emotet | 7be3a629d6a1ea722c525aeaadd57f6f43db20bb70f55caf64a666518f0b0707

Resubmissions

09/03/2023, 13:27

230309-qqgx3ace75 10

09/03/2023, 08:02

230309-jxggjsbc56 8

09/03/2023, 07:55

230309-jskcmsab7t 10

Analysis

max time kernel
33s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2023, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-03-09_1641.doc
Size

528.4MB
MD5

2497f00196794d6011c1f95d659fb948
SHA1

c9d0caba43352645f7aee4242350c938a0b4bf4e
SHA256

66b9053b5c63bac17c1ab5fd3f0e385a6c1fd579b0d05ba86aacd3bea54c558a
SHA512

faf794202164330cbaffb01447df2567aa090728f73db5fb2bbba050094b4332c3172fe35438fa76d9adea17b793bef1686baf06f76a9002b95c41b1c65c9e7e
SSDEEP

6144:E9fcsHgsTGbWqjWQ6e7t/5MIUAWuVfzmSsWnpoWgXEyV/FF:2fPPGBWQ6CBMIUreiSXgXtF

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4280	2204	regsvr32.exe	81

Loads dropped DLL 2 IoCs

pid	Process
4280	regsvr32.exe
4460	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	40	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2204	WINWORD.EXE
2204	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4280	regsvr32.exe
4280	regsvr32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 4280	2204	WINWORD.EXE	83
PID 2204 wrote to memory of 4280	2204	WINWORD.EXE	83
PID 4280 wrote to memory of 4460	4280	regsvr32.exe	86
PID 4280 wrote to memory of 4460	4280	regsvr32.exe	86

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-09_1641.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\142856.tmp"
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UULpKnQDLORqrgn\YxwiIz.dll"
    3⤵
    - Loads dropped DLL
    PID:4460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\142856.tmp

Filesize
540.5MB

MD5
7fcdfc330ad8d5f2ad852f329991f03d

SHA1
72ff376b4ecaccadc77b72af75b85516d6b7a043

SHA256
0ce4662f0d149cfb6af148c00db1e25f41401eff71e2ba64ea0d8dd17fa852da

SHA512
d0d8ae6a3a709dc2ad4f756612f60c30ded0933a6ff752063649b23b14d7d8c9ae68688fa40d5b53b0610efe9f0306fa189d836df22633807d51f0ebd8b861a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\142856.tmp

Filesize
540.5MB

MD5
7fcdfc330ad8d5f2ad852f329991f03d

SHA1
72ff376b4ecaccadc77b72af75b85516d6b7a043

SHA256
0ce4662f0d149cfb6af148c00db1e25f41401eff71e2ba64ea0d8dd17fa852da

SHA512
d0d8ae6a3a709dc2ad4f756612f60c30ded0933a6ff752063649b23b14d7d8c9ae68688fa40d5b53b0610efe9f0306fa189d836df22633807d51f0ebd8b861a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\142857.zip

Filesize
825KB

MD5
a1c6e1ef24f92cbdd33172c8b81e04d2

SHA1
812b0e57121426326c35eebea4cbc6f24807d490

SHA256
7fb804828c08b783db1e48c749af0c90c63d8ec35005e194e1d69dd7917c63c6

SHA512
a6080670aed4f62896097a71abee4b9966c6fb5e06b73837251d6588f3ea8c4f6d4696752390790e17fe3178d7e9611e3885f6c78dfb7d98c8153e48ce76eef0

Download Submit
C:\Windows\System32\UULpKnQDLORqrgn\YxwiIz.dll

Filesize
540.5MB

MD5
7fcdfc330ad8d5f2ad852f329991f03d

SHA1
72ff376b4ecaccadc77b72af75b85516d6b7a043

SHA256
0ce4662f0d149cfb6af148c00db1e25f41401eff71e2ba64ea0d8dd17fa852da

SHA512
d0d8ae6a3a709dc2ad4f756612f60c30ded0933a6ff752063649b23b14d7d8c9ae68688fa40d5b53b0610efe9f0306fa189d836df22633807d51f0ebd8b861a5

Download Submit
memory/2204-139-0x00007FFEA3ED0000-0x00007FFEA3EE0000-memory.dmp

Filesize
64KB

Download
memory/2204-138-0x00007FFEA3ED0000-0x00007FFEA3EE0000-memory.dmp

Filesize
64KB

Download
memory/2204-133-0x00007FFEA60F0000-0x00007FFEA6100000-memory.dmp

Filesize
64KB

Download
memory/2204-137-0x00007FFEA60F0000-0x00007FFEA6100000-memory.dmp

Filesize
64KB

Download
memory/2204-136-0x00007FFEA60F0000-0x00007FFEA6100000-memory.dmp

Filesize
64KB

Download
memory/2204-135-0x00007FFEA60F0000-0x00007FFEA6100000-memory.dmp

Filesize
64KB

Download
memory/2204-134-0x00007FFEA60F0000-0x00007FFEA6100000-memory.dmp

Filesize
64KB

Download
memory/4280-177-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/4280-180-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/4460-187-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download