Overview

overview

10

Static

static

8

80162 (Metal).doc

windows7-x64

10

80162 (Metal).doc

windows10-2004-x64

10

Analysis

  • max time kernel
    14s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-03-2023 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    80162 (Metal).doc

  • Size

    505.3MB

  • MD5

    92e8b4374d9b0409e216c2fa85784fd7

  • SHA1

    b43e7c2119957c606b2581e60c0d36f79837839c

  • SHA256

    99fafa1d7ae87ff9e4470201827ee2a9bf56de01241909bb8f823623ed070d90

  • SHA512

    3791a50314009a1292df96533764b5a78d1f114bda048c0a238e521d17020a0dad2cc23d96f52f4dc1be4555f61c7a4ae205b7594d8b6db5284597df8bf2196f

  • SSDEEP

    6144:QDuxuMOZCBtANveapnaWVgsaNlbfXhoEHC87pnkTnlzIWZ4:18yGZZak8fxJB1e5IWZ4

Score
10/10
emotetepoch4bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\80162 (Metal).doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2900
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\133614.tmp"
      2⤵
      • Process spawned unexpected child process
      PID:3852
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OMwKDRMvKgSdP\OwjnaS.dll"
        3⤵
          PID:2776

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\133614.tmp
      Filesize

      452.2MB

      MD5

      fcee427a57b025dc1932e8875789c029

      SHA1

      fe12a05e7b7599deb3dcd136bc65d0c66022208f

      SHA256

      36fc3c88a2caaa6cffdf9bad0b1c726e37c29bf702d2828d7ba23981ed3ebd1a

      SHA512

      672dccae7bbdf3e3b1e94443b2f4392301b4c3ccd97669f4566ab2a41144c7db8d4603444878a999fa9074c9e4dc5c93fc31fb509c106183b248cad3e2cb79bb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\133614.tmp
      Filesize

      455.3MB

      MD5

      1feb5569334a20d9ef0480dca2f87582

      SHA1

      a4879f478e4cd0fc1097ea5772fed79a71eab064

      SHA256

      5f773b7be5bac25a5835a50d92da5bb6fb045a84f69f41a205b276293cff4d32

      SHA512

      bca888c61e8d5718a5e1d1a3b1817c4b77591345d70e36b30dc320b7a3412008c12553cddf48e211d36479b575e3ed5d656a0b49619a10a28fdbd935ea4e45e9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\133615.zip
      Filesize

      804KB

      MD5

      7821adc2f937cd7f7f6fc3499ceda7c3

      SHA1

      5e4c4bd7a474c4bebe39b3741ccbc54e524692d4

      SHA256

      95944d22d1e39c3d3f1b7f35fc225b81fd937d711a662b219fa94422e78c8f17

      SHA512

      f850146e6bd3a1a43da0f01db570c8881642aabf3a315db429a1bb2834cfe7baed183f575cd3774948ef5cd485f7a042d580dbb48f77f47a081e967273bb85cb

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit
    • C:\Windows\System32\OMwKDRMvKgSdP\OwjnaS.dll
      Filesize

      424.6MB

      MD5

      6a4931aee6e434d5f92843046c4eeb2e

      SHA1

      34548a9297cb37ee93e233b27a2bd4b089cf5e03

      SHA256

      e971a8766d7de8ec7bac526d0e95096916005ee4ed0af0c0302b5b4bcc65af3d

      SHA512

      3a2068ead87247eb95f29abe4dde2e77fbc9794b7c166a6e26fe0e43061b3229e8a04d8afa6e445d12214485857a946fb0ad550a2b7c16e8a6edabf07767e5be

      Download Submit
    • C:\Windows\System32\OMwKDRMvKgSdP\OwjnaS.dll
      Filesize

      450.1MB

      MD5

      8067b4efa5bc3efe501a3777fb766e53

      SHA1

      a403213828d95aa9538fc642d452965494ef8b1d

      SHA256

      2831005ef43c0e506632b361a89ebc173e36750432faf61c7eac2891bd7dcab6

      SHA512

      f5981ae37c64e41ba984cf48650c7498f1274cb93d2246625b68348b8957638553035f076d7322296f277e940492d35cb7ec23334ad811d69f769bc9c7482cf9

      Download Submit
    • memory/2776-197-0x00000000020A0000-0x0000000002128000-memory.dmp
      Filesize

      544KB

      Download
    • memory/2776-185-0x00000000020A0000-0x0000000002128000-memory.dmp
      Filesize

      544KB

      Download
    • memory/2900-139-0x00007FFB21AB0000-0x00007FFB21AC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2900-134-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2900-135-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2900-136-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2900-138-0x00007FFB21AB0000-0x00007FFB21AC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2900-133-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2900-137-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2900-223-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2900-224-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2900-225-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2900-226-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3852-179-0x0000000180000000-0x000000018002D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3852-182-0x0000000000A20000-0x0000000000A21000-memory.dmp
      Filesize

      4KB

      Download