Analysis
-
max time kernel
93s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
14-03-2023 10:43
Behavioral task
behavioral1
Sample
Invoice Number 979646.doc
Resource
win7-20230220-en
General
-
Target
Invoice Number 979646.doc
-
Size
535.3MB
-
MD5
2855f6b1a3801c210b75146462a1d704
-
SHA1
224516c91e780e7917521182ddc5b14afad7de6d
-
SHA256
5be08e46bbe7dc937ad38deb70d95fa9d64595191baf16afb84f45a58ea494c1
-
SHA512
442209ea678952e34699e91dd6ae50c445cd201caa7ec085e73a5c3ebc2cd0516ee89bcc600fd4e5653e4824c2c4604dae02f57bc21c46bc7e1d33f197b82695
-
SSDEEP
6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo
Malware Config
Extracted
emotet
Epoch4
164.68.99.3:8080
164.90.222.65:443
186.194.240.217:443
1.234.2.232:8080
103.75.201.2:443
187.63.160.88:80
147.139.166.154:8080
91.207.28.33:8080
5.135.159.50:443
153.92.5.27:8080
213.239.212.5:443
103.43.75.120:443
159.65.88.10:8080
167.172.253.162:8080
153.126.146.25:7080
119.59.103.152:8080
107.170.39.149:8080
183.111.227.137:8080
159.89.202.34:443
110.232.117.186:8080
129.232.188.93:443
172.105.226.75:8080
197.242.150.244:8080
188.44.20.25:443
66.228.32.31:7080
91.121.146.47:8080
202.129.205.3:8080
45.176.232.124:443
160.16.142.56:8080
94.23.45.86:4143
95.217.221.146:8080
72.15.201.15:8080
167.172.199.165:8080
115.68.227.76:8080
139.59.126.41:443
185.4.135.165:8080
79.137.35.198:8080
206.189.28.199:8080
163.44.196.120:8080
201.94.166.162:443
104.168.155.143:8080
173.212.193.249:8080
45.235.8.30:8080
169.57.156.166:8080
149.56.131.28:8080
182.162.143.56:443
103.132.242.26:8080
82.223.21.224:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3484 1588 regsvr32.exe WINWORD.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 33 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 34 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1588 WINWORD.EXE 1588 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
WINWORD.EXEpid process 1588 WINWORD.EXE 1588 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
WINWORD.EXEpid process 1588 WINWORD.EXE 1588 WINWORD.EXE 1588 WINWORD.EXE 1588 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 1588 wrote to memory of 3484 1588 WINWORD.EXE regsvr32.exe PID 1588 wrote to memory of 3484 1588 WINWORD.EXE regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice Number 979646.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\114404.tmp"2⤵
- Process spawned unexpected child process
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\HEXFGwdsxR\TdJhRoHW.dll"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\114404.tmpFilesize
313.3MB
MD5bcfdd6d9f3e2b912514a4acf2f658d58
SHA10a69a92aec60a190ce83c0912c6363ee359a533a
SHA256efccd795d682d97f24a63c1390ae3928179dc56cd14e8f039389f607857b8900
SHA5127bc992a07a1b4ea37b242cf5e490e113c791d2e9869f294dc971fa20c946a8ccab106ad0fdcb3f44ebc1b309a2200a3efeadf851b82ba60300e2694cd0a1474e
-
C:\Users\Admin\AppData\Local\Temp\114404.tmpFilesize
326.7MB
MD5ecfbb5a265dd51be1e56de4d41a5820d
SHA1dadff65fdff81662ba783b39de6dd45a1aba36a1
SHA2560a1c9279f42be26ebe803d73d337ddd8eb644117f067cd8b58bf2fca834345bc
SHA5121e01a0586c2ee11bec033615e05a5c36b475e9ff1cf821d702a6321e5c44da8d3a94b2a7ee736481a9dea912717c9668a0170f3ad6daf625458e848a335fd556
-
C:\Users\Admin\AppData\Local\Temp\114526.zipFilesize
826KB
MD5cd29b97669086317dc0efb6a4070d671
SHA1f44fab5b63a797115944caae4e9c25a2c3da9d0f
SHA25656f87aebf126f019f553d125995f61ac3bef0b53fc896f17dad8597662d44389
SHA51294ca9bcc40ac967d9ad5f7c2814010b54140f81d08be89076e5427960e291c5103fa98bcc706e65843c0485ecf89468c4b2268dbddd5f2079372cf0735b87cb1
-
C:\Windows\System32\HEXFGwdsxR\TdJhRoHW.dllFilesize
216.0MB
MD5848d8ffa1868e04a69f02e8fd530f1a5
SHA1da667f92b29c2e3a84bd77d5f70c997cf654abf6
SHA2562c898038e7beee55a08d79acc757f47e4f356e2253f0cbda0b708d89242134bd
SHA51242780cb6065dd9a89a6ad9b6072dda74aec3324ce445608920530f9f9ee091333afb233d75215be155386529baf03253bcbae6162786327d7194a845bac64ebf
-
memory/1588-137-0x00007FF842D90000-0x00007FF842DA0000-memory.dmpFilesize
64KB
-
memory/1588-135-0x00007FF842D90000-0x00007FF842DA0000-memory.dmpFilesize
64KB
-
memory/1588-139-0x00007FF840A10000-0x00007FF840A20000-memory.dmpFilesize
64KB
-
memory/1588-151-0x00000148649F0000-0x0000014864C4F000-memory.dmpFilesize
2.4MB
-
memory/1588-133-0x00007FF842D90000-0x00007FF842DA0000-memory.dmpFilesize
64KB
-
memory/1588-220-0x00007FF842D90000-0x00007FF842DA0000-memory.dmpFilesize
64KB
-
memory/1588-136-0x00007FF842D90000-0x00007FF842DA0000-memory.dmpFilesize
64KB
-
memory/1588-138-0x00007FF840A10000-0x00007FF840A20000-memory.dmpFilesize
64KB
-
memory/1588-222-0x00007FF842D90000-0x00007FF842DA0000-memory.dmpFilesize
64KB
-
memory/1588-134-0x00007FF842D90000-0x00007FF842DA0000-memory.dmpFilesize
64KB
-
memory/1588-215-0x00000148649F0000-0x0000014864C4F000-memory.dmpFilesize
2.4MB
-
memory/1588-219-0x00007FF842D90000-0x00007FF842DA0000-memory.dmpFilesize
64KB
-
memory/1588-221-0x00007FF842D90000-0x00007FF842DA0000-memory.dmpFilesize
64KB
-
memory/3484-195-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/3484-192-0x0000000000E00000-0x0000000000E2D000-memory.dmpFilesize
180KB