emotet | eaf050eabdfffde46a85a1651438dbbae8a3e048090c80f231efddef019895a0

General

Target

08032023.doc
Size

525.3MB
MD5

d2dee88803a04a6457a9c62840e53223
SHA1

1be346c29ae7d0bfa91b50532bd16bba6c0bf624
SHA256

eaf050eabdfffde46a85a1651438dbbae8a3e048090c80f231efddef019895a0
SHA512

42e7a7dc77e54575563378be4f605baaee5fe7df2ffb823caeec1c06eae140e5bcaa34c74def12ebc8c8eb274be30e5b9c2eb696f13c0b4b0d410867acf5eea7
SSDEEP

3072:2JX29m8QBUoItA/leC6gSJ+2JiclnUOvrRxqmLcHeNJxPkdVdTRcDK6:2EmleC6gSJWclU0RxVLcHe5cdTR

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	844	4004	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

844 regsvr32.exe

pid	process
844	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4004 WINWORD.EXE
4004 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

844 regsvr32.exe
844 regsvr32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

4004 WINWORD.EXE
4004 WINWORD.EXE
4004 WINWORD.EXE

pid	process
844	regsvr32.exe
844	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

WINWORD.EXE

pid	process
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEregsvr32.exe

description	pid	process	target process
PID 4004 wrote to memory of 844	4004	WINWORD.EXE	regsvr32.exe
PID 4004 wrote to memory of 844	4004	WINWORD.EXE	regsvr32.exe
PID 844 wrote to memory of 2040	844	regsvr32.exe	regsvr32.exe
PID 844 wrote to memory of 2040	844	regsvr32.exe	regsvr32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\08032023.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\181952.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZawlSTLzQ\qtgT.dll"
3⤵
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\181952.tmp

Filesize
527.5MB

MD5
d4d306a6d9d1ae637e0cfacf04f7431a

SHA1
68b7fb0aa0d65569aa62937620f58a50bd3e9fdd

SHA256
a6e1b44ccb61a67b8e16ddc67eccacdd4b9b31a9de1fd048793c5c46b22337e2

SHA512
d473a2c746eba2b0add8252f5d44eca39b5a862978de80bc8e0d83f3adfee4601f21bcba3f63caa4fda02fc4c79cae704ac0905f4c938af8abbc2381332f682c

Download Submit
C:\Users\Admin\AppData\Local\Temp\181955.zip

Filesize
821KB

MD5
f1ec7bd22e219fdb389f5e2a0a8132df

SHA1
fe8cf0aa2da1a147024c82ac45989795e5b467e0

SHA256
8582757782e4048ba84898de0953c7c9710d84c2e764d1fca8b1d393c436dbc8

SHA512
2b77027da8f0811f7cfc3735e579c4fd7e3506d85fa78ad667e88bd43dc0ab376d2b8b0c6aab3d35678810a9ee6e589b93d60aa481239ad3acf91cadc88f4969

Download Submit
\Users\Admin\AppData\Local\Temp\181952.tmp

Filesize
527.5MB

MD5
d4d306a6d9d1ae637e0cfacf04f7431a

SHA1
68b7fb0aa0d65569aa62937620f58a50bd3e9fdd

SHA256
a6e1b44ccb61a67b8e16ddc67eccacdd4b9b31a9de1fd048793c5c46b22337e2

SHA512
d473a2c746eba2b0add8252f5d44eca39b5a862978de80bc8e0d83f3adfee4601f21bcba3f63caa4fda02fc4c79cae704ac0905f4c938af8abbc2381332f682c

Download Submit
memory/844-331-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/844-340-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/4004-120-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/4004-121-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/4004-122-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/4004-123-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/4004-126-0x00007FFC4EE60000-0x00007FFC4EE70000-memory.dmp

Filesize
64KB

Download
memory/4004-127-0x00007FFC4EE60000-0x00007FFC4EE70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads