Malware Analysis Report

2025-08-05 12:45

Sample ID 230308-lrg71aef8s
Target 1.zip
SHA256 cbffa04ee57c448e4c73219fd536593b2b408c9fd121627fbc87768f10fc2152
Tags
macro macro_on_action emotet epoch4 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cbffa04ee57c448e4c73219fd536593b2b408c9fd121627fbc87768f10fc2152

Threat Level: Known bad

The file 1.zip was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action emotet epoch4 banker trojan

Process spawned unexpected child process

Emotet

Office macro that triggers on suspicious action

Suspicious Office macro

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Script User-Agent

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

(No technique mappings are recorded under this heading in this export; the "Enterprise Matrix V6" entry in the table of contents has no body.)

Analysis: static1

Detonation Overview

Reported

2023-03-08 09:46

Signatures

Office macro that triggers on suspicious action

Tags: macro macro_on_action

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

Tags: macro

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Both static signatures fire on the document inside 1.zip (opened as 1.doc in the behavioral runs); the static pass records no indicator detail, so the macro body itself is not reproduced in this report.

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 09:45

Reported

2023-03-08 09:49

Platform

win7-20230220-en

Max time kernel

23s

Max time network

33s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Caveat: every value written here points at Office's own binaries (ONBttnIE.dll and EXCEL.EXE under Office14) and is the "Send to OneNote" / "Export to Microsoft Excel" Internet Explorer integration that Word registers for itself. The signature is generic, the adware/spyware tags belong to the signature rather than to the sample, and none of this carries weight for the verdict.

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

This string is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object, the HTTP client a VBA macro obtains through CreateObject. The sandbox attributes it to no process; on proxy logs it is worth matching alongside the www.dnautik.com traffic recorded under Network.

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

These three signatures are attributed to WINWORD.EXE alone and describe ordinary Office UI activity (clipboard listener, taskbar window lookup, input hooks). They add nothing to the verdict, which rests on the macro, the regsvr32 chain under Processes and the network contact.

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1.doc"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\094651.tmp"

Spawned by Word (see the parent/child signature above). The command line names System32, but this Word is 32-bit and WOW64 file-system redirection resolves it to SysWOW64, which is why the image path and the command line disagree. /s registers the module silently, and the module is a .tmp file in the user's Temp directory rather than an installed DLL: this is the dropped payload, whose hashes appear under Files.

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\094651.tmp"

Recorded without an image token in its command line; same module as above.

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YhLsgkKrtjtM\EQOiPJHyYqkwRYo.dll"

The module is now a DLL with a random-looking name in a random-looking subdirectory of System32: the payload has been placed there and the copy registered again. That directory is the persistence location to look for on an infected host (behavioral2 shows the equivalent copy, RRxly\fwbMXIgM.dll, with the same SHA256 as its Temp file). Writing under System32 needs administrative rights, which the sandbox user evidently had.

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

The print-driver host that Windows starts for 32-bit applications touching the print subsystem; nothing in the report ties it to the payload.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp

One forward lookup and one plain-HTTP contact. The same host and address recur in behavioral2, which makes www.dnautik.com / 195.252.110.130:80 the one network indicator confirmed by both runs.

Files

memory/1980-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1980-57-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-58-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-59-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-61-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-60-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-62-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-63-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-64-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-65-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-67-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-66-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-68-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-69-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-72-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-74-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-73-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-71-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-78-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-77-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-75-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-76-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-70-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-99-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-109-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1980-141-0x0000000000630000-0x0000000000730000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\094654.zip (identical hashes to 104651.zip in behavioral2)

MD5 b68294947488080ff0a99def9ed22c4b
SHA1 8bf91771e28c84adb2ad80e92e9d4e13e6c52b6c
SHA256 ae869a73754e3cd48c17ca12821abf2d188aeea7603b412f4fc7d5d0b6b2d9a3
SHA512 68943596f0cac042deddd5893aba1d625cb2420238f858b5a0a372c932228e4fc7f4a0ca9cb1fe84852949137c40192058659ed058f2c0b5d7b1730448d2ad41

memory/1980-1077-0x0000000006060000-0x0000000006061000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\094651.tmp

MD5 7475c86d57ee370f2cf2d9c30908ca7c
SHA1 16fcb70a6d7289bb778d416e1f0d645fd1f6dac0
SHA256 6356816e8a8a9ffd4d32f96bec65000e4ac7d7d7088e0f08ed98b749289de5dd
SHA512 5d6a50b9eb3e6bc6b0cd0eb7cf12f1a5e4547b6fdbc5822580cfb9d1273725cc4d985494e97d1789b7cf8892f3f2031adaf7df6a3a72be8011f47469f9dc3642

\Users\Admin\AppData\Local\Temp\094651.tmp

MD5 981e9024ce2d688158194e94a6124d39
SHA1 7b8f552e0d1234faa44c542fce6dd36f8234db35
SHA256 f7fd2b56bd4d42c441641e4408beb6803005cf7e5faa84269af8c80ea0cfb0b5
SHA512 ab1ced44a1f5a22f05bb24259b7cd5ae7853bdb21339972ecf2cb2217a4dfe6d5f932a3a04bebed0473038e14b932a6f85639e19f2f86f2cc3321e2cbbbfc1ff

\Users\Admin\AppData\Local\Temp\094651.tmp

MD5 688a29f6cd1173e6678f32c3da53f1d1
SHA1 55951768617fff688d8b4266283befb826602831
SHA256 3a547e0c80968626f2d6603bcbf7c16d5d99c78c74a8adf1bf99c053666b3492
SHA512 66f5e87899705151da7aff57cef3fe58f9b6f2919659f01a5f04e086a1447a41df34891938148c84efe783ffb7b5aeb49131365d2df06a662a191d2ee432dd1f

The same path is listed three times with three different hash sets (the second and third listings lack the drive letter), so the file was captured at more than one point while it was being written, and the report does not say which version regsvr32 loaded. Treat the path and the regsvr32 chain as the durable indicator and check the three hashes individually; behavioral2 records a single, stable hash for its counterpart 104649.tmp.

memory/468-1264-0x0000000000120000-0x0000000000121000-memory.dmp

memory/1980-1270-0x0000000006060000-0x0000000006061000-memory.dmp

memory/1908-1271-0x00000000002F0000-0x00000000002F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 625678b0a890a9773350e53fbb5b2c00
SHA1 b1a6da6c2cc1f7f93192a66320097d4a187477f9
SHA256 61a19c93664059a9ed0dc660a5dbde02a95b3a601e3e152bb278a5870603430e
SHA512 208bd5b04087f98ada5b1f4a2f8b6ff7560199df0f4658c7a3e55a096f22a74b1f9a22f5335194c5212a13c77100e4c5f6550f71f2f846121ec962812d991b4b

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-08 09:45

Reported

2023-03-08 09:49

Platform

win10v2004-20230220-en

Max time kernel

15s

Max time network

160s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1.doc" /o ""

Signatures

Emotet

Tags: trojan banker emotet

The Emotet family signature fires in this run only; behavioral1 records the generic signatures without a family match, so the 10/10 score and the emotet/epoch4 tags come from this 64-bit detonation.

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Both are attributed to WINWORD.EXE, the process the VBA runs in, so on this evidence they cannot be separated from Word's own startup. They are weak signals next to the regsvr32 chain under Processes.

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Same default WinHttp.WinHttpRequest.5.1 User-Agent as in behavioral1, again without a process attribution.

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

As in behavioral1, these two are ordinary Office UI behaviour attributed to WINWORD.EXE and do not contribute to the verdict.

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1.doc" /o ""

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\104649.tmp"

Same first step as in behavioral1: Word silently registers a .tmp module from the user's Temp directory. With 64-bit Office there is no WOW64 redirection, so image path and command line agree.

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RRxly\fwbMXIgM.dll"

The re-registered copy. Under Files, C:\Windows\System32\RRxly\fwbMXIgM.dll carries the same MD5, SHA1, SHA256 and SHA512 as 104649.tmp (SHA256 181491fae77d98ce9bb1deddc6c1b53da04f9994c55faf96c5c4bee3c2105097), so the Temp file was copied byte-for-byte into a new System32 subdirectory and registered a second time from there.
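Both process lists have the same shape: WINWORD.EXE starts regsvr32.exe /s on a .tmp file in the user's Temp directory, and a further regsvr32.exe then registers a DLL from a freshly created subdirectory of System32. The following is an added detection example written for this page, not output of the sandbox or code from the report. It runs over process records constructed from the two lists above; the pids, the parent links, the benign contrast rows and the record schema (pid, ppid, image, cmdline) are assumptions, and the path heuristics are the editor's own.

```python
"""Flag the WINWORD -> regsvr32 -> regsvr32 chain recorded in both detonations.
Added example, not part of the sandbox report: SAMPLE is constructed from the two
process lists on this page; pids, parent links, the benign contrast rows and the
record schema (pid, ppid, image, cmdline) are assumptions."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MODULE_EXTS = {".dll", ".ocx", ".ax"}  # what regsvr32 is normally asked to register
TEMP_MARKER = "\\appdata\\local\\temp\\"
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\",
                    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Module exactly one directory below System32/SysWOW64 (System32\<dir>\<file>): where both
# runs re-register the payload. Flagged on its own so the copy is still caught once the
# Office ancestor is gone (e.g. when it is re-run after a reboot).
SYSTEM_SUBDIR = re.compile(r"\\windows\\(system32|syswow64)\\[^\\]+\\[^\\]+$")

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str    # image path as the sandbox/EDR resolved it
    cmdline: str  # command line as the parent supplied it

def _tokens(cmdline: str) -> List[str]:
    """Quoted or bare tokens of a Windows command line (no escape handling needed here)."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def regsvr32_module(cmdline: str) -> Optional[str]:
    """Module path handed to regsvr32, skipping switches (/s /i /u /n). The image token
    is optional: one behavioral1 child is logged as '/s "<module>"' with no image at all."""
    parts = _tokens(cmdline)
    if parts and re.fullmatch(r"regsvr32(\.exe)?", ntpath.basename(parts[0]).lower()):
        parts = parts[1:]
    for p in parts:
        if not p or p[0] in "/-":
            continue
        return p
    return None

def ancestors(procs: List[Proc], pid: int) -> Iterator[Proc]:
    """Walk parent links upwards; stops at unknown pids and on cycles."""
    by_pid = {p.pid: p for p in procs}
    seen, cur = {pid}, by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        yield cur

def detect(procs: List[Proc]) -> List[dict]:
    """One alert per regsvr32 process with an Office ancestor or a suspect module."""
    alerts = []
    for p in procs:
        if ntpath.basename(p.image).lower() != "regsvr32.exe":
            continue
        reasons = []
        office = next((a for a in ancestors(procs, p.pid)
                       if ntpath.basename(a.image).lower() in OFFICE_IMAGES), None)
        if office is not None:
            reasons.append(f"Office ancestor {ntpath.basename(office.image)} (pid {office.pid})")
        module = regsvr32_module(p.cmdline)
        if module:
            low = module.lower()
            if TEMP_MARKER in low:
                reasons.append("module under %TEMP%")
            ext = ntpath.splitext(low)[1]
            if ext not in MODULE_EXTS:
                reasons.append(f"module extension {ext or '(none)'} is not a COM server extension")
            if not low.startswith(TRUSTED_PREFIXES):
                reasons.append("module outside Program Files / System32")
            if SYSTEM_SUBDIR.search(low):
                reasons.append("module in a System32 subdirectory")
        if reasons:
            alerts.append({"pid": p.pid, "module": module, "reasons": reasons})
    return alerts

# Constructed from the report's process lists; pids and parents are assumed. In behavioral1
# the command line names System32 but the image is SysWOW64: 32-bit Word, WOW64 redirection.
SAMPLE = [
    Proc(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(1980, 100, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE", r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1.doc"'),
    Proc(2001, 1980, r"C:\Windows\SysWOW64\regsvr32.exe", r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\094651.tmp"'),
    Proc(2002, 2001, r"C:\Windows\system32\regsvr32.exe", r'/s "C:\Users\Admin\AppData\Local\Temp\094651.tmp"'),
    Proc(2003, 2002, r"C:\Windows\system32\regsvr32.exe", r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YhLsgkKrtjtM\EQOiPJHyYqkwRYo.dll"'),
    Proc(3096, 100, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE", r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1.doc" /o ""'),
    Proc(4001, 3096, r"C:\Windows\System32\regsvr32.exe", r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\104649.tmp"'),
    Proc(4002, 4001, r"C:\Windows\system32\regsvr32.exe", r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RRxly\fwbMXIgM.dll"'),
    # benign contrast rows (constructed): an MSI installer registering a control from Program Files
    Proc(300, 1, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /V"),
    Proc(301, 300, r"C:\Windows\System32\regsvr32.exe", r'regsvr32 /s "C:\Program Files\Vendor\control.ocx"'),
]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(a["pid"], a["module"], "|", "; ".join(a["reasons"]))
```

The Office-ancestor rule is what catches the third regsvr32 in behavioral1: its module sits under C:\Windows\system32\, a path every allowlist trusts, so a purely path-based rule would miss it. The System32-subdirectory rule is there for the opposite case, a host where the copy is re-registered later with no Office process anywhere in its ancestry; on a real fleet it needs an allowlist of legitimate System32 subdirectories before it is alert-grade.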

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.175.53.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 141.76.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 143.145.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | www.dnautik.com | udp
RS | 195.252.110.130:80 | www.dnautik.com | tcp
US | 8.8.8.8:53 | 130.110.252.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
NL | 20.50.201.195:443 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 131.253.33.203:80 | | tcp
US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.238.32.23.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp
FR | 91.121.146.47:8080 | | tcp
US | 8.8.8.8:53 | 47.146.121.91.in-addr.arpa | udp

How to read this table: the in-addr.arpa rows are reverse (PTR) lookups issued from the guest, with the address written backwards (47.146.121.91.in-addr.arpa asks about 91.121.146.47); they carry no payload traffic, and several of them follow a connection to the same address a line or two earlier. Rows with an empty Domain column are connections for which no forward lookup was recorded. Only www.dnautik.com / 195.252.110.130:80 is shared with behavioral1. The 91.121.146.47:8080 connection is made straight to an address, with no forward lookup, on a non-standard port, and only in this run, the one in which the Emotet family signature fires; of the destinations listed it is the one to treat as the likely command-and-control endpoint and block first. The remaining 80/443 contacts have no domain recorded, are not shared with behavioral1, and the report gives no basis to tie them to the sample rather than to OS or Office background traffic.
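The two Network tables mix the sample's own traffic with reverse lookups and with repeated rows for the same destination. The following is an added triage helper written for this page, not part of the report. It parses both tables as they appear above (copied in as constructed input), drops the DNS rows while remembering which addresses were reverse-resolved, merges repeated connections per destination, and flags direct-to-IP contacts, non-80/443 ports and the destinations common to both runs. The noise rules are the editor's heuristics, not the sandbox's.

```python
"""Reduce the Network tables of both detonations to the destinations worth acting on.
Added example, not part of the sandbox report: the two tables are copied from this page
as input; the noise rules (drop DNS rows, merge repeats, flag direct-to-IP and non-80/443
connections, cross-check PTR lookups) are the editor's heuristics, not the sandbox's."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

BEHAVIORAL1 = """\
Country Destination Domain Proto
US 8.8.8.8:53 www.dnautik.com udp
RS 195.252.110.130:80 www.dnautik.com tcp
"""

BEHAVIORAL2 = """\
Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 11.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 141.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 143.145.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.dnautik.com udp
RS 195.252.110.130:80 www.dnautik.com tcp
US 8.8.8.8:53 130.110.252.195.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 20.50.201.195:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 177.238.32.23.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
FR 91.121.146.47:8080 tcp
US 8.8.8.8:53 47.146.121.91.in-addr.arpa udp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                 r"(?: (?P<name>\S+))? (?P<proto>tcp|udp)$")
Dest = Tuple[str, int]

def parse(table: str) -> Iterator[dict]:
    """One dict per data row; the header line and blank lines do not match ROW."""
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            yield row

def ptr_target(name: Optional[str]) -> Optional[str]:
    """'47.146.121.91.in-addr.arpa' -> '91.121.146.47'; None for forward names."""
    suffix = ".in-addr.arpa"
    if name and name.endswith(suffix):
        octets = name[:-len(suffix)].split(".")
        if len(octets) == 4:
            return ".".join(reversed(octets))
    return None

def triage(table: str) -> Dict[Dest, dict]:
    """Group connection rows per (ip, port); DNS rows are dropped, PTR targets remembered."""
    reversed_ips = set()
    dests: Dict[Dest, dict] = {}
    for r in parse(table):
        if r["port"] == 53 and r["proto"] == "udp":
            ip = ptr_target(r["name"])
            if ip:
                reversed_ips.add(ip)
            continue
        d = dests.setdefault((r["ip"], r["port"]),
                             {"cc": r["cc"], "name": r["name"], "hits": 0, "flags": []})
        d["hits"] += 1
        d["name"] = d["name"] or r["name"]
    for (ip, port), d in dests.items():
        if not d["name"]:
            d["flags"].append("direct-to-IP")       # no forward lookup recorded for it
        if port not in (80, 443):
            d["flags"].append(f"port {port}")
        if ip in reversed_ips:
            d["flags"].append("PTR lookup seen")    # the guest resolved this address backwards
    return dests

def overlap(table_a: str, table_b: str) -> List[Dest]:
    """Destinations contacted in both runs: the indicators confirmed twice."""
    return sorted(set(triage(table_a)) & set(triage(table_b)))

if __name__ == "__main__":
    for (ip, port), d in triage(BEHAVIORAL2).items():
        print(f"{ip}:{port:<5} {d['cc']} hits={d['hits']} {d['name'] or '-'} {', '.join(d['flags'])}")
    print("common to both runs:", overlap(BEHAVIORAL1, BEHAVIORAL2))
```

Run on the behavioral2 table this collapses 26 rows to 8 destinations; 91.121.146.47:8080 is the only one carrying all three flags, and 195.252.110.130:80 is the only one the two runs share. Addresses that are merely reverse-resolved but never connected to are dropped entirely, which is the right default for an IoC list but means the PTR rows should be kept in the raw evidence.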

Files

memory/3096-133-0x00007FF82D290000-0x00007FF82D2A0000-memory.dmp

memory/3096-134-0x00007FF82D290000-0x00007FF82D2A0000-memory.dmp

memory/3096-135-0x00007FF82D290000-0x00007FF82D2A0000-memory.dmp

memory/3096-136-0x00007FF82D290000-0x00007FF82D2A0000-memory.dmp

memory/3096-137-0x00007FF82D290000-0x00007FF82D2A0000-memory.dmp

memory/3096-138-0x00007FF82AB60000-0x00007FF82AB70000-memory.dmp

memory/3096-139-0x00007FF82AB60000-0x00007FF82AB70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\104651.zip

MD5 b68294947488080ff0a99def9ed22c4b
SHA1 8bf91771e28c84adb2ad80e92e9d4e13e6c52b6c
SHA256 ae869a73754e3cd48c17ca12821abf2d188aeea7603b412f4fc7d5d0b6b2d9a3
SHA512 68943596f0cac042deddd5893aba1d625cb2420238f858b5a0a372c932228e4fc7f4a0ca9cb1fe84852949137c40192058659ed058f2c0b5d7b1730448d2ad41

memory/3096-163-0x0000029D5C6C0000-0x0000029D5C6E7000-memory.dmp

memory/3096-164-0x0000029D5D4F0000-0x0000029D5D515000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\104649.tmp (listed three times in the report, with identical hashes each time)

MD5 17aa8e88ec9a9880480f13ec5355ac22
SHA1 7c342e547e70d4d6daae44d4bf0e66d67b06de12
SHA256 181491fae77d98ce9bb1deddc6c1b53da04f9994c55faf96c5c4bee3c2105097
SHA512 1323637048423882f84baf4fec83fb269f2c0aec9ef40445e487f22a898bdc4992826b4b5891d2fe2cacd58723cadffc1294cf205c9291b405ef96b4fe59ae43

memory/4736-182-0x00000000020C0000-0x0000000002170000-memory.dmp

memory/4736-184-0x0000000180000000-0x000000018002D000-memory.dmp

memory/4736-187-0x00000000008E0000-0x00000000008E1000-memory.dmp

C:\Windows\System32\RRxly\fwbMXIgM.dll (same hashes as 104649.tmp: the persistence copy registered by the second regsvr32)

MD5 17aa8e88ec9a9880480f13ec5355ac22
SHA1 7c342e547e70d4d6daae44d4bf0e66d67b06de12
SHA256 181491fae77d98ce9bb1deddc6c1b53da04f9994c55faf96c5c4bee3c2105097
SHA512 1323637048423882f84baf4fec83fb269f2c0aec9ef40445e487f22a898bdc4992826b4b5891d2fe2cacd58723cadffc1294cf205c9291b405ef96b4fe59ae43

memory/3416-194-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3096-240-0x00007FF82D290000-0x00007FF82D2A0000-memory.dmp

memory/3096-241-0x00007FF82D290000-0x00007FF82D2A0000-memory.dmp

memory/3096-242-0x00007FF82D290000-0x00007FF82D2A0000-memory.dmp

memory/3096-243-0x00007FF82D290000-0x00007FF82D2A0000-memory.dmp

memory/3096-244-0x0000029D5D4F0000-0x0000029D5D515000-memory.dmp