emotet | 766c70e83a04cda63620b7aa518e3dbe478b0f9711ba1a287d6869a41b480f7d

General

Target

OPAST GROUP.doc
Size

528.3MB
MD5

befdaa335353a775312c9a7b4954e69a
SHA1

b11ec5f7865f32b0edcda0afb951248c16c9ac62
SHA256

79b7d6166464e263a601c3c1449b0ca7c84d8d4ac0659061699a606285c651ea
SHA512

6b99e01771f1ab9e20d1b03f1ba557a5f2482f6b3a56f0fd93e05e02325a411cebd3fce4e8932740dabb32dd756164bca76eb15fd8efa4e76225e9ccd750c44b
SSDEEP

6144:QDuxuMOZCBtANveapnaWVgsaNlbfXhoEHC87pnkTnlzIWZ4:18yGZZak8fxJB1e5IWZ4

Score

10^/10

emotet epoch4 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

129.232.188.93:443

164.90.222.65:443

159.65.88.10:8080

172.105.226.75:8080

115.68.227.76:8080

187.63.160.88:80

169.57.156.166:8080

185.4.135.165:8080

153.126.146.25:7080

197.242.150.244:8080

139.59.126.41:443

186.194.240.217:443

103.132.242.26:8080

206.189.28.199:8080

163.44.196.120:8080

95.217.221.146:8080

159.89.202.34:443

119.59.103.152:8080

183.111.227.137:8080

201.94.166.162:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3644	4120	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3644 regsvr32.exe
2428 regsvr32.exe

pid	process
3644	regsvr32.exe
2428	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ePZYlFHJ.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\QPfcJcdQ\\ePZYlFHJ.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 41 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4120 WINWORD.EXE
4120 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3644 regsvr32.exe
3644 regsvr32.exe
2428 regsvr32.exe
2428 regsvr32.exe
2428 regsvr32.exe
2428 regsvr32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

4120 WINWORD.EXE
4120 WINWORD.EXE
4120 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

4120 WINWORD.EXE
4120 WINWORD.EXE
4120 WINWORD.EXE
4120 WINWORD.EXE
4120 WINWORD.EXE
4120 WINWORD.EXE
4120 WINWORD.EXE
4120 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	41	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4120	WINWORD.EXE
4120	WINWORD.EXE

pid	process
3644	regsvr32.exe
3644	regsvr32.exe
2428	regsvr32.exe
2428	regsvr32.exe
2428	regsvr32.exe
2428	regsvr32.exe

pid	process
4120	WINWORD.EXE
4120	WINWORD.EXE
4120	WINWORD.EXE

pid	process
4120	WINWORD.EXE
4120	WINWORD.EXE
4120	WINWORD.EXE
4120	WINWORD.EXE
4120	WINWORD.EXE
4120	WINWORD.EXE
4120	WINWORD.EXE
4120	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEregsvr32.exe

description	pid	process	target process
PID 4120 wrote to memory of 3644	4120	WINWORD.EXE	regsvr32.exe
PID 4120 wrote to memory of 3644	4120	WINWORD.EXE	regsvr32.exe
PID 3644 wrote to memory of 2428	3644	regsvr32.exe	regsvr32.exe
PID 3644 wrote to memory of 2428	3644	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\OPAST GROUP.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\121452.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QPfcJcdQ\ePZYlFHJ.dll"
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\121452.tmp

Filesize
519.5MB

MD5
8369f8222def57832e649eb39fd2e1cb

SHA1
d42f215ae5af681e8e0125c7a8399759803f6f01

SHA256
290192ceb0b157166d9ae46d4d8980ea2840e91b97411c49dba08da45125e429

SHA512
2e9a47cdddc536cd455fa42774bf55d193aea100aa61adaf20f155f9199132b014da2c19327b984eb09537170d40af59fde81396aea3228cf767d31fa42732e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\121452.tmp

Filesize
519.5MB

MD5
8369f8222def57832e649eb39fd2e1cb

SHA1
d42f215ae5af681e8e0125c7a8399759803f6f01

SHA256
290192ceb0b157166d9ae46d4d8980ea2840e91b97411c49dba08da45125e429

SHA512
2e9a47cdddc536cd455fa42774bf55d193aea100aa61adaf20f155f9199132b014da2c19327b984eb09537170d40af59fde81396aea3228cf767d31fa42732e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\121455.zip

Filesize
804KB

MD5
7821adc2f937cd7f7f6fc3499ceda7c3

SHA1
5e4c4bd7a474c4bebe39b3741ccbc54e524692d4

SHA256
95944d22d1e39c3d3f1b7f35fc225b81fd937d711a662b219fa94422e78c8f17

SHA512
f850146e6bd3a1a43da0f01db570c8881642aabf3a315db429a1bb2834cfe7baed183f575cd3774948ef5cd485f7a042d580dbb48f77f47a081e967273bb85cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\System32\QPfcJcdQ\ePZYlFHJ.dll

Filesize
519.5MB

MD5
8369f8222def57832e649eb39fd2e1cb

SHA1
d42f215ae5af681e8e0125c7a8399759803f6f01

SHA256
290192ceb0b157166d9ae46d4d8980ea2840e91b97411c49dba08da45125e429

SHA512
2e9a47cdddc536cd455fa42774bf55d193aea100aa61adaf20f155f9199132b014da2c19327b984eb09537170d40af59fde81396aea3228cf767d31fa42732e6

Download Submit
memory/2428-194-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3644-179-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/3644-182-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3644-183-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4120-136-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download
memory/4120-133-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download
memory/4120-137-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download
memory/4120-138-0x00007FF7D2740000-0x00007FF7D2750000-memory.dmp

Filesize
64KB

Download
memory/4120-139-0x00007FF7D2740000-0x00007FF7D2750000-memory.dmp

Filesize
64KB

Download
memory/4120-135-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download
memory/4120-134-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download
memory/4120-220-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download
memory/4120-221-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download
memory/4120-222-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download
memory/4120-223-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads