emotet | 748ec7754ce328e4b22e34eee3611cde2b51d77bd17c9fe22569e3efa19e151a

General

Target

INVOICE 589 03_23.doc
Size

526.2MB
MD5

b59808aba76dd0095aa06133382de9ed
SHA1

59aed06213b305d2877031e8ef489064ef74ca74
SHA256

2e116e6a43dcc2ee55df34664a7d5bfae36918f3a8ce5af97be6cb99e3a4de5b
SHA512

134c7c9929c277a3ec0403c2246214059d107c78c0056f8190218e0d16ded3cfaa7a4682d695f9e6212c66220cb222589c8fcd19f6ea70a00994eb06eec6566b
SSDEEP

3072:eoEW2aOtFjH0lP2IpjctfRcVVwEi/A8NVM1wIOCbX6bYLjWFJuvx7ueK6:ZE1aOtFa2I9c3aVw4zwxCbJ4Jup

Score

10^/10

emotet epoch4 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4748	560	regsvr32.exe	84

Loads dropped DLL 3 IoCs

pid	Process
4748	regsvr32.exe
4748	regsvr32.exe
4512	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mCQCqYLS.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\VFfGIT\\mCQCqYLS.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
560	WINWORD.EXE
560	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4748	regsvr32.exe
4748	regsvr32.exe
4512	regsvr32.exe
4512	regsvr32.exe
4512	regsvr32.exe
4512	regsvr32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
560	WINWORD.EXE
560	WINWORD.EXE
560	WINWORD.EXE
560	WINWORD.EXE
560	WINWORD.EXE
560	WINWORD.EXE
560	WINWORD.EXE
560	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 4748	560	WINWORD.EXE	89
PID 560 wrote to memory of 4748	560	WINWORD.EXE	89
PID 4748 wrote to memory of 4512	4748	regsvr32.exe	94
PID 4748 wrote to memory of 4512	4748	regsvr32.exe	94

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE 589 03_23.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\112535.tmp"
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VFfGIT\mCQCqYLS.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\112535.tmp

Filesize
522.7MB

MD5
1c303e684f6c3e7c290fcb8d69af758a

SHA1
ad884ba9ee33f7839562b938dce7eca27372787b

SHA256
82f6277d83395b80a5938895242db48eb381e5d90148d9d36f1b8c5fd2fdf01f

SHA512
09d7c729a38f08fd264de57be69306e42a4a1403df55b5909d87b62b9ea33a2d952a75a37df6ae02aa202ed6e36b4015e2e75ca6d264e3880da495bae30312ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\112535.tmp

Filesize
522.7MB

MD5
1c303e684f6c3e7c290fcb8d69af758a

SHA1
ad884ba9ee33f7839562b938dce7eca27372787b

SHA256
82f6277d83395b80a5938895242db48eb381e5d90148d9d36f1b8c5fd2fdf01f

SHA512
09d7c729a38f08fd264de57be69306e42a4a1403df55b5909d87b62b9ea33a2d952a75a37df6ae02aa202ed6e36b4015e2e75ca6d264e3880da495bae30312ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\112535.tmp

Filesize
522.7MB

MD5
1c303e684f6c3e7c290fcb8d69af758a

SHA1
ad884ba9ee33f7839562b938dce7eca27372787b

SHA256
82f6277d83395b80a5938895242db48eb381e5d90148d9d36f1b8c5fd2fdf01f

SHA512
09d7c729a38f08fd264de57be69306e42a4a1403df55b5909d87b62b9ea33a2d952a75a37df6ae02aa202ed6e36b4015e2e75ca6d264e3880da495bae30312ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\112541.zip

Filesize
858KB

MD5
d5ddd43ec77e41248c11f61b11549a4d

SHA1
cd0a0882ea0ff7aafbc46bdf9b04f8eef7484eef

SHA256
fc34c3d592129e04cf7aa98b10023d75b6e9cc72dfd6b1a8ae100bd9b5c2c860

SHA512
34c18aec4d515ac27cc54c3d5c51f4e7453960dc7c9e81d717f02d5c6f546cebc28bfad563452b528992b2453cf924a022d5e64b53dc204d839f43abac3d4fb8

Download Submit
C:\Windows\System32\VFfGIT\mCQCqYLS.dll

Filesize
522.7MB

MD5
1c303e684f6c3e7c290fcb8d69af758a

SHA1
ad884ba9ee33f7839562b938dce7eca27372787b

SHA256
82f6277d83395b80a5938895242db48eb381e5d90148d9d36f1b8c5fd2fdf01f

SHA512
09d7c729a38f08fd264de57be69306e42a4a1403df55b5909d87b62b9ea33a2d952a75a37df6ae02aa202ed6e36b4015e2e75ca6d264e3880da495bae30312ab

Download Submit
memory/560-137-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/560-139-0x00007FFF0CD90000-0x00007FFF0CDA0000-memory.dmp

Filesize
64KB

Download
memory/560-138-0x00007FFF0CD90000-0x00007FFF0CDA0000-memory.dmp

Filesize
64KB

Download
memory/560-217-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/560-136-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/560-220-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/560-135-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/560-218-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/560-219-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/560-134-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/560-133-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/4512-189-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4748-184-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4748-181-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/4748-179-0x0000000002290000-0x0000000002340000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads