emotet | 25bde3ebce59179044418d4fe498021ec46acbaf813b51218103b7caf0a2886b

General

Target

2023-03-08_1357.doc
Size

535.3MB
MD5

cbf82b8ccffc9bf818b695812626950d
SHA1

5db537eb2730b1c97399781c77256c36d9eba7c0
SHA256

25bde3ebce59179044418d4fe498021ec46acbaf813b51218103b7caf0a2886b
SHA512

26aa55e728859e26a24480d5a9f993ec524e66f2710efa20a0083b56455790e22bb2ec7e75807396842076938a5044e4f27c2641dbb0ca723bca2e02282ffd8f
SSDEEP

6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1884	4308	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 45 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4308 WINWORD.EXE
4308 WINWORD.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

4308 WINWORD.EXE
4308 WINWORD.EXE
4308 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

4308 WINWORD.EXE
4308 WINWORD.EXE
4308 WINWORD.EXE
4308 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	45	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4308	WINWORD.EXE
4308	WINWORD.EXE

pid	process
4308	WINWORD.EXE
4308	WINWORD.EXE
4308	WINWORD.EXE

pid	process
4308	WINWORD.EXE
4308	WINWORD.EXE
4308	WINWORD.EXE
4308	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4308 wrote to memory of 1884	4308	WINWORD.EXE	regsvr32.exe
PID 4308 wrote to memory of 1884	4308	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-08_1357.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\183907.tmp"
2⤵
- Process spawned unexpected child process
PID:1884

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AnoURwtK\orNyxqFBBC.dll"
3⤵
PID:2960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\183907.tmp

Filesize
363.9MB

MD5
8c94c6d49d6251a8786d6d16ad576b4e

SHA1
e4a09d38b9c2a228a5e5dcc42d33b7cb97ae0849

SHA256
e252917226eaa9c3bb0d1604378fa57f2980884218bfe25a8c5193cee4d850f6

SHA512
2c8a75dff8f0a1856b874c1586f6f7339159e5b5b7af002f5d7b4f91b6e68426c960091565168fd96bf50f626c943f2af7ebb2ff98de3eb0326d232ed0b68455

Download Submit
C:\Users\Admin\AppData\Local\Temp\183907.tmp

Filesize
376.1MB

MD5
9aeeb9fb19a2b2fecfdf58f069a6dfc8

SHA1
9afa21ab42275b0dfa9bb3900148feccbc9e33b4

SHA256
634c6a2a0295bcfe1ebe541d918f8915bcd1dc0edf51eeceb9c563824cdf43c9

SHA512
902648640f4ac582f0bc3b5ecc3fd52053d28bc5942b2be01c6fa4cd615bbbf986c896e182be31afb74b9af24aaae28f7c26f0335dba92de3fd594a2e6b60293

Download Submit
C:\Users\Admin\AppData\Local\Temp\183908.zip

Filesize
867KB

MD5
6c839d892fef2f37d973ca28ce5e7a3b

SHA1
175ee07dc770ad81455d1f95152f1ae07e875e0e

SHA256
b2f19314b692f584203e6711e8d54f32b91a7864adbd203a4eaf6785042d47d9

SHA512
18a1ffa1876554a0e7716cbe5d77ce26a373aeb16992986bb8baaece2af502b576d7001a4271ceda09cec6fbbe750c06c8d40d4449ff8b52d01a924a49462af7

Download Submit
C:\Windows\System32\AnoURwtK\orNyxqFBBC.dll

Filesize
351.7MB

MD5
055b34b3650c78b43b4e3cce1783a4f5

SHA1
dc895566753d6c71ff41d63cbcb7a876d4b5573d

SHA256
9cd9abd6b7e733240178bc8bb965159ce23b39393380bf791185f0e7ed7de5ba

SHA512
f10d1c74adc4ab52d42968c4c4afb89bdf502fe67f0c8ce221fbdd3bb0b9c74f246fdc9098bd2bb667bf7123edb27bb1bd6ece6fdd6f2243f1291561355106c9

Download Submit
C:\Windows\System32\AnoURwtK\orNyxqFBBC.dll

Filesize
345.8MB

MD5
2159699a6115dfe0adc6d41ec28b663d

SHA1
0bf66989814848d17a7a2b614a631a142c54a860

SHA256
f8ec20c5c68b3611f4fc7ae081300fe76db5cb1fa7610d7cf7cc7bb8a70654c9

SHA512
acb37da399de2041d8191bfd497db41fbbdfbcf20b66a73053bb8ae9c8a80e106fd0e3c1ccd396ce14e245f09f3dc29214c5d880fb16a6640af00b0e3aa2d385

Download Submit
memory/1884-185-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/1884-182-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/2960-194-0x0000000001FC0000-0x0000000002081000-memory.dmp

Filesize
772KB

Download
memory/2960-188-0x0000000001FC0000-0x0000000002081000-memory.dmp

Filesize
772KB

Download
memory/4308-142-0x00007FFEB8F60000-0x00007FFEB8F70000-memory.dmp

Filesize
64KB

Download
memory/4308-141-0x00007FFEB8F60000-0x00007FFEB8F70000-memory.dmp

Filesize
64KB

Download
memory/4308-140-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp

Filesize
64KB

Download
memory/4308-139-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp

Filesize
64KB

Download
memory/4308-137-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp

Filesize
64KB

Download
memory/4308-138-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp

Filesize
64KB

Download
memory/4308-136-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp

Filesize
64KB

Download
memory/4308-224-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp

Filesize
64KB

Download
memory/4308-222-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp

Filesize
64KB

Download
memory/4308-223-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp

Filesize
64KB

Download
memory/4308-221-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads