emotet | f1889d6b5f19120e166668f50d96124582b41b2d78a560a9edac1c91e4869ea3

General

Target

invoce N 268 10_03_2023.doc
Size

539.3MB
MD5

e9b82d57e0494351ea5c5ce42e910295
SHA1

4d4568ffaf46fbdd515c1761e58bafe6876647d7
SHA256

52adcb13820354542d9d0913cec63e88bdc914e9e0b6a22932050e4c0b031a00
SHA512

22b718b94bca5410795e7c25d300a5e504fe977b5f90c3f439965c11d6a29c7ac64aea3c1356362ae6613b100293014d12060110a2850a8e89b7ea667ff2f9da
SSDEEP

6144:jkmCUX1RauEA55axdWFyDDIqqmbwbLUW:omC7uz552AFZqXbwbA

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3084	2160	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3084 regsvr32.exe

pid	process
3084	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 27 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2160 WINWORD.EXE
2160 WINWORD.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

2160 WINWORD.EXE
2160 WINWORD.EXE
2160 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

2160 WINWORD.EXE
2160 WINWORD.EXE
2160 WINWORD.EXE
2160 WINWORD.EXE
2160 WINWORD.EXE
2160 WINWORD.EXE
2160 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2160	WINWORD.EXE
2160	WINWORD.EXE

pid	process
2160	WINWORD.EXE
2160	WINWORD.EXE
2160	WINWORD.EXE

pid	process
2160	WINWORD.EXE
2160	WINWORD.EXE
2160	WINWORD.EXE
2160	WINWORD.EXE
2160	WINWORD.EXE
2160	WINWORD.EXE
2160	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2160 wrote to memory of 3084	2160	WINWORD.EXE	regsvr32.exe
PID 2160 wrote to memory of 3084	2160	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\invoce N 268 10_03_2023.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\100405.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:3084

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JkjaOT\iNufqnrBLHFW.dll"
3⤵
PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\100405.tmp

Filesize
533.5MB

MD5
72b025c6b01da3fa825bdd6a9e3711df

SHA1
307040405cba411edf7e6818156fc856a6651ed0

SHA256
aebb9db90a7d39a0c3393bd6aa14e679d2dd298b9c18ba6e99c032c469cce6ed

SHA512
be69bb6d3b7b6fb8bb709cdb8bb393ca7141c2e9a01d105180eb2537fa99132d16d0a1e6e1e0f50c1baea1cd5df7f75fc84f4dd79aa7ca69f19bb73f9775f3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\100405.tmp

Filesize
484.1MB

MD5
75c7eaa95f843c0f5c2d3dee23e1ba67

SHA1
7bd45e43268820b4e2a9467b9d760577aaa01c8a

SHA256
6ce720c3410119bd8fe2079532efb6c2fe31245ac0b21240afea92b6fa6527d1

SHA512
75dabd82edf1c0c6198ff1ed2fd4ac38eb91767550075f7f5ee5b2262b33da479d7c2cb82b00946167d7680892514e4b75cbd08528a8a2a2e254b9f6c08f2e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\100406.zip

Filesize
827KB

MD5
10595e06585b09968be0d22e6e614530

SHA1
bcb0db276e6bbf7158f10d644caf71632be2673b

SHA256
cffa83e50b7e89aa49d6788646378596bf088036a4ebaa79dc0a58d0d7170836

SHA512
72ef02f09381fac1231ce238a2eb85b73bd217edbc935789acea67522965c4c27d4c0c6929aec53bc047b735a74661b158befe697fc3a969a0b85f754a58701b

Download Submit
C:\Windows\System32\JkjaOT\iNufqnrBLHFW.dll

Filesize
526.2MB

MD5
2fee48ed93eccc7889df2c0c23591645

SHA1
de9a532a720939430a8fc53407eab536a97117c2

SHA256
3090100d7adbec931ccdada5a027cd1c72813004ed767696212aff2407a2aed1

SHA512
8a57ea119cf2c417083f227976afd226ea44114f0cd281a5b01fd22c5e053af2b7095e134a3c3b435e996586500fbe52d7a96db2268022549f45302ccb4b0b5f

Download Submit
memory/2160-206-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2160-138-0x00007FF8E8190000-0x00007FF8E81A0000-memory.dmp

Filesize
64KB

Download
memory/2160-140-0x00007FF8E8190000-0x00007FF8E81A0000-memory.dmp

Filesize
64KB

Download
memory/2160-136-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2160-135-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2160-134-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2160-133-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2160-137-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2160-208-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2160-207-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2160-209-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/3084-177-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/3084-180-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads