emotet | 55a0bb97b9a14e5e0f32765f475aa5288731689ceef380ead22de9efde9dece4

General

Target

Invoice No 174 March 23.doc
Size

543.3MB
MD5

7eb84a7a3fb18a7551c1e1388842a397
SHA1

5ff9cde3b87283178b9936ee89340c7737b90cbc
SHA256

55a0bb97b9a14e5e0f32765f475aa5288731689ceef380ead22de9efde9dece4
SHA512

5811397517d7783c35709f89eb30a82ade4e1ef305f8fad8ec9829bb11f64e9565ebc50f6ef183b2b41882e2a1ef4518901a5e1097025461907dfa3d56a601c4
SSDEEP

6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo

Score

10^/10

emotet epoch4 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4488	2568	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

4488 regsvr32.exe
3888 regsvr32.exe

pid	process
4488	regsvr32.exe
3888	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aJxEinoTqf.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\UQoNjZRQkku\\aJxEinoTqf.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2568 WINWORD.EXE
2568 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

4488 regsvr32.exe
4488 regsvr32.exe
3888 regsvr32.exe
3888 regsvr32.exe
3888 regsvr32.exe
3888 regsvr32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

2568 WINWORD.EXE
2568 WINWORD.EXE
2568 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

2568 WINWORD.EXE
2568 WINWORD.EXE
2568 WINWORD.EXE
2568 WINWORD.EXE
2568 WINWORD.EXE
2568 WINWORD.EXE
2568 WINWORD.EXE
2568 WINWORD.EXE

pid	process
2568	WINWORD.EXE
2568	WINWORD.EXE

pid	process
4488	regsvr32.exe
4488	regsvr32.exe
3888	regsvr32.exe
3888	regsvr32.exe
3888	regsvr32.exe
3888	regsvr32.exe

pid	process
2568	WINWORD.EXE
2568	WINWORD.EXE
2568	WINWORD.EXE

pid	process
2568	WINWORD.EXE
2568	WINWORD.EXE
2568	WINWORD.EXE
2568	WINWORD.EXE
2568	WINWORD.EXE
2568	WINWORD.EXE
2568	WINWORD.EXE
2568	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEregsvr32.exe

description	pid	process	target process
PID 2568 wrote to memory of 4488	2568	WINWORD.EXE	regsvr32.exe
PID 2568 wrote to memory of 4488	2568	WINWORD.EXE	regsvr32.exe
PID 4488 wrote to memory of 3888	4488	regsvr32.exe	regsvr32.exe
PID 4488 wrote to memory of 3888	4488	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice No 174 March 23.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\014155.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UQoNjZRQkku\aJxEinoTqf.dll"
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\014155.tmp
Filesize
501.5MB

MD5
302f08a45be2b11a9b8c89cb1cda8d0e

SHA1
cb7870c9b5af1f19cdf0a05339596722213d3fb5

SHA256
7fcaf117e46f49049b48ff059a0642f45dfaa433f5b7537299be43bbde9dccc5

SHA512
5b4d10f02b6685f9623d80b14a72908038317d4627fb1af7edf68e8ecb3a534f73a6138db4a9b70254e944173cac95cb4d4a042005cae478109f4620e0843df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\014155.tmp
Filesize
501.5MB

MD5
302f08a45be2b11a9b8c89cb1cda8d0e

SHA1
cb7870c9b5af1f19cdf0a05339596722213d3fb5

SHA256
7fcaf117e46f49049b48ff059a0642f45dfaa433f5b7537299be43bbde9dccc5

SHA512
5b4d10f02b6685f9623d80b14a72908038317d4627fb1af7edf68e8ecb3a534f73a6138db4a9b70254e944173cac95cb4d4a042005cae478109f4620e0843df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\014159.zip
Filesize
807KB

MD5
365b3f1d2e92c948fda23df4eddf448b

SHA1
9527a7a63ba70dc33a107bb727a2616d12587051

SHA256
e3f98ceadd3a6524daaa951f1fd09994f350f640f69b470679492ae42af8730b

SHA512
ff1da8cb3e263b9c283ab81735ec6fc960206bcc08f8944c6e79fcb22231e2d457958da76869e82bf444a95557555f7ef772d805fe99766265a423758dba2882

Download Submit
C:\Windows\System32\UQoNjZRQkku\aJxEinoTqf.dll
Filesize
501.5MB

MD5
302f08a45be2b11a9b8c89cb1cda8d0e

SHA1
cb7870c9b5af1f19cdf0a05339596722213d3fb5

SHA256
7fcaf117e46f49049b48ff059a0642f45dfaa433f5b7537299be43bbde9dccc5

SHA512
5b4d10f02b6685f9623d80b14a72908038317d4627fb1af7edf68e8ecb3a534f73a6138db4a9b70254e944173cac95cb4d4a042005cae478109f4620e0843df2

Download Submit
memory/2568-134-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp

Filesize
64KB

Download
memory/2568-138-0x00007FF7C0C10000-0x00007FF7C0C20000-memory.dmp

Filesize
64KB

Download
memory/2568-139-0x00007FF7C0C10000-0x00007FF7C0C20000-memory.dmp

Filesize
64KB

Download
memory/2568-136-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp

Filesize
64KB

Download
memory/2568-135-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp

Filesize
64KB

Download
memory/2568-137-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp

Filesize
64KB

Download
memory/2568-133-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp

Filesize
64KB

Download
memory/2568-206-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp

Filesize
64KB

Download
memory/2568-207-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp

Filesize
64KB

Download
memory/2568-209-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp

Filesize
64KB

Download
memory/2568-208-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp

Filesize
64KB

Download
memory/4488-179-0x0000000002150000-0x000000000217D000-memory.dmp

Filesize
180KB

Download
memory/4488-182-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads