Analysis
-
max time kernel
149s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-it -
resource tags
arch:x64arch:x86image:win10v2004-20230220-itlocale:it-itos:windows10-2004-x64systemwindows -
submitted
17-03-2023 13:09
General
-
Target
invio.doc
-
Size
512.3MB
-
MD5
b8f2e6550dcb9fc6e361a4c3b524d105
-
SHA1
ba73d91eca761ec01ed8e836f853221cc2321e79
-
SHA256
30eba819cc525b6dd03264c1bcbd79c7de436ecb39fcfcca7ef4802437c6158d
-
SHA512
a2a89b1c79b08547c27f0bbc27994da6fbec2a455c69b112057e1106fe8e594fcb96cab5353b9a3eac77a8221409bf8c24748ab2b315c367e1af8228186038c5
-
SSDEEP
6144:jkmCUX1RauEA55axdWFyDDIqqmbwbLUW:omC7uz552AFZqXbwbA
Malware Config
Extracted
emotet
Epoch4
164.68.99.3:8080
164.90.222.65:443
186.194.240.217:443
1.234.2.232:8080
103.75.201.2:443
187.63.160.88:80
147.139.166.154:8080
91.207.28.33:8080
5.135.159.50:443
153.92.5.27:8080
213.239.212.5:443
103.43.75.120:443
159.65.88.10:8080
167.172.253.162:8080
153.126.146.25:7080
119.59.103.152:8080
107.170.39.149:8080
183.111.227.137:8080
159.89.202.34:443
110.232.117.186:8080
129.232.188.93:443
172.105.226.75:8080
197.242.150.244:8080
188.44.20.25:443
66.228.32.31:7080
91.121.146.47:8080
202.129.205.3:8080
45.176.232.124:443
160.16.142.56:8080
94.23.45.86:4143
95.217.221.146:8080
72.15.201.15:8080
167.172.199.165:8080
115.68.227.76:8080
139.59.126.41:443
185.4.135.165:8080
79.137.35.198:8080
206.189.28.199:8080
163.44.196.120:8080
201.94.166.162:443
104.168.155.143:8080
173.212.193.249:8080
45.235.8.30:8080
169.57.156.166:8080
149.56.131.28:8080
182.162.143.56:443
103.132.242.26:8080
82.223.21.224:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4020 3492 regsvr32.exe WINWORD.EXE -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 4020 regsvr32.exe 1504 regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 38 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3492 WINWORD.EXE 3492 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 4020 regsvr32.exe 4020 regsvr32.exe 1504 regsvr32.exe 1504 regsvr32.exe 1504 regsvr32.exe 1504 regsvr32.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
WINWORD.EXEpid process 3492 WINWORD.EXE 3492 WINWORD.EXE 3492 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
WINWORD.EXEpid process 3492 WINWORD.EXE 3492 WINWORD.EXE 3492 WINWORD.EXE 3492 WINWORD.EXE 3492 WINWORD.EXE 3492 WINWORD.EXE 3492 WINWORD.EXE 3492 WINWORD.EXE 3492 WINWORD.EXE 3492 WINWORD.EXE 3492 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEregsvr32.exedescription pid process target process PID 3492 wrote to memory of 4020 3492 WINWORD.EXE regsvr32.exe PID 3492 wrote to memory of 4020 3492 WINWORD.EXE regsvr32.exe PID 4020 wrote to memory of 1504 4020 regsvr32.exe regsvr32.exe PID 4020 wrote to memory of 1504 4020 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\invio.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\141036.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\MtgkqaNWboNTjcP\AqSr.dll"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\141036.tmpFilesize
514.5MB
MD57ac680c04fe36ba51d7ef663aa11b38e
SHA1032bfaa90439cc877cee474c9595aa5d592cb6a2
SHA256bb098f66438c8762e5015baaeac49f9ac81545c10bbe899803db56e9c2ada98a
SHA5126a6c8e1d969153735ff7381607b649e2d4d431c3ee08e0291de8f25a794f62725a51df1edc44df76db355972e943506904726d2f23d842a06adbc230e140be72
-
C:\Users\Admin\AppData\Local\Temp\141036.tmpFilesize
514.5MB
MD57ac680c04fe36ba51d7ef663aa11b38e
SHA1032bfaa90439cc877cee474c9595aa5d592cb6a2
SHA256bb098f66438c8762e5015baaeac49f9ac81545c10bbe899803db56e9c2ada98a
SHA5126a6c8e1d969153735ff7381607b649e2d4d431c3ee08e0291de8f25a794f62725a51df1edc44df76db355972e943506904726d2f23d842a06adbc230e140be72
-
C:\Users\Admin\AppData\Local\Temp\141037.zipFilesize
809KB
MD5f780db732dafe3aea7bec6e5b1915dc5
SHA1a388e7954f76557d5edf4b8315d669fd2e4e7e8c
SHA25614ee7bb38b78d00530df973d039d0c0586c4fd83e890e0cb63761f4b5baed11d
SHA5126cc273cf52d6cc767dfa05b6408053ffa695abdaa42684d1fd196e3e43aca9b1395b5954266a8601f34cd52c5d7e559f0bad65dea2b5ac4ea17adf6ce1793f4c
-
C:\Windows\System32\MtgkqaNWboNTjcP\AqSr.dllFilesize
514.5MB
MD57ac680c04fe36ba51d7ef663aa11b38e
SHA1032bfaa90439cc877cee474c9595aa5d592cb6a2
SHA256bb098f66438c8762e5015baaeac49f9ac81545c10bbe899803db56e9c2ada98a
SHA5126a6c8e1d969153735ff7381607b649e2d4d431c3ee08e0291de8f25a794f62725a51df1edc44df76db355972e943506904726d2f23d842a06adbc230e140be72
-
memory/3492-136-0x00007FFF48130000-0x00007FFF48140000-memory.dmpFilesize
64KB
-
memory/3492-138-0x00007FFF458E0000-0x00007FFF458F0000-memory.dmpFilesize
64KB
-
memory/3492-139-0x00007FFF458E0000-0x00007FFF458F0000-memory.dmpFilesize
64KB
-
memory/3492-137-0x00007FFF48130000-0x00007FFF48140000-memory.dmpFilesize
64KB
-
memory/3492-133-0x00007FFF48130000-0x00007FFF48140000-memory.dmpFilesize
64KB
-
memory/3492-135-0x00007FFF48130000-0x00007FFF48140000-memory.dmpFilesize
64KB
-
memory/3492-134-0x00007FFF48130000-0x00007FFF48140000-memory.dmpFilesize
64KB
-
memory/4020-179-0x0000000180000000-0x000000018002D000-memory.dmpFilesize
180KB
-
memory/4020-182-0x0000000001F70000-0x0000000001F71000-memory.dmpFilesize
4KB