Analysis
-
max time kernel
150s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
14-03-2023 15:01
Behavioral task
behavioral1
Sample
dettagli_14032023.doc
Resource
win7-20230220-en
General
-
Target
dettagli_14032023.doc
-
Size
527.4MB
-
MD5
c1299106b5977d3aced43828efd4dae3
-
SHA1
6c740be7700b0de2419e1c9edcfb06dedfc5cd0a
-
SHA256
c41b2b229d37b2581c52e9c87d17838a01e5b2cc038ad4c38c6a8b9bd0e3dc19
-
SHA512
5a6eb6af326b60ab6327581127fcd0d3815a64765b7ed8e1b0bcfb0e990bc85eb8e93c67e7e7bcd8155364ba4aa035548facec1005e9f094ef32e0566bccb6a6
-
SSDEEP
6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409
Malware Config
Extracted
emotet
Epoch5
103.85.95.4:8080
103.224.241.74:8080
178.238.225.252:8080
37.59.103.148:8080
78.47.204.80:443
138.197.14.67:8080
128.199.242.164:8080
54.37.228.122:443
37.44.244.177:8080
139.59.80.108:8080
218.38.121.17:443
82.98.180.154:7080
114.79.130.68:443
159.65.135.222:7080
174.138.33.49:7080
195.77.239.39:8080
193.194.92.175:443
198.199.70.22:8080
85.214.67.203:8080
93.84.115.205:7080
186.250.48.5:443
46.101.98.60:8080
160.16.143.191:8080
64.227.55.231:8080
175.126.176.79:8080
85.25.120.45:8080
178.62.112.199:8080
185.148.169.10:8080
128.199.217.206:443
103.41.204.169:8080
209.239.112.82:8080
202.28.34.99:8080
139.196.72.155:8080
87.106.97.83:7080
93.104.209.107:8080
104.244.79.94:443
115.178.55.22:80
83.229.80.93:8080
103.254.12.236:7080
62.171.178.147:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2384 4648 regsvr32.exe WINWORD.EXE -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 2384 regsvr32.exe 4456 regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4648 WINWORD.EXE 4648 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 2384 regsvr32.exe 2384 regsvr32.exe 4456 regsvr32.exe 4456 regsvr32.exe 4456 regsvr32.exe 4456 regsvr32.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
WINWORD.EXEpid process 4648 WINWORD.EXE 4648 WINWORD.EXE 4648 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 4648 WINWORD.EXE 4648 WINWORD.EXE 4648 WINWORD.EXE 4648 WINWORD.EXE 4648 WINWORD.EXE 4648 WINWORD.EXE 4648 WINWORD.EXE 4648 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEregsvr32.exedescription pid process target process PID 4648 wrote to memory of 2384 4648 WINWORD.EXE regsvr32.exe PID 4648 wrote to memory of 2384 4648 WINWORD.EXE regsvr32.exe PID 2384 wrote to memory of 4456 2384 regsvr32.exe regsvr32.exe PID 2384 wrote to memory of 4456 2384 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dettagli_14032023.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\160232.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\MMZPvlMkrAafURcp\rezfumBaqN.dll"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\160232.tmpFilesize
537.5MB
MD51a84373183026cb9a39e4deb6d6fc7b0
SHA1adb13bb2d67f9702d28c837b509b72f52d0e6c99
SHA256e51164fc134d52f3cd0834fc5d5f8249f589d4831edc7ee11e8cb056356e50f3
SHA51225746cb250beaba4fe4bb3c2bc755ed4cdccd5b375d84b5f7da5cd0dbbaa49e506f00b4a6e4ada33679b962138835c68595e6f4678e3a920675814b1d7880f8d
-
C:\Users\Admin\AppData\Local\Temp\160232.tmpFilesize
537.5MB
MD51a84373183026cb9a39e4deb6d6fc7b0
SHA1adb13bb2d67f9702d28c837b509b72f52d0e6c99
SHA256e51164fc134d52f3cd0834fc5d5f8249f589d4831edc7ee11e8cb056356e50f3
SHA51225746cb250beaba4fe4bb3c2bc755ed4cdccd5b375d84b5f7da5cd0dbbaa49e506f00b4a6e4ada33679b962138835c68595e6f4678e3a920675814b1d7880f8d
-
C:\Users\Admin\AppData\Local\Temp\160233.zipFilesize
844KB
MD52c313d166c8cc4e7bbf6d74ad0fd02c8
SHA12f55b80f1e94cc907b9a6f0c88b8c8fccc223a30
SHA25680d67f527c386f073c678f0b5131292b03467f6fc51b31d25c868add97db2454
SHA5120cc7e25c8c406b7598f0225cbdb4a7d3c1567dcd6b03a308030515fe2b004ce9e3aaa54a0d530380708a29484b30cf34cfe26a078526e8baa7572c19aca81113
-
C:\Windows\System32\MMZPvlMkrAafURcp\rezfumBaqN.dllFilesize
537.5MB
MD51a84373183026cb9a39e4deb6d6fc7b0
SHA1adb13bb2d67f9702d28c837b509b72f52d0e6c99
SHA256e51164fc134d52f3cd0834fc5d5f8249f589d4831edc7ee11e8cb056356e50f3
SHA51225746cb250beaba4fe4bb3c2bc755ed4cdccd5b375d84b5f7da5cd0dbbaa49e506f00b4a6e4ada33679b962138835c68595e6f4678e3a920675814b1d7880f8d
-
memory/2384-179-0x0000000002D50000-0x0000000002D7C000-memory.dmpFilesize
176KB
-
memory/2384-182-0x0000000002CF0000-0x0000000002CF1000-memory.dmpFilesize
4KB
-
memory/4648-135-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmpFilesize
64KB
-
memory/4648-136-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmpFilesize
64KB
-
memory/4648-134-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmpFilesize
64KB
-
memory/4648-139-0x00007FF7F7FA0000-0x00007FF7F7FB0000-memory.dmpFilesize
64KB
-
memory/4648-137-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmpFilesize
64KB
-
memory/4648-138-0x00007FF7F7FA0000-0x00007FF7F7FB0000-memory.dmpFilesize
64KB
-
memory/4648-133-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmpFilesize
64KB
-
memory/4648-208-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmpFilesize
64KB
-
memory/4648-209-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmpFilesize
64KB
-
memory/4648-210-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmpFilesize
64KB
-
memory/4648-211-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmpFilesize
64KB