Malware Analysis Report

2025-08-05 12:45

Sample ID 230308-kmcahseh93
Target Copia Fattura.doc
SHA256 a99eb971a4d11235924443dfd0308e731205b6320e6939526d94f91a43c64248
Tags macro macro_on_action emotet epoch4 banker trojan
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 a99eb971a4d11235924443dfd0308e731205b6320e6939526d94f91a43c64248

Threat Level: Known bad

The file Copia Fattura.doc was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action emotet epoch4 banker trojan

Process spawned unexpected child process

Emotet

Office macro that triggers on suspicious action

Suspicious Office macro

Loads dropped DLL

Office loads VBA resources, possible macro or embedded object present

Script User-Agent

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-03-08 08:43

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-03-08 08:42
Reported 2023-03-08 09:02
Platform win7-20230220-en
Max time kernel 22s
Max time network 34s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Copia Fattura.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Copia Fattura.doc"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\085955.tmp"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\085955.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NNyvhcQBMHfWzL\ijviVujK.dll"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp

Files

memory/944-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/944-57-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-58-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-59-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-60-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-61-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-62-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-64-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-63-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-65-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-66-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-67-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-68-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-69-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-70-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-72-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-71-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-74-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-73-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-75-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-76-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-78-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-77-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-80-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-79-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-81-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-86-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-87-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-85-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-89-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-88-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-84-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-83-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-82-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-93-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-94-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-95-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-91-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-92-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-97-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-98-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-96-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-90-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-99-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-101-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/944-107-0x00000000004D0000-0x00000000005D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\090000.zip

MD5 7d74461b5fd70928dc244547869f8244
SHA1 0a69beecdd517a2b9e618147856367fceae23bd4
SHA256 335051721cda978a48a4e088a1d1cdf3c982a46a64d438fc153b187eef2eb86b
SHA512 4f7c40b88e1abfc258d3a8ae620b1c70c47996f57041d39435f32dcbcc7d318dbc48ca41262a2604dd468db15a30532edab8358b5dc8ee8b1f5f16f02a7d20eb

memory/944-1077-0x00000000060A0000-0x00000000060A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\085955.tmp

MD5 833598ad56f8d69deadab66b03a56877
SHA1 fa3ef77035fd251ee7c57acce60d97e35cb3dd87
SHA256 cbc47b757830f14fe3a4dbb3ad9d13746119b9357ef09e990b12a8af244f23c0
SHA512 a4a145c77271e562ad84f2592817f835b277e33fad6c48a5a9771cf80468660a3ee93a3308115b655123e17a51a2c046d5ffd7782d2c266f0f06c0ab9b214acb

\Users\Admin\AppData\Local\Temp\085955.tmp

MD5 1a70cb58ead966d091d91045c115d055
SHA1 548692dee82d809e41aa95dee8e1bbd2a99cb049
SHA256 1f1e98ce55ec46b3037ff9a9be561e55af6bdcb45454c8762bdd33a4da457bff
SHA512 0f9150188d25e9c74bd752406acb004e12af6b3b2da88c79bf9461c2d963d156a5f124913ea0485be2dfa94f6b0ae4342434a4677d2859b249251b79488470d4

\Users\Admin\AppData\Local\Temp\085955.tmp

MD5 aa58f0094179f0518b44b4273f66d3d5
SHA1 2d46081eb25fba4458fd42f3370574377613421f
SHA256 ce08b8527fd963d1eef0118d4f1f3ce3a2f2d6403da09e7f456e3dfe33c55c94
SHA512 fa1ba76185506bfc93ba6f89ad566c7fa494448afb811c32e2ea14e428c65541643c8786c8cf0e2f6e65e148d3ae8ea1acda3f66825852359074b9d8556ee48f

memory/1264-1264-0x0000000000350000-0x0000000000351000-memory.dmp

memory/840-1269-0x0000000000200000-0x0000000000201000-memory.dmp

memory/944-1271-0x00000000060A0000-0x00000000060A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 43fd1703ab999f66a757400882bd73bc
SHA1 4fc91d33c8909ed01a113056eb0b68f1b31055bf
SHA256 1bb10b80da3ce7d67c55979055d35666d59f25b1b6448b00ef4acbad1a3bd99d
SHA512 e7e88f7169e74dd87ef67ddbed36e40387672fc2027bff9c64e6daa41a06180ca54e7c365d08b30e9b5956e9cae08081eaa6f2e6e0ea11a453c8cd0a3ca92972

