 2024 wrote to memory of 1784 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 1784 wrote to memory of 1560 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1784 wrote to memory of 1560 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1784 wrote to memory of 1560 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1784 wrote to memory of 1560 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1784 wrote to memory of 1560 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1784 wrote to memory of 1560 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1784 wrote to memory of 1560 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\form.doc"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\075429.tmp"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\075429.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KwJDGTQXOojYAHwdY\nXjeneOHykGkBu.dll"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\075433.zip

MD5 d347a9e713947d67f6f575738ef07cd7
SHA1 f51f3983960517b07bb97f5ba5495480a31c8c0f
SHA256 22babdda065e864cc6309f90833994a36353ae21d3a7be6e3aafaf51024448f0
SHA512 5aef4fe8dbf87c3ff7e11af5e76912ef4e91e51246935132ee38a404c1f86cc464b527c2d47750930472121a23d1741e7c8e57f5ce41904af0d065bf6555a651

memory/2024-1077-0x0000000006060000-0x0000000006061000-memory.dmp

\Users\Admin\AppData\Local\Temp\075429.tmp

MD5 a450f2a4073e704e95bd1f21bad9f9cd
SHA1 62a0e112e8daea434bf1ad7222028e391a3d7909
SHA256 0844eef4a53e5f0f91a19aba6a6d106d4a4bed48f54558aa946c22638d318869
SHA512 ab0e87dd4bf18b43e694717f88f70c278ae2aaf01943aac9d997d6737ff01854f4d4d0823ed32ce2612c987ce5fb83396b629371a373f0cb987f58bf013b475c

C:\Users\Admin\AppData\Local\Temp\075429.tmp

MD5 f9d2c9e31f29c24c240d8db4857fb187
SHA1 811afec2d2beed880c87daa4fcfd679522672bc6
SHA256 3bdd9e4e04591f6f28a5ffdbc006bed2e75a235b97fbd1e4ec431fa8b1c6041c
SHA512 22c01329b354d172316ec4cc44076d9ef9a73459a9a08c458a3bb7e7f8b78c7f374854faa3c0cec923b173508dfec9edd00923766026eea7af8b92496d798265

\Users\Admin\AppData\Local\Temp\075429.tmp

MD5 d0989e0e5ea83286f75cac3ebd94a1e2
SHA1 da8faa54bbf18318375370c5d32fd5245d8ed47a
SHA256 9c633f01fcd1d722a1a71e1a44a7d4074135c02e55ac8be4cafafaaf473e18e6
SHA512 3666799faa71eb62d23ea25d3a73749e2780478e5bd90b2767740a1f3a0cb5d7cf22d3273fbb37ceecb197e0397718ebdfe14dea591f7875748eab3a090aa5f0

memory/1560-1264-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2024-1269-0x0000000006060000-0x0000000006061000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 e3ada3faffe5af2cde3f67621977c9d2
SHA1 ea3e9f88152f1c46ed1ef95e501f1504f9dd2504
SHA256 f68b9133ebdd2b693a3e4baed71f69c3ba22beb8bcbdd488235f918db6bf8e55
SHA512 ff5c6b875534e7a53f58deea7d41a1e03b587a04d48a781057fa992763c1ab42f3e540fdfb9af0315fa5a3939dfab53086aef7de2a11c1ba4caf2f9a165d3849

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-08 06:53

Reported

2023-03-08 06:56

Platform

win10v2004-20230220-en

Max time kernel

13s

Max time network

157s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\form.doc" /o ""

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1248 wrote to memory of 2104 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\System32\regsvr32.exe
PID 1248 wrote to memory of 2104 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\System32\regsvr32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\form.doc" /o ""

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\065421.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TjcZlW\ttwwzs.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 234.238.32.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.32.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp
US | 8.8.8.8:53 | 130.110.252.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp
US | 13.89.179.8:443 | N/A | tcp
IE | 20.54.89.15:443 | N/A | tcp
US | 117.18.232.240:80 | N/A | tcp
US | 117.18.232.240:80 | N/A | tcp
NL | 173.223.113.164:443 | N/A | tcp
NL | 173.223.113.131:80 | N/A | tcp
US | 204.79.197.203:80 | N/A | tcp
US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
FR | 91.121.146.47:8080 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 8.8.8.8:53 | 47.146.121.91.in-addr.arpa | udp

Files

memory/1248-133-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

memory/1248-134-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

memory/1248-135-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

memory/1248-136-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

memory/1248-137-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

memory/1248-138-0x00007FFBAF200000-0x00007FFBAF210000-memory.dmp

memory/1248-139-0x00007FFBAF200000-0x00007FFBAF210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\065422.zip

MD5 d347a9e713947d67f6f575738ef07cd7
SHA1 f51f3983960517b07bb97f5ba5495480a31c8c0f
SHA256 22babdda065e864cc6309f90833994a36353ae21d3a7be6e3aafaf51024448f0
SHA512 5aef4fe8dbf87c3ff7e11af5e76912ef4e91e51246935132ee38a404c1f86cc464b527c2d47750930472121a23d1741e7c8e57f5ce41904af0d065bf6555a651

C:\Users\Admin\AppData\Local\Temp\065421.tmp

MD5 0e3445d2565da4c9419297fab373e115
SHA1 8b8b3363d94b0f06647ad25daf95aca5523d5961
SHA256 e7cc20c21ca5ce575ff1573236e5b1a227c44c986370037ef5ecfbf2ebf5cbec
SHA512 751f80c5b676755a3c0d21fade9d8272a37a0cba6e87142fb79a842aeeb1b50b9b0f5ec882491fc347efd13405a822d6972db96bac148d8350ef246eb41caf66

memory/2104-179-0x0000000180000000-0x000000018002D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\065421.tmp

MD5 e5c229a4ccec23ca846171bd86c412c0
SHA1 929fe5dad8f1644b2cb9f15552f43058f9bc88d6
SHA256 d46499b58a137410b48341170df32f4198887bf30137d5826810985c49609b31
SHA512 5b16b0a07ba1c3468a83929ae8050317dca3a620e2b1e1287b34a94324147498501c408a893372f42852190f84ce29da30f177ef6e7c40ef3dfd1544c03bdd41

memory/2104-182-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

memory/3016-185-0x0000000001EE0000-0x0000000001F90000-memory.dmp

C:\Windows\System32\TjcZlW\ttwwzs.dll

MD5 c086903a8faca99ea2dfc2be798dd849
SHA1 ea6602068a8f462947231af3ac35d466113b69c4
SHA256 039a412ee1923407ab2dda4cd527c9951d4718274afe8f5efc703df7a1ed4bd5
SHA512 733a0117b24cd8dd881ab79aac7e3fd9e12cd57b2bcf8b009d3004e0b073abfc3cfec49c98a2668b46895a184a091b63cef505e7bcd6ce3ed68d7fd5f8ec4237

C:\Windows\System32\TjcZlW\ttwwzs.dll

MD5 07a480ad3a268a67af282e20d89eb6ac
SHA1 db3e2d51d86afe6444b0cb8b28fb4d6e0ca64ef2
SHA256 b270238430615a32797c9b9ca7b3263e45e8136f6cb0f47d9db499c13c5742ee
SHA512 e9a610ea23202511c867903c93f9676e61b8c4fbec6f6958803acee597848e0907dff82536b5fcd2afe8b2fae0f4de73347c746f08ce5d70440dcee3a35dd566

memory/3016-191-0x0000000001EE0000-0x0000000001F90000-memory.dmp

memory/1248-219-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

memory/1248-218-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

memory/1248-220-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

memory/1248-217-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp