Overview

overview

10

Static

static

8

t_gescannt...51.doc

windows7-x64

10

t_gescannt...51.doc

windows10-1703-x64

10

Analysis

  • max time kernel
    376s
  • max time network
    439s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-03-2023 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    t_gescanntes-Dokument 2023.09.03_0851.doc

  • Size

    381KB

  • MD5

    1640c9beb6c7afe550ba2e2d7584f179

  • SHA1

    74e2fcb40aa441192b94d57cb46d6aed9bd1b353

  • SHA256

    558017ae9c3c65e65d03ded1a32e0c873c379be2bcf52c321b5cb4a12d04f18a

  • SHA512

    9b0869ad92708cee4446781589589a48bb4d3cb433ed9695e79d5ce65e8b962e9cea51dbd2885a85892f6c0bdcf4dea2e3ebdaac14ede15d8659f1be029a5287

  • SSDEEP

    6144:E9fcsHgsTGbWqjWQ6e7t/5MIUAWuVfzmSsWnpoWgXEyV/FF:2fPPGBWQ6CBMIUreiSXgXtF

Score
10/10
emotetepoch4bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\t_gescanntes-Dokument 2023.09.03_0851.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\173539.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DxQKTOC\mBePitAGPvJNK.dll"
        3⤵
          PID:1960

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\173539.tmp
      Filesize

      524.5MB

      MD5

      a0287a67f0e7ead4fe5b79aa2ce9c137

      SHA1

      1189232ef27f4fd2781c6a53e5254ce45feec8d4

      SHA256

      05209852a496328059098627af1904363a7ee4e6ca55e0668a86c6cb41593c98

      SHA512

      42e6b694fbf2712be497a61263d0eb89a5ea154a28c0bf8ee51cec430e277cba6bea2799068468891f8cd1d9acbdf7f80275c49aff965156c50b8e3076fdc012

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\173540.zip
      Filesize

      809KB

      MD5

      63d58614f9189e23ee7b8333f4b4f6e8

      SHA1

      acbda6886b6df41e63c147e017519a0db73ab1dc

      SHA256

      2731682e54ae177a22dac9194431be2be3224da56bce5efbbb56c793fe2ad4c5

      SHA512

      ae40bacf465b6ec265775ffb071def8d6ca35994f6a3910242e436f86264964b9cb223fe9a40750bfff0a780a9d612f17288c3f97979d7b48ae588f5863775ad

      Download Submit
    • \Users\Admin\AppData\Local\Temp\173539.tmp
      Filesize

      524.5MB

      MD5

      a0287a67f0e7ead4fe5b79aa2ce9c137

      SHA1

      1189232ef27f4fd2781c6a53e5254ce45feec8d4

      SHA256

      05209852a496328059098627af1904363a7ee4e6ca55e0668a86c6cb41593c98

      SHA512

      42e6b694fbf2712be497a61263d0eb89a5ea154a28c0bf8ee51cec430e277cba6bea2799068468891f8cd1d9acbdf7f80275c49aff965156c50b8e3076fdc012

      Download Submit
    • memory/828-368-0x0000000000400000-0x0000000000488000-memory.dmp
      Filesize

      544KB

      Download
    • memory/828-328-0x0000000001050000-0x0000000001051000-memory.dmp
      Filesize

      4KB

      Download
    • memory/828-324-0x0000000180000000-0x000000018002D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4244-126-0x00007FF849AE0000-0x00007FF849AF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4244-127-0x00007FF849AE0000-0x00007FF849AF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4244-120-0x00007FF84CA50000-0x00007FF84CA60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4244-123-0x00007FF84CA50000-0x00007FF84CA60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4244-122-0x00007FF84CA50000-0x00007FF84CA60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4244-121-0x00007FF84CA50000-0x00007FF84CA60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4244-445-0x00007FF84CA50000-0x00007FF84CA60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4244-447-0x00007FF84CA50000-0x00007FF84CA60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4244-448-0x00007FF84CA50000-0x00007FF84CA60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4244-446-0x00007FF84CA50000-0x00007FF84CA60000-memory.dmp
      Filesize

      64KB

      Download