emotet | 41d18cf14145a2437afb9d093abec8ac4297cd06f7d56992f5cee74ff4d596f2

General

Target

DATOS_0973.doc
Size

507.3MB
MD5

2b2c491813fa283bcae934cf29381dc4
SHA1

53edd6c15f10e5eceb3aeb231909110ba7bdccab
SHA256

e22072d225a264695a9a3ad92e21c0325a4a49e310c4720627c7da5545ef4e92
SHA512

0fbe386067d285aa0e9459dc97443fccc4bcf6a2078ad78e6a7d09315ef3996017379e648dcdd63d7a928bb28aa2698e02a02d46530b3f169147eb3cd1d55040
SSDEEP

3072:2JX29m8QBUoItA/leC6gSJ+2JiclnUOvrRxqmLcHeNJxPkdVdTRcDK6:2EmleC6gSJWclU0RxVLcHe5cdTR

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2884	452	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exe

pid process

2884 regsvr32.exe
2884 regsvr32.exe

pid	process
2884	regsvr32.exe
2884	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 25 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

452 WINWORD.EXE
452 WINWORD.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

452 WINWORD.EXE
452 WINWORD.EXE
452 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

452 WINWORD.EXE
452 WINWORD.EXE
452 WINWORD.EXE
452 WINWORD.EXE
452 WINWORD.EXE
452 WINWORD.EXE
452 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
452	WINWORD.EXE
452	WINWORD.EXE

pid	process
452	WINWORD.EXE
452	WINWORD.EXE
452	WINWORD.EXE

pid	process
452	WINWORD.EXE
452	WINWORD.EXE
452	WINWORD.EXE
452	WINWORD.EXE
452	WINWORD.EXE
452	WINWORD.EXE
452	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 452 wrote to memory of 2884	452	WINWORD.EXE	regsvr32.exe
PID 452 wrote to memory of 2884	452	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DATOS_0973.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\184653.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:2884

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FMdyjzcSHCrOHY\drYsjcFIPD.dll"
3⤵
PID:2756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\184653.tmp

Filesize
510.8MB

MD5
65c93d69b3d64fb1f538b4f901adefcc

SHA1
1776f309907951c8b7d40b0ee80542196303c27a

SHA256
958e571e2b6cc54856fb3f531b50c0bf2cfd857e5812c6914770955d9736bea0

SHA512
8ff1321e4d7b521be2d6529c54cf9e26ead103f4673ef9a929a08c929ea638ba494589ca3ada9910aa7c0786faf56964a3caff15fd8d4b3bed351d479f1efffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\184653.tmp

Filesize
498.7MB

MD5
235f5bf7ee54ff118e74a3d8a362e227

SHA1
6ed44cd5a7a91928cb7d99f187cca64be272e7eb

SHA256
760e21961adeb714c3441acc483ef6da2afade2e31a50a4ef3f7ce175da7ab5f

SHA512
fde7d43d941969d8ec6f2b2cf6bfbc4870f6580307a2ec5f256f1f170001fb725593fe2a5c86d46fc873ab76ff8329f32ca7ed905c9058fd2ae63784918a7a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\184653.tmp

Filesize
455.9MB

MD5
999f57d9e7f194f0395c94a615a9b90b

SHA1
520ebde8ddb828d99c8c6065d3522f2afeb9286e

SHA256
e4ae25adc321e0cc899389127c9f21757ce70150abe6859c105b8023d58b7d60

SHA512
e7b5afee146748aa942016fad150d881603eeeaab60ce878c07196259c65adbfa5041bf0266ec1a3f4a2a0c760a6418a059522de2d322a835f10897e9ed08a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\184653.zip

Filesize
817KB

MD5
bbbafd0396a4860db8c0badc26a76af3

SHA1
dc6069aafecbd34dd519ccee1a76dbe464b234e7

SHA256
2756678f1865dead86ac8787fcc85486dfa31d886b57bcf77473f73234207f72

SHA512
1d6b93ebc2236553b26417b2bb42e116d2c7eb95428e92cff91eaf037239442eeefaaeb72c3b567776759726eab7ed3dc5bc8c45011232e5be08e5a3d47ceee4

Download Submit
C:\Windows\System32\FMdyjzcSHCrOHY\drYsjcFIPD.dll

Filesize
394.8MB

MD5
e7797c9ea97eec7bf609707bf59c3df4

SHA1
9a43534bf3c775ef460df20a6472e4d84902161b

SHA256
1120f9019cdb3fa62f9dc250235a9c594b71241a008fb176395663bb978490c0

SHA512
799d63edbefefb0fa2398d029d4925075a8f9b085e34d14dc9437e094c248c464771056878564129f69c54b3fe2c6a6ec722461b83791d10430c9ed77570c1d5

Download Submit
C:\Windows\System32\FMdyjzcSHCrOHY\drYsjcFIPD.dll

Filesize
435.2MB

MD5
5854e3f08291e7bc3acb8aaec9ad52d5

SHA1
cb52ea7f1f82c922ab75de2f6cafcbb3810061b8

SHA256
2539acd55d1cd9b9b48edcfbed0883a323964e9b536a3072f3e3d33ed5aba1e0

SHA512
49dce89bf50ab0eb8969cdd860a5838c58fc978ef725420f38d1ece672eec8e6c556001817b9abad3af4744f7b3728455d5fb219719459776d1d52f251968828

Download Submit
memory/452-137-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/452-139-0x00007FFF0CD90000-0x00007FFF0CDA0000-memory.dmp

Filesize
64KB

Download
memory/452-138-0x00007FFF0CD90000-0x00007FFF0CDA0000-memory.dmp

Filesize
64KB

Download
memory/452-133-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/452-136-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/452-134-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/452-135-0x00007FFF0F210000-0x00007FFF0F220000-memory.dmp

Filesize
64KB

Download
memory/2756-188-0x00000000020A0000-0x0000000002128000-memory.dmp

Filesize
544KB

Download
memory/2756-193-0x00000000020A0000-0x0000000002128000-memory.dmp

Filesize
544KB

Download
memory/2884-178-0x0000000002100000-0x0000000002188000-memory.dmp

Filesize
544KB

Download
memory/2884-180-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/2884-183-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads