Analysis
-
max time kernel
14s
-
max time network
160s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
-
submitted
14-03-2023 14:24
Behavioral task
behavioral1
Sample
commenti_14032023.doc
Resource
win7-20230220-en
General
-
Target
commenti_14032023.doc
-
Size
504.4MB
-
MD5
a60c5f8e3e97ac22ed1484ade4dc235f
-
SHA1
fa53b5c04ace548962a1bb7b052672121b195440
-
SHA256
990a8caa38d771d929f285f7c8594e9ef90163dadc9489b1f43f165e45e05f5e
-
SHA512
64bb398b405941de8f63adec045ffdb01ca6f0ca555f0fbed4aaf88c0585ac6f0b49ca0eec7594255da9c4576278fcfb1f9847f7bfc7788d8ee196e8e1e9e8dc
-
SSDEEP
6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409
Malware Config
Extracted
emotet
Epoch5
103.85.95.4:8080
103.224.241.74:8080
178.238.225.252:8080
37.59.103.148:8080
78.47.204.80:443
138.197.14.67:8080
128.199.242.164:8080
54.37.228.122:443
37.44.244.177:8080
139.59.80.108:8080
218.38.121.17:443
82.98.180.154:7080
114.79.130.68:443
159.65.135.222:7080
174.138.33.49:7080
195.77.239.39:8080
193.194.92.175:443
198.199.70.22:8080
85.214.67.203:8080
93.84.115.205:7080
186.250.48.5:443
46.101.98.60:8080
160.16.143.191:8080
64.227.55.231:8080
175.126.176.79:8080
85.25.120.45:8080
178.62.112.199:8080
185.148.169.10:8080
128.199.217.206:443
103.41.204.169:8080
209.239.112.82:8080
202.28.34.99:8080
139.196.72.155:8080
87.106.97.83:7080
93.104.209.107:8080
104.244.79.94:443
115.178.55.22:80
83.229.80.93:8080
103.254.12.236:7080
62.171.178.147:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2748 | 1156 | regsvr32.exe | WINWORD.EXE
-
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exe
pid | process
2748 | regsvr32.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 33 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXE
pid | process
1156 | WINWORD.EXE
1156 | WINWORD.EXE
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
WINWORD.EXE
pid | process
1156 | WINWORD.EXE
1156 | WINWORD.EXE
1156 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXE
pid | process
1156 | WINWORD.EXE
1156 | WINWORD.EXE
1156 | WINWORD.EXE
1156 | WINWORD.EXE
1156 | WINWORD.EXE
1156 | WINWORD.EXE
1156 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXE
description | pid | process | target process
PID 1156 wrote to memory of 2748 | 1156 | WINWORD.EXE | regsvr32.exe
PID 1156 wrote to memory of 2748 | 1156 | WINWORD.EXE | regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commenti_14032023.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\142529.tmp"
- Process spawned unexpected child process
- Loads dropped DLL
-
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VfoPanqICYCNHgImb\QszjpgbwtFzN.dll"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\142529.tmp
Filesize
486.6MB
MD5
1f43e4a7f46a1cda81fe095526165e55
SHA1
5db8083bb3d95ee00187461636f80a2addb6c63e
SHA256
c9a6f443c724c565ff822547fbc1223cf62cebf9d757ae49bac0d0c034d04af1
SHA512
2145d4cac78a7c0d4f80794be20abec03153af4cefeba4b6fb422d7089dcfa005530cb66e0bf45353161e78ae37fa7019ef9ab923eaa72e292fe2d0b4c914a50
-
C:\Users\Admin\AppData\Local\Temp\142529.tmp
Filesize
526.6MB
MD5
c0611096b082297be117139ceba11105
SHA1
0aa005fb26f8b70287dfb558727ae0e222489baa
SHA256
fcff97955bccca60169ba958d6199dac2e7b5bbbeedcea16033273ee3cc07fe0
SHA512
8e1d6338fc5ab1301c52e461dc7dd5556e91b530656c5160514604a1a61316a4e1b755f58012ca8d54470ede14933f632141ba9ef3ada4d0bbc31b17a4f96a93
-
C:\Users\Admin\AppData\Local\Temp\142530.zip
Filesize
834KB
MD5
470c7b86d24d4f0c70eb94d2ebfc35e1
SHA1
c74cec8cf99371810c8a7b2bf53088dbf3df6404
SHA256
498c4a7c1c1ad66267c35639ed643dfd17922febec4360fcaf5459c06359093f
SHA512
3c62e2c9b56d0083fc8e188c5c57cb62c3167a842c99fc6ccf9e0ee2b4b723dbd7d475875086e10504fad538ace384e1d0600f9bc71e06b2839619d3562d1f14
-
C:\Windows\System32\VfoPanqICYCNHgImb\QszjpgbwtFzN.dll
Filesize
437.9MB
MD5
b482234d03360a2510d644b8b69637c9
SHA1
90d3b3ae42ef8d082337d93bfb557d924b56a718
SHA256
1a05efcccb8862b2c8b167aaa9a6b348235cbec6d411dc7355c2d0dde2b359d5
SHA512
6e2cd14ca6c4d48ce8da9d328d21c9b748a0079363b77993b31870bbe815616935714abc347d613536a313c5df8408573dc1ab2b96eae9ca558dc7dc4e01edf1
-
memory/1156-208-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp
Filesize
64KB
-
memory/1156-138-0x00007FFD53D30000-0x00007FFD53D40000-memory.dmp
Filesize
64KB
-
memory/1156-139-0x00007FFD53D30000-0x00007FFD53D40000-memory.dmp
Filesize
64KB
-
memory/1156-136-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp
Filesize
64KB
-
memory/1156-135-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp
Filesize
64KB
-
memory/1156-134-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp
Filesize
64KB
-
memory/1156-133-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp
Filesize
64KB
-
memory/1156-137-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp
Filesize
64KB
-
memory/1156-207-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp
Filesize
64KB
-
memory/1156-209-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp
Filesize
64KB
-
memory/1156-206-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp
Filesize
64KB
-
memory/2748-174-0x0000000000540000-0x000000000056C000-memory.dmp
Filesize
176KB
-
memory/2748-177-0x0000000000470000-0x0000000000471000-memory.dmp
Filesize
4KB