emotet | f616da0ebb4f984aecd40da922c0cdf70987643a86afadc969aa76598120cd5d

General

Target

2023-03-08_1338.doc
Size

522.3MB
MD5

2148a6a2bef5a35ce5665cbc12d5e474
SHA1

2e87b33309c888ab7d655e92a45a31f15753fdee
SHA256

f616da0ebb4f984aecd40da922c0cdf70987643a86afadc969aa76598120cd5d
SHA512

fb232985018569cdbba001273278a6128af1395e1dc4631b023a0c49fefffd43a93dd6b0332c2cc634aa87d850ea2866614cacb6b064e57f4d48c7b41b60ea4c
SSDEEP

6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2828	1312	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exe

pid process

2828 regsvr32.exe
2828 regsvr32.exe

pid	process
2828	regsvr32.exe
2828	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 30 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1312 WINWORD.EXE
1312 WINWORD.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

1312 WINWORD.EXE
1312 WINWORD.EXE
1312 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

1312 WINWORD.EXE
1312 WINWORD.EXE
1312 WINWORD.EXE
1312 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1312	WINWORD.EXE
1312	WINWORD.EXE

pid	process
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE

pid	process
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1312 wrote to memory of 2828	1312	WINWORD.EXE	regsvr32.exe
PID 1312 wrote to memory of 2828	1312	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-08_1338.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\194740.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:2828

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BZkHFIbHUBJMTXsSE\dPBYcZlTFpaZ.dll"
3⤵
PID:4756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\194740.tmp

Filesize
509.8MB

MD5
e708b66c3e960ef1106cc30ce21982cf

SHA1
3bd3c9c39fce7da58e895899c7d199ee8d54cd2e

SHA256
197f4eea0af385fb21b806ad1e622d9d22e9aa12c1dc077028cd9295952d49f3

SHA512
e28a13c0e742471f11404a24be4c507366d9efe1a8e50a605a1e2e42d9aef227ff56620ec3d982936b07333fab1e5ce164105b0c626ae8523d0fe06265102115

Download Submit
C:\Users\Admin\AppData\Local\Temp\194740.tmp

Filesize
507.5MB

MD5
d54a7b80bc4b9e604aa7085fdec85383

SHA1
23dc9be26793ddf281c9491c216360341347dc5a

SHA256
52d9e716c2b92bf780de2afd99d63f4382c9a87c196a9c19998cc7a771282b62

SHA512
69dd1c6a7e3651088dd8c7190452059d7f3fc3245af9e89df11447b3740176445b1cd38c59da28500987be93e688f96f353f2b5ea395f5432c1c546fdcdb67ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\194740.tmp

Filesize
465.4MB

MD5
4ff6e46b407782ab602a6af81d37a637

SHA1
a4c80fad90de6aaa0878fa2b1eb3f6925a7c55c7

SHA256
d48a35cd3be9954307a832276b08a29839d5debc3b266230a856ca0311019e08

SHA512
1528a32a8a3998e9ab6b84d4808cad5e27f7b431eebea28e336c44b6d02ddcb7fb4a98cf8819b483fe4f981aa1abc39a68ceaaf7a8952fdb286e47ae8fe302c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\194742.zip

Filesize
867KB

MD5
6c839d892fef2f37d973ca28ce5e7a3b

SHA1
175ee07dc770ad81455d1f95152f1ae07e875e0e

SHA256
b2f19314b692f584203e6711e8d54f32b91a7864adbd203a4eaf6785042d47d9

SHA512
18a1ffa1876554a0e7716cbe5d77ce26a373aeb16992986bb8baaece2af502b576d7001a4271ceda09cec6fbbe750c06c8d40d4449ff8b52d01a924a49462af7

Download Submit
C:\Windows\System32\BZkHFIbHUBJMTXsSE\dPBYcZlTFpaZ.dll

Filesize
419.8MB

MD5
7aa2f80320c13f0d4cf922dede6224a1

SHA1
8ae2c0461f1807b4adc6c3b30a8ca1eb07b0765d

SHA256
cac50a46b5186780dba32fa079ee460e2df33b2c1fd40acb69c3c9fe5022796a

SHA512
b0dc302d865464698cd596be33f9d1e39433380b2cac681b6673dba8e3fd7fae27d56bba5b914eac83617c0072d194fd8a0e6a2a8e5ee80f1126232427b11ae1

Download Submit
C:\Windows\System32\BZkHFIbHUBJMTXsSE\dPBYcZlTFpaZ.dll

Filesize
463.8MB

MD5
2b69cd5c636935b886910cd72b4bb546

SHA1
b1e5deef1e3fb788b9d88147c3a8992383fa15b5

SHA256
16a598bf03085686c30ea94e27b4feef335c3d0a23407adfaf0c5b08be0e665f

SHA512
49fb227427fe91a189ac3c27a97b008dfbc88b5083d17987191ed8c827188ba90e31c5d4e974cacdbe150f93aaca0d86ba706a0552628e9132aa20e9f95ff364

Download Submit
memory/1312-138-0x00007FFB71A60000-0x00007FFB71A70000-memory.dmp

Filesize
64KB

Download
memory/1312-223-0x00007FFB74230000-0x00007FFB74240000-memory.dmp

Filesize
64KB

Download
memory/1312-133-0x00007FFB74230000-0x00007FFB74240000-memory.dmp

Filesize
64KB

Download
memory/1312-137-0x00007FFB74230000-0x00007FFB74240000-memory.dmp

Filesize
64KB

Download
memory/1312-139-0x00007FFB71A60000-0x00007FFB71A70000-memory.dmp

Filesize
64KB

Download
memory/1312-136-0x00007FFB74230000-0x00007FFB74240000-memory.dmp

Filesize
64KB

Download
memory/1312-225-0x00007FFB74230000-0x00007FFB74240000-memory.dmp

Filesize
64KB

Download
memory/1312-227-0x00007FFB74230000-0x00007FFB74240000-memory.dmp

Filesize
64KB

Download
memory/1312-224-0x00007FFB74230000-0x00007FFB74240000-memory.dmp

Filesize
64KB

Download
memory/1312-134-0x00007FFB74230000-0x00007FFB74240000-memory.dmp

Filesize
64KB

Download
memory/1312-135-0x00007FFB74230000-0x00007FFB74240000-memory.dmp

Filesize
64KB

Download
memory/2828-175-0x0000000002090000-0x0000000002151000-memory.dmp

Filesize
772KB

Download
memory/2828-183-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2828-177-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/4756-193-0x0000000002350000-0x0000000002411000-memory.dmp

Filesize
772KB

Download
memory/4756-188-0x0000000002350000-0x0000000002411000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads