Analysis
-
max time kernel
14s -
max time network
141s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
09-03-2023 19:25
General
-
Target
0342702a71124fffdac2de5f6b0f757bff935c0fc1ef67449bf824cd7f618224.doc
-
Size
520.4MB
-
MD5
1e7d4a30102ab604d4cd45e82903ef3f
-
SHA1
3f7ce2963d76280aba60520c2231fef419310ceb
-
SHA256
0342702a71124fffdac2de5f6b0f757bff935c0fc1ef67449bf824cd7f618224
-
SHA512
f6e1d697c0c48287aa5e8237660a34c42f8cdba825d4253f5775c07c40a95d9db187e802833d0e9193b12267d9bc8712eca35e92d7a20c97effe81ff777074ec
-
SSDEEP
6144:E9fcsHgsTGbWqjWQ6e7t/5MIUAWuVfzmSsWnpoWgXEyV/FF:2fPPGBWQ6CBMIUreiSXgXtF
Malware Config
Extracted
emotet
Epoch4
129.232.188.93:443
164.90.222.65:443
159.65.88.10:8080
172.105.226.75:8080
115.68.227.76:8080
187.63.160.88:80
169.57.156.166:8080
185.4.135.165:8080
153.126.146.25:7080
197.242.150.244:8080
139.59.126.41:443
186.194.240.217:443
103.132.242.26:8080
206.189.28.199:8080
163.44.196.120:8080
95.217.221.146:8080
159.89.202.34:443
119.59.103.152:8080
183.111.227.137:8080
201.94.166.162:443
Signatures
-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0342702a71124fffdac2de5f6b0f757bff935c0fc1ef67449bf824cd7f618224.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\192749.tmp"2⤵
- Process spawned unexpected child process
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\IQeRG\dexiUNLQcX.dll"3⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
538.5MB
MD58443c2a7d8c6de7ce160bc6d4dfc204c
SHA17db9176a6760f26d456f59198336afbb5a970715
SHA2566a13ec3f13380e8434debc4a65b64dfc3005443b96335256221623e7d50e1911
SHA512f15ced316efd1c4f3b8e1f112bbbe17a35119ddd55da80a12fedd9181906130ed01b5538cfb89c278efcbfccc98fd2d89fac7fb009d854607d8f9a0280a0f2d2
-
Filesize
823KB
MD52d5d3c9bb257f2b606708042366eb18d
SHA1052573937b572da33031c0f0fdadd2e51bf3ae78
SHA2567e3624c1dd4ad65173481013be0a854fb17849988ee68e8fada8e0cefac0e02f
SHA512fef70c33000d1b08537f37d30080e8cf232a33ad435ecaa2e2522b84332e841c1c2fd25ad3a6bd724d51d4f03c08c372be88221e54fa438f8d9b03d9817038da
-
Filesize
538.5MB
MD58443c2a7d8c6de7ce160bc6d4dfc204c
SHA17db9176a6760f26d456f59198336afbb5a970715
SHA2566a13ec3f13380e8434debc4a65b64dfc3005443b96335256221623e7d50e1911
SHA512f15ced316efd1c4f3b8e1f112bbbe17a35119ddd55da80a12fedd9181906130ed01b5538cfb89c278efcbfccc98fd2d89fac7fb009d854607d8f9a0280a0f2d2
-
Filesize
544KB
-
Filesize
4KB
-
Filesize
180KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB