emotet | 41d18cf14145a2437afb9d093abec8ac4297cd06f7d56992f5cee74ff4d596f2

General

Target

DATOS_0973.doc
Size

507.3MB
MD5

2b2c491813fa283bcae934cf29381dc4
SHA1

53edd6c15f10e5eceb3aeb231909110ba7bdccab
SHA256

e22072d225a264695a9a3ad92e21c0325a4a49e310c4720627c7da5545ef4e92
SHA512

0fbe386067d285aa0e9459dc97443fccc4bcf6a2078ad78e6a7d09315ef3996017379e648dcdd63d7a928bb28aa2698e02a02d46530b3f169147eb3cd1d55040
SSDEEP

3072:2JX29m8QBUoItA/leC6gSJ+2JiclnUOvrRxqmLcHeNJxPkdVdTRcDK6:2EmleC6gSJWclU0RxVLcHe5cdTR

Score

10^/10

emotet epoch4 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2684	3632	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2684 regsvr32.exe
2036 regsvr32.exe

pid	process
2684	regsvr32.exe
2036	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VGSA.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\MEMMnZfjiARMhsD\\VGSA.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 34 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3632 WINWORD.EXE
3632 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2684 regsvr32.exe
2684 regsvr32.exe
2036 regsvr32.exe
2036 regsvr32.exe
2036 regsvr32.exe
2036 regsvr32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

3632 WINWORD.EXE
3632 WINWORD.EXE
3632 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

3632 WINWORD.EXE
3632 WINWORD.EXE
3632 WINWORD.EXE
3632 WINWORD.EXE
3632 WINWORD.EXE
3632 WINWORD.EXE
3632 WINWORD.EXE
3632 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3632	WINWORD.EXE
3632	WINWORD.EXE

pid	process
2684	regsvr32.exe
2684	regsvr32.exe
2036	regsvr32.exe
2036	regsvr32.exe
2036	regsvr32.exe
2036	regsvr32.exe

pid	process
3632	WINWORD.EXE
3632	WINWORD.EXE
3632	WINWORD.EXE

pid	process
3632	WINWORD.EXE
3632	WINWORD.EXE
3632	WINWORD.EXE
3632	WINWORD.EXE
3632	WINWORD.EXE
3632	WINWORD.EXE
3632	WINWORD.EXE
3632	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEregsvr32.exe

description	pid	process	target process
PID 3632 wrote to memory of 2684	3632	WINWORD.EXE	regsvr32.exe
PID 3632 wrote to memory of 2684	3632	WINWORD.EXE	regsvr32.exe
PID 2684 wrote to memory of 2036	2684	regsvr32.exe	regsvr32.exe
PID 2684 wrote to memory of 2036	2684	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DATOS_0973.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\132617.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MEMMnZfjiARMhsD\VGSA.dll"
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\132617.tmp
Filesize
526.5MB

MD5
efd82875faec2cd3b02db62998348753

SHA1
22c09b81bf4a29d1511d464e9a31c553b57bd862

SHA256
65d2fea34b5ead55f85670e48c686de4421954c4fd235f5247d60f43d205114e

SHA512
28927752998ab6f8393363c24bb4545fe8cbb7a76cdd34c62d237831f568a431f571592fcbd9bb669d60ef32f66fa25f8d0c845fddadd498b69302c3f50c0d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\132617.tmp
Filesize
526.5MB

MD5
efd82875faec2cd3b02db62998348753

SHA1
22c09b81bf4a29d1511d464e9a31c553b57bd862

SHA256
65d2fea34b5ead55f85670e48c686de4421954c4fd235f5247d60f43d205114e

SHA512
28927752998ab6f8393363c24bb4545fe8cbb7a76cdd34c62d237831f568a431f571592fcbd9bb669d60ef32f66fa25f8d0c845fddadd498b69302c3f50c0d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\132618.zip
Filesize
811KB

MD5
cfb2efb2b8bc087f29e9c23cfad3caa7

SHA1
e0122816f9548649bc023fc5672a79fefb406bdc

SHA256
844b8324628a400e90f51ff91c865dff28141b108e304005a2879759945e83f5

SHA512
c3117199d445e77d5efdf0466cb0c8e11c7d71e8ca70e7bdac7217aaf45ceca35cea9a68fae28d5c68187871c894fb0281410099432e00c9c66d8a50a97166a8

Download Submit
C:\Windows\System32\MEMMnZfjiARMhsD\VGSA.dll
Filesize
526.5MB

MD5
efd82875faec2cd3b02db62998348753

SHA1
22c09b81bf4a29d1511d464e9a31c553b57bd862

SHA256
65d2fea34b5ead55f85670e48c686de4421954c4fd235f5247d60f43d205114e

SHA512
28927752998ab6f8393363c24bb4545fe8cbb7a76cdd34c62d237831f568a431f571592fcbd9bb669d60ef32f66fa25f8d0c845fddadd498b69302c3f50c0d6b

Download Submit
memory/2036-187-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2684-174-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/2684-182-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/3632-136-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmp

Filesize
64KB

Download
memory/3632-135-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmp

Filesize
64KB

Download
memory/3632-137-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmp

Filesize
64KB

Download
memory/3632-134-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmp

Filesize
64KB

Download
memory/3632-139-0x00007FF88CC90000-0x00007FF88CCA0000-memory.dmp

Filesize
64KB

Download
memory/3632-133-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmp

Filesize
64KB

Download
memory/3632-138-0x00007FF88CC90000-0x00007FF88CCA0000-memory.dmp

Filesize
64KB

Download
memory/3632-214-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmp

Filesize
64KB

Download
memory/3632-215-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmp

Filesize
64KB

Download
memory/3632-216-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmp

Filesize
64KB

Download
memory/3632-217-0x00007FF88ECF0000-0x00007FF88ED00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads