Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system -
submitted
09-03-2023 11:49
Behavioral task
behavioral1
Sample
Invio documento rif.22954796 del 09.03.2023.doc
Resource
win7-20230220-en
General
-
Target
Invio documento rif.22954796 del 09.03.2023.doc
-
Size
545.3MB
-
MD5
f388af2adf5e1b3c0bb6bcfd71a75951
-
SHA1
dc269af3c0df4e7dabde4e838639bfa968c4b6f9
-
SHA256
af7b1a64bcfd9ad2ca2e9bb7a00ca49f3e199dceb7ec188d3906fd3f09dbca48
-
SHA512
1ab90983739b33ebd7c57d8b3d455e7cc7edff0c5da12df6ea0f76db8b545c8cd5d8b42db795bacc0c7587bff95b078447d717607d89cb195d0befffe8635466
-
SSDEEP
6144:QDuxuMOZCBtANveapnaWVgsaNlbfXhoEHC87pnkTnlzIWZ4:18yGZZak8fxJB1e5IWZ4
Malware Config
Extracted
Family
emotet
Botnet
Epoch4
C2
129.232.188.93:443
164.90.222.65:443
159.65.88.10:8080
172.105.226.75:8080
115.68.227.76:8080
187.63.160.88:80
169.57.156.166:8080
185.4.135.165:8080
153.126.146.25:7080
197.242.150.244:8080
139.59.126.41:443
186.194.240.217:443
103.132.242.26:8080
206.189.28.199:8080
163.44.196.120:8080
95.217.221.146:8080
159.89.202.34:443
119.59.103.152:8080
183.111.227.137:8080
201.94.166.162:443
103.75.201.2:443
149.56.131.28:8080
79.137.35.198:8080
5.135.159.50:443
66.228.32.31:7080
91.121.146.47:8080
153.92.5.27:8080
45.235.8.30:8080
72.15.201.15:8080
107.170.39.149:8080
45.176.232.124:443
82.223.21.224:8080
167.172.199.165:8080
213.239.212.5:443
202.129.205.3:8080
94.23.45.86:4143
147.139.166.154:8080
167.172.253.162:8080
91.207.28.33:8080
188.44.20.25:443
104.168.155.143:8080
110.232.117.186:8080
164.68.99.3:8080
1.234.2.232:8080
173.212.193.249:8080
182.162.143.56:443
160.16.142.56:8080
101.50.0.91:8080
103.43.75.120:443
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the child is regsvr32.exe /s loading a .tmp file from the user's Temp directory (see Processes below).
Processes:
description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
pid: 2232  pid_target: 4544  process: regsvr32.exe  target process: WINWORD.EXE
-
Loads dropped DLL 3 IoCs
Processes:
pid: 2232  process: regsvr32.exe (2 occurrences)
pid: 3884  process: regsvr32.exe (1 occurrence)
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Note that the querying process here is WINWORD.EXE rather than the regsvr32.exe process hosting the dropped DLL, so on its own this is not strong evidence of evasion by the payload.
Processes:
description: Key opened  ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  process: WINWORD.EXE
description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  process: WINWORD.EXE
description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  process: WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
As with the processor checks, the querying process is WINWORD.EXE, not the regsvr32.exe payload host.
Processes:
description: Key opened  ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS  process: WINWORD.EXE
description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  process: WINWORD.EXE
description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  process: WINWORD.EXE
-
Script User-Agent 1 IoCs
Uses a User-Agent string associated with a script host/environment. "WinHttp.WinHttpRequest.5" is the default User-Agent of the WinHTTP COM object, which is commonly driven from VBA and other scripts.
Processes:
description: HTTP User-Agent header  flow: 23  ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid: 4544  process: WINWORD.EXE (2 occurrences)
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid: 2232  process: regsvr32.exe (2 occurrences)
pid: 3884  process: regsvr32.exe (4 occurrences)
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid: 4544  process: WINWORD.EXE (3 occurrences)
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid: 4544  process: WINWORD.EXE (8 occurrences)
-
Suspicious use of WriteProcessMemory 4 IoCs
Both writes are parent-to-child at process creation time, so the signal here is the parent/child pair rather than the write itself.
Processes:
description: PID 4544 wrote to memory of 2232  pid: 4544  process: WINWORD.EXE  target process: regsvr32.exe (2 occurrences)
description: PID 2232 wrote to memory of 3884  pid: 2232  process: regsvr32.exe  target process: regsvr32.exe (2 occurrences)
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4544, depth 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invio documento rif.22954796 del 09.03.2023.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\regsvr32.exe (PID 2232, depth 2, parent PID 4544)
  Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\125012.tmp"
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\regsvr32.exe (PID 3884, depth 3, parent PID 2232)
    Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GIrBkTH\zCouDgtCGjclo.dll"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
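The chain above (WINWORD.EXE launching regsvr32.exe /s on a .tmp file from the user's Temp directory, which in turn launches a second regsvr32.exe on a DLL copied into a random-named subdirectory of System32) is what the "Process spawned unexpected child process" and "Loads dropped DLL" signatures fire on, and it is the most portable thing to hunt for: both the document (545.3MB) and the dropped DLL (521.5MB) may exceed the size limits of file scanning and submission pipelines, so process telemetry is the more reliable signal. The following is an added example, not part of the sandbox report or of any vendor tooling: a small detector run over constructed process-creation events modelled on the report's process tree. Sysmon Event ID 1 field names are assumed; PIDs, paths and command lines are taken from the report, while the explorer.exe parent of WINWORD, the msiexec control event and the System32 subdirectory allowlist are invented for illustration.

```python
"""Process-chain detection for the Office -> regsvr32 -> regsvr32 pattern in this
report. Added example, not part of the sandbox report: the events are constructed
to mirror the report's process tree (PIDs 4544 -> 2232 -> 3884) using Sysmon
Event ID 1 field names, which are assumed; the explorer.exe parent of WINWORD and
the benign msiexec control event are invented.
"""
import re
from typing import Dict, List

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and LOLBins that an Office application has no business launching.
SUSPICIOUS_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Illustrative allowlist of legitimate System32 subdirectories (assumed; extend as needed).
KNOWN_SYSTEM32_SUBDIRS = {"drivers", "wbem", "spool", "driverstore", "winevt", "config"}

# regsvr32 pointed at a non-.dll extension under the user's Temp directory
# (the report shows ...\AppData\Local\Temp\125012.tmp).
TEMP_NON_DLL = re.compile(
    r'\\AppData\\Local\\Temp\\[^"\s]+\.(?!dll(?=["\s]|$))[a-z0-9]{1,4}(?=["\s]|$)', re.I)
# regsvr32 loading a DLL one level below System32 in a subdirectory
# (the report shows C:\Windows\system32\GIrBkTH\zCouDgtCGjclo.dll).
SYSTEM32_SUBDIR_DLL = re.compile(
    r'\\Windows\\System32\\([A-Za-z0-9]{5,})\\[A-Za-z0-9]+\.dll(?=["\s]|$)', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event is suspicious (empty == benign)."""
    reasons = []
    parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    if parent in OFFICE_IMAGES and image in SUSPICIOUS_CHILDREN:
        reasons.append(f"office_spawns_{image}")
    if image == "regsvr32.exe":
        if TEMP_NON_DLL.search(cmd):
            reasons.append("regsvr32_temp_non_dll")
        m = SYSTEM32_SUBDIR_DLL.search(cmd)
        if m and m.group(1).lower() not in KNOWN_SYSTEM32_SUBDIRS:
            reasons.append("regsvr32_system32_subdir_dll")
        if parent == "regsvr32.exe":
            reasons.append("regsvr32_spawns_regsvr32")
    return reasons


def detect(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map ProcessId -> reasons for every event that scored at least one reason."""
    hits = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits[ev["ProcessId"]] = reasons
    return hits


# Constructed sample telemetry mirroring the report's process tree.
SAMPLE_EVENTS = [
    {"ProcessId": "4544", "ParentProcessId": "1234",
     "ParentImage": r"C:\Windows\explorer.exe",  # assumed parent
     "Image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invio documento rif.22954796 del 09.03.2023.doc" /o ""'},
    {"ProcessId": "2232", "ParentProcessId": "4544",
     "ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\125012.tmp"'},
    {"ProcessId": "3884", "ParentProcessId": "2232",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "Image": r"C:\Windows\system32\regsvr32.exe",
     "CommandLine": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GIrBkTH\zCouDgtCGjclo.dll"'},
    # Invented benign control: an installer registering a COM server from Program Files.
    {"ProcessId": "5000", "ParentProcessId": "4999",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\component.dll"'},
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

The reasons are kept separate rather than collapsed into one score so that the Office-parent rule can alert on its own, while the two regsvr32 path rules (non-DLL extension in Temp, DLL in a fresh System32 subdirectory) add confidence without depending on the parent being Office.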
Network
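The report carries no network capture here, but the extracted config (49 Epoch4 C2 host:port pairs) and the Script User-Agent IoC (flow 23) are directly actionable. The following is an added example, not part of the sandbox report: it parses the C2 list exactly as listed under Malware Config, then classifies constructed connection records into exact host:port hits, same-host-different-port hits and User-Agent hits. The record layout, timestamps, internal source address and the non-C2 destinations are assumed for the example. The WinHttp.WinHttpRequest.5 User-Agent is the default of the WinHTTP COM object and also appears in legitimate VBA and VBScript automation, so the code treats it as corroborating rather than sufficient on its own.

```python
"""Network IoC matching for the Emotet Epoch4 config and the Script User-Agent
IoC in this report. Added example, not part of the sandbox report: the C2 list is
copied from the report, everything else (record layout, timestamps, addresses
of the non-C2 destinations) is constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple

# 49 host:port pairs, exactly as extracted in the report's Malware Config.
EMOTET_EPOCH4_C2 = """
129.232.188.93:443 164.90.222.65:443 159.65.88.10:8080 172.105.226.75:8080
115.68.227.76:8080 187.63.160.88:80 169.57.156.166:8080 185.4.135.165:8080
153.126.146.25:7080 197.242.150.244:8080 139.59.126.41:443 186.194.240.217:443
103.132.242.26:8080 206.189.28.199:8080 163.44.196.120:8080 95.217.221.146:8080
159.89.202.34:443 119.59.103.152:8080 183.111.227.137:8080 201.94.166.162:443
103.75.201.2:443 149.56.131.28:8080 79.137.35.198:8080 5.135.159.50:443
66.228.32.31:7080 91.121.146.47:8080 153.92.5.27:8080 45.235.8.30:8080
72.15.201.15:8080 107.170.39.149:8080 45.176.232.124:443 82.223.21.224:8080
167.172.199.165:8080 213.239.212.5:443 202.129.205.3:8080 94.23.45.86:4143
147.139.166.154:8080 167.172.253.162:8080 91.207.28.33:8080 188.44.20.25:443
104.168.155.143:8080 110.232.117.186:8080 164.68.99.3:8080 1.234.2.232:8080
173.212.193.249:8080 182.162.143.56:443 160.16.142.56:8080 101.50.0.91:8080
103.43.75.120:443
"""
# Default User-Agent of the WinHTTP COM object (flow 23 in the report).
SCRIPT_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"


def parse_c2(text: str) -> Set[Tuple[str, int]]:
    """Turn the 'ip:port' tokens of an extracted config into a set of (host, port)."""
    pairs = set()
    for tok in text.split():
        host, port = tok.rsplit(":", 1)
        pairs.add((host, int(port)))
    return pairs


C2: Set[Tuple[str, int]] = parse_c2(EMOTET_EPOCH4_C2)
C2_HOSTS: Set[str] = {host for host, _ in C2}


def port_histogram() -> Counter:
    """Which ports the config uses; useful when deciding what to alert on vs. block."""
    return Counter(port for _, port in C2)


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    user_agent: str  # "" when the flow is not HTTP or was not inspected


def classify(flow: Flow) -> List[str]:
    """Return the tags that apply to one connection record (empty list == nothing)."""
    tags = []
    if (flow.dst, flow.dport) in C2:
        tags.append("emotet_epoch4_c2")               # exact host:port from the config
    elif flow.dst in C2_HOSTS:
        tags.append("emotet_epoch4_host_other_port")  # same host, other port: weaker
    if flow.user_agent == SCRIPT_UA:
        tags.append("winhttprequest_user_agent")      # corroborating, not sufficient alone
    return tags


def scan(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each record's timestamp to its tags, dropping records with no tag."""
    hits = {}
    for f in flows:
        tags = classify(f)
        if tags:
            hits[f.ts] = tags
    return hits


# Constructed sample records (timestamps, source address and the two
# non-C2 destinations are invented for the example).
SAMPLE_FLOWS = [
    Flow("2023-03-09T11:50:01Z", "10.0.0.5", "94.23.45.86", 4143, ""),
    Flow("2023-03-09T11:50:02Z", "10.0.0.5", "187.63.160.88", 80, SCRIPT_UA),
    Flow("2023-03-09T11:50:03Z", "10.0.0.5", "129.232.188.93", 8080, ""),
    Flow("2023-03-09T11:50:04Z", "10.0.0.5", "203.0.113.10", 443,
         "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    Flow("2023-03-09T11:50:05Z", "10.0.0.5", "198.51.100.7", 80, SCRIPT_UA),
]

if __name__ == "__main__":
    print(dict(port_histogram()))
    for ts, tags in scan(SAMPLE_FLOWS).items():
        print(ts, ", ".join(tags))
```

The port histogram shows why the host set matters as much as the exact pairs: the config mixes 443, 8080, 7080, 80 and a single 4143, so a blocklist keyed on host alone catches rotations to a new port, at the cost of the lower-confidence "host, other port" tag needing analyst review.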
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\125012.tmp
Filesize
521.5MB
MD5
9646fa8b8fa1aa6be170b81a0046841b
SHA1
54516c50a117c983ffa85acab83dfa35ef667904
SHA256
bbce9dece94598edf5628487d1420bd57b38d979a5a6d170d9091fe188b5a8a2
SHA512
63e61aa9cf547ec68db73345c7a87d0b804853865fec9bd5679c773414e56a2964936b77ebb4d25b902fad23a9e10af150071cf3e333b9cfd5531176602bdce3
-
C:\Users\Admin\AppData\Local\Temp\125013.zip
Filesize
806KB
MD5
aaccfff0a071afb57724298e5c8e0b3e
SHA1
17a763d2535edfa6b5c9f165091b6c08daef07fc
SHA256
3f1d83729e12053754741ada50c6a1286aedcd274bf118c08d4be435db31cbac
SHA512
d886000bf9cb3e6a3e2f8df1e475cfaeece0cb1ab90e8414b1a36e3abbf0f05d7591b64431b9f565805fd8e2759d7d89b35c47b8ce292190126b1656e2aa320b
-
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex (Word proofing-tools exclude dictionary, a normal Word artifact)
Filesize
2B
MD5
f3b25701fe362ec84616a93a45ce9998
SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Windows\System32\GIrBkTH\zCouDgtCGjclo.dll (identical hashes to C:\Users\Admin\AppData\Local\Temp\125012.tmp: the dropped payload copied into a System32 subdirectory, not a second download)
Filesize
521.5MB
MD5
9646fa8b8fa1aa6be170b81a0046841b
SHA1
54516c50a117c983ffa85acab83dfa35ef667904
SHA256
bbce9dece94598edf5628487d1420bd57b38d979a5a6d170d9091fe188b5a8a2
SHA512
63e61aa9cf547ec68db73345c7a87d0b804853865fec9bd5679c773414e56a2964936b77ebb4d25b902fad23a9e10af150071cf3e333b9cfd5531176602bdce3
-
memory/2232-177-0x0000000180000000-0x000000018002D000-memory.dmp
Filesize
180KB
-
memory/2232-175-0x0000000002250000-0x00000000022D8000-memory.dmp
Filesize
544KB
-
memory/2232-179-0x0000000000940000-0x0000000000941000-memory.dmp
Filesize
4KB
-
memory/2232-186-0x0000000002250000-0x00000000022D8000-memory.dmp
Filesize
544KB
-
memory/3884-197-0x0000000000400000-0x0000000000488000-memory.dmp
Filesize
544KB
-
memory/4544-139-0x00007FFB878D0000-0x00007FFB878E0000-memory.dmp
Filesize
64KB
-
memory/4544-138-0x00007FFB878D0000-0x00007FFB878E0000-memory.dmp
Filesize
64KB
-
memory/4544-137-0x00007FFB89930000-0x00007FFB89940000-memory.dmp
Filesize
64KB
-
memory/4544-136-0x00007FFB89930000-0x00007FFB89940000-memory.dmp
Filesize
64KB
-
memory/4544-133-0x00007FFB89930000-0x00007FFB89940000-memory.dmp
Filesize
64KB
-
memory/4544-135-0x00007FFB89930000-0x00007FFB89940000-memory.dmp
Filesize
64KB
-
memory/4544-134-0x00007FFB89930000-0x00007FFB89940000-memory.dmp
Filesize
64KB