emotet | 27ae9d572f54a43df06de2e7f054508ae1bf186847c8a6cf0b65c63ab6d94fb4

General

Target

80162 (Metal).doc
Size

505.3MB
MD5

92e8b4374d9b0409e216c2fa85784fd7
SHA1

b43e7c2119957c606b2581e60c0d36f79837839c
SHA256

99fafa1d7ae87ff9e4470201827ee2a9bf56de01241909bb8f823623ed070d90
SHA512

3791a50314009a1292df96533764b5a78d1f114bda048c0a238e521d17020a0dad2cc23d96f52f4dc1be4555f61c7a4ae205b7594d8b6db5284597df8bf2196f
SSDEEP

6144:QDuxuMOZCBtANveapnaWVgsaNlbfXhoEHC87pnkTnlzIWZ4:18yGZZak8fxJB1e5IWZ4

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3852	2900	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 41 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2900 WINWORD.EXE
2900 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

2900 WINWORD.EXE
2900 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

2900 WINWORD.EXE
2900 WINWORD.EXE
2900 WINWORD.EXE
2900 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	41	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2900	WINWORD.EXE
2900	WINWORD.EXE

pid	process
2900	WINWORD.EXE
2900	WINWORD.EXE

pid	process
2900	WINWORD.EXE
2900	WINWORD.EXE
2900	WINWORD.EXE
2900	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\80162 (Metal).doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2900

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\133614.tmp"
2⤵
- Process spawned unexpected child process
PID:3852

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OMwKDRMvKgSdP\OwjnaS.dll"
3⤵
PID:2776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\133614.tmp

Filesize
452.2MB

MD5
fcee427a57b025dc1932e8875789c029

SHA1
fe12a05e7b7599deb3dcd136bc65d0c66022208f

SHA256
36fc3c88a2caaa6cffdf9bad0b1c726e37c29bf702d2828d7ba23981ed3ebd1a

SHA512
672dccae7bbdf3e3b1e94443b2f4392301b4c3ccd97669f4566ab2a41144c7db8d4603444878a999fa9074c9e4dc5c93fc31fb509c106183b248cad3e2cb79bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\133614.tmp

Filesize
455.3MB

MD5
1feb5569334a20d9ef0480dca2f87582

SHA1
a4879f478e4cd0fc1097ea5772fed79a71eab064

SHA256
5f773b7be5bac25a5835a50d92da5bb6fb045a84f69f41a205b276293cff4d32

SHA512
bca888c61e8d5718a5e1d1a3b1817c4b77591345d70e36b30dc320b7a3412008c12553cddf48e211d36479b575e3ed5d656a0b49619a10a28fdbd935ea4e45e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\133615.zip

Filesize
804KB

MD5
7821adc2f937cd7f7f6fc3499ceda7c3

SHA1
5e4c4bd7a474c4bebe39b3741ccbc54e524692d4

SHA256
95944d22d1e39c3d3f1b7f35fc225b81fd937d711a662b219fa94422e78c8f17

SHA512
f850146e6bd3a1a43da0f01db570c8881642aabf3a315db429a1bb2834cfe7baed183f575cd3774948ef5cd485f7a042d580dbb48f77f47a081e967273bb85cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\System32\OMwKDRMvKgSdP\OwjnaS.dll

Filesize
424.6MB

MD5
6a4931aee6e434d5f92843046c4eeb2e

SHA1
34548a9297cb37ee93e233b27a2bd4b089cf5e03

SHA256
e971a8766d7de8ec7bac526d0e95096916005ee4ed0af0c0302b5b4bcc65af3d

SHA512
3a2068ead87247eb95f29abe4dde2e77fbc9794b7c166a6e26fe0e43061b3229e8a04d8afa6e445d12214485857a946fb0ad550a2b7c16e8a6edabf07767e5be

Download Submit
C:\Windows\System32\OMwKDRMvKgSdP\OwjnaS.dll

Filesize
450.1MB

MD5
8067b4efa5bc3efe501a3777fb766e53

SHA1
a403213828d95aa9538fc642d452965494ef8b1d

SHA256
2831005ef43c0e506632b361a89ebc173e36750432faf61c7eac2891bd7dcab6

SHA512
f5981ae37c64e41ba984cf48650c7498f1274cb93d2246625b68348b8957638553035f076d7322296f277e940492d35cb7ec23334ad811d69f769bc9c7482cf9

Download Submit
memory/2776-197-0x00000000020A0000-0x0000000002128000-memory.dmp

Filesize
544KB

Download
memory/2776-185-0x00000000020A0000-0x0000000002128000-memory.dmp

Filesize
544KB

Download
memory/2900-139-0x00007FFB21AB0000-0x00007FFB21AC0000-memory.dmp

Filesize
64KB

Download
memory/2900-134-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/2900-135-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/2900-136-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/2900-138-0x00007FFB21AB0000-0x00007FFB21AC0000-memory.dmp

Filesize
64KB

Download
memory/2900-133-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/2900-137-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/2900-223-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/2900-224-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/2900-225-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/2900-226-0x00007FFB242D0000-0x00007FFB242E0000-memory.dmp

Filesize
64KB

Download
memory/3852-179-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/3852-182-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads