Analysis
- max time kernel: 129s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-03-2023 08:56
Behavioral task: behavioral1
- Sample: Electronic form.doc
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Electronic form.doc
- Resource: win10v2004-20230220-en
General
- Target: Electronic form.doc
- Size: 517.3MB
- MD5: 40ac024d3b10c4496f47f9adfb80962b
- SHA1: e000a44c935d53b2dc99ceef3cd4d28ffe90c1bb
- SHA256: bc1694b34546b4fa07862b44651d11686f92ccfa9ef7069499c191794daef0db
- SHA512: cb0d139b73833398a39caadb57b48379adf9300e6bbcf1b1bb6d5b8c18a53978f2ba89b786f8d1b0733b565d67e1e5f63da2c9cdf412bc283db05d27e350d3a3
- SSDEEP: 6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo
Malware Config (extracted)
- Family: emotet
- Botnet: Epoch4
- C2 addresses (IP:port):
164.68.99.3:8080
164.90.222.65:443
186.194.240.217:443
1.234.2.232:8080
103.75.201.2:443
187.63.160.88:80
147.139.166.154:8080
91.207.28.33:8080
5.135.159.50:443
153.92.5.27:8080
213.239.212.5:443
103.43.75.120:443
159.65.88.10:8080
167.172.253.162:8080
153.126.146.25:7080
119.59.103.152:8080
107.170.39.149:8080
183.111.227.137:8080
159.89.202.34:443
110.232.117.186:8080
129.232.188.93:443
172.105.226.75:8080
197.242.150.244:8080
188.44.20.25:443
66.228.32.31:7080
91.121.146.47:8080
202.129.205.3:8080
45.176.232.124:443
160.16.142.56:8080
94.23.45.86:4143
95.217.221.146:8080
72.15.201.15:8080
167.172.199.165:8080
115.68.227.76:8080
139.59.126.41:443
185.4.135.165:8080
79.137.35.198:8080
206.189.28.199:8080
163.44.196.120:8080
201.94.166.162:443
104.168.155.143:8080
173.212.193.249:8080
45.235.8.30:8080
169.57.156.166:8080
149.56.131.28:8080
182.162.143.56:443
103.132.242.26:8080
82.223.21.224:8080
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
    pid: 4780 (regsvr32.exe) | pid_target: 4440 (WINWORD.EXE)
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 4780 regsvr32.exe
    pid 3300 regsvr32.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (regsvr32.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gYfIspk.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\JbmxXUhMBJBotKmpD\\gYfIspk.dll\"" (regsvr32.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
    HTTP User-Agent header (flow 51): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header (flow 52): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid 4440 WINWORD.EXE
    pid 4440 WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid 4780 regsvr32.exe
    pid 4780 regsvr32.exe
    pid 3300 regsvr32.exe
    pid 3300 regsvr32.exe
    pid 3300 regsvr32.exe
    pid 3300 regsvr32.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    pid 4440 WINWORD.EXE
    pid 4440 WINWORD.EXE
    pid 4440 WINWORD.EXE
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes:
    pid 4440 WINWORD.EXE (8 hits)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 4440 wrote to memory of 4780 (WINWORD.EXE -> regsvr32.exe)
    PID 4440 wrote to memory of 4780 (WINWORD.EXE -> regsvr32.exe)
    PID 4780 wrote to memory of 3300 (regsvr32.exe -> regsvr32.exe)
    PID 4780 wrote to memory of 3300 (regsvr32.exe -> regsvr32.exe)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Electronic form.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\091432.tmp"
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\regsvr32.exe
         Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JbmxXUhMBJBotKmpD\gYfIspk.dll"
         - Loads dropped DLL
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\091432.tmp
  Filesize: 523.1MB
  MD5: 0e7ed7e9018495e126ebc8c384e57d22
  SHA1: 51a339c72e7e06568ac68db9018a792576bc4a62
  SHA256: ed5d05acc21aac70df129f18ab8444a1c48b8c2f98e2f5fa6b306803acbb9093
  SHA512: 482dfd399a006967c0d0dc12fddc683d1daef706d4d2c7a6ed94bee95ec563c97fb43cfe3f12bd21d124f821861e80462eb8a5b527662b31e1469504627a1c6e
- C:\Users\Admin\AppData\Local\Temp\091432.tmp
  Filesize: 518.8MB
  MD5: 0e0b90fb0aff372ef3e965fd6336b97f
  SHA1: 55a47b1ad689f102f102627e373917cf16af3386
  SHA256: dca8008672a58b35f826bde680d8bb3407957f70c1516e6c1d62422a17a94e3d
  SHA512: c92aa49665abac933fd6437f9446371b46e26538f8bc1e0462def448a8fe669f479e51eeb9865f413af88aa1563c7cbed511bb45a90a12723cd3c690fd0f87ba
- C:\Users\Admin\AppData\Local\Temp\091445.zip
  Filesize: 848KB
  MD5: 6ca08498216e84fe3c72d921398f0795
  SHA1: 66d202b530cf08f7482d0a99c96b11528ec6fd44
  SHA256: c3d815983921d2913b0f92f45e75068044fd0652ad7983cb96470034cd13591d
  SHA512: 145af7b6fef38976c8c5e83b0c9e3a365921b0907be171a9d6c16d6a72221ae293710c03453168761fd9e0b026212268dd58b78c36f46dc3bb3e71f080cccddb
- C:\Windows\System32\JbmxXUhMBJBotKmpD\gYfIspk.dll
  Filesize: 456.1MB
  MD5: be0d48ae3e1bf99a9954aba990a63fe2
  SHA1: afa5c37ef9f6cd615a6ec43cd3084b3f13712737
  SHA256: b61e21c49552f541eb6bd435d48125ac16843c6ea07c8d5106fb040304f3e9ee
  SHA512: 8e7d97550dd52b8c5cdd646b11cf6831b763928bcc87916e7ddd2e7671b70047c94150633031a54277cb18b72e20d6481f7d34f78b0bfeb0786fd46d1b9693a8
- memory/4440-134-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp
  Filesize: 64KB
- memory/4440-138-0x00007FFC2A730000-0x00007FFC2A740000-memory.dmp
  Filesize: 64KB
- memory/4440-139-0x00007FFC2A730000-0x00007FFC2A740000-memory.dmp
  Filesize: 64KB
- memory/4440-136-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp
  Filesize: 64KB
- memory/4440-135-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp
  Filesize: 64KB
- memory/4440-137-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp
  Filesize: 64KB
- memory/4440-133-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp
  Filesize: 64KB
- memory/4440-208-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp
  Filesize: 64KB
- memory/4440-207-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp
  Filesize: 64KB
- memory/4440-206-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp
  Filesize: 64KB
- memory/4440-209-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp
  Filesize: 64KB
- memory/4780-179-0x0000000002710000-0x000000000273D000-memory.dmp
  Filesize: 180KB
- memory/4780-182-0x0000000000CF0000-0x0000000000CF1000-memory.dmp
  Filesize: 4KB