Analysis
max time kernel: 106s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-03-2023 13:10

Behavioral task: behavioral1
Sample: 4943633551919646, Great Britain.doc
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 4943633551919646, Great Britain.doc
Resource: win10v2004-20230220-en

General
Target: 4943633551919646, Great Britain.doc
Size: 541.3MB
MD5: c4c9ff74262835e0e6f333cba594c362
SHA1: 639a7aa1684350d363eed67a0cfd77ad0d20d984
SHA256: 86342b941e496055fe8657b9195f71475c7cb139a42718030a270cbd056706f3
SHA512: d0687f6e5718196af54dd8269195f4fe43be84da48c32c925a15233e81ae782b5f19aefeffe43a252266463f56f887835c5d58fbec55231582ccd076e8ffae24
SSDEEP: 6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo
Malware Config
Extracted
emotet
Epoch4
164.68.99.3:8080
164.90.222.65:443
186.194.240.217:443
1.234.2.232:8080
103.75.201.2:443
187.63.160.88:80
147.139.166.154:8080
91.207.28.33:8080
5.135.159.50:443
153.92.5.27:8080
213.239.212.5:443
103.43.75.120:443
159.65.88.10:8080
167.172.253.162:8080
153.126.146.25:7080
119.59.103.152:8080
107.170.39.149:8080
183.111.227.137:8080
159.89.202.34:443
110.232.117.186:8080
129.232.188.93:443
172.105.226.75:8080
197.242.150.244:8080
188.44.20.25:443
66.228.32.31:7080
91.121.146.47:8080
202.129.205.3:8080
45.176.232.124:443
160.16.142.56:8080
94.23.45.86:4143
95.217.221.146:8080
72.15.201.15:8080
167.172.199.165:8080
115.68.227.76:8080
139.59.126.41:443
185.4.135.165:8080
79.137.35.198:8080
206.189.28.199:8080
163.44.196.120:8080
201.94.166.162:443
104.168.155.143:8080
173.212.193.249:8080
45.235.8.30:8080
169.57.156.166:8080
149.56.131.28:8080
182.162.143.56:443
103.132.242.26:8080
82.223.21.224:8080
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process; pid: 2232; pid_target: 2060; process: regsvr32.exe; target process: WINWORD.EXE

Loads dropped DLL (2 IoCs)
Processes:
pid: 2232; process: regsvr32.exe
pid: 2108; process: regsvr32.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description: Key created; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; process: regsvr32.exe
description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcyJVZ.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\PbcsWUhAZRJyRmRPf\\wcyJVZ.dll\""; process: regsvr32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; process: WINWORD.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: WINWORD.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; process: WINWORD.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; process: WINWORD.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; process: WINWORD.EXE

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
description: HTTP User-Agent header; flow: 33; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
description: HTTP User-Agent header; flow: 34; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
pid: 2060; process: WINWORD.EXE (x2)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid: 2232; process: regsvr32.exe (x2)
pid: 2108; process: regsvr32.exe (x4)

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
pid: 2060; process: WINWORD.EXE (x3)

Suspicious use of SetWindowsHookEx (8 IoCs)
Processes:
pid: 2060; process: WINWORD.EXE (x8)

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description: PID 2060 wrote to memory of 2232; pid: 2060; process: WINWORD.EXE; target process: regsvr32.exe (x2)
description: PID 2232 wrote to memory of 2108; pid: 2232; process: regsvr32.exe; target process: regsvr32.exe (x2)
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2060)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4943633551919646, Great Britain.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\regsvr32.exe (PID 2232, child of PID 2060)
   Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\141116.tmp"
   - Process spawned unexpected child process
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

3. C:\Windows\system32\regsvr32.exe (PID 2108, child of PID 2232)
   Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PbcsWUhAZRJyRmRPf\wcyJVZ.dll"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\141116.tmp
Filesize: 309.3MB
MD5: 1fcbe43d9261348686fdabea843484e6
SHA1: 9831ff41ab9f20e69fad6925d250154be2e4cc5c
SHA256: 246cd16f64c0024ca2548b7cbe6955e0065a86df2170d5c721b6eca06e1134f2
SHA512: 7b426201c049362ae5375951ac5f0c8ce3e33265389c9da13ffc88990730a67c7568cb6597300f77a4170357dd053f0e32749c7f914395272a4fffc6630a5d28

C:\Users\Admin\AppData\Local\Temp\141116.tmp
Filesize: 303.5MB
MD5: 06297aecf76460db019bd328b4422ddb
SHA1: 82be2031061de410d1eef4ca851dabe0c01e1321
SHA256: 3d9ed20c0838842ddcc11c0431288cb61d0cad757fc4f6f6c2e70f9e3e5dd7bf
SHA512: 61fc40116b10a6431aee05d84f30bd7c3a878dceb79c50710e29b7b8cba061269b84b224ccedb1fd847f07ce7cf320cde46764316cdc4f0794c8a083325129eb

C:\Users\Admin\AppData\Local\Temp\141123.zip
Filesize: 807KB
MD5: 29e2d222bd12220dce9a8d50033ccb5c
SHA1: 8395359176311bd02d8be06f200ccd2b72bf57d6
SHA256: 36a0eba1c1a3a6d28a0bc4ccede8adacd35426e213773fbcba64185697310853
SHA512: c247ac90bfa8c0958bab87b4c186d4a465c15b00e025bb6bc19ac0352c720211075b86ec0feb6254be972b6c6491581d6a24a2fb595ad6c0ed24512495973864

C:\Windows\System32\PbcsWUhAZRJyRmRPf\wcyJVZ.dll
Filesize: 300.0MB
MD5: f780c0cd1be9185e03946a2993c3a8df
SHA1: 7a287ebc53e2f98dfe54eef1e1f5ddcdcc053c1c
SHA256: 133c7fe1483e31f5f5b2ab5a49f9afdd21386cf94690b3612134bce332db2d6c
SHA512: e9e14b53d6028353b390dbe35c85006261f53898bbc810f32d41475802f31cea8916f68f9d513a76825e8fc5eb6b606f864bd7756052d285db08485f199d7174

memory/2060-134-0x00007FF878C70000-0x00007FF878C80000-memory.dmp (Filesize: 64KB)
memory/2060-138-0x00007FF876570000-0x00007FF876580000-memory.dmp (Filesize: 64KB)
memory/2060-140-0x00007FF876570000-0x00007FF876580000-memory.dmp (Filesize: 64KB)
memory/2060-136-0x00007FF878C70000-0x00007FF878C80000-memory.dmp (Filesize: 64KB)
memory/2060-135-0x00007FF878C70000-0x00007FF878C80000-memory.dmp (Filesize: 64KB)
memory/2060-137-0x00007FF878C70000-0x00007FF878C80000-memory.dmp (Filesize: 64KB)
memory/2060-133-0x00007FF878C70000-0x00007FF878C80000-memory.dmp (Filesize: 64KB)
memory/2060-209-0x00007FF878C70000-0x00007FF878C80000-memory.dmp (Filesize: 64KB)
memory/2060-208-0x00007FF878C70000-0x00007FF878C80000-memory.dmp (Filesize: 64KB)
memory/2060-207-0x00007FF878C70000-0x00007FF878C80000-memory.dmp (Filesize: 64KB)
memory/2060-206-0x00007FF878C70000-0x00007FF878C80000-memory.dmp (Filesize: 64KB)
memory/2232-179-0x0000000002E30000-0x0000000002E5D000-memory.dmp (Filesize: 180KB)
memory/2232-182-0x0000000002DF0000-0x0000000002DF1000-memory.dmp (Filesize: 4KB)