Analysis
-
max time kernel
147s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system -
submitted
14-03-2023 13:16
Behavioral task
behavioral1
Sample
PO.doc
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
PO.doc
Resource
win10v2004-20230220-en
General
-
Target
PO.doc
-
Size
510.3MB
-
MD5
732336a4ffdffb6af529c92240c52aaa
-
SHA1
0f132ee237e3c419422d33a7fdc8687d3a62068f
-
SHA256
76e94f1bf0af4acd2e3dd307c9cb05ff1cce879a7c611e9e3dc01d8fd7a7f2cc
-
SHA512
683ea54a98b83cbc857299e9511a165371d99a3f3e08f968faf4f3dba53c13de79d8676203f79a71f91cd68892157a1c37766951d4d81a57468e62be809d436a
-
SSDEEP
6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo
Malware Config
Extracted
emotet
Epoch4
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4280 | 864 | regsvr32.exe | WINWORD.EXE
-
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exe, regsvr32.exe
pid | process
4280 | regsvr32.exe
952 | regsvr32.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
regsvr32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SJENLPQaoG.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\NwPdrUb\\SJENLPQaoG.dll\"" | regsvr32.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 47 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 53 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXE
pid | process
864 | WINWORD.EXE
864 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
regsvr32.exe, regsvr32.exe
pid | process
4280 | regsvr32.exe
4280 | regsvr32.exe
952 | regsvr32.exe
952 | regsvr32.exe
952 | regsvr32.exe
952 | regsvr32.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
WINWORD.EXE
pid | process
864 | WINWORD.EXE
864 | WINWORD.EXE
864 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXE
pid | process
864 | WINWORD.EXE
864 | WINWORD.EXE
864 | WINWORD.EXE
864 | WINWORD.EXE
864 | WINWORD.EXE
864 | WINWORD.EXE
864 | WINWORD.EXE
864 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXE, regsvr32.exe
description | pid | process | target process
PID 864 wrote to memory of 4280 | 864 | WINWORD.EXE | regsvr32.exe
PID 864 wrote to memory of 4280 | 864 | WINWORD.EXE | regsvr32.exe
PID 4280 wrote to memory of 952 | 4280 | regsvr32.exe | regsvr32.exe
PID 4280 wrote to memory of 952 | 4280 | regsvr32.exe | regsvr32.exe
Processes
-
[1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\System32\regsvr32.exe
Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\141652.tmp"
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\system32\regsvr32.exe
Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NwPdrUb\SJENLPQaoG.dll"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\141652.tmp
Filesize 501.5MB
MD5 302f08a45be2b11a9b8c89cb1cda8d0e
SHA1 cb7870c9b5af1f19cdf0a05339596722213d3fb5
SHA256 7fcaf117e46f49049b48ff059a0642f45dfaa433f5b7537299be43bbde9dccc5
SHA512 5b4d10f02b6685f9623d80b14a72908038317d4627fb1af7edf68e8ecb3a534f73a6138db4a9b70254e944173cac95cb4d4a042005cae478109f4620e0843df2
-
C:\Users\Admin\AppData\Local\Temp\141722.zip
Filesize 807KB
MD5 29e2d222bd12220dce9a8d50033ccb5c
SHA1 8395359176311bd02d8be06f200ccd2b72bf57d6
SHA256 36a0eba1c1a3a6d28a0bc4ccede8adacd35426e213773fbcba64185697310853
SHA512 c247ac90bfa8c0958bab87b4c186d4a465c15b00e025bb6bc19ac0352c720211075b86ec0feb6254be972b6c6491581d6a24a2fb595ad6c0ed24512495973864
-
C:\Windows\System32\NwPdrUb\SJENLPQaoG.dll
Filesize 501.5MB
MD5 302f08a45be2b11a9b8c89cb1cda8d0e
SHA1 cb7870c9b5af1f19cdf0a05339596722213d3fb5
SHA256 7fcaf117e46f49049b48ff059a0642f45dfaa433f5b7537299be43bbde9dccc5
SHA512 5b4d10f02b6685f9623d80b14a72908038317d4627fb1af7edf68e8ecb3a534f73a6138db4a9b70254e944173cac95cb4d4a042005cae478109f4620e0843df2
-
memory/864-134-0x00007FFE79BB0000-0x00007FFE79BC0000-memory.dmp
Filesize 64KB
-
memory/864-138-0x00007FFE775C0000-0x00007FFE775D0000-memory.dmp
Filesize 64KB
-
memory/864-139-0x00007FFE775C0000-0x00007FFE775D0000-memory.dmp
Filesize 64KB
-
memory/864-136-0x00007FFE79BB0000-0x00007FFE79BC0000-memory.dmp
Filesize 64KB
-
memory/864-135-0x00007FFE79BB0000-0x00007FFE79BC0000-memory.dmp
Filesize 64KB
-
memory/864-137-0x00007FFE79BB0000-0x00007FFE79BC0000-memory.dmp
Filesize 64KB
-
memory/864-133-0x00007FFE79BB0000-0x00007FFE79BC0000-memory.dmp
Filesize 64KB
-
memory/864-206-0x00007FFE79BB0000-0x00007FFE79BC0000-memory.dmp
Filesize 64KB
-
memory/864-207-0x00007FFE79BB0000-0x00007FFE79BC0000-memory.dmp
Filesize 64KB
-
memory/864-208-0x00007FFE79BB0000-0x00007FFE79BC0000-memory.dmp
Filesize 64KB
-
memory/864-209-0x00007FFE79BB0000-0x00007FFE79BC0000-memory.dmp
Filesize 64KB
-
memory/4280-179-0x0000000002920000-0x000000000294D000-memory.dmp
Filesize 180KB
-
memory/4280-181-0x00000000028E0000-0x00000000028E1000-memory.dmp
Filesize 4KB