emotet | d0e6255ab16f755bd8891fc51c9a35ba203a1d4fdb38fd34f3c7580f8252841c

General

Target

Copia Fattura.doc
Size

506.3MB
MD5

9c1afe1b563063ea4c5a2b5158ac3dc6
SHA1

6242fbcf8325eeaba07d7bfb739d6eb276d31fc7
SHA256

19ffe678ba37ad6317085f3dfcc05e01aa8d0bf0ae245619dd7f98b023471b76
SHA512

2f39fc302fd23861f3ef0d3af98afb5192ef00b9fc31cf0df217bf47e1e6079032c4c2b340715b588f151b5dc9f9eda5bbc4f61974f45b6bb7a1c37dbe690eae
SSDEEP

6144:jkmCUX1RauEA55axdWFyDDIqqmbwbLUW:omC7uz552AFZqXbwbA

Score

10^/10

emotet epoch4 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3180	1220	regsvr32.exe	44

Loads dropped DLL 2 IoCs

pid	Process
3180	regsvr32.exe
4152	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RzUZlIWgeApQA.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\KkENThDinoYmyghWH\\RzUZlIWgeApQA.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1220	WINWORD.EXE
1220	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3180	regsvr32.exe
3180	regsvr32.exe
4152	regsvr32.exe
4152	regsvr32.exe
4152	regsvr32.exe
4152	regsvr32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 3180	1220	WINWORD.EXE	91
PID 1220 wrote to memory of 3180	1220	WINWORD.EXE	91
PID 3180 wrote to memory of 4152	3180	regsvr32.exe	94
PID 3180 wrote to memory of 4152	3180	regsvr32.exe	94

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Copia Fattura.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\093808.tmp"
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KkENThDinoYmyghWH\RzUZlIWgeApQA.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\093808.tmp

Filesize
541.5MB

MD5
cc5a6dafb168e3c0b57df56dfba84790

SHA1
bb00c82377c368a99fa7a63adec6ea44c6a75d1d

SHA256
215dbd2932b892182c30ae84639260238711d81a916b0152255e87dd0db4ea6e

SHA512
ad109251fc0e085e992229419c22b4ec2b7ed3f14db7d3cf7eb01a602cb62618d11d4479d1649f2bf8c687c38c897d0f4d7ee2aa24d5f0271b2d60c5bb621740

Download Submit
C:\Users\Admin\AppData\Local\Temp\093808.tmp

Filesize
541.5MB

MD5
cc5a6dafb168e3c0b57df56dfba84790

SHA1
bb00c82377c368a99fa7a63adec6ea44c6a75d1d

SHA256
215dbd2932b892182c30ae84639260238711d81a916b0152255e87dd0db4ea6e

SHA512
ad109251fc0e085e992229419c22b4ec2b7ed3f14db7d3cf7eb01a602cb62618d11d4479d1649f2bf8c687c38c897d0f4d7ee2aa24d5f0271b2d60c5bb621740

Download Submit
C:\Users\Admin\AppData\Local\Temp\093808.zip

Filesize
835KB

MD5
5e2955b0a0a51f064c1d9afae702e5f6

SHA1
4700bdfa456462300db4124f115e1dc19922f7ce

SHA256
1a3cab33071e2cafd2e0970d5f747e850e79f1e1c6e40e2c2ec5f0618b825b96

SHA512
932bfb272316cc36f0adfcb561bb1d9cfd93533bbdeb2da854cf504ae092ff1eb1cad04ff49f85880dd64893af4df208b9efb03f5a6d71055329068f70a4159a

Download Submit
C:\Windows\System32\KkENThDinoYmyghWH\RzUZlIWgeApQA.dll

Filesize
541.5MB

MD5
cc5a6dafb168e3c0b57df56dfba84790

SHA1
bb00c82377c368a99fa7a63adec6ea44c6a75d1d

SHA256
215dbd2932b892182c30ae84639260238711d81a916b0152255e87dd0db4ea6e

SHA512
ad109251fc0e085e992229419c22b4ec2b7ed3f14db7d3cf7eb01a602cb62618d11d4479d1649f2bf8c687c38c897d0f4d7ee2aa24d5f0271b2d60c5bb621740

Download Submit
memory/1220-206-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-138-0x00007FFC051B0000-0x00007FFC051C0000-memory.dmp

Filesize
64KB

Download
memory/1220-139-0x00007FFC051B0000-0x00007FFC051C0000-memory.dmp

Filesize
64KB

Download
memory/1220-136-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-134-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-135-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-133-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-137-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-209-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-208-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-207-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/3180-177-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/3180-179-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads