emotet | 47af0d87b4b1abcfadb98d843add79393805040601ad4c7c27d22df4265bea49

Resubmissions

14-03-2023 10:13

230314-l9a7eagg8z 8

14-03-2023 10:11

230314-l75cgaeg64 10

Analysis

max time kernel
101s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan 2023.14.03_1101.doc
Size

505.3MB
MD5

b4c2209c6345ef88683247df6b90b3bc
SHA1

4b17921aba075e4f2cf39cca0c355d4b51c4f45a
SHA256

8276a5004242be36847f414af565eabd8726fa4746cc1cac9764f4e77ec6818e
SHA512

2ee1b02c381e4d3e7b712daae1fb3c4ccd834ba7c702eddd985df9d5a76faa22663b4ca8afba241a7c81d4bed94cfaa09d18c4f824de6de91294ea1dd2bae11b
SSDEEP

6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2384	2272	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2272 WINWORD.EXE
2272 WINWORD.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

2272 WINWORD.EXE
2272 WINWORD.EXE
2272 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

2272 WINWORD.EXE
2272 WINWORD.EXE
2272 WINWORD.EXE
2272 WINWORD.EXE

pid	process
2272	WINWORD.EXE
2272	WINWORD.EXE

pid	process
2272	WINWORD.EXE
2272	WINWORD.EXE
2272	WINWORD.EXE

pid	process
2272	WINWORD.EXE
2272	WINWORD.EXE
2272	WINWORD.EXE
2272	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2272 wrote to memory of 2384	2272	WINWORD.EXE	regsvr32.exe
PID 2272 wrote to memory of 2384	2272	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Scan 2023.14.03_1101.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\111237.tmp"
2⤵
- Process spawned unexpected child process
PID:2384

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RoCfpEJ\lOgwhvNE.dll"
3⤵
PID:3920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\111237.tmp
Filesize
317.9MB

MD5
96f74a4069fd59b92f30f6bf5b42d5e5

SHA1
c23e1f3c0ff953ef7537083c9ae64ac157b9e5ef

SHA256
f6eab89e939a8c6e1db50a5567bfa6c86be6d24059a1e4750b48c74d1abf3906

SHA512
e76adf1ce81388c5aa70ff6599a718658ac0ed80c1c5ea65e74ad5b2ae385b0d06189c30bb8595e386f96c25fb6a93a86500196ae6d3eaa3a4d789a8e7d3c302

Download Submit
C:\Users\Admin\AppData\Local\Temp\111237.tmp
Filesize
318.9MB

MD5
41ba1b18fb1501b71f57b7376af24a1a

SHA1
7949cfa86ccfec6bb96d59a0596e6c1a2e0f341a

SHA256
ab24711b4a2cb04f6740a223e49232058a51e0acb76d17abdc93b7ed8296dd09

SHA512
216cbf20e29e6ac1cf3ddad0953de026eeb069656d1654bcdf7e6615b058a3fda68489488436f680321e2bd57650b35d9d51230d298af043a39a627450bf8411

Download Submit
C:\Users\Admin\AppData\Local\Temp\111406.zip
Filesize
854KB

MD5
4e68ba145fa85af5242dfb5be4ac1f24

SHA1
5e948284d6378eee6ec448c944faff43bb2eea37

SHA256
5e73dbb35541709ac1a5887167dd503e7b1bffd3f5acf115df521cb8ea9a63ff

SHA512
9b4b16b253ed6120d97c60f36203e3a764e093902e59d0d415086eb3154ffc6f98d41d81c3c93462fdbbe0d23482cd54e270faa23a480846ea5f2e12af1ba4fc

Download Submit
C:\Windows\System32\RoCfpEJ\lOgwhvNE.dll
Filesize
145.4MB

MD5
7ebd93d1f2cbcedf3ef82c8378ecce9d

SHA1
1d33c6e169f280a12f111f09ffa061b3a77c61b5

SHA256
34cecd18035cf0d017dc881238c00d001361100a86610523d90ca0f2f5b3aae3

SHA512
bca33c448d02cf2ff0f076bc2271e6efb3d2d2849d582fd501ff865d36f6614705873ffebf899e554435427a81be1cdd6c735ef95d98bf47f24bde1984f70790

Download Submit
memory/2272-139-0x00007FFC79FD0000-0x00007FFC79FE0000-memory.dmp

Filesize
64KB

Download
memory/2272-138-0x00007FFC79FD0000-0x00007FFC79FE0000-memory.dmp

Filesize
64KB

Download
memory/2272-133-0x00007FFC7C930000-0x00007FFC7C940000-memory.dmp

Filesize
64KB

Download
memory/2272-137-0x00007FFC7C930000-0x00007FFC7C940000-memory.dmp

Filesize
64KB

Download
memory/2272-136-0x00007FFC7C930000-0x00007FFC7C940000-memory.dmp

Filesize
64KB

Download
memory/2272-134-0x00007FFC7C930000-0x00007FFC7C940000-memory.dmp

Filesize
64KB

Download
memory/2272-135-0x00007FFC7C930000-0x00007FFC7C940000-memory.dmp

Filesize
64KB

Download
memory/2384-183-0x0000000002840000-0x000000000286D000-memory.dmp

Filesize
180KB

Download
memory/2384-186-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download