Analysis: behavioral2

Detonation Overview

Submitted 2023-03-08 08:42
Reported 2023-03-08 09:01
Platform win10v2004-20230220-en
Max time kernel 150s
Max time network 158s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Copia Fattura.doc" /o ""

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Copia Fattura.doc" /o ""

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\095916.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SHYuutbUdWZTEZEKs\IbBbooiPpdiSwT.dll"

Network

Country | Destination | Domain | Proto
NL | 8.238.179.126:80 |  | tcp
US | 93.184.220.29:80 |  | tcp
NL | 8.238.179.126:80 |  | tcp
NL | 8.238.179.126:80 |  | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.146.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 191.88.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.42.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp
US | 8.8.8.8:53 | 130.110.252.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp
US | 52.182.141.63:443 |  | tcp
NL | 173.223.113.164:443 |  | tcp
NL | 173.223.113.131:80 |  | tcp
US | 131.253.33.203:80 |  | tcp
US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 234.238.32.23.in-addr.arpa | udp
FR | 91.121.146.47:8080 | 91.121.146.47 | tcp
US | 8.8.8.8:53 | 47.146.121.91.in-addr.arpa | udp

Files

memory/628-133-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp

memory/628-135-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp

memory/628-134-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp

memory/628-136-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp

memory/628-137-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp

memory/628-138-0x00007FF961DC0000-0x00007FF961DD0000-memory.dmp

memory/628-139-0x00007FF961DC0000-0x00007FF961DD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\095918.zip

MD5 7d74461b5fd70928dc244547869f8244
SHA1 0a69beecdd517a2b9e618147856367fceae23bd4
SHA256 335051721cda978a48a4e088a1d1cdf3c982a46a64d438fc153b187eef2eb86b
SHA512 4f7c40b88e1abfc258d3a8ae620b1c70c47996f57041d39435f32dcbcc7d318dbc48ca41262a2604dd468db15a30532edab8358b5dc8ee8b1f5f16f02a7d20eb

C:\Users\Admin\AppData\Local\Temp\095916.tmp

MD5 10d06673f1cdeb8164c37974f22af5e6
SHA1 2410d65e5d971d4793e26601ae79aabc3b780811
SHA256 0ea8aa916237b8c56266eaa242153eff8f19dd85ade9d6bc0c3c065909415325
SHA512 b4142923c6a1c37208f95e59cfb09b4ff885503b0d115a77bf38bc957ee8931b24aeef1895f8e4ff0f7fe7ad3c1eabe3a3c21e9c2b83794a5950ee4f83ce060b

memory/3748-178-0x0000000002280000-0x0000000002330000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\095916.tmp

MD5 10d06673f1cdeb8164c37974f22af5e6
SHA1 2410d65e5d971d4793e26601ae79aabc3b780811
SHA256 0ea8aa916237b8c56266eaa242153eff8f19dd85ade9d6bc0c3c065909415325
SHA512 b4142923c6a1c37208f95e59cfb09b4ff885503b0d115a77bf38bc957ee8931b24aeef1895f8e4ff0f7fe7ad3c1eabe3a3c21e9c2b83794a5950ee4f83ce060b

C:\Users\Admin\AppData\Local\Temp\095916.tmp

MD5 10d06673f1cdeb8164c37974f22af5e6
SHA1 2410d65e5d971d4793e26601ae79aabc3b780811
SHA256 0ea8aa916237b8c56266eaa242153eff8f19dd85ade9d6bc0c3c065909415325
SHA512 b4142923c6a1c37208f95e59cfb09b4ff885503b0d115a77bf38bc957ee8931b24aeef1895f8e4ff0f7fe7ad3c1eabe3a3c21e9c2b83794a5950ee4f83ce060b

memory/3748-181-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/3748-180-0x0000000180000000-0x000000018002D000-memory.dmp

C:\Windows\System32\SHYuutbUdWZTEZEKs\IbBbooiPpdiSwT.dll

MD5 10d06673f1cdeb8164c37974f22af5e6
SHA1 2410d65e5d971d4793e26601ae79aabc3b780811
SHA256 0ea8aa916237b8c56266eaa242153eff8f19dd85ade9d6bc0c3c065909415325
SHA512 b4142923c6a1c37208f95e59cfb09b4ff885503b0d115a77bf38bc957ee8931b24aeef1895f8e4ff0f7fe7ad3c1eabe3a3c21e9c2b83794a5950ee4f83ce060b

memory/1580-192-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/628-220-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp

memory/628-219-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp

memory/628-221-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp

memory/628-222-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp