emotet | 3f8160af9df1474e7f6c7813a59f138a973c08690d76ea803e3938935642db2b

Resubmissions

14-03-2023 10:30

230314-mj6q3aeh44 10

14-03-2023 10:28

230314-mh6pnseh36 10

Analysis

max time kernel
13s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85_15.doc
Size

546.4MB
MD5

2a5efe48ea409cb16d887ffc7bfc9268
SHA1

9ce3ab622fa94f7aa4eb62cc404cfd8e2582fb1a
SHA256

b72fac6410f1c9bcd93e321271707f27e27e192aaf68c53b5c8d6d86438df385
SHA512

2c4ede6a294ec03f8361eabe02a0975aa5d616d2561546a26caeb6473d397366e4b4bc1d55937e1dd38f3dfe2e86cb81bfb995775c4a3db0f3a129e7e30a1551
SSDEEP

6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

103.85.95.4:8080

103.224.241.74:8080

178.238.225.252:8080

37.59.103.148:8080

78.47.204.80:443

138.197.14.67:8080

128.199.242.164:8080

54.37.228.122:443

37.44.244.177:8080

139.59.80.108:8080

218.38.121.17:443

82.98.180.154:7080

114.79.130.68:443

159.65.135.222:7080

174.138.33.49:7080

195.77.239.39:8080

193.194.92.175:443

198.199.70.22:8080

85.214.67.203:8080

93.84.115.205:7080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2512	2904	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 43 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2904 WINWORD.EXE
2904 WINWORD.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

2904 WINWORD.EXE
2904 WINWORD.EXE
2904 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

2904 WINWORD.EXE
2904 WINWORD.EXE
2904 WINWORD.EXE
2904 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	43	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2904	WINWORD.EXE
2904	WINWORD.EXE

pid	process
2904	WINWORD.EXE
2904	WINWORD.EXE
2904	WINWORD.EXE

pid	process
2904	WINWORD.EXE
2904	WINWORD.EXE
2904	WINWORD.EXE
2904	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2904 wrote to memory of 2512	2904	WINWORD.EXE	regsvr32.exe
PID 2904 wrote to memory of 2512	2904	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\85_15.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\112956.tmp"
2⤵
- Process spawned unexpected child process
PID:2512

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MDlXOF\iOtILgRrk.dll"
3⤵
PID:3876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\112956.tmp
Filesize
83.7MB

MD5
c7695b03ccfdcbb4c7761e990c3a5204

SHA1
d4d01444e04e752a907f20bdded29f2d16476856

SHA256
267e033a0acc4f702602e5c07298e0ad5a355022b70d1706aaa9729aef55576f

SHA512
9ea06e6d1d457825f81af4141f60eff4f105e57344db8cdefe2d1c073a9910a6d8478e79fb48905332600a56b5f93b41e2f7b4202153539fad18bee42964ad02

Download Submit
C:\Users\Admin\AppData\Local\Temp\112956.tmp
Filesize
76.9MB

MD5
ea8a926b80973e267643fbf782142ae9

SHA1
1f37ce687b3c1d9fd06e1f7c30712bed22fd5edd

SHA256
4efbd06e08cdf2f1fac24619475c4d77ef649eb1d9151e907761e311084e4034

SHA512
e9339a3be1851d7536e06c1feed0c5308ede4a2195a902c6832f4ab33b3c113f6647d033045d1e3ba995bb579e509301af15e6cbf96a0a574a49e01838211e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\112957.zip
Filesize
834KB

MD5
470c7b86d24d4f0c70eb94d2ebfc35e1

SHA1
c74cec8cf99371810c8a7b2bf53088dbf3df6404

SHA256
498c4a7c1c1ad66267c35639ed643dfd17922febec4360fcaf5459c06359093f

SHA512
3c62e2c9b56d0083fc8e188c5c57cb62c3167a842c99fc6ccf9e0ee2b4b723dbd7d475875086e10504fad538ace384e1d0600f9bc71e06b2839619d3562d1f14

Download Submit
C:\Windows\System32\MDlXOF\iOtILgRrk.dll
Filesize
46.9MB

MD5
1ab4daec8c14998065244a627728b69b

SHA1
b190faa677bf75d60f8a73d36e379b05b186900f

SHA256
17d03035989592f2e2e3c3893a2e6deb274ae72a9a6a4336e6ef46d7d14e0800

SHA512
e00a37ccd67be09cf2294a8534316bc51a93d4119842ac3297c4db97a09036f23c94abaf868ee8d857a1a339f91607b464c67a989bb3fd15d331ebf1a807392d

Download Submit
memory/2512-180-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/2512-177-0x00000000013F0000-0x000000000141C000-memory.dmp

Filesize
176KB

Download
memory/2904-136-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download
memory/2904-139-0x00007FF7D2740000-0x00007FF7D2750000-memory.dmp

Filesize
64KB

Download
memory/2904-138-0x00007FF7D2740000-0x00007FF7D2750000-memory.dmp

Filesize
64KB

Download
memory/2904-137-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download
memory/2904-133-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download
memory/2904-135-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download
memory/2904-134-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

Filesize
64KB

Download