emotet | b657ff2eedb3a695ad0803581491dbadb4e8269d84e7d29044852fe8d5ef2c2f

General

Target

Details-1403.doc
Size

543.4MB
MD5

fab228ccf98106058a380fa34a81785c
SHA1

4cdf518b8c83fdeda252e098a1c58a729413c4f6
SHA256

d49c3094888646282364efd6b28f66b99fbe8aa2f8dc2be86daddd3320ae04c9
SHA512

8c65c417e79dfc7995e46e2e53da52c15ab2d2c71233a51d7812df9ccee7c5e326ee227db83bd23f35816a0391bc5b081678b0d24037306a537302cb24701cd7
SSDEEP

6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

103.85.95.4:8080

103.224.241.74:8080

178.238.225.252:8080

37.59.103.148:8080

78.47.204.80:443

138.197.14.67:8080

128.199.242.164:8080

54.37.228.122:443

37.44.244.177:8080

139.59.80.108:8080

218.38.121.17:443

82.98.180.154:7080

114.79.130.68:443

159.65.135.222:7080

174.138.33.49:7080

195.77.239.39:8080

193.194.92.175:443

198.199.70.22:8080

85.214.67.203:8080

93.84.115.205:7080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2552	1220	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2552 regsvr32.exe
4400 regsvr32.exe

pid	process
2552	regsvr32.exe
4400	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 38 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1220 WINWORD.EXE
1220 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2552 regsvr32.exe
2552 regsvr32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

1220 WINWORD.EXE
1220 WINWORD.EXE
1220 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

1220 WINWORD.EXE
1220 WINWORD.EXE
1220 WINWORD.EXE
1220 WINWORD.EXE
1220 WINWORD.EXE
1220 WINWORD.EXE
1220 WINWORD.EXE
1220 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1220	WINWORD.EXE
1220	WINWORD.EXE

pid	process
2552	regsvr32.exe
2552	regsvr32.exe

pid	process
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE

pid	process
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE
1220	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEregsvr32.exe

description	pid	process	target process
PID 1220 wrote to memory of 2552	1220	WINWORD.EXE	regsvr32.exe
PID 1220 wrote to memory of 2552	1220	WINWORD.EXE	regsvr32.exe
PID 2552 wrote to memory of 4400	2552	regsvr32.exe	regsvr32.exe
PID 2552 wrote to memory of 4400	2552	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Details-1403.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\140603.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OxgLPNDQvMOphnMG\vrepPEtbzalLwQl.dll"
3⤵
- Loads dropped DLL
PID:4400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\140603.tmp
Filesize
426.2MB

MD5
67fbc7ac8e0a0cf003ad30de924de3db

SHA1
d841261ab7456f6dd8049616324262c4c03a1228

SHA256
b5fb282528eb9c3807672f9ba7c15ece356713013bcb04dab7b4ebd970f18f0d

SHA512
1a9cb27257bdbf7c3163e2572010bfbbd0267c810dfad7d68d3ca306e5d10d2578f0adec8bb1227b69c932ea96a299c1d213f79786fbcbdd765112bf3377becc

Download Submit
C:\Users\Admin\AppData\Local\Temp\140603.tmp
Filesize
422.5MB

MD5
5f80c8e949c8754ca7ff9c23b38c2b28

SHA1
360fcc91445b0e2254ff94a5d7c46bec6791b1ee

SHA256
41dd9771eb31365064308f79b3c4cd10a261624cbc8f884f19cc44f51393701d

SHA512
54ab6821d4382bec9520ab954720b708316348aa8758037d5675a28efc1316224bbbf5984e17c089726216d990c22c8ae696a2de10dcc3115463f829576dd288

Download Submit
C:\Users\Admin\AppData\Local\Temp\140603.zip
Filesize
834KB

MD5
470c7b86d24d4f0c70eb94d2ebfc35e1

SHA1
c74cec8cf99371810c8a7b2bf53088dbf3df6404

SHA256
498c4a7c1c1ad66267c35639ed643dfd17922febec4360fcaf5459c06359093f

SHA512
3c62e2c9b56d0083fc8e188c5c57cb62c3167a842c99fc6ccf9e0ee2b4b723dbd7d475875086e10504fad538ace384e1d0600f9bc71e06b2839619d3562d1f14

Download Submit
C:\Windows\System32\OxgLPNDQvMOphnMG\vrepPEtbzalLwQl.dll
Filesize
410.9MB

MD5
c411e5cf4ca6d025d061878c6f2dba72

SHA1
44de5e37c00795013dd1b20ce0c35e58dfd66282

SHA256
28784fa3ddeacae41eee7bda573c2b735ff98584600775c16367bf201fba6819

SHA512
09665283341ca98f4eaa359b3f59a33d52b6fd57ca864852017aa4b9397712f70450285895107985a8679909a0d6336a721931d2659bd298fa9ba0127ae953b8

Download Submit
memory/1220-134-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-138-0x00007FFC051B0000-0x00007FFC051C0000-memory.dmp

Filesize
64KB

Download
memory/1220-139-0x00007FFC051B0000-0x00007FFC051C0000-memory.dmp

Filesize
64KB

Download
memory/1220-136-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-135-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-137-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-133-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-206-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-207-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-208-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/1220-209-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmp

Filesize
64KB

Download
memory/2552-174-0x0000000002440000-0x000000000246C000-memory.dmp

Filesize
176KB

Download
memory/2552-180-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads