emotet | 3ebccded14f510e67decdf3eac7fa864ad87e8054ad88da862c7c926e95ca887

General

Target

Electronic form.doc
Size

517.3MB
MD5

40ac024d3b10c4496f47f9adfb80962b
SHA1

e000a44c935d53b2dc99ceef3cd4d28ffe90c1bb
SHA256

bc1694b34546b4fa07862b44651d11686f92ccfa9ef7069499c191794daef0db
SHA512

cb0d139b73833398a39caadb57b48379adf9300e6bbcf1b1bb6d5b8c18a53978f2ba89b786f8d1b0733b565d67e1e5f63da2c9cdf412bc283db05d27e350d3a3
SSDEEP

6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo

Score

10^/10

emotet epoch4 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4780	4440	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

4780 regsvr32.exe
3300 regsvr32.exe

pid	process
4780	regsvr32.exe
3300	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gYfIspk.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\JbmxXUhMBJBotKmpD\\gYfIspk.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	51	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	52	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4440 WINWORD.EXE
4440 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

4780 regsvr32.exe
4780 regsvr32.exe
3300 regsvr32.exe
3300 regsvr32.exe
3300 regsvr32.exe
3300 regsvr32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

4440 WINWORD.EXE
4440 WINWORD.EXE
4440 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

4440 WINWORD.EXE
4440 WINWORD.EXE
4440 WINWORD.EXE
4440 WINWORD.EXE
4440 WINWORD.EXE
4440 WINWORD.EXE
4440 WINWORD.EXE
4440 WINWORD.EXE

pid	process
4440	WINWORD.EXE
4440	WINWORD.EXE

pid	process
4780	regsvr32.exe
4780	regsvr32.exe
3300	regsvr32.exe
3300	regsvr32.exe
3300	regsvr32.exe
3300	regsvr32.exe

pid	process
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE

pid	process
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEregsvr32.exe

description	pid	process	target process
PID 4440 wrote to memory of 4780	4440	WINWORD.EXE	regsvr32.exe
PID 4440 wrote to memory of 4780	4440	WINWORD.EXE	regsvr32.exe
PID 4780 wrote to memory of 3300	4780	regsvr32.exe	regsvr32.exe
PID 4780 wrote to memory of 3300	4780	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Electronic form.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\091432.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JbmxXUhMBJBotKmpD\gYfIspk.dll"
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\091432.tmp
Filesize
523.1MB

MD5
0e7ed7e9018495e126ebc8c384e57d22

SHA1
51a339c72e7e06568ac68db9018a792576bc4a62

SHA256
ed5d05acc21aac70df129f18ab8444a1c48b8c2f98e2f5fa6b306803acbb9093

SHA512
482dfd399a006967c0d0dc12fddc683d1daef706d4d2c7a6ed94bee95ec563c97fb43cfe3f12bd21d124f821861e80462eb8a5b527662b31e1469504627a1c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\091432.tmp
Filesize
518.8MB

MD5
0e0b90fb0aff372ef3e965fd6336b97f

SHA1
55a47b1ad689f102f102627e373917cf16af3386

SHA256
dca8008672a58b35f826bde680d8bb3407957f70c1516e6c1d62422a17a94e3d

SHA512
c92aa49665abac933fd6437f9446371b46e26538f8bc1e0462def448a8fe669f479e51eeb9865f413af88aa1563c7cbed511bb45a90a12723cd3c690fd0f87ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\091445.zip
Filesize
848KB

MD5
6ca08498216e84fe3c72d921398f0795

SHA1
66d202b530cf08f7482d0a99c96b11528ec6fd44

SHA256
c3d815983921d2913b0f92f45e75068044fd0652ad7983cb96470034cd13591d

SHA512
145af7b6fef38976c8c5e83b0c9e3a365921b0907be171a9d6c16d6a72221ae293710c03453168761fd9e0b026212268dd58b78c36f46dc3bb3e71f080cccddb

Download Submit
C:\Windows\System32\JbmxXUhMBJBotKmpD\gYfIspk.dll
Filesize
456.1MB

MD5
be0d48ae3e1bf99a9954aba990a63fe2

SHA1
afa5c37ef9f6cd615a6ec43cd3084b3f13712737

SHA256
b61e21c49552f541eb6bd435d48125ac16843c6ea07c8d5106fb040304f3e9ee

SHA512
8e7d97550dd52b8c5cdd646b11cf6831b763928bcc87916e7ddd2e7671b70047c94150633031a54277cb18b72e20d6481f7d34f78b0bfeb0786fd46d1b9693a8

Download Submit
memory/4440-134-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/4440-138-0x00007FFC2A730000-0x00007FFC2A740000-memory.dmp

Filesize
64KB

Download
memory/4440-139-0x00007FFC2A730000-0x00007FFC2A740000-memory.dmp

Filesize
64KB

Download
memory/4440-136-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/4440-135-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/4440-137-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/4440-133-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/4440-208-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/4440-207-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/4440-206-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/4440-209-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/4780-179-0x0000000002710000-0x000000000273D000-memory.dmp

Filesize
180KB

Download
memory/4780-182-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads