Analysis
-
max time kernel
16s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
14-03-2023 14:05
Behavioral task
behavioral1
Sample
Details-1403.doc
Resource
win7-20230220-en
General
-
Target
Details-1403.doc
-
Size
543.4MB
-
MD5
fab228ccf98106058a380fa34a81785c
-
SHA1
4cdf518b8c83fdeda252e098a1c58a729413c4f6
-
SHA256
d49c3094888646282364efd6b28f66b99fbe8aa2f8dc2be86daddd3320ae04c9
-
SHA512
8c65c417e79dfc7995e46e2e53da52c15ab2d2c71233a51d7812df9ccee7c5e326ee227db83bd23f35816a0391bc5b081678b0d24037306a537302cb24701cd7
-
SSDEEP
6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409
Malware Config
Extracted
emotet
Epoch5
103.85.95.4:8080
103.224.241.74:8080
178.238.225.252:8080
37.59.103.148:8080
78.47.204.80:443
138.197.14.67:8080
128.199.242.164:8080
54.37.228.122:443
37.44.244.177:8080
139.59.80.108:8080
218.38.121.17:443
82.98.180.154:7080
114.79.130.68:443
159.65.135.222:7080
174.138.33.49:7080
195.77.239.39:8080
193.194.92.175:443
198.199.70.22:8080
85.214.67.203:8080
93.84.115.205:7080
186.250.48.5:443
46.101.98.60:8080
160.16.143.191:8080
64.227.55.231:8080
175.126.176.79:8080
85.25.120.45:8080
178.62.112.199:8080
185.148.169.10:8080
128.199.217.206:443
103.41.204.169:8080
209.239.112.82:8080
202.28.34.99:8080
139.196.72.155:8080
87.106.97.83:7080
93.104.209.107:8080
104.244.79.94:443
115.178.55.22:80
83.229.80.93:8080
103.254.12.236:7080
62.171.178.147:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2552 1220 regsvr32.exe WINWORD.EXE -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 2552 regsvr32.exe 4400 regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 38 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1220 WINWORD.EXE 1220 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regsvr32.exepid process 2552 regsvr32.exe 2552 regsvr32.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
WINWORD.EXEpid process 1220 WINWORD.EXE 1220 WINWORD.EXE 1220 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 1220 WINWORD.EXE 1220 WINWORD.EXE 1220 WINWORD.EXE 1220 WINWORD.EXE 1220 WINWORD.EXE 1220 WINWORD.EXE 1220 WINWORD.EXE 1220 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEregsvr32.exedescription pid process target process PID 1220 wrote to memory of 2552 1220 WINWORD.EXE regsvr32.exe PID 1220 wrote to memory of 2552 1220 WINWORD.EXE regsvr32.exe PID 2552 wrote to memory of 4400 2552 regsvr32.exe regsvr32.exe PID 2552 wrote to memory of 4400 2552 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Details-1403.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\140603.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\OxgLPNDQvMOphnMG\vrepPEtbzalLwQl.dll"3⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\140603.tmpFilesize
426.2MB
MD567fbc7ac8e0a0cf003ad30de924de3db
SHA1d841261ab7456f6dd8049616324262c4c03a1228
SHA256b5fb282528eb9c3807672f9ba7c15ece356713013bcb04dab7b4ebd970f18f0d
SHA5121a9cb27257bdbf7c3163e2572010bfbbd0267c810dfad7d68d3ca306e5d10d2578f0adec8bb1227b69c932ea96a299c1d213f79786fbcbdd765112bf3377becc
-
C:\Users\Admin\AppData\Local\Temp\140603.tmpFilesize
422.5MB
MD55f80c8e949c8754ca7ff9c23b38c2b28
SHA1360fcc91445b0e2254ff94a5d7c46bec6791b1ee
SHA25641dd9771eb31365064308f79b3c4cd10a261624cbc8f884f19cc44f51393701d
SHA51254ab6821d4382bec9520ab954720b708316348aa8758037d5675a28efc1316224bbbf5984e17c089726216d990c22c8ae696a2de10dcc3115463f829576dd288
-
C:\Users\Admin\AppData\Local\Temp\140603.zipFilesize
834KB
MD5470c7b86d24d4f0c70eb94d2ebfc35e1
SHA1c74cec8cf99371810c8a7b2bf53088dbf3df6404
SHA256498c4a7c1c1ad66267c35639ed643dfd17922febec4360fcaf5459c06359093f
SHA5123c62e2c9b56d0083fc8e188c5c57cb62c3167a842c99fc6ccf9e0ee2b4b723dbd7d475875086e10504fad538ace384e1d0600f9bc71e06b2839619d3562d1f14
-
C:\Windows\System32\OxgLPNDQvMOphnMG\vrepPEtbzalLwQl.dllFilesize
410.9MB
MD5c411e5cf4ca6d025d061878c6f2dba72
SHA144de5e37c00795013dd1b20ce0c35e58dfd66282
SHA25628784fa3ddeacae41eee7bda573c2b735ff98584600775c16367bf201fba6819
SHA51209665283341ca98f4eaa359b3f59a33d52b6fd57ca864852017aa4b9397712f70450285895107985a8679909a0d6336a721931d2659bd298fa9ba0127ae953b8
-
memory/1220-134-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmpFilesize
64KB
-
memory/1220-138-0x00007FFC051B0000-0x00007FFC051C0000-memory.dmpFilesize
64KB
-
memory/1220-139-0x00007FFC051B0000-0x00007FFC051C0000-memory.dmpFilesize
64KB
-
memory/1220-136-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmpFilesize
64KB
-
memory/1220-135-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmpFilesize
64KB
-
memory/1220-137-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmpFilesize
64KB
-
memory/1220-133-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmpFilesize
64KB
-
memory/1220-206-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmpFilesize
64KB
-
memory/1220-207-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmpFilesize
64KB
-
memory/1220-208-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmpFilesize
64KB
-
memory/1220-209-0x00007FFC07B10000-0x00007FFC07B20000-memory.dmpFilesize
64KB
-
memory/2552-174-0x0000000002440000-0x000000000246C000-memory.dmpFilesize
176KB
-
memory/2552-180-0x0000000000A10000-0x0000000000A11000-memory.dmpFilesize
4KB