emotet | f80fa80d06d97ca28d5c02be2555ffa286eb3c9d13a1d8ff4ec9f7213b26dcac

General

Target

FGC3993015382_202303091516.doc
Size

547.2MB
MD5

88201cf279a01df657e8832e4734cb64
SHA1

bfb94055681293709a4d02fd9bc9ad5e57fd2036
SHA256

acdd26138af21fea8b35145200075fd7751d24310b3355a2c14058871f54b7eb
SHA512

123871889d320563577d9ec1605487c0d8dfee5055a9cc12325acb1cbf5d6e3d78ba361953a2dad30e8e23dd24261da6c3223d399c8e7b9c38ec861dd9a6df7e
SSDEEP

3072:vpt3LDPYvrTr3jvZNWGBStinoLVMcXyHtt5YC7EGIuGEMYDDK6:H3AvrTPRUGpmpXqWCoGIuGEMY

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4080	2764	regsvr32.exe	46

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2764	WINWORD.EXE
2764	WINWORD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2764	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2764	WINWORD.EXE
2764	WINWORD.EXE
2764	WINWORD.EXE
2764	WINWORD.EXE
2764	WINWORD.EXE
2764	WINWORD.EXE
2764	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\FGC3993015382_202303091516.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2764
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\100034.tmp"
  2⤵
  - Process spawned unexpected child process
  PID:4080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77D0C49F74F2ECE6F447F6693BF217EA

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77D0C49F74F2ECE6F447F6693BF217EA

Filesize
398B

MD5
12ee153fac4b0a59302e75119b1656a2

SHA1
2e9f06dea37c66782ee3b936ce508cd43303e22e

SHA256
fad87eee837c35752ac3338b880db196c12ce2af2bc388dea686d4c5edaba0f5

SHA512
cdcaf0698bca0238f16b15795e5000dca7642042ddd38deb6ea2044a58ae337a4623bf2e0124d93c8ecad88b98fdc0d3d957d7c4d9b2fb45e9edb1594794d6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\100034.tmp

Filesize
3.7MB

MD5
f30666b819a892584d500f02020a991c

SHA1
dad735a073877479b9e141e7d0b10c32c086ad65

SHA256
3c542dbd9549be299ea3b33ba324e686b5ab6791483195a78419966afe8cf3b7

SHA512
47e85dd8de004de68d796b81dd17c52f42be822b66bc0ff322ce3cdee959948d455f86afcf3c4d891f877ca54bf9cbf37aab3fd0072dd01be565dbd38e164544

Download Submit
C:\Users\Admin\AppData\Local\Temp\100034.tmp

Filesize
1.3MB

MD5
261793c8bff061e5ad1da9393df2dd8e

SHA1
bba4cf3ffbf897c4618a11623e286f73cc7010f6

SHA256
121f231e2a1cb5f4dbed32eb91f1f6df6e4f0804321b5a0f6e27c19bd9d5bf7c

SHA512
5d00d586be1d64a873d5d0845e109eb508c359f465ddcd1e95d3d11ae9f9dc1ea01563d7ef8b8b0571b5255e161a365319a54a2b6a71e2b073b87c37db116170

Download Submit
C:\Users\Admin\AppData\Local\Temp\100044.zip

Filesize
847KB

MD5
3896f882c55761b6d987430a948a3bb3

SHA1
2945bfa7dd29ff3b8cfe5cf222e24cd9946769a7

SHA256
d9e4c823ed301ec5c75a3030e3f9f807195fc4b4f36041caf40ad2ee51dd1143

SHA512
eeb92052493fd803bfebf054a4e98c1461dd9cbb95cde2fa477434d31f2dea3869ff4b31ec10cb1af5d410af63339d7b11c1607595585991c3aaaa6ae51ea183

Download Submit
memory/2764-136-0x00007FFA94230000-0x00007FFA94240000-memory.dmp

Filesize
64KB

Download
memory/2764-139-0x00007FFA92070000-0x00007FFA92080000-memory.dmp

Filesize
64KB

Download
memory/2764-138-0x00007FFA92070000-0x00007FFA92080000-memory.dmp

Filesize
64KB

Download
memory/2764-137-0x00007FFA94230000-0x00007FFA94240000-memory.dmp

Filesize
64KB

Download
memory/2764-133-0x00007FFA94230000-0x00007FFA94240000-memory.dmp

Filesize
64KB

Download
memory/2764-135-0x00007FFA94230000-0x00007FFA94240000-memory.dmp

Filesize
64KB

Download
memory/2764-134-0x00007FFA94230000-0x00007FFA94240000-memory.dmp

Filesize
64KB

Download
memory/4080-197-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads