Overview

overview

10

Static

static

8

sample.doc

windows10-1703-x64

10

Analysis

  • max time kernel
    467s
  • max time network
    447s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-ja
  • resource tags

    arch:x64arch:x86image:win10-20230220-jalocale:ja-jpos:windows10-1703-x64systemwindows
  • submitted
    09/03/2023, 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample.doc

  • Size

    534.6MB

  • MD5

    dd60ed0547b347f146a8d8fd942d57c3

  • SHA1

    2656c98d128ce9cbaf703cd379d383dc10445f19

  • SHA256

    f9d896ea5854244772384362280d3a735bf2b429caadbbb88960078c87054a94

  • SHA512

    4c6ed237238685b23403613f5d11803db917777a734d9140413d0f2c4b1ae85aede404e89d4fba3ffca6c76a7dfe044459b631118b8bd9b490aecb30e56ea605

  • SSDEEP

    12288:sSVFHNUr1LCHFIAHrQk6VDL6P+4f1IzSmkuH3gv:sSVFH48HFIABZfSzQ

Score
10/10
emotetepoch4bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sample.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\013522.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3316
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KEUoUqMcSYw\VDbXicdrzXqhL.dll"
        3⤵
          PID:3196
    • C:\Windows\System32\IME\SHARED\imebroker.exe
      C:\Windows\System32\IME\SHARED\imebroker.exe -Embedding
      1⤵
        PID:212

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\013522.tmp
        Filesize

        520.7MB

        MD5

        3ad250e672001b0f3c865ab576ec846d

        SHA1

        77a824d78d8675a762c9235b9ec7b642d032d4e0

        SHA256

        498a6c9da1f8dcbdc1656cc4df4b6392663f73e2d8007e4dc192cf86551c4c0a

        SHA512

        247c52bb3ca1bd1b6a0542746d3da5589562390b0629b4a249609037d98b8316ffa21cf988591a848962af26c00dea66b5239c95eeebec103125bb8f911c5a72

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\013524.zip
        Filesize

        844KB

        MD5

        8b4f1cdf5598d9cd16b4fd752d171e34

        SHA1

        38f23baaab5874157efce30026c272baa53294e2

        SHA256

        95ca4c9562becf8c0314f9a99b0028a42665124ddb00ca3e8fa9644d59a27fa2

        SHA512

        b63d0bc8fc332de09fcd65aa22b4ba6fb66fdefd4498ebc1c4489e6a6fc9ff9b6ddc48e8878de9f2b5f224e77a5d4de541e6245fd1c34d06ab0a2fdeaaa12e0b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp
        Filesize

        18KB

        MD5

        d1f6bf8fa6aa65791a9fcf700b36581b

        SHA1

        60fe74ef93af269dc82fff3b7abd8e626c12a5d5

        SHA256

        faf3743d803b267056d54c822256b6bed43ec0d9e79cec080b54718ad4ae661c

        SHA512

        1244213bb05ef4811c7084889271ebe9c9efca757ba55d6a5b24c2543350ff665a46e356a2859dff6afdaa393c4918bec1f653c967f83b6b9f0af5fd5c516a60

        Download Submit

      • \Users\Admin\AppData\Local\Temp\013522.tmp
        Filesize

        520.7MB

        MD5

        3ad250e672001b0f3c865ab576ec846d

        SHA1

        77a824d78d8675a762c9235b9ec7b642d032d4e0

        SHA256

        498a6c9da1f8dcbdc1656cc4df4b6392663f73e2d8007e4dc192cf86551c4c0a

        SHA512

        247c52bb3ca1bd1b6a0542746d3da5589562390b0629b4a249609037d98b8316ffa21cf988591a848962af26c00dea66b5239c95eeebec103125bb8f911c5a72

        Download Submit

      • memory/3316-350-0x0000000000400000-0x00000000004C1000-memory.dmp

        Filesize

        772KB

        Download

      • memory/3316-328-0x0000000180000000-0x000000018002D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/3316-343-0x0000000000400000-0x00000000004C1000-memory.dmp

        Filesize

        772KB

        Download

      • memory/3316-334-0x0000000000A30000-0x0000000000A31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3708-121-0x00007FFD114A0000-0x00007FFD114B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3708-126-0x00007FFD0E5C0000-0x00007FFD0E5D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3708-122-0x00007FFD114A0000-0x00007FFD114B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3708-125-0x00007FFD0E5C0000-0x00007FFD0E5D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3708-119-0x00007FFD114A0000-0x00007FFD114B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3708-120-0x00007FFD114A0000-0x00007FFD114B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3708-435-0x00007FFD114A0000-0x00007FFD114B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3708-434-0x00007FFD114A0000-0x00007FFD114B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3708-436-0x00007FFD114A0000-0x00007FFD114B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3708-437-0x00007FFD114A0000-0x00007FFD114B0000-memory.dmp

        Filesize

        64KB

        Download