emotet | 0c80b796c3239e78e9d954f529da20c21d88b639537908056ed51496ea111577

General

Target

Invio documento rif.22954796 del 09.03.2023.doc
Size

545.3MB
MD5

f388af2adf5e1b3c0bb6bcfd71a75951
SHA1

dc269af3c0df4e7dabde4e838639bfa968c4b6f9
SHA256

af7b1a64bcfd9ad2ca2e9bb7a00ca49f3e199dceb7ec188d3906fd3f09dbca48
SHA512

1ab90983739b33ebd7c57d8b3d455e7cc7edff0c5da12df6ea0f76db8b545c8cd5d8b42db795bacc0c7587bff95b078447d717607d89cb195d0befffe8635466
SSDEEP

6144:QDuxuMOZCBtANveapnaWVgsaNlbfXhoEHC87pnkTnlzIWZ4:18yGZZak8fxJB1e5IWZ4

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2232	4544	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2232 regsvr32.exe
2232 regsvr32.exe
3884 regsvr32.exe

pid	process
2232	regsvr32.exe
2232	regsvr32.exe
3884	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 23 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4544 WINWORD.EXE
4544 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2232 regsvr32.exe
2232 regsvr32.exe
3884 regsvr32.exe
3884 regsvr32.exe
3884 regsvr32.exe
3884 regsvr32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

4544 WINWORD.EXE
4544 WINWORD.EXE
4544 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

4544 WINWORD.EXE
4544 WINWORD.EXE
4544 WINWORD.EXE
4544 WINWORD.EXE
4544 WINWORD.EXE
4544 WINWORD.EXE
4544 WINWORD.EXE
4544 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4544	WINWORD.EXE
4544	WINWORD.EXE

pid	process
2232	regsvr32.exe
2232	regsvr32.exe
3884	regsvr32.exe
3884	regsvr32.exe
3884	regsvr32.exe
3884	regsvr32.exe

pid	process
4544	WINWORD.EXE
4544	WINWORD.EXE
4544	WINWORD.EXE

pid	process
4544	WINWORD.EXE
4544	WINWORD.EXE
4544	WINWORD.EXE
4544	WINWORD.EXE
4544	WINWORD.EXE
4544	WINWORD.EXE
4544	WINWORD.EXE
4544	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEregsvr32.exe

description	pid	process	target process
PID 4544 wrote to memory of 2232	4544	WINWORD.EXE	regsvr32.exe
PID 4544 wrote to memory of 2232	4544	WINWORD.EXE	regsvr32.exe
PID 2232 wrote to memory of 3884	2232	regsvr32.exe	regsvr32.exe
PID 2232 wrote to memory of 3884	2232	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invio documento rif.22954796 del 09.03.2023.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\125012.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GIrBkTH\zCouDgtCGjclo.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\125012.tmp
Filesize
521.5MB

MD5
9646fa8b8fa1aa6be170b81a0046841b

SHA1
54516c50a117c983ffa85acab83dfa35ef667904

SHA256
bbce9dece94598edf5628487d1420bd57b38d979a5a6d170d9091fe188b5a8a2

SHA512
63e61aa9cf547ec68db73345c7a87d0b804853865fec9bd5679c773414e56a2964936b77ebb4d25b902fad23a9e10af150071cf3e333b9cfd5531176602bdce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\125012.tmp
Filesize
521.5MB

MD5
9646fa8b8fa1aa6be170b81a0046841b

SHA1
54516c50a117c983ffa85acab83dfa35ef667904

SHA256
bbce9dece94598edf5628487d1420bd57b38d979a5a6d170d9091fe188b5a8a2

SHA512
63e61aa9cf547ec68db73345c7a87d0b804853865fec9bd5679c773414e56a2964936b77ebb4d25b902fad23a9e10af150071cf3e333b9cfd5531176602bdce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\125012.tmp
Filesize
521.5MB

MD5
9646fa8b8fa1aa6be170b81a0046841b

SHA1
54516c50a117c983ffa85acab83dfa35ef667904

SHA256
bbce9dece94598edf5628487d1420bd57b38d979a5a6d170d9091fe188b5a8a2

SHA512
63e61aa9cf547ec68db73345c7a87d0b804853865fec9bd5679c773414e56a2964936b77ebb4d25b902fad23a9e10af150071cf3e333b9cfd5531176602bdce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\125013.zip
Filesize
806KB

MD5
aaccfff0a071afb57724298e5c8e0b3e

SHA1
17a763d2535edfa6b5c9f165091b6c08daef07fc

SHA256
3f1d83729e12053754741ada50c6a1286aedcd274bf118c08d4be435db31cbac

SHA512
d886000bf9cb3e6a3e2f8df1e475cfaeece0cb1ab90e8414b1a36e3abbf0f05d7591b64431b9f565805fd8e2759d7d89b35c47b8ce292190126b1656e2aa320b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\System32\GIrBkTH\zCouDgtCGjclo.dll
Filesize
521.5MB

MD5
9646fa8b8fa1aa6be170b81a0046841b

SHA1
54516c50a117c983ffa85acab83dfa35ef667904

SHA256
bbce9dece94598edf5628487d1420bd57b38d979a5a6d170d9091fe188b5a8a2

SHA512
63e61aa9cf547ec68db73345c7a87d0b804853865fec9bd5679c773414e56a2964936b77ebb4d25b902fad23a9e10af150071cf3e333b9cfd5531176602bdce3

Download Submit
memory/2232-177-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/2232-175-0x0000000002250000-0x00000000022D8000-memory.dmp

Filesize
544KB

Download
memory/2232-179-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2232-186-0x0000000002250000-0x00000000022D8000-memory.dmp

Filesize
544KB

Download
memory/3884-197-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4544-139-0x00007FFB878D0000-0x00007FFB878E0000-memory.dmp

Filesize
64KB

Download
memory/4544-138-0x00007FFB878D0000-0x00007FFB878E0000-memory.dmp

Filesize
64KB

Download
memory/4544-137-0x00007FFB89930000-0x00007FFB89940000-memory.dmp

Filesize
64KB

Download
memory/4544-136-0x00007FFB89930000-0x00007FFB89940000-memory.dmp

Filesize
64KB

Download
memory/4544-133-0x00007FFB89930000-0x00007FFB89940000-memory.dmp

Filesize
64KB

Download
memory/4544-135-0x00007FFB89930000-0x00007FFB89940000-memory.dmp

Filesize
64KB

Download
memory/4544-134-0x00007FFB89930000-0x00007FFB89940000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads