emotet | 65175173709587d0e291f7663dac866f0bbfcc06d706b63db74e17877f9373b3

General

Target

INVOICE 589 03_23.doc
Size

526.2MB
MD5

b59808aba76dd0095aa06133382de9ed
SHA1

59aed06213b305d2877031e8ef489064ef74ca74
SHA256

2e116e6a43dcc2ee55df34664a7d5bfae36918f3a8ce5af97be6cb99e3a4de5b
SHA512

134c7c9929c277a3ec0403c2246214059d107c78c0056f8190218e0d16ded3cfaa7a4682d695f9e6212c66220cb222589c8fcd19f6ea70a00994eb06eec6566b
SSDEEP

3072:eoEW2aOtFjH0lP2IpjctfRcVVwEi/A8NVM1wIOCbX6bYLjWFJuvx7ueK6:ZE1aOtFa2I9c3aVw4zwxCbJ4Jup

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3544	4460	regsvr32.exe	27

Loads dropped DLL 2 IoCs

pid	Process
3544	regsvr32.exe
3544	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	40	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4460	WINWORD.EXE
4460	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4460	WINWORD.EXE
4460	WINWORD.EXE
4460	WINWORD.EXE
4460	WINWORD.EXE
4460	WINWORD.EXE
4460	WINWORD.EXE
4460	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 3544	4460	WINWORD.EXE	96
PID 4460 wrote to memory of 3544	4460	WINWORD.EXE	96

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE 589 03_23.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\014339.tmp"
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  PID:3544
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QMmuHOXCnKIxbhqRK\UChblzXMbz.dll"
    3⤵
    PID:3820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\014339.tmp

Filesize
398.3MB

MD5
5f74d8c56f86e4f7cbed566e43a3dfde

SHA1
6bcb76f18c46dbacd4b51c85f875fb5cef23635f

SHA256
e095f87bc766102fbbc5110272cadd184c034e2318640741d0c84c7be3385638

SHA512
1682439bf3d508f568d608850c1fb1045b4ee4068e5be41c3e98d02211757aef11d76c015ae6098c1716cc00e4bb189ce0b8cd140a57d1f05cfd39bb62232321

Download Submit
C:\Users\Admin\AppData\Local\Temp\014339.tmp

Filesize
385.4MB

MD5
dcc3a2dfca3c6460290f27569810b69d

SHA1
a6812b2d436bd9a19f7896e46c310c7ee07ed0f6

SHA256
4c546bf79d81f4b0c7855004dcdbd7c502925e795c71af82b36d450bcdd6f400

SHA512
711e882a12ea1d6609dd968e52d57a60ca1f444cc3edebbded3e4529625fbc476d18919484bbd66bfbc445daed950ba82d73830944a6a17355dcac8fd8f07d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\014339.tmp

Filesize
365.6MB

MD5
b8f0c1a0a0347bc85726cd3625de0971

SHA1
4ac2d42112c61a1ce656e26af3a3fe29c2e84794

SHA256
75a48df6acf734b8801c2ed824d95938c9491b4b41b2b5b830cf2b41768314ae

SHA512
9386876cbc2a8c27abaa317ae981fc3cd6ec3fd98ffefc45517ec63907230246e4b32ce1d80a6c71e36a7fa5a3f190363c2c9e3fd4456a24aa6e06a83815217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\014347.zip

Filesize
840KB

MD5
aa663d64a0e1164fd612c1dff38f36d5

SHA1
0986063484497cd55c98a3b7f195559d3b111312

SHA256
b72374c4d360de02f476a0dac5e490b0fa91a92168e6fa4dc26602f2e6e7b185

SHA512
5d340e2b45d07ca88ad92cfdbfbe9f67b6d414f0ee3336b6c501d1d071f9988e209a3bb98fa40f4ab8d81519be61d00447a013211e7f832ebae0027b372023a9

Download Submit
C:\Windows\System32\QMmuHOXCnKIxbhqRK\UChblzXMbz.dll

Filesize
370.5MB

MD5
40d79ccfd7b871dcb86cc07c1eca1d81

SHA1
d02e025c587e36aec8f7847d74b558dcbfb7a28a

SHA256
db52db981903a327bf49cd7b6b8025e0c307bc0177ad91804040ec8af3549bb6

SHA512
a7e9bb6d7dbf0094cbc697ada42b01f4174ea7d044c6882be29a9f300560bc8e20f8ba82577635a32810408b6ac8559e2f5cc99bda5ee27f7f880ed3a57c9f5a

Download Submit
C:\Windows\System32\QMmuHOXCnKIxbhqRK\UChblzXMbz.dll

Filesize
369.3MB

MD5
c896a1a60db4028691003d6f4a7e74a6

SHA1
e256d2bd3a6b8cba7c4a334e0a9d06bf02058dea

SHA256
786924b40a80d712e93ce5bd39cdd0b1c4181ce8fd9a773d4441dbe2dedbccdf

SHA512
f2b619963d91d645490adfc96633fd4254f03fe0ebb4c700fae5525caf1790a98507f5ee3447081b7787d3718dcd3d76152bd4c3cfb1136f29083e2c9da179d7

Download Submit
memory/3544-181-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/3544-179-0x0000000002270000-0x0000000002331000-memory.dmp

Filesize
772KB

Download
memory/3544-184-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3820-187-0x0000000002090000-0x0000000002151000-memory.dmp

Filesize
772KB

Download
memory/3820-193-0x0000000002090000-0x0000000002151000-memory.dmp

Filesize
772KB

Download
memory/4460-139-0x00007FFF7B470000-0x00007FFF7B480000-memory.dmp

Filesize
64KB

Download
memory/4460-138-0x00007FFF7B470000-0x00007FFF7B480000-memory.dmp

Filesize
64KB

Download
memory/4460-137-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp

Filesize
64KB

Download
memory/4460-136-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp

Filesize
64KB

Download
memory/4460-134-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp

Filesize
64KB

Download
memory/4460-133-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp

Filesize
64KB

Download
memory/4460-135-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads