Overview
10
Static
8
96afe1c2-c...ce.eml
windows7-x64
6
96afe1c2-c...ce.eml
windows10-2004-x64
3
Rep_97915979.zip
windows7-x64
1
Rep_97915979.zip
windows10-2004-x64
1
Rep_97915979.doc
windows7-x64
10
Rep_97915979.doc
windows10-2004-x64
10
email-html-1.html
windows7-x64
1
email-html-1.html
windows10-2004-x64
1
image001.png
windows7-x64
3
image001.png
windows10-2004-x64
3
Analysis
-
max time kernel: 13s
-
max time network: 147s
-
platform: windows10-2004_x64
-
resource: win10v2004-20230220-en
-
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
-
submitted: 08/03/2023, 08:44
Behavioral task
behavioral1
Sample
96afe1c2-c772-4f3a-bca4-80606734c6ce.eml
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
96afe1c2-c772-4f3a-bca4-80606734c6ce.eml
Resource
win10v2004-20230221-en
Behavioral task
behavioral3
Sample
Rep_97915979.zip
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
Rep_97915979.zip
Resource
win10v2004-20230221-en
Behavioral task
behavioral5
Sample
Rep_97915979.doc
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
Rep_97915979.doc
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
email-html-1.html
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
email-html-1.html
Resource
win10v2004-20230220-en
Behavioral task
behavioral9
Sample
image001.png
Resource
win7-20230220-en
Behavioral task
behavioral10
Sample
image001.png
Resource
win10v2004-20230220-en
General
-
Target
Rep_97915979.doc
-
Size
534.3MB
-
MD5
e7483391a9b507ecbdfa411553650531
-
SHA1
fdb26fdd782b2ac4dd26bb4e038730c2defb3918
-
SHA256
a99eb971a4d11235924443dfd0308e731205b6320e6939526d94f91a43c64248
-
SHA512
e40f21a2919036fca9f54bc7f2926777cb7890195ac22f789bddab0bf9e08403f69fcb493c3214dd9ffdaa65c0812885fd75d119dcd32a59133a3dccc85e1e1d
-
SSDEEP
6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x
Malware Config
Extracted
emotet
Epoch4
129.232.188.93:443
164.90.222.65:443
159.65.88.10:8080
172.105.226.75:8080
115.68.227.76:8080
187.63.160.88:80
169.57.156.166:8080
185.4.135.165:8080
153.126.146.25:7080
197.242.150.244:8080
139.59.126.41:443
186.194.240.217:443
103.132.242.26:8080
206.189.28.199:8080
163.44.196.120:8080
95.217.221.146:8080
159.89.202.34:443
119.59.103.152:8080
183.111.227.137:8080
201.94.166.162:443
103.75.201.2:443
149.56.131.28:8080
79.137.35.198:8080
5.135.159.50:443
66.228.32.31:7080
91.121.146.47:8080
153.92.5.27:8080
45.235.8.30:8080
72.15.201.15:8080
107.170.39.149:8080
45.176.232.124:443
82.223.21.224:8080
167.172.199.165:8080
213.239.212.5:443
202.129.205.3:8080
94.23.45.86:4143
147.139.166.154:8080
167.172.253.162:8080
91.207.28.33:8080
188.44.20.25:443
104.168.155.143:8080
110.232.117.186:8080
164.68.99.3:8080
1.234.2.232:8080
173.212.193.249:8080
182.162.143.56:443
160.16.142.56:8080
101.50.0.91:8080
103.43.75.120:443
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4212 | 2160 | regsvr32.exe | 85
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 27 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2160 | WINWORD.EXE
2160 | WINWORD.EXE
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
2160 | WINWORD.EXE
2160 | WINWORD.EXE
2160 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2160 | WINWORD.EXE
2160 | WINWORD.EXE
2160 | WINWORD.EXE
2160 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 2160 wrote to memory of 4212 | 2160 | WINWORD.EXE | 90
PID 2160 wrote to memory of 4212 | 2160 | WINWORD.EXE | 90
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Rep_97915979.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2160
    C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\094702.tmp"
    - Process spawned unexpected child process
    PID: 4212
        C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ClLxcntlEjzyxRZ\bDvnXJbgPN.dll"
        PID: 4224
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 510.2MB
MD5: dd08be60bebf4845e28d2be861ae91bf
SHA1: b8acef89dca14d3b0e14edebfce1369c26f5c7e2
SHA256: 269f1c954921bdf9feb999b5506b514ae8430a948d58baca9b0dc393b87e22b4
SHA512: ce109d403e64a148ae277f512a5a7dda8cd79138fb59aa7c625c40cf36e7e002c7b40dcfdae74fbf025a7cf3481fae3c84f9b161a7f896fa3611b63765b9c919
-
Filesize: 488.3MB
MD5: d8e5609bac43bc33f1181d54efd43ad2
SHA1: 9afa35a90c9c599f4f7dfcab4b5a5ecf76d7d959
SHA256: 6f5ca58d5dd0b40836bca674f623bbbad13a44d89bf617c1b35bdfea24a7be7e
SHA512: ab6258356f340c9de55d6356d27d3c019d43e9e17efc5c6f0c177d0f3e22c8958d483d2b85d942f5e926729f830da9bcf733c8333dd0f1d7878300a029889fc0
-
Filesize: 543.7MB
MD5: 10d06673f1cdeb8164c37974f22af5e6
SHA1: 2410d65e5d971d4793e26601ae79aabc3b780811
SHA256: 0ea8aa916237b8c56266eaa242153eff8f19dd85ade9d6bc0c3c065909415325
SHA512: b4142923c6a1c37208f95e59cfb09b4ff885503b0d115a77bf38bc957ee8931b24aeef1895f8e4ff0f7fe7ad3c1eabe3a3c21e9c2b83794a5950ee4f83ce060b
-
Filesize: 879KB
MD5: 7d74461b5fd70928dc244547869f8244
SHA1: 0a69beecdd517a2b9e618147856367fceae23bd4
SHA256: 335051721cda978a48a4e088a1d1cdf3c982a46a64d438fc153b187eef2eb86b
SHA512: 4f7c40b88e1abfc258d3a8ae620b1c70c47996f57041d39435f32dcbcc7d318dbc48ca41262a2604dd468db15a30532edab8358b5dc8ee8b1f5f16f02a7d20eb
-
Filesize: 433.4MB
MD5: 26b68c499429778bfeec6e681401d58b
SHA1: c9e6531ce46471c4397c83d0184728501eb92d2a
SHA256: 87e82be091f7cd189161947d4dd3e4f266c2c81a9e39191fdb786202c3c72be4
SHA512: c7f8e08e81afb2ec1d0aab5437df256c88d53c730d363badb5326a621005ae18e213a0835aae5cfc22024fe61d7ff29624e5d273fe70e91e46a9055b4ac1eeab
-
Filesize: 383.4MB
MD5: b816345283647de22b63703131b0f563
SHA1: e4af8f4d9f23b1e70b728d922db497d232c5d1c0
SHA256: 27d70382518ce0b1ba6eeef36ca39db6432c25df41ba4821566f090968b30037
SHA512: ae538022bf426021844ae633d35bce793c279b355aaad778a40a291568c96a4a55c79985978fe92924fb107708b83c33d7c4c882358a7e9f5061c5653e9deaf9