emotet | d0dd975bf7aa5490d799c198bbd127c088258626191f45c778b9da7cd3f824d4

General

Target

2023-03-10_1848.doc
Size

544.3MB
MD5

27d06c771900f128768225a697b93dd7
SHA1

d914d9f6eb31801f96178fb14811c775ca81c90e
SHA256

6318b8236a03d5dd97245548758affe04655b7a59a089335d16660640c4b8c6b
SHA512

ef0e893f81e4fb3a110925a0dd026529fc8d2ba4cd7f99dd52ebce31bc2c8486a3f9712aa933a135afcfa56cda5678fe212fa318504bd1e3904bf062786fa12d
SSDEEP

6144:jkmCUX1RauEA55axdWFyDDIqqmbwbLUW:omC7uz552AFZqXbwbA

Score

10^/10

emotet epoch4 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4960	1392	regsvr32.exe	86

Loads dropped DLL 2 IoCs

pid	Process
4960	regsvr32.exe
4364	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coVFGRxgzHSR.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\TxaVibFo\\coVFGRxgzHSR.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1392	WINWORD.EXE
1392	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4960	regsvr32.exe
4960	regsvr32.exe
4364	regsvr32.exe
4364	regsvr32.exe
4364	regsvr32.exe
4364	regsvr32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1392	WINWORD.EXE
1392	WINWORD.EXE
1392	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1392	WINWORD.EXE
1392	WINWORD.EXE
1392	WINWORD.EXE
1392	WINWORD.EXE
1392	WINWORD.EXE
1392	WINWORD.EXE
1392	WINWORD.EXE
1392	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 4960	1392	WINWORD.EXE	91
PID 1392 wrote to memory of 4960	1392	WINWORD.EXE	91
PID 4960 wrote to memory of 4364	4960	regsvr32.exe	93
PID 4960 wrote to memory of 4364	4960	regsvr32.exe	93

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-10_1848.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\105419.tmp"
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TxaVibFo\coVFGRxgzHSR.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\105419.tmp

Filesize
540.5MB

MD5
2c8b6027014de58281acf37f91027af2

SHA1
ba70f7816aa9354fd2e87da20d6b44bb6e7a3e14

SHA256
6a87ba01bc61f6f5e5a8ef5e2f19d93e56927481200ca54327c8320892bc3e20

SHA512
e042481dca0bae9d7c58001360956662d9a7c989aecb9f50ad89b4142a8e817b77255ba14af344ab99fc83e26d9dedb0853163ea8e84819ee4c6f2d6fcc5c982

Download Submit
C:\Users\Admin\AppData\Local\Temp\105419.tmp

Filesize
540.5MB

MD5
2c8b6027014de58281acf37f91027af2

SHA1
ba70f7816aa9354fd2e87da20d6b44bb6e7a3e14

SHA256
6a87ba01bc61f6f5e5a8ef5e2f19d93e56927481200ca54327c8320892bc3e20

SHA512
e042481dca0bae9d7c58001360956662d9a7c989aecb9f50ad89b4142a8e817b77255ba14af344ab99fc83e26d9dedb0853163ea8e84819ee4c6f2d6fcc5c982

Download Submit
C:\Users\Admin\AppData\Local\Temp\105420.zip

Filesize
834KB

MD5
efce6390e4c06484cadefbee8a674e02

SHA1
a515ca917425619f32672f0b83fddc42dd8faad3

SHA256
d5ea361764cdfcb3e07f3c3cf33ec6327e04df4937229ee36684fb34803ae311

SHA512
1aa93de650f26482af8977057bc6cd6b760ed6d66bcda7278f982bbc90b089294209dfdfe5709469386e5abd3ee12b14b67ecf8fe41c651a95eeceea8816c439

Download Submit
C:\Windows\System32\TxaVibFo\coVFGRxgzHSR.dll

Filesize
540.5MB

MD5
2c8b6027014de58281acf37f91027af2

SHA1
ba70f7816aa9354fd2e87da20d6b44bb6e7a3e14

SHA256
6a87ba01bc61f6f5e5a8ef5e2f19d93e56927481200ca54327c8320892bc3e20

SHA512
e042481dca0bae9d7c58001360956662d9a7c989aecb9f50ad89b4142a8e817b77255ba14af344ab99fc83e26d9dedb0853163ea8e84819ee4c6f2d6fcc5c982

Download Submit
memory/1392-206-0x00007FF7F5150000-0x00007FF7F5160000-memory.dmp

Filesize
64KB

Download
memory/1392-138-0x00007FF7F3050000-0x00007FF7F3060000-memory.dmp

Filesize
64KB

Download
memory/1392-139-0x00007FF7F3050000-0x00007FF7F3060000-memory.dmp

Filesize
64KB

Download
memory/1392-136-0x00007FF7F5150000-0x00007FF7F5160000-memory.dmp

Filesize
64KB

Download
memory/1392-135-0x00007FF7F5150000-0x00007FF7F5160000-memory.dmp

Filesize
64KB

Download
memory/1392-134-0x00007FF7F5150000-0x00007FF7F5160000-memory.dmp

Filesize
64KB

Download
memory/1392-133-0x00007FF7F5150000-0x00007FF7F5160000-memory.dmp

Filesize
64KB

Download
memory/1392-137-0x00007FF7F5150000-0x00007FF7F5160000-memory.dmp

Filesize
64KB

Download
memory/1392-207-0x00007FF7F5150000-0x00007FF7F5160000-memory.dmp

Filesize
64KB

Download
memory/1392-208-0x00007FF7F5150000-0x00007FF7F5160000-memory.dmp

Filesize
64KB

Download
memory/1392-209-0x00007FF7F5150000-0x00007FF7F5160000-memory.dmp

Filesize
64KB

Download
memory/4960-176-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/4960-182-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads