emotet | 96912bdc44215d8d228e66c2d16809643a70e0f9ff64b13d1881b5befee7c0ca

General

Target

Invoice Number 979646.doc
Size

535.3MB
MD5

2855f6b1a3801c210b75146462a1d704
SHA1

224516c91e780e7917521182ddc5b14afad7de6d
SHA256

5be08e46bbe7dc937ad38deb70d95fa9d64595191baf16afb84f45a58ea494c1
SHA512

442209ea678952e34699e91dd6ae50c445cd201caa7ec085e73a5c3ebc2cd0516ee89bcc600fd4e5653e4824c2c4604dae02f57bc21c46bc7e1d33f197b82695
SSDEEP

6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3484	1588	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1588 WINWORD.EXE
1588 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1588 WINWORD.EXE
1588 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

1588 WINWORD.EXE
1588 WINWORD.EXE
1588 WINWORD.EXE
1588 WINWORD.EXE

pid	process
1588	WINWORD.EXE
1588	WINWORD.EXE

pid	process
1588	WINWORD.EXE
1588	WINWORD.EXE

pid	process
1588	WINWORD.EXE
1588	WINWORD.EXE
1588	WINWORD.EXE
1588	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1588 wrote to memory of 3484	1588	WINWORD.EXE	regsvr32.exe
PID 1588 wrote to memory of 3484	1588	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice Number 979646.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\114404.tmp"
2⤵
- Process spawned unexpected child process
PID:3484

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HEXFGwdsxR\TdJhRoHW.dll"
3⤵
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\114404.tmp
Filesize
313.3MB

MD5
bcfdd6d9f3e2b912514a4acf2f658d58

SHA1
0a69a92aec60a190ce83c0912c6363ee359a533a

SHA256
efccd795d682d97f24a63c1390ae3928179dc56cd14e8f039389f607857b8900

SHA512
7bc992a07a1b4ea37b242cf5e490e113c791d2e9869f294dc971fa20c946a8ccab106ad0fdcb3f44ebc1b309a2200a3efeadf851b82ba60300e2694cd0a1474e

Download Submit
C:\Users\Admin\AppData\Local\Temp\114404.tmp
Filesize
326.7MB

MD5
ecfbb5a265dd51be1e56de4d41a5820d

SHA1
dadff65fdff81662ba783b39de6dd45a1aba36a1

SHA256
0a1c9279f42be26ebe803d73d337ddd8eb644117f067cd8b58bf2fca834345bc

SHA512
1e01a0586c2ee11bec033615e05a5c36b475e9ff1cf821d702a6321e5c44da8d3a94b2a7ee736481a9dea912717c9668a0170f3ad6daf625458e848a335fd556

Download Submit
C:\Users\Admin\AppData\Local\Temp\114526.zip
Filesize
826KB

MD5
cd29b97669086317dc0efb6a4070d671

SHA1
f44fab5b63a797115944caae4e9c25a2c3da9d0f

SHA256
56f87aebf126f019f553d125995f61ac3bef0b53fc896f17dad8597662d44389

SHA512
94ca9bcc40ac967d9ad5f7c2814010b54140f81d08be89076e5427960e291c5103fa98bcc706e65843c0485ecf89468c4b2268dbddd5f2079372cf0735b87cb1

Download Submit
C:\Windows\System32\HEXFGwdsxR\TdJhRoHW.dll
Filesize
216.0MB

MD5
848d8ffa1868e04a69f02e8fd530f1a5

SHA1
da667f92b29c2e3a84bd77d5f70c997cf654abf6

SHA256
2c898038e7beee55a08d79acc757f47e4f356e2253f0cbda0b708d89242134bd

SHA512
42780cb6065dd9a89a6ad9b6072dda74aec3324ce445608920530f9f9ee091333afb233d75215be155386529baf03253bcbae6162786327d7194a845bac64ebf

Download Submit
memory/1588-137-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/1588-135-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/1588-139-0x00007FF840A10000-0x00007FF840A20000-memory.dmp

Filesize
64KB

Download
memory/1588-151-0x00000148649F0000-0x0000014864C4F000-memory.dmp

Filesize
2.4MB

Download
memory/1588-133-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/1588-220-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/1588-136-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/1588-138-0x00007FF840A10000-0x00007FF840A20000-memory.dmp

Filesize
64KB

Download
memory/1588-222-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/1588-134-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/1588-215-0x00000148649F0000-0x0000014864C4F000-memory.dmp

Filesize
2.4MB

Download
memory/1588-219-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/1588-221-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/3484-195-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3484-192-0x0000000000E00000-0x0000000000E2D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads