Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-es -
resource tags
arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows -
submitted
09-03-2023 12:25
Behavioral task
behavioral1
Sample
DATOS_0973.doc
Resource
win7-20230220-es
Behavioral task
behavioral2
Sample
DATOS_0973.doc
Resource
win10v2004-20230220-es
General
-
Target
DATOS_0973.doc
-
Size
507.3MB
-
MD5
2b2c491813fa283bcae934cf29381dc4
-
SHA1
53edd6c15f10e5eceb3aeb231909110ba7bdccab
-
SHA256
e22072d225a264695a9a3ad92e21c0325a4a49e310c4720627c7da5545ef4e92
-
SHA512
0fbe386067d285aa0e9459dc97443fccc4bcf6a2078ad78e6a7d09315ef3996017379e648dcdd63d7a928bb28aa2698e02a02d46530b3f169147eb3cd1d55040
-
SSDEEP
3072:2JX29m8QBUoItA/leC6gSJ+2JiclnUOvrRxqmLcHeNJxPkdVdTRcDK6:2EmleC6gSJWclU0RxVLcHe5cdTR
Malware Config
Extracted
emotet
Epoch4
129.232.188.93:443
164.90.222.65:443
159.65.88.10:8080
172.105.226.75:8080
115.68.227.76:8080
187.63.160.88:80
169.57.156.166:8080
185.4.135.165:8080
153.126.146.25:7080
197.242.150.244:8080
139.59.126.41:443
186.194.240.217:443
103.132.242.26:8080
206.189.28.199:8080
163.44.196.120:8080
95.217.221.146:8080
159.89.202.34:443
119.59.103.152:8080
183.111.227.137:8080
201.94.166.162:443
103.75.201.2:443
149.56.131.28:8080
79.137.35.198:8080
5.135.159.50:443
66.228.32.31:7080
91.121.146.47:8080
153.92.5.27:8080
45.235.8.30:8080
72.15.201.15:8080
107.170.39.149:8080
45.176.232.124:443
82.223.21.224:8080
167.172.199.165:8080
213.239.212.5:443
202.129.205.3:8080
94.23.45.86:4143
147.139.166.154:8080
167.172.253.162:8080
91.207.28.33:8080
188.44.20.25:443
104.168.155.143:8080
110.232.117.186:8080
164.68.99.3:8080
1.234.2.232:8080
173.212.193.249:8080
182.162.143.56:443
160.16.142.56:8080
101.50.0.91:8080
103.43.75.120:443
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2684 3632 regsvr32.exe WINWORD.EXE -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 2684 regsvr32.exe 2036 regsvr32.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
regsvr32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VGSA.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\MEMMnZfjiARMhsD\\VGSA.dll\"" regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 34 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3632 WINWORD.EXE 3632 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 2684 regsvr32.exe 2684 regsvr32.exe 2036 regsvr32.exe 2036 regsvr32.exe 2036 regsvr32.exe 2036 regsvr32.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
WINWORD.EXEpid process 3632 WINWORD.EXE 3632 WINWORD.EXE 3632 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 3632 WINWORD.EXE 3632 WINWORD.EXE 3632 WINWORD.EXE 3632 WINWORD.EXE 3632 WINWORD.EXE 3632 WINWORD.EXE 3632 WINWORD.EXE 3632 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEregsvr32.exedescription pid process target process PID 3632 wrote to memory of 2684 3632 WINWORD.EXE regsvr32.exe PID 3632 wrote to memory of 2684 3632 WINWORD.EXE regsvr32.exe PID 2684 wrote to memory of 2036 2684 regsvr32.exe regsvr32.exe PID 2684 wrote to memory of 2036 2684 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DATOS_0973.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\132617.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\MEMMnZfjiARMhsD\VGSA.dll"3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\132617.tmpFilesize
526.5MB
MD5efd82875faec2cd3b02db62998348753
SHA122c09b81bf4a29d1511d464e9a31c553b57bd862
SHA25665d2fea34b5ead55f85670e48c686de4421954c4fd235f5247d60f43d205114e
SHA51228927752998ab6f8393363c24bb4545fe8cbb7a76cdd34c62d237831f568a431f571592fcbd9bb669d60ef32f66fa25f8d0c845fddadd498b69302c3f50c0d6b
-
C:\Users\Admin\AppData\Local\Temp\132617.tmpFilesize
526.5MB
MD5efd82875faec2cd3b02db62998348753
SHA122c09b81bf4a29d1511d464e9a31c553b57bd862
SHA25665d2fea34b5ead55f85670e48c686de4421954c4fd235f5247d60f43d205114e
SHA51228927752998ab6f8393363c24bb4545fe8cbb7a76cdd34c62d237831f568a431f571592fcbd9bb669d60ef32f66fa25f8d0c845fddadd498b69302c3f50c0d6b
-
C:\Users\Admin\AppData\Local\Temp\132618.zipFilesize
811KB
MD5cfb2efb2b8bc087f29e9c23cfad3caa7
SHA1e0122816f9548649bc023fc5672a79fefb406bdc
SHA256844b8324628a400e90f51ff91c865dff28141b108e304005a2879759945e83f5
SHA512c3117199d445e77d5efdf0466cb0c8e11c7d71e8ca70e7bdac7217aaf45ceca35cea9a68fae28d5c68187871c894fb0281410099432e00c9c66d8a50a97166a8
-
C:\Windows\System32\MEMMnZfjiARMhsD\VGSA.dllFilesize
526.5MB
MD5efd82875faec2cd3b02db62998348753
SHA122c09b81bf4a29d1511d464e9a31c553b57bd862
SHA25665d2fea34b5ead55f85670e48c686de4421954c4fd235f5247d60f43d205114e
SHA51228927752998ab6f8393363c24bb4545fe8cbb7a76cdd34c62d237831f568a431f571592fcbd9bb669d60ef32f66fa25f8d0c845fddadd498b69302c3f50c0d6b
-
memory/2036-187-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/2684-174-0x0000000180000000-0x000000018002D000-memory.dmpFilesize
180KB
-
memory/2684-182-0x0000000001430000-0x0000000001431000-memory.dmpFilesize
4KB
-
memory/3632-136-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmpFilesize
64KB
-
memory/3632-135-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmpFilesize
64KB
-
memory/3632-137-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmpFilesize
64KB
-
memory/3632-134-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmpFilesize
64KB
-
memory/3632-139-0x00007FF88CC90000-0x00007FF88CCA0000-memory.dmpFilesize
64KB
-
memory/3632-133-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmpFilesize
64KB
-
memory/3632-138-0x00007FF88CC90000-0x00007FF88CCA0000-memory.dmpFilesize
64KB
-
memory/3632-214-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmpFilesize
64KB
-
memory/3632-215-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmpFilesize
64KB
-
memory/3632-216-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmpFilesize
64KB
-
memory/3632-217-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmpFilesize
64KB