emotet | ec210125cc000c482efe8e7af7e2a2f57e22b3a66f191cb735a2d33fb4d47a8e

General

Target

100498851360482388129.doc
Size

505.4MB
MD5

9f436098a3a2acd867a23ba4d00be24f
SHA1

6ffa087b98d968e326c3f8365ff14a9f3e3f0659
SHA256

11224b24b3619d4ebfe265875f9745fc542553158813aa112d77a0cb4fe654cc
SHA512

ab9f91583656d8f3002a667c6bde72f202e7c48ff89c77a7be68a78dd92eade668b74c09dc612332fa5da85f1260fa447b2119f0007754069cb034b7d930f223
SSDEEP

6144:ogJI9kbGiyDlVYoD2qe2qBgYZDyc+1Jg+CHf8biy/xllXQQgI2V:suyvDlGoUXZDyc0HCHf2Jxpg

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2604	4372	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	39	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	40	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4372 WINWORD.EXE
4372 WINWORD.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

4372 WINWORD.EXE
4372 WINWORD.EXE
4372 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

4372 WINWORD.EXE
4372 WINWORD.EXE
4372 WINWORD.EXE
4372 WINWORD.EXE

pid	process
4372	WINWORD.EXE
4372	WINWORD.EXE

pid	process
4372	WINWORD.EXE
4372	WINWORD.EXE
4372	WINWORD.EXE

pid	process
4372	WINWORD.EXE
4372	WINWORD.EXE
4372	WINWORD.EXE
4372	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4372 wrote to memory of 2604	4372	WINWORD.EXE	regsvr32.exe
PID 4372 wrote to memory of 2604	4372	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\100498851360482388129.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\113506.tmp"
2⤵
- Process spawned unexpected child process
PID:2604

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VYmiB\GHiphsQu.dll"
3⤵
PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\113506.tmp

Filesize
315.8MB

MD5
6a46887b834c4f636224dc24c2e653dd

SHA1
3e9f6d0fe1acec7e3b07bb603ccc081d1f678b23

SHA256
2540ef5ffd877213509908459dde3c1cdaee300f2e16b8d9eeeb52edec201137

SHA512
fb8e8c194263c17bc7ae110bbe6aa4376531c3baa7cd5a671310ef89b475043b8e534dff44882dc3a3153d68459f5c058ed1d499aa7a0f5d7e7989c62d134899

Download Submit
C:\Users\Admin\AppData\Local\Temp\113506.tmp

Filesize
321.6MB

MD5
d31b310cbc411f4217f0e8fb25f30c74

SHA1
93d7faf944fa624c43cd1f902fa1b95faafed8d2

SHA256
23e0f073fdb27adf02c11546225949eb2a8e174b940726dd7732819d43a27190

SHA512
63ddc41bbf8d3cf9abe16002c50e9e0f628fcf73b6b94f33e5e98490e60c83d928f6a8dc77373b21243a1d398283b41e7695bcb2db063732ebb88dca173f2b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\113506.tmp

Filesize
320.2MB

MD5
dca176d6dda679a4e8e6ca4c1f4d31bf

SHA1
a41165da42585c6b13ee8d8e852fe3305305f0dd

SHA256
4218153ae0e1a301d4a1af58c25d65c034b4549b4f2b9223126f84370ce31fe2

SHA512
f139197ad0e5de86d6138e618ec81da4dd22aa42916c5780c50c8339b1299ac4393da4afcc31c1e52e64d7a4aefec92a3f64073da2a0d25e5726d38c7581925e

Download Submit
C:\Users\Admin\AppData\Local\Temp\113507.zip

Filesize
816KB

MD5
e9d64df104a187f329b391a9c55d4be3

SHA1
70e4cf2b0c68ebfbf524e05325e5f1cbb59b8ff5

SHA256
23f2849e311775c6c463ebfca76e278e3352529567df97ed743f9e296ef362c4

SHA512
0eb004c505e4fbe082b8a8b362deb228cb5936f25bd823175abf7bc752e62192491fc54ccd9f84ecc58e42dba5154470faeafb3538f3723fb5486bdf40844c06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\System32\VYmiB\GHiphsQu.dll

Filesize
310.9MB

MD5
6901323eb50631cc6e6d528599c57bd2

SHA1
b58ed77a9d4b5fa622b6a1c8ce912be35d8e0fc9

SHA256
45aa64eb78617780ff5f64e926f7e3554c8e9c06954745cd70297aad51ae8d04

SHA512
43a31502165c77913ef21c0aad6631db2d23900a8404c2359b4c0658445fd83b5cf9dfc6e70f1c4aa3bc0aec89afa79aa12c8c33094ee90fc75c2ca28baa6c75

Download Submit
memory/552-197-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2604-185-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/2604-180-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/2604-175-0x0000000002050000-0x00000000020D8000-memory.dmp

Filesize
544KB

Download
memory/4372-137-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/4372-134-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/4372-135-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/4372-138-0x00007FFB21AB0000-0x00007FFB21AC0000-memory.dmp

Filesize
64KB

Download
memory/4372-136-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/4372-133-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/4372-139-0x00007FFB21AB0000-0x00007FFB21AC0000-memory.dmp

Filesize
64KB

Download
memory/4372-226-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/4372-225-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/4372-224-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/4372-223-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads