Analysis
-
max time kernel
25s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
21-03-2023 22:34
Behavioral task
behavioral1
Sample
Sansiri.doc
Resource
win7-20230220-en
General
-
Target
Sansiri.doc
-
Size
257KB
-
MD5
c97055c0b94727c7e5cfba1f1b93d222
-
SHA1
b4c08fd778a4a6737228ea4423d91152334ce03b
-
SHA256
f52ad46c5e2d06933ee15c41fa36cad03907bca87245c2fffade8d60d3f9e116
-
SHA512
f6891279bf77562241162640491ee02439c9b4b43c29f1570a1cfb6fa73b2f7cc0e0bd7c709562c223032593349b641bedd5fe32fb9c582fa760309a2516f781
-
SSDEEP
3072:O8oTyroqHD1Ut6WiuBGJnwAkhqX4v23b+thlCN7eyYz2zVQKBfsDl:OMrD1C/l8Ivke7CVRK3l
Malware Config
Extracted
emotet
Epoch4
213.239.212.5:443
129.232.188.93:443
103.43.75.120:443
197.242.150.244:8080
1.234.2.232:8080
110.232.117.186:8080
95.217.221.146:8080
159.89.202.34:443
159.65.88.10:8080
82.223.21.224:8080
169.57.156.166:8080
45.176.232.124:443
45.235.8.30:8080
173.212.193.249:8080
107.170.39.149:8080
119.59.103.152:8080
167.172.199.165:8080
91.207.28.33:8080
185.4.135.165:8080
104.168.155.143:8080
206.189.28.199:8080
79.137.35.198:8080
103.132.242.26:8080
202.129.205.3:8080
103.75.201.2:443
149.56.131.28:8080
5.135.159.50:443
172.105.226.75:8080
201.94.166.162:443
115.68.227.76:8080
164.90.222.65:443
186.194.240.217:443
153.126.146.25:7080
187.63.160.88:80
209.126.85.32:8080
72.15.201.15:8080
153.92.5.27:8080
167.172.253.162:8080
147.139.166.154:8080
163.44.196.120:8080
183.111.227.137:8080
139.59.126.41:443
164.68.99.3:8080
188.44.20.25:443
94.23.45.86:4143
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4828 4840 regsvr32.exe WINWORD.EXE -
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 4828 regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 27 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4840 WINWORD.EXE 4840 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid process 4828 4828 -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 4840 WINWORD.EXE 4840 WINWORD.EXE 4840 WINWORD.EXE 4840 WINWORD.EXE 4840 WINWORD.EXE 4840 WINWORD.EXE 4840 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 4840 wrote to memory of 4828 4840 WINWORD.EXE regsvr32.exe PID 4840 wrote to memory of 4828 4840 WINWORD.EXE regsvr32.exe PID 4828 wrote to memory of 3904 4828 regsvr32.exe PID 4828 wrote to memory of 3904 4828 regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Sansiri.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\233507.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\NuVcqF\Bkcb.dll"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\233507.tmpFilesize
454.0MB
MD53dd97b46551dca91c13fa5ba728a4497
SHA166ba5ec1dbd124ef9731071c1749340748388e72
SHA25631c4ce547598110b3855c283ca0617b3901aff1724ee697555440eeba774ca4e
SHA512a367d5004065de054da6f94146ff623e41081490253ab40a280adb007fee55f88157bfd7da6295b423c1143e3bb1e98c3edd819923dfc0ff3934fbf7904c1ab6
-
C:\Users\Admin\AppData\Local\Temp\233507.tmpFilesize
453.5MB
MD5381821305ff0d1a3fbb04391d4bca466
SHA186d5dba9b3c8b54f522f2e07c43be99f25410f7f
SHA2566e9f4e6d1e70b8086f55656682f5e1586d672e94d3336075681e8f90144b75b2
SHA51245202d1d2978be98af03d2b080e1a63b7be147e6402007519cbf76b5e39edd763b0b06676c02c6523ef78bc174371c7438a0b61d10956e07aaba43264a4b1882
-
C:\Users\Admin\AppData\Local\Temp\233508.zipFilesize
953KB
MD5a0be50214dfd69fb2102fa6d33d0b308
SHA1311ef8772a19322e41ccbb380ba79ff2bc779de6
SHA25613cbf971d2c9e4cd0326a1164c4be0349b050a60fd067a4c162b7b7dead1d345
SHA5126a8098b558681b7a531b8024e78a657241bd1ada1a4a67809ec6cae2532af204ac8b82f11a050f03a2dcd6e75076d2f1b7a69e1b839355bcacbfaaa979836350
-
C:\Windows\System32\NuVcqF\Bkcb.dllFilesize
417.8MB
MD5d2565dd91b2f568e5323485521048f03
SHA1bd5b72ffa0f64fde6b3f8ca955ed6d1c717a256d
SHA256b1b802b595af48e175082df7b77c5f9a44929ff497f3079a3fa49fab8d8f6f5a
SHA512d9b080ed0652cf60e141613f68f879bbdaefef430b9554aa5e7866465c6514f67c721a1e6a64c8a5444d76ecef66b2b2eec82e4c8a52220800c37bd6c713f6d2
-
memory/4828-177-0x00000000028E0000-0x000000000293A000-memory.dmpFilesize
360KB
-
memory/4828-181-0x0000000000F10000-0x0000000000F11000-memory.dmpFilesize
4KB
-
memory/4840-136-0x00007FFF02AF0000-0x00007FFF02B00000-memory.dmpFilesize
64KB
-
memory/4840-137-0x00007FFF02AF0000-0x00007FFF02B00000-memory.dmpFilesize
64KB
-
memory/4840-135-0x00007FFF02AF0000-0x00007FFF02B00000-memory.dmpFilesize
64KB
-
memory/4840-134-0x00007FFF02AF0000-0x00007FFF02B00000-memory.dmpFilesize
64KB
-
memory/4840-140-0x00007FFF00390000-0x00007FFF003A0000-memory.dmpFilesize
64KB
-
memory/4840-138-0x00007FFF00390000-0x00007FFF003A0000-memory.dmpFilesize
64KB
-
memory/4840-133-0x00007FFF02AF0000-0x00007FFF02B00000-memory.dmpFilesize
64KB
-
memory/4840-208-0x00007FFF02AF0000-0x00007FFF02B00000-memory.dmpFilesize
64KB
-
memory/4840-210-0x00007FFF02AF0000-0x00007FFF02B00000-memory.dmpFilesize
64KB
-
memory/4840-211-0x00007FFF02AF0000-0x00007FFF02B00000-memory.dmpFilesize
64KB
-
memory/4840-209-0x00007FFF02AF0000-0x00007FFF02B00000-memory.dmpFilesize
64KB