Analysis
-
max time kernel
313s -
max time network
320s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
08/03/2023, 09:27
General
-
Target
427927294761380652236__2023-08-03_1109.doc
-
Size
513.3MB
-
MD5
6564296ad94567c05c8c60c92d58f1b0
-
SHA1
cbf8c111571d4edf4176591f1cc5849a5071bf35
-
SHA256
820936c152fcb0930d83640c9879a04b8b1dc676b4b42d1f376bb92d475257a9
-
SHA512
13946cbac1606449f1da79d946d0df55bb904b35bad78266800bc77b138fac6013f685e739106003dde451e9e8c92ad0544cefc4f623552d8fd42f689058b865
-
SSDEEP
6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x
Malware Config
Extracted
emotet
Epoch4
129.232.188.93:443
164.90.222.65:443
159.65.88.10:8080
172.105.226.75:8080
115.68.227.76:8080
187.63.160.88:80
169.57.156.166:8080
185.4.135.165:8080
153.126.146.25:7080
197.242.150.244:8080
139.59.126.41:443
186.194.240.217:443
103.132.242.26:8080
206.189.28.199:8080
163.44.196.120:8080
95.217.221.146:8080
159.89.202.34:443
119.59.103.152:8080
183.111.227.137:8080
201.94.166.162:443
103.75.201.2:443
149.56.131.28:8080
79.137.35.198:8080
5.135.159.50:443
66.228.32.31:7080
91.121.146.47:8080
153.92.5.27:8080
45.235.8.30:8080
72.15.201.15:8080
107.170.39.149:8080
45.176.232.124:443
82.223.21.224:8080
167.172.199.165:8080
213.239.212.5:443
202.129.205.3:8080
94.23.45.86:4143
147.139.166.154:8080
167.172.253.162:8080
91.207.28.33:8080
188.44.20.25:443
104.168.155.143:8080
110.232.117.186:8080
164.68.99.3:8080
1.234.2.232:8080
173.212.193.249:8080
182.162.143.56:443
160.16.142.56:8080
101.50.0.91:8080
103.43.75.120:443
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1092 4116 regsvr32.exe 65 -
Loads dropped DLL 1 IoCs
pid Process 1092 regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 7 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4116 WINWORD.EXE 4116 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1092 regsvr32.exe 1092 regsvr32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4116 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeRestorePrivilege 4748 7zG.exe Token: 35 4748 7zG.exe Token: SeSecurityPrivilege 4748 7zG.exe Token: SeSecurityPrivilege 4748 7zG.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4748 7zG.exe 4116 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 28 IoCs
pid Process 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4116 wrote to memory of 1092 4116 WINWORD.EXE 70 PID 4116 wrote to memory of 1092 4116 WINWORD.EXE 70 PID 1092 wrote to memory of 1232 1092 regsvr32.exe 71 PID 1092 wrote to memory of 1232 1092 regsvr32.exe 71 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\427927294761380652236__2023-08-03_1109.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\102829.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\OoyumLdrXacUmb\DCeHID.dll"3⤵PID:1232
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3768
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\102831\" -spe -an -ai#7zMap17439:92:7zEvent140851⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4748
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
516.7MB
MD517aa8e88ec9a9880480f13ec5355ac22
SHA17c342e547e70d4d6daae44d4bf0e66d67b06de12
SHA256181491fae77d98ce9bb1deddc6c1b53da04f9994c55faf96c5c4bee3c2105097
SHA5121323637048423882f84baf4fec83fb269f2c0aec9ef40445e487f22a898bdc4992826b4b5891d2fe2cacd58723cadffc1294cf205c9291b405ef96b4fe59ae43
-
Filesize
852KB
MD5b68294947488080ff0a99def9ed22c4b
SHA18bf91771e28c84adb2ad80e92e9d4e13e6c52b6c
SHA256ae869a73754e3cd48c17ca12821abf2d188aeea7603b412f4fc7d5d0b6b2d9a3
SHA51268943596f0cac042deddd5893aba1d625cb2420238f858b5a0a372c932228e4fc7f4a0ca9cb1fe84852949137c40192058659ed058f2c0b5d7b1730448d2ad41
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
516.7MB
MD517aa8e88ec9a9880480f13ec5355ac22
SHA17c342e547e70d4d6daae44d4bf0e66d67b06de12
SHA256181491fae77d98ce9bb1deddc6c1b53da04f9994c55faf96c5c4bee3c2105097
SHA5121323637048423882f84baf4fec83fb269f2c0aec9ef40445e487f22a898bdc4992826b4b5891d2fe2cacd58723cadffc1294cf205c9291b405ef96b4fe59ae43