Overview

overview

10

Static

static

8

emotet_v6

windows10-1703-x64

1

emotet_doc

windows10-1703-x64

10

Resubmissions

27-12-2023 22:21

231227-19sh1seghr 8

09-03-2023 19:25

230309-x4w3gabe4x 10

Analysis

  • max time kernel
    14s
  • max time network
    141s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-03-2023 19:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0342702a71124fffdac2de5f6b0f757bff935c0fc1ef67449bf824cd7f618224.doc

  • Size

    520.4MB

  • MD5

    1e7d4a30102ab604d4cd45e82903ef3f

  • SHA1

    3f7ce2963d76280aba60520c2231fef419310ceb

  • SHA256

    0342702a71124fffdac2de5f6b0f757bff935c0fc1ef67449bf824cd7f618224

  • SHA512

    f6e1d697c0c48287aa5e8237660a34c42f8cdba825d4253f5775c07c40a95d9db187e802833d0e9193b12267d9bc8712eca35e92d7a20c97effe81ff777074ec

  • SSDEEP

    6144:E9fcsHgsTGbWqjWQ6e7t/5MIUAWuVfzmSsWnpoWgXEyV/FF:2fPPGBWQ6CBMIUreiSXgXtF

Score
10/10
emotetepoch4bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0342702a71124fffdac2de5f6b0f757bff935c0fc1ef67449bf824cd7f618224.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\192749.tmp"
      2⤵
      • Process spawned unexpected child process
      PID:1632
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IQeRG\dexiUNLQcX.dll"
        3⤵
          PID:4116

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\192749.tmp
      Filesize

      538.5MB

      MD5

      8443c2a7d8c6de7ce160bc6d4dfc204c

      SHA1

      7db9176a6760f26d456f59198336afbb5a970715

      SHA256

      6a13ec3f13380e8434debc4a65b64dfc3005443b96335256221623e7d50e1911

      SHA512

      f15ced316efd1c4f3b8e1f112bbbe17a35119ddd55da80a12fedd9181906130ed01b5538cfb89c278efcbfccc98fd2d89fac7fb009d854607d8f9a0280a0f2d2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\192751.zip
      Filesize

      823KB

      MD5

      2d5d3c9bb257f2b606708042366eb18d

      SHA1

      052573937b572da33031c0f0fdadd2e51bf3ae78

      SHA256

      7e3624c1dd4ad65173481013be0a854fb17849988ee68e8fada8e0cefac0e02f

      SHA512

      fef70c33000d1b08537f37d30080e8cf232a33ad435ecaa2e2522b84332e841c1c2fd25ad3a6bd724d51d4f03c08c372be88221e54fa438f8d9b03d9817038da

      Download Submit
    • \Users\Admin\AppData\Local\Temp\192749.tmp
      Filesize

      538.5MB

      MD5

      8443c2a7d8c6de7ce160bc6d4dfc204c

      SHA1

      7db9176a6760f26d456f59198336afbb5a970715

      SHA256

      6a13ec3f13380e8434debc4a65b64dfc3005443b96335256221623e7d50e1911

      SHA512

      f15ced316efd1c4f3b8e1f112bbbe17a35119ddd55da80a12fedd9181906130ed01b5538cfb89c278efcbfccc98fd2d89fac7fb009d854607d8f9a0280a0f2d2

      Download Submit
    • memory/1632-390-0x0000000000400000-0x0000000000488000-memory.dmp
      Filesize

      544KB

      Download
    • memory/1632-368-0x00000000024D0000-0x00000000024D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1632-361-0x0000000180000000-0x000000018002D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2412-127-0x00007FFB7CBD0000-0x00007FFB7CBE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2412-128-0x00007FFB7CBD0000-0x00007FFB7CBE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2412-121-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2412-124-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2412-123-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2412-122-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2412-472-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2412-474-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2412-475-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2412-473-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp
      Filesize

      64KB

      Download