Analysis
- max time kernel: 139s
- max time network: 141s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 21-03-2023 22:19
Behavioral task: behavioral1
- Sample: a49ae9a2ac9ce330db6a2dd480c129fa7206392262e64d4433f2c7f35cda28a9.doc
- Resource: win10-20230220-en
General
- Target: a49ae9a2ac9ce330db6a2dd480c129fa7206392262e64d4433f2c7f35cda28a9.doc
- Size: 201KB
- MD5: f0c64ca95b183fe9dd9a69631029ac13
- SHA1: 34547a5c6d7e9eb675b8e3fb810b36a0ed62213b
- SHA256: a49ae9a2ac9ce330db6a2dd480c129fa7206392262e64d4433f2c7f35cda28a9
- SHA512: 19b6419e698a19fd626ba24b7086467b7d262314ea410a99656aa45c7355311507f9625498b736db11100a4e898d723a8c27244987099e75a8c931510eea4355
- SSDEEP: 3072:tYAYyVlI23Etx/4DeJxD0QU+5c/18dJ95R3s14Mzgpq:qAXatZxh0QHg8dJ9r3dMzgQ
Malware Config
- Extracted: emotet (Epoch4)
- Addresses (IP:port):
213.239.212.5:443
129.232.188.93:443
103.43.75.120:443
197.242.150.244:8080
1.234.2.232:8080
110.232.117.186:8080
95.217.221.146:8080
159.89.202.34:443
159.65.88.10:8080
82.223.21.224:8080
169.57.156.166:8080
45.176.232.124:443
45.235.8.30:8080
173.212.193.249:8080
107.170.39.149:8080
119.59.103.152:8080
167.172.199.165:8080
91.207.28.33:8080
185.4.135.165:8080
104.168.155.143:8080
206.189.28.199:8080
79.137.35.198:8080
103.132.242.26:8080
202.129.205.3:8080
103.75.201.2:443
149.56.131.28:8080
5.135.159.50:443
172.105.226.75:8080
201.94.166.162:443
115.68.227.76:8080
164.90.222.65:443
186.194.240.217:443
153.126.146.25:7080
187.63.160.88:80
209.126.85.32:8080
72.15.201.15:8080
153.92.5.27:8080
167.172.253.162:8080
147.139.166.154:8080
163.44.196.120:8080
183.111.227.137:8080
139.59.126.41:443
164.68.99.3:8080
188.44.20.25:443
94.23.45.86:4143
Signatures
-
Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  regsvr32.exe
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
    pid: 4844 (regsvr32.exe), pid_target: 3488 (WINWORD.EXE)
-
Loads dropped DLL (1 IoCs)
Processes:
  regsvr32.exe
    pid 4844, process regsvr32.exe
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  WINWORD.EXE
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  WINWORD.EXE
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
-
Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  description: HTTP User-Agent header
  flow: 7
  ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  WINWORD.EXE
    pid 3488, process WINWORD.EXE
    pid 3488, process WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  regsvr32.exe
    pid 4844, process regsvr32.exe
    pid 4844, process regsvr32.exe
-
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes:
  WINWORD.EXE
    pid 3488, process WINWORD.EXE (8 entries)
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  WINWORD.EXE, regsvr32.exe
    description: PID 3488 wrote to memory of 4844; pid 3488 (WINWORD.EXE), target process regsvr32.exe
    description: PID 3488 wrote to memory of 4844; pid 3488 (WINWORD.EXE), target process regsvr32.exe
    description: PID 4844 wrote to memory of 864; pid 4844 (regsvr32.exe), target process regsvr32.exe
    description: PID 4844 wrote to memory of 864; pid 4844 (regsvr32.exe), target process regsvr32.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a49ae9a2ac9ce330db6a2dd480c129fa7206392262e64d4433f2c7f35cda28a9.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\regsvr32.exe (child of 1)
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\231939.tmp"
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\regsvr32.exe (child of 2)
         Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VcpBfTzyJSemIFCeV\OEtib.dll"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\231939.tmp
  Filesize: 502.9MB
  MD5: cc88ce41078b46742ad40dd7202c7883
  SHA1: c71b8c1d5c04bca5d86f939e64c07684fbcecbd1
  SHA256: ca234f091e83b88838a3cfad9f78a19bbfd3f8fd4d5def8b3a9dceae32af1fac
  SHA512: 4da5fce54a60a25e1f7612dc8cd1bfb2219016fbfbe9e362e862df0bda6c66ccff959c0f9b0534bee51be7cc3a63f9cab2d64ef68a98cd4f2e84e7f6295d2355
-
C:\Users\Admin\AppData\Local\Temp\231940.zip
  Filesize: 942KB
  MD5: dbf843132b82f48e86f59a4d7ab5be5d
  SHA1: e10381c2a67b651fd2d9d2611fc9216e703dbff9
  SHA256: 529faf9820271ee8ed3a71f666287a33189ab8c998777fbe3498c52ad349938f
  SHA512: a86e405567f8fc00030e5c18bf4437abf2e243c7d21f3a6936510400656ff1bcd7b3794db7cbc1950d6fea3fd2125fc0aef628e2f51a6563ed859737fc7245d9
-
\Users\Admin\AppData\Local\Temp\231939.tmp
  Filesize: 502.9MB
  MD5: cc88ce41078b46742ad40dd7202c7883
  SHA1: c71b8c1d5c04bca5d86f939e64c07684fbcecbd1
  SHA256: ca234f091e83b88838a3cfad9f78a19bbfd3f8fd4d5def8b3a9dceae32af1fac
  SHA512: 4da5fce54a60a25e1f7612dc8cd1bfb2219016fbfbe9e362e862df0bda6c66ccff959c0f9b0534bee51be7cc3a63f9cab2d64ef68a98cd4f2e84e7f6295d2355
-
memory/3488-122-0x00007FFB0BF50000-0x00007FFB0BF60000-memory.dmp
  Filesize: 64KB
-
memory/3488-125-0x00007FFB08760000-0x00007FFB08770000-memory.dmp
  Filesize: 64KB
-
memory/3488-126-0x00007FFB08760000-0x00007FFB08770000-memory.dmp
  Filesize: 64KB
-
memory/3488-119-0x00007FFB0BF50000-0x00007FFB0BF60000-memory.dmp
  Filesize: 64KB
-
memory/3488-121-0x00007FFB0BF50000-0x00007FFB0BF60000-memory.dmp
  Filesize: 64KB
-
memory/3488-120-0x00007FFB0BF50000-0x00007FFB0BF60000-memory.dmp
  Filesize: 64KB
-
memory/3488-423-0x00007FFB0BF50000-0x00007FFB0BF60000-memory.dmp
  Filesize: 64KB
-
memory/3488-424-0x00007FFB0BF50000-0x00007FFB0BF60000-memory.dmp
  Filesize: 64KB
-
memory/3488-425-0x00007FFB0BF50000-0x00007FFB0BF60000-memory.dmp
  Filesize: 64KB
-
memory/3488-426-0x00007FFB0BF50000-0x00007FFB0BF60000-memory.dmp
  Filesize: 64KB
-
memory/4844-328-0x0000000002000000-0x000000000205A000-memory.dmp
  Filesize: 360KB
-
memory/4844-334-0x0000000001F90000-0x0000000001F91000-memory.dmp
  Filesize: 4KB