Overview

overview

10

Static

static

8

2023-03-09_1641.doc

windows7-x64

10

2023-03-09_1641.doc

windows10-2004-x64

10

Resubmissions

09/03/2023, 13:27

230309-qqgx3ace75 10

09/03/2023, 08:02

230309-jxggjsbc56 8

09/03/2023, 07:55

230309-jskcmsab7t 10

Analysis

  • max time kernel
    16s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2023, 07:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2023-03-09_1641.doc

  • Size

    528.4MB

  • MD5

    2497f00196794d6011c1f95d659fb948

  • SHA1

    c9d0caba43352645f7aee4242350c938a0b4bf4e

  • SHA256

    66b9053b5c63bac17c1ab5fd3f0e385a6c1fd579b0d05ba86aacd3bea54c558a

  • SHA512

    faf794202164330cbaffb01447df2567aa090728f73db5fb2bbba050094b4332c3172fe35438fa76d9adea17b793bef1686baf06f76a9002b95c41b1c65c9e7e

  • SSDEEP

    6144:E9fcsHgsTGbWqjWQ6e7t/5MIUAWuVfzmSsWnpoWgXEyV/FF:2fPPGBWQ6CBMIUreiSXgXtF

Score
10/10
emotetepoch4bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-09_1641.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\085649.tmp"
      2⤵
      • Process spawned unexpected child process
      PID:2124
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PpvcVLkdrwAgsoha\NVNbtzeGP.dll"
        3⤵
          PID:4900

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\085649.tmp
      Filesize

      470.2MB

      MD5

      f55597207105f560b40e8730386d869d

      SHA1

      daabe6290c03646f75b29b495d9c54258d8eb957

      SHA256

      e62824afd6c91b89f57756dcd674e846f77bdd175a18ea05dccc7b9e6e5b56c2

      SHA512

      0a5e03bf8778ed876b699f9168687ba80b7cc3d3b655228273d48493ca9c89e49b442cf9d875a4ed1ef627b55eac5a30daa9dfc6255ebaefaf8bc594bea996cd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\085649.tmp
      Filesize

      451.1MB

      MD5

      0249dd8f37adbd81431265b67f5e22ba

      SHA1

      28b0582f6dd917a256a907a2bc1a7e2922cde49b

      SHA256

      1ff535812bf3a16842161c16f48f9ab8fe7b064d215c4ec6a4f37bbfc6a9e83b

      SHA512

      29185c72af9fc3950d9591125488b7a2cbb825e7dc0fa1ed6863ed5fab4246c0eece548f5c48c42fc2c9828e3698f059b0abd252159b3558af619e87deb951cd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\085650.zip
      Filesize

      866KB

      MD5

      911bea9b5f1d414a7b5829cc4f25d3f8

      SHA1

      62e42ddd37d1f7d22c9787dd337b5b2109e99eb9

      SHA256

      ea8351aed2d8080994b8b0c855ca3e4f3013923d0698290df6d05687f9fa6b14

      SHA512

      6f58135c8724d403f5f874796d3ba0f0beefa839ec56efc1b852bed96409c0f5928dd5deb86d05528726e89829a95aa9df18ce3445b796c9eedbc23a2c28f9da

      Download Submit

    • C:\Windows\System32\PpvcVLkdrwAgsoha\NVNbtzeGP.dll
      Filesize

      431.4MB

      MD5

      119fb4b16ee48e3e1147af1e367c89f8

      SHA1

      56c0d3be7846007758b7363ce6beb2e2880b3fa2

      SHA256

      dc85861ae598c14bf9705d3bce71fc2cc1f933af7065c9b9c5623a97794584f6

      SHA512

      e39b221584ba702be8a04647b3a5520c498aebd636b8d49aacfd2b1f5805c090f250922cd50f89bc7da5317ae76fca91ed27ac1c220371b4f5c3b3d37ea80ce0

      Download Submit

    • C:\Windows\System32\PpvcVLkdrwAgsoha\NVNbtzeGP.dll
      Filesize

      419.3MB

      MD5

      016f3e0df61283f38ae16195e2276e0a

      SHA1

      4a38e8781085b4aacd180e72c98b449adedef9c8

      SHA256

      4f15d2d7b5e371fbee14493fa72476f89c233bb11c2bfba1c85cb0833d70823a

      SHA512

      21da4608eb3b297c602772a889cdb7ec5f5b872683d6fc7f2cfb57c7038e5aec86aa22355affddd85d259f14ede1e40881a0e12d335021c90226b97c10f8ca01

      Download Submit

    • memory/2124-176-0x00000000029B0000-0x00000000029B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2124-173-0x0000000180000000-0x000000018002D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3508-138-0x00007FFB939F0000-0x00007FFB93A00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3508-139-0x00007FFB939F0000-0x00007FFB93A00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3508-133-0x00007FFB95E70000-0x00007FFB95E80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3508-136-0x00007FFB95E70000-0x00007FFB95E80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3508-137-0x00007FFB95E70000-0x00007FFB95E80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3508-135-0x00007FFB95E70000-0x00007FFB95E80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3508-134-0x00007FFB95E70000-0x00007FFB95E80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3508-219-0x00007FFB95E70000-0x00007FFB95E80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3508-218-0x00007FFB95E70000-0x00007FFB95E80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3508-220-0x00007FFB95E70000-0x00007FFB95E80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3508-221-0x00007FFB95E70000-0x00007FFB95E80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4900-181-0x0000000000980000-0x0000000000A41000-memory.dmp

      Filesize

      772KB

      Download

    • memory/4900-189-0x0000000000980000-0x0000000000A41000-memory.dmp

      Filesize

      772KB

      Download