emotet | f333982c6245780bb4542cde1e9c82a56d101a1a3d2307540f63faa1085b3e23

General

Target

commenti_14032023.doc
Size

504.4MB
MD5

a60c5f8e3e97ac22ed1484ade4dc235f
SHA1

fa53b5c04ace548962a1bb7b052672121b195440
SHA256

990a8caa38d771d929f285f7c8594e9ef90163dadc9489b1f43f165e45e05f5e
SHA512

64bb398b405941de8f63adec045ffdb01ca6f0ca555f0fbed4aaf88c0585ac6f0b49ca0eec7594255da9c4576278fcfb1f9847f7bfc7788d8ee196e8e1e9e8dc
SSDEEP

6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

103.85.95.4:8080

103.224.241.74:8080

178.238.225.252:8080

37.59.103.148:8080

78.47.204.80:443

138.197.14.67:8080

128.199.242.164:8080

54.37.228.122:443

37.44.244.177:8080

139.59.80.108:8080

218.38.121.17:443

82.98.180.154:7080

114.79.130.68:443

159.65.135.222:7080

174.138.33.49:7080

195.77.239.39:8080

193.194.92.175:443

198.199.70.22:8080

85.214.67.203:8080

93.84.115.205:7080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2748	1156	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2748 regsvr32.exe

pid	process
2748	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 33 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1156 WINWORD.EXE
1156 WINWORD.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

1156 WINWORD.EXE
1156 WINWORD.EXE
1156 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

1156 WINWORD.EXE
1156 WINWORD.EXE
1156 WINWORD.EXE
1156 WINWORD.EXE
1156 WINWORD.EXE
1156 WINWORD.EXE
1156 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1156	WINWORD.EXE
1156	WINWORD.EXE

pid	process
1156	WINWORD.EXE
1156	WINWORD.EXE
1156	WINWORD.EXE

pid	process
1156	WINWORD.EXE
1156	WINWORD.EXE
1156	WINWORD.EXE
1156	WINWORD.EXE
1156	WINWORD.EXE
1156	WINWORD.EXE
1156	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1156 wrote to memory of 2748	1156	WINWORD.EXE	regsvr32.exe
PID 1156 wrote to memory of 2748	1156	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commenti_14032023.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\142529.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:2748

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VfoPanqICYCNHgImb\QszjpgbwtFzN.dll"
3⤵
PID:5100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\142529.tmp
Filesize
486.6MB

MD5
1f43e4a7f46a1cda81fe095526165e55

SHA1
5db8083bb3d95ee00187461636f80a2addb6c63e

SHA256
c9a6f443c724c565ff822547fbc1223cf62cebf9d757ae49bac0d0c034d04af1

SHA512
2145d4cac78a7c0d4f80794be20abec03153af4cefeba4b6fb422d7089dcfa005530cb66e0bf45353161e78ae37fa7019ef9ab923eaa72e292fe2d0b4c914a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\142529.tmp
Filesize
526.6MB

MD5
c0611096b082297be117139ceba11105

SHA1
0aa005fb26f8b70287dfb558727ae0e222489baa

SHA256
fcff97955bccca60169ba958d6199dac2e7b5bbbeedcea16033273ee3cc07fe0

SHA512
8e1d6338fc5ab1301c52e461dc7dd5556e91b530656c5160514604a1a61316a4e1b755f58012ca8d54470ede14933f632141ba9ef3ada4d0bbc31b17a4f96a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\142530.zip
Filesize
834KB

MD5
470c7b86d24d4f0c70eb94d2ebfc35e1

SHA1
c74cec8cf99371810c8a7b2bf53088dbf3df6404

SHA256
498c4a7c1c1ad66267c35639ed643dfd17922febec4360fcaf5459c06359093f

SHA512
3c62e2c9b56d0083fc8e188c5c57cb62c3167a842c99fc6ccf9e0ee2b4b723dbd7d475875086e10504fad538ace384e1d0600f9bc71e06b2839619d3562d1f14

Download Submit
C:\Windows\System32\VfoPanqICYCNHgImb\QszjpgbwtFzN.dll
Filesize
437.9MB

MD5
b482234d03360a2510d644b8b69637c9

SHA1
90d3b3ae42ef8d082337d93bfb557d924b56a718

SHA256
1a05efcccb8862b2c8b167aaa9a6b348235cbec6d411dc7355c2d0dde2b359d5

SHA512
6e2cd14ca6c4d48ce8da9d328d21c9b748a0079363b77993b31870bbe815616935714abc347d613536a313c5df8408573dc1ab2b96eae9ca558dc7dc4e01edf1

Download Submit
memory/1156-208-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/1156-138-0x00007FFD53D30000-0x00007FFD53D40000-memory.dmp

Filesize
64KB

Download
memory/1156-139-0x00007FFD53D30000-0x00007FFD53D40000-memory.dmp

Filesize
64KB

Download
memory/1156-136-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/1156-135-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/1156-134-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/1156-133-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/1156-137-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/1156-207-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/1156-209-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/1156-206-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/2748-174-0x0000000000540000-0x000000000056C000-memory.dmp

Filesize
176KB

Download
memory/2748-177-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads