Analysis
max time kernel: 13s
max time network: 37s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-03-2023 10:28
General
Target: 85_15.doc
Size: 546.4MB
MD5: 2a5efe48ea409cb16d887ffc7bfc9268
SHA1: 9ce3ab622fa94f7aa4eb62cc404cfd8e2582fb1a
SHA256: b72fac6410f1c9bcd93e321271707f27e27e192aaf68c53b5c8d6d86438df385
SHA512: 2c4ede6a294ec03f8361eabe02a0975aa5d616d2561546a26caeb6473d397366e4b4bc1d55937e1dd38f3dfe2e86cb81bfb995775c4a3db0f3a129e7e30a1551
SSDEEP: 6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409
Malware Config
Extracted: emotet (Epoch5)
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  pid: 2512 (regsvr32.exe), pid_target: 2904 (WINWORD.EXE)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  WINWORD.EXE - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  WINWORD.EXE - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  WINWORD.EXE - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  WINWORD.EXE - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  WINWORD.EXE - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  WINWORD.EXE - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
  HTTP User-Agent header (flow 43): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid 2904 WINWORD.EXE (x2)

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  pid 2904 WINWORD.EXE (x3)

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid 2904 WINWORD.EXE (x4)

Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  description: PID 2904 wrote to memory of 2512; pid 2904 WINWORD.EXE; target process regsvr32.exe (x2)
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\85_15.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\112956.tmp"
      - Process spawned unexpected child process

      3. C:\Windows\system32\regsvr32.exe
         Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MDlXOF\iOtILgRrk.dll"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\112956.tmp
  Filesize: 83.7MB
  MD5: c7695b03ccfdcbb4c7761e990c3a5204
  SHA1: d4d01444e04e752a907f20bdded29f2d16476856
  SHA256: 267e033a0acc4f702602e5c07298e0ad5a355022b70d1706aaa9729aef55576f
  SHA512: 9ea06e6d1d457825f81af4141f60eff4f105e57344db8cdefe2d1c073a9910a6d8478e79fb48905332600a56b5f93b41e2f7b4202153539fad18bee42964ad02

C:\Users\Admin\AppData\Local\Temp\112956.tmp
  Filesize: 76.9MB
  MD5: ea8a926b80973e267643fbf782142ae9
  SHA1: 1f37ce687b3c1d9fd06e1f7c30712bed22fd5edd
  SHA256: 4efbd06e08cdf2f1fac24619475c4d77ef649eb1d9151e907761e311084e4034
  SHA512: e9339a3be1851d7536e06c1feed0c5308ede4a2195a902c6832f4ab33b3c113f6647d033045d1e3ba995bb579e509301af15e6cbf96a0a574a49e01838211e43

C:\Users\Admin\AppData\Local\Temp\112957.zip
  Filesize: 834KB
  MD5: 470c7b86d24d4f0c70eb94d2ebfc35e1
  SHA1: c74cec8cf99371810c8a7b2bf53088dbf3df6404
  SHA256: 498c4a7c1c1ad66267c35639ed643dfd17922febec4360fcaf5459c06359093f
  SHA512: 3c62e2c9b56d0083fc8e188c5c57cb62c3167a842c99fc6ccf9e0ee2b4b723dbd7d475875086e10504fad538ace384e1d0600f9bc71e06b2839619d3562d1f14

C:\Windows\System32\MDlXOF\iOtILgRrk.dll
  Filesize: 46.9MB
  MD5: 1ab4daec8c14998065244a627728b69b
  SHA1: b190faa677bf75d60f8a73d36e379b05b186900f
  SHA256: 17d03035989592f2e2e3c3893a2e6deb274ae72a9a6a4336e6ef46d7d14e0800
  SHA512: e00a37ccd67be09cf2294a8534316bc51a93d4119842ac3297c4db97a09036f23c94abaf868ee8d857a1a339f91607b464c67a989bb3fd15d331ebf1a807392d

Memory dumps:
  memory/2512-180-0x00000000010F0000-0x00000000010F1000-memory.dmp   Filesize: 4KB
  memory/2512-177-0x00000000013F0000-0x000000000141C000-memory.dmp   Filesize: 176KB
  memory/2904-136-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp   Filesize: 64KB
  memory/2904-139-0x00007FF7D2740000-0x00007FF7D2750000-memory.dmp   Filesize: 64KB
  memory/2904-138-0x00007FF7D2740000-0x00007FF7D2750000-memory.dmp   Filesize: 64KB
  memory/2904-137-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp   Filesize: 64KB
  memory/2904-133-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp   Filesize: 64KB
  memory/2904-135-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp   Filesize: 64KB
  memory/2904-134-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp   Filesize: 64KB