emotet | 66477ce15f6c66f63ec772a849b4a9fea8f3810591294878fa6adb63f63c14a4

General

Target

4943633551919646, Great Britain.doc
Size

541.3MB
MD5

c4c9ff74262835e0e6f333cba594c362
SHA1

639a7aa1684350d363eed67a0cfd77ad0d20d984
SHA256

86342b941e496055fe8657b9195f71475c7cb139a42718030a270cbd056706f3
SHA512

d0687f6e5718196af54dd8269195f4fe43be84da48c32c925a15233e81ae782b5f19aefeffe43a252266463f56f887835c5d58fbec55231582ccd076e8ffae24
SSDEEP

6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo

Score

10^/10

emotet epoch4 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2232	2060	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2232 regsvr32.exe
2108 regsvr32.exe

pid	process
2232	regsvr32.exe
2108	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcyJVZ.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\PbcsWUhAZRJyRmRPf\\wcyJVZ.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2060 WINWORD.EXE
2060 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2232 regsvr32.exe
2232 regsvr32.exe
2108 regsvr32.exe
2108 regsvr32.exe
2108 regsvr32.exe
2108 regsvr32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

2060 WINWORD.EXE
2060 WINWORD.EXE
2060 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

2060 WINWORD.EXE
2060 WINWORD.EXE
2060 WINWORD.EXE
2060 WINWORD.EXE
2060 WINWORD.EXE
2060 WINWORD.EXE
2060 WINWORD.EXE
2060 WINWORD.EXE

pid	process
2060	WINWORD.EXE
2060	WINWORD.EXE

pid	process
2232	regsvr32.exe
2232	regsvr32.exe
2108	regsvr32.exe
2108	regsvr32.exe
2108	regsvr32.exe
2108	regsvr32.exe

pid	process
2060	WINWORD.EXE
2060	WINWORD.EXE
2060	WINWORD.EXE

pid	process
2060	WINWORD.EXE
2060	WINWORD.EXE
2060	WINWORD.EXE
2060	WINWORD.EXE
2060	WINWORD.EXE
2060	WINWORD.EXE
2060	WINWORD.EXE
2060	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEregsvr32.exe

description	pid	process	target process
PID 2060 wrote to memory of 2232	2060	WINWORD.EXE	regsvr32.exe
PID 2060 wrote to memory of 2232	2060	WINWORD.EXE	regsvr32.exe
PID 2232 wrote to memory of 2108	2232	regsvr32.exe	regsvr32.exe
PID 2232 wrote to memory of 2108	2232	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4943633551919646, Great Britain.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\141116.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PbcsWUhAZRJyRmRPf\wcyJVZ.dll"
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\141116.tmp
Filesize
309.3MB

MD5
1fcbe43d9261348686fdabea843484e6

SHA1
9831ff41ab9f20e69fad6925d250154be2e4cc5c

SHA256
246cd16f64c0024ca2548b7cbe6955e0065a86df2170d5c721b6eca06e1134f2

SHA512
7b426201c049362ae5375951ac5f0c8ce3e33265389c9da13ffc88990730a67c7568cb6597300f77a4170357dd053f0e32749c7f914395272a4fffc6630a5d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\141116.tmp
Filesize
303.5MB

MD5
06297aecf76460db019bd328b4422ddb

SHA1
82be2031061de410d1eef4ca851dabe0c01e1321

SHA256
3d9ed20c0838842ddcc11c0431288cb61d0cad757fc4f6f6c2e70f9e3e5dd7bf

SHA512
61fc40116b10a6431aee05d84f30bd7c3a878dceb79c50710e29b7b8cba061269b84b224ccedb1fd847f07ce7cf320cde46764316cdc4f0794c8a083325129eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\141123.zip
Filesize
807KB

MD5
29e2d222bd12220dce9a8d50033ccb5c

SHA1
8395359176311bd02d8be06f200ccd2b72bf57d6

SHA256
36a0eba1c1a3a6d28a0bc4ccede8adacd35426e213773fbcba64185697310853

SHA512
c247ac90bfa8c0958bab87b4c186d4a465c15b00e025bb6bc19ac0352c720211075b86ec0feb6254be972b6c6491581d6a24a2fb595ad6c0ed24512495973864

Download Submit
C:\Windows\System32\PbcsWUhAZRJyRmRPf\wcyJVZ.dll
Filesize
300.0MB

MD5
f780c0cd1be9185e03946a2993c3a8df

SHA1
7a287ebc53e2f98dfe54eef1e1f5ddcdcc053c1c

SHA256
133c7fe1483e31f5f5b2ab5a49f9afdd21386cf94690b3612134bce332db2d6c

SHA512
e9e14b53d6028353b390dbe35c85006261f53898bbc810f32d41475802f31cea8916f68f9d513a76825e8fc5eb6b606f864bd7756052d285db08485f199d7174

Download Submit
memory/2060-134-0x00007FF878C70000-0x00007FF878C80000-memory.dmp

Filesize
64KB

Download
memory/2060-138-0x00007FF876570000-0x00007FF876580000-memory.dmp

Filesize
64KB

Download
memory/2060-140-0x00007FF876570000-0x00007FF876580000-memory.dmp

Filesize
64KB

Download
memory/2060-136-0x00007FF878C70000-0x00007FF878C80000-memory.dmp

Filesize
64KB

Download
memory/2060-135-0x00007FF878C70000-0x00007FF878C80000-memory.dmp

Filesize
64KB

Download
memory/2060-137-0x00007FF878C70000-0x00007FF878C80000-memory.dmp

Filesize
64KB

Download
memory/2060-133-0x00007FF878C70000-0x00007FF878C80000-memory.dmp

Filesize
64KB

Download
memory/2060-209-0x00007FF878C70000-0x00007FF878C80000-memory.dmp

Filesize
64KB

Download
memory/2060-208-0x00007FF878C70000-0x00007FF878C80000-memory.dmp

Filesize
64KB

Download
memory/2060-207-0x00007FF878C70000-0x00007FF878C80000-memory.dmp

Filesize
64KB

Download
memory/2060-206-0x00007FF878C70000-0x00007FF878C80000-memory.dmp

Filesize
64KB

Download
memory/2232-179-0x0000000002E30000-0x0000000002E5D000-memory.dmp

Filesize
180KB

Download
memory/2232-182-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads