emotet | 922116d96a87d62e02fb7571b39e943929b3a9774dc3ddc47c503cecae42d0b1

General

Target

2023-08-03_1003.doc
Size

501.3MB
MD5

0b73336fd74afdbaa04abb044c6733fd
SHA1

1f91b4b74c9643631318b4d58f6660bb4d292782
SHA256

922116d96a87d62e02fb7571b39e943929b3a9774dc3ddc47c503cecae42d0b1
SHA512

99141d9b8694a12e89134c2ebd91b2887a7011df4b44498ff55471314ca57bfeabbf30ee90800d9b68615b7c730fda496123b1083378b2c44457e22df044f3e6
SSDEEP

6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2228	4952	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 35 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4952 WINWORD.EXE
4952 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

4952 WINWORD.EXE
4952 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

4952 WINWORD.EXE
4952 WINWORD.EXE
4952 WINWORD.EXE
4952 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	35	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4952	WINWORD.EXE
4952	WINWORD.EXE

pid	process
4952	WINWORD.EXE
4952	WINWORD.EXE

pid	process
4952	WINWORD.EXE
4952	WINWORD.EXE
4952	WINWORD.EXE
4952	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-08-03_1003.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4952

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\054018.tmp"
2⤵
- Process spawned unexpected child process
PID:2228

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DSxFVAj\GPfy.dll"
3⤵
PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\054018.tmp

Filesize
435.3MB

MD5
118d176e943b87d0751ead2de34bee0f

SHA1
bd40e8176a17949a0b348bfe92b40edf5c322364

SHA256
269b7667d14f144dee8087ee7395769622baf9698bf7fa9c39002f42a4d9dc05

SHA512
9fce54623ee7e9debca5951b7462e89e0f9ca072d38cdc3cfa9bb51b564f65d84c8b040599e015a7bc65e9b99dc577690d7b2db3bee4d9e4371c651e9b2c6c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\054018.tmp

Filesize
459.1MB

MD5
2c331e3c4ccf783e774ea4b275226a3c

SHA1
3852d1b541581d5cd3c42c17423c210b67525cc7

SHA256
3a558c1891aebfe9ef3b1ec2f0080179506b5544fe86fca0407bebf5e2ee0400

SHA512
521607751c8f5413748091e388038ea100f21e9e36d1f1e5ea10cad27a6a9e7a75d8408a5a9dd8724ea1595ecf231acf064d75727e6a9225b66ab8bad31eab36

Download Submit
C:\Users\Admin\AppData\Local\Temp\054018.tmp

Filesize
418.2MB

MD5
1faf6bcfd4003f87cf327e278a2ce77b

SHA1
0b2ed2f83206b0ff76349dace42bc435121f3a05

SHA256
c39477153ad99b27e4af3be524caa876befb7ee39f5e93ca10d8ac19c89575fe

SHA512
557efe9a0deca1d7ae04ca8819370e5ff5df35c52e927437a73d3ca495d3ce81dbe397e624af9c6a92ce4776535d17df9af46d8ed798398a9d0df0be9d158ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\054020.zip

Filesize
867KB

MD5
6c839d892fef2f37d973ca28ce5e7a3b

SHA1
175ee07dc770ad81455d1f95152f1ae07e875e0e

SHA256
b2f19314b692f584203e6711e8d54f32b91a7864adbd203a4eaf6785042d47d9

SHA512
18a1ffa1876554a0e7716cbe5d77ce26a373aeb16992986bb8baaece2af502b576d7001a4271ceda09cec6fbbe750c06c8d40d4449ff8b52d01a924a49462af7

Download Submit
C:\Windows\System32\DSxFVAj\GPfy.dll

Filesize
422.2MB

MD5
095c6472b8bbaea576635ddb130a4e11

SHA1
22b48ef004f260415f64fbfdfefbbfa6b0f6c49f

SHA256
4daa3aa7ea960bf1f0a04f1ba4c6847b26e709a2f9bf64151e6857ac2c56c88e

SHA512
a178600ff1a0ee122aafe9969c6bd306326357e5e36c46d13541622fe6dd23eb9322c8cb335e392c40d2a0b738a097217e8c46717f2849d73520a15f0074b951

Download Submit
C:\Windows\System32\DSxFVAj\GPfy.dll

Filesize
417.3MB

MD5
dcdcd4946f6bcb937b7efa5094d5fd0b

SHA1
4a264d5bb76cd7743314b00273fa05e903bcf1f5

SHA256
fde99c84bedf13a8d6872146ffb8b7d0096271659534db81b7c8ddf430c43741

SHA512
931225b19756e5c9778e7108be240580244cd839518966ff13447116188fe585347c632efe1b16c34107a4191eb24183f218f977f8d5ba36af983fd0a6a3905b

Download Submit
memory/2228-180-0x0000000001F10000-0x0000000001FD1000-memory.dmp

Filesize
772KB

Download
memory/2228-185-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2228-182-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/4952-223-0x00007FFC49050000-0x00007FFC49060000-memory.dmp

Filesize
64KB

Download
memory/4952-135-0x00007FFC49050000-0x00007FFC49060000-memory.dmp

Filesize
64KB

Download
memory/4952-136-0x00007FFC49050000-0x00007FFC49060000-memory.dmp

Filesize
64KB

Download
memory/4952-137-0x00007FFC49050000-0x00007FFC49060000-memory.dmp

Filesize
64KB

Download
memory/4952-138-0x00007FFC46C50000-0x00007FFC46C60000-memory.dmp

Filesize
64KB

Download
memory/4952-133-0x00007FFC49050000-0x00007FFC49060000-memory.dmp

Filesize
64KB

Download
memory/4952-134-0x00007FFC49050000-0x00007FFC49060000-memory.dmp

Filesize
64KB

Download
memory/4952-139-0x00007FFC46C50000-0x00007FFC46C60000-memory.dmp

Filesize
64KB

Download
memory/4952-224-0x00007FFC49050000-0x00007FFC49060000-memory.dmp

Filesize
64KB

Download
memory/4952-225-0x00007FFC49050000-0x00007FFC49060000-memory.dmp

Filesize
64KB

Download
memory/4952-227-0x00007FFC49050000-0x00007FFC49060000-memory.dmp

Filesize
64KB

Download
memory/4960-188-0x0000000001E50000-0x0000000001F11000-memory.dmp

Filesize
772KB

Download
memory/4960-193-0x0000000001E50000-0x0000000001F11000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads