emotet | 3643b11034cd76ef14c56d5b1b9f69c1b92b505c8e8ca48df0cb916ad462e271

General

Target

PN9642931951_202303091502.doc
Size

520.2MB
MD5

19b30426e432d8a7d7cf011ccfcbebc7
SHA1

5f721286ccaa5e028c3bded4d6db6065ec3905a9
SHA256

2284acd02af6cfbde6b217b27f1f1a34928daa1e087dad2723dab685768e17f5
SHA512

10f50a4fac0c4ca01d9f4cd6a5d1fb57e3114e1da90f44707160c668620a3f1aa9fbdd2b80b8c62eb985a041326f21dc5dc05ee5cd336d4011da027e7444142c
SSDEEP

3072:vpt3LDPYvrTr3jvZNWGBStinoLVMcXyHtt5YC7EGIuGEMYDDK6:H3AvrTPRUGpmpXqWCoGIuGEMY

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1316	4896	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1316 regsvr32.exe

pid	process
1316	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4896 WINWORD.EXE
4896 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1316 regsvr32.exe
1316 regsvr32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

4896 WINWORD.EXE
4896 WINWORD.EXE
4896 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4896 WINWORD.EXE
4896 WINWORD.EXE
4896 WINWORD.EXE
4896 WINWORD.EXE
4896 WINWORD.EXE
4896 WINWORD.EXE
4896 WINWORD.EXE

pid	process
4896	WINWORD.EXE
4896	WINWORD.EXE

pid	process
1316	regsvr32.exe
1316	regsvr32.exe

pid	process
4896	WINWORD.EXE
4896	WINWORD.EXE
4896	WINWORD.EXE

pid	process
4896	WINWORD.EXE
4896	WINWORD.EXE
4896	WINWORD.EXE
4896	WINWORD.EXE
4896	WINWORD.EXE
4896	WINWORD.EXE
4896	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4896 wrote to memory of 1316	4896	WINWORD.EXE	regsvr32.exe
PID 4896 wrote to memory of 1316	4896	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PN9642931951_202303091502.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\044651.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1316

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PvcBYGckxDothoWjL\mdrrObfRzM.dll"
3⤵
PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\044651.tmp

Filesize
531.5MB

MD5
f64544cfce0287fdf9062605f884fc54

SHA1
bd5470a805762a371d72a05e48ba397442e0a8e6

SHA256
83f604c5e5f6856ab2ccfdb732218f87ea0f5704043f5ec384d8fdcc9a85a513

SHA512
2d51dfe44a684305075fc847a652ee04f4bac2900a0f3c677b6a6a70be5201a703a3918993fc994107b66167c7268a1b89b5cf8b53c1fa4af11bff38ef29a7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\044651.tmp

Filesize
531.5MB

MD5
f64544cfce0287fdf9062605f884fc54

SHA1
bd5470a805762a371d72a05e48ba397442e0a8e6

SHA256
83f604c5e5f6856ab2ccfdb732218f87ea0f5704043f5ec384d8fdcc9a85a513

SHA512
2d51dfe44a684305075fc847a652ee04f4bac2900a0f3c677b6a6a70be5201a703a3918993fc994107b66167c7268a1b89b5cf8b53c1fa4af11bff38ef29a7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\044653.zip

Filesize
816KB

MD5
9006266c667b8ed1106575f1a4306748

SHA1
f765b6d7bf484b1c65a9dd1100b943e8f7c7c58f

SHA256
a3944935bc55450b1ac718149f16f6c3cdf393ceda0594bfda5459ab09ce2c40

SHA512
42f45536c6f77ef1615ccc807a7944551311bd4fcb36ea5fbbdd55d6bb759bb741fd77a9f55252608285cb8c2978030b265f79deeee96b724bb756a90475e7ce

Download Submit
C:\Windows\System32\PvcBYGckxDothoWjL\mdrrObfRzM.dll

Filesize
531.5MB

MD5
f64544cfce0287fdf9062605f884fc54

SHA1
bd5470a805762a371d72a05e48ba397442e0a8e6

SHA256
83f604c5e5f6856ab2ccfdb732218f87ea0f5704043f5ec384d8fdcc9a85a513

SHA512
2d51dfe44a684305075fc847a652ee04f4bac2900a0f3c677b6a6a70be5201a703a3918993fc994107b66167c7268a1b89b5cf8b53c1fa4af11bff38ef29a7e7

Download Submit
C:\Windows\System32\PvcBYGckxDothoWjL\mdrrObfRzM.dll

Filesize
531.5MB

MD5
f64544cfce0287fdf9062605f884fc54

SHA1
bd5470a805762a371d72a05e48ba397442e0a8e6

SHA256
83f604c5e5f6856ab2ccfdb732218f87ea0f5704043f5ec384d8fdcc9a85a513

SHA512
2d51dfe44a684305075fc847a652ee04f4bac2900a0f3c677b6a6a70be5201a703a3918993fc994107b66167c7268a1b89b5cf8b53c1fa4af11bff38ef29a7e7

Download Submit
memory/1316-179-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/1316-182-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/4888-185-0x00000000021A0000-0x0000000002228000-memory.dmp

Filesize
544KB

Download
memory/4888-195-0x00000000021A0000-0x0000000002228000-memory.dmp

Filesize
544KB

Download
memory/4896-136-0x00007FFA135B0000-0x00007FFA135C0000-memory.dmp

Filesize
64KB

Download
memory/4896-138-0x00007FFA11250000-0x00007FFA11260000-memory.dmp

Filesize
64KB

Download
memory/4896-139-0x00007FFA11250000-0x00007FFA11260000-memory.dmp

Filesize
64KB

Download
memory/4896-137-0x00007FFA135B0000-0x00007FFA135C0000-memory.dmp

Filesize
64KB

Download
memory/4896-135-0x00007FFA135B0000-0x00007FFA135C0000-memory.dmp

Filesize
64KB

Download
memory/4896-134-0x00007FFA135B0000-0x00007FFA135C0000-memory.dmp

Filesize
64KB

Download
memory/4896-133-0x00007FFA135B0000-0x00007FFA135C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads