Analysis
max time kernel: 143s
max time network: 117s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-03-2023 01:39
Behavioral task behavioral1
Sample: Invoice No 174 March 23.doc
Resource: win7-20230220-en
Behavioral task behavioral2
Sample: Invoice No 174 March 23.doc
Resource: win10v2004-20230220-en
General
Target: Invoice No 174 March 23.doc
Size: 543.3MB
MD5: 7eb84a7a3fb18a7551c1e1388842a397
SHA1: 5ff9cde3b87283178b9936ee89340c7737b90cbc
SHA256: 55a0bb97b9a14e5e0f32765f475aa5288731689ceef380ead22de9efde9dece4
SHA512: 5811397517d7783c35709f89eb30a82ade4e1ef305f8fad8ec9829bb11f64e9565ebc50f6ef183b2b41882e2a1ef4518901a5e1097025461907dfa3d56a601c4
SSDEEP: 6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo
Malware Config
Extracted: emotet, Epoch4
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: regsvr32.exe (PID 4488), spawned by WINWORD.EXE (PID 2568)
  Description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
- Loads dropped DLL (2 IoCs)
  Processes: regsvr32.exe (PID 4488), regsvr32.exe (PID 3888)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: regsvr32.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aJxEinoTqf.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\UQoNjZRQkku\\aJxEinoTqf.dll\""
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header (flow 32): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header (flow 31): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE (PID 2568), listed 2 times
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: regsvr32.exe (PID 4488), listed 2 times; regsvr32.exe (PID 3888), listed 4 times
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: WINWORD.EXE (PID 2568), listed 3 times
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes: WINWORD.EXE (PID 2568), listed 8 times
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2568 (WINWORD.EXE) wrote to memory of 4488 (regsvr32.exe), listed 2 times
  PID 4488 (regsvr32.exe) wrote to memory of 3888 (regsvr32.exe), listed 2 times
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice No 174 March 23.doc" /o ""
   PID: 2568
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\regsvr32.exe (child of PID 2568)
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\014155.tmp"
      PID: 4488
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\regsvr32.exe (child of PID 4488)
         Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UQoNjZRQkku\aJxEinoTqf.dll"
         PID: 3888
         - Loads dropped DLL
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\014155.tmp
Filesize: 501.5MB
MD5: 302f08a45be2b11a9b8c89cb1cda8d0e
SHA1: cb7870c9b5af1f19cdf0a05339596722213d3fb5
SHA256: 7fcaf117e46f49049b48ff059a0642f45dfaa433f5b7537299be43bbde9dccc5
SHA512: 5b4d10f02b6685f9623d80b14a72908038317d4627fb1af7edf68e8ecb3a534f73a6138db4a9b70254e944173cac95cb4d4a042005cae478109f4620e0843df2

C:\Users\Admin\AppData\Local\Temp\014159.zip
Filesize: 807KB
MD5: 365b3f1d2e92c948fda23df4eddf448b
SHA1: 9527a7a63ba70dc33a107bb727a2616d12587051
SHA256: e3f98ceadd3a6524daaa951f1fd09994f350f640f69b470679492ae42af8730b
SHA512: ff1da8cb3e263b9c283ab81735ec6fc960206bcc08f8944c6e79fcb22231e2d457958da76869e82bf444a95557555f7ef772d805fe99766265a423758dba2882

C:\Windows\System32\UQoNjZRQkku\aJxEinoTqf.dll
Filesize: 501.5MB
MD5: 302f08a45be2b11a9b8c89cb1cda8d0e
SHA1: cb7870c9b5af1f19cdf0a05339596722213d3fb5
SHA256: 7fcaf117e46f49049b48ff059a0642f45dfaa433f5b7537299be43bbde9dccc5
SHA512: 5b4d10f02b6685f9623d80b14a72908038317d4627fb1af7edf68e8ecb3a534f73a6138db4a9b70254e944173cac95cb4d4a042005cae478109f4620e0843df2

memory/2568-134-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp (64KB)
memory/2568-138-0x00007FF7C0C10000-0x00007FF7C0C20000-memory.dmp (64KB)
memory/2568-139-0x00007FF7C0C10000-0x00007FF7C0C20000-memory.dmp (64KB)
memory/2568-136-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp (64KB)
memory/2568-135-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp (64KB)
memory/2568-137-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp (64KB)
memory/2568-133-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp (64KB)
memory/2568-206-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp (64KB)
memory/2568-207-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp (64KB)
memory/2568-209-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp (64KB)
memory/2568-208-0x00007FF7C30F0000-0x00007FF7C3100000-memory.dmp (64KB)
memory/4488-179-0x0000000002150000-0x000000000217D000-memory.dmp (180KB)
memory/4488-182-0x0000000000740000-0x0000000000741000-memory.dmp (4KB)