emotet | fb7ec650e35e5df2b91422942730d0d31c288d06669c00bddf989d1d149bf0e1

General

Target

Fakturierung.doc
Size

534.3MB
MD5

bf16595909993047ef58203821614b7c
SHA1

cc3715547c98a950ad61842026045de915f6ab98
SHA256

45fb8507138935dda07ec1fb243b61e18954f44691f383e48e32301a4dd5d61c
SHA512

b56d9c99ca78b503ff426536407447a7e750a01af5af9f3ab4f12dc872b8b3a798d83eb2f9867869ee29daefc947fd5b82d953e72d3529e3291e1a5370d3a9b0
SSDEEP

6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4208	2768	regsvr32.exe	83

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	48	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	51	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	173	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	176	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	179	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2768	WINWORD.EXE
2768	WINWORD.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2768	WINWORD.EXE
2768	WINWORD.EXE
2768	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2768	WINWORD.EXE
2768	WINWORD.EXE
2768	WINWORD.EXE
2768	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 4208	2768	WINWORD.EXE	93
PID 2768 wrote to memory of 4208	2768	WINWORD.EXE	93

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Fakturierung.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\132230.tmp"
  2⤵
  - Process spawned unexpected child process
  PID:4208
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TODAlRp\pPkENyYgwsrqQ.dll"
    3⤵
    PID:2304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\030658.zip

Filesize
847KB

MD5
8a90eab3b0543c3e548e9efef331c7de

SHA1
15b83e08112dffc5248322f9e5b385c20015d3fd

SHA256
9d79513a2e651d16175c7c627cf87372ddd8bf535b8e33d9f32572b00aa59140

SHA512
cf98252701c7e75f00d1381d1096b1651e9a84352359b5347be6b74fec32cb52726bb1e482668db59a56510de29ac0d0bcca309643ee9ef4880c046ed2cc1c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\132230.tmp

Filesize
541.5MB

MD5
3a03282ee2db20a8f0ff75a634a98b58

SHA1
942e52cfc63ebec0d59afce4c57cc2e267eff19d

SHA256
45038ad922e388ef15efa7fdbbf22c989911e648acfe6f61f55ce0c5c6953fcb

SHA512
899c88e068ec9c5e0b25f0afe1a82ab8cd95c1d8787d1275dd16ca7994bb9446037e35484d2afcf4c6be3ee17ea41135097953fca6157d8c94faf52797d87786

Download Submit
C:\Users\Admin\AppData\Local\Temp\132230.tmp

Filesize
495.1MB

MD5
b1c67dcce71599434d71b6d8741ab607

SHA1
e7dd921456f9a498cc42ead5962b79d05484ce37

SHA256
90f18f05c7497703ad7cf7a1699ec133b4e14ebd426f24c1b1a0797370ba74dc

SHA512
b04f4aaaa1457b781a27ad9851ea04e4ec7e07f74af6e2c10febffe9f0aa1ec889aaac4e9ef062b1a6d848bc0321092173de8bf193ae3b541a93200764c885ff

Download Submit
C:\Windows\System32\TODAlRp\pPkENyYgwsrqQ.dll

Filesize
518.5MB

MD5
a7b2831bf1b26255b8e5a2f87e17a8fc

SHA1
5e4a0980bdbadbc9302ac664f6281cf1da411239

SHA256
9c4a478fbab31215a2fe08e5520f4e53ba0cc7370aad0f66cfffe7b80188cf77

SHA512
6b744f54b1f74ed5e6c196307053cbcc99f1dc5ea2a146bbfbb57aeddfd72acb312eabe2eb129675d4888717cc74ddb243abcb3527b5180f4bf3846630d5f3b0

Download Submit
memory/2768-134-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-138-0x00007FFB8D670000-0x00007FFB8D680000-memory.dmp

Filesize
64KB

Download
memory/2768-139-0x00007FFB8D670000-0x00007FFB8D680000-memory.dmp

Filesize
64KB

Download
memory/2768-136-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-135-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-137-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-133-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-202-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-201-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-203-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/2768-204-0x00007FFB8FA90000-0x00007FFB8FAA0000-memory.dmp

Filesize
64KB

Download
memory/4208-176-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4208-179-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads