emotet | e0f66132f138b6e15360fdc2478d46236c88048182128371b0d507b398937034

General

Target

e0f66132f138b6e15360fdc2478d46236c88048182128371b0d507b398937034.doc
Size

260KB
MD5

324af6b62d75ef88de29fe68c8ded492
SHA1

1825da5e81ff30ac9901d021d1b89032dfc96bcc
SHA256

e0f66132f138b6e15360fdc2478d46236c88048182128371b0d507b398937034
SHA512

fd6200b9ab5465e48f6125ffcb2559ae281cc782108947493a2e59436eb25fa559c0d3605c25bf01523ee47f9fcb71c04ce7c9d95229d59dcf98effe385ebecf
SSDEEP

3072:I7HvJK9MzDIQPf0+SUoUXkgQjaap0GnRcegvsjkzIDEp+XlRNBueyeJY:ITthS8kTjBRcjvsgzlYXlseyP

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4864	3956	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4864 regsvr32.exe

pid	process
4864	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 7 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3956 WINWORD.EXE
3956 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

4864 regsvr32.exe
4864 regsvr32.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

3956 WINWORD.EXE
3956 WINWORD.EXE
3956 WINWORD.EXE
3956 WINWORD.EXE
3956 WINWORD.EXE
3956 WINWORD.EXE
3956 WINWORD.EXE
3956 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3956	WINWORD.EXE
3956	WINWORD.EXE

pid	process
4864	regsvr32.exe
4864	regsvr32.exe

pid	process
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEregsvr32.exe

description	pid	process	target process
PID 3956 wrote to memory of 4864	3956	WINWORD.EXE	regsvr32.exe
PID 3956 wrote to memory of 4864	3956	WINWORD.EXE	regsvr32.exe
PID 4864 wrote to memory of 504	4864	regsvr32.exe	regsvr32.exe
PID 4864 wrote to memory of 504	4864	regsvr32.exe	regsvr32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e0f66132f138b6e15360fdc2478d46236c88048182128371b0d507b398937034.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\000159.tmp"
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LemxTuRuCWsi\lptItzrVnq.dll"
    3⤵
    PID:504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\000159.tmp

Filesize
516.9MB

MD5
63ab0ab1ed4483ad09ce0c0402acb55e

SHA1
d7185996c898eedb205467e6b6f73030c2baf5ce

SHA256
f2616d392cbea6cb86883ce42b7ed0856823c2812e49b334346d7aec8a950e5c

SHA512
e1b6425ff2bf945a06bf1a6a6509bc43ae583cdd4f91abdd3aa5c8ce66ee2c7da7f2b5128fd6e900aec0f1f411390df2fdbafd51ccda07d89a0e1ec3ab853448

Download Submit
C:\Users\Admin\AppData\Local\Temp\000200.zip

Filesize
956KB

MD5
7a8514e64a4fc18c49e6b99a74809f53

SHA1
48eaaa9149d421dd357a4c9bbf010b7476955752

SHA256
810bbe720d6286bccae93e9cba11adbb55b1900ac18799ed0dc36508ba2353e3

SHA512
8225ba0d1d28e1e549bb47e24b1e1eb04b878f188c7e19331ac32db76f9736e377fcfa46d8ad993f0fbf88f5cbcd5674519a7556e86c12d9a13cd81d7deb53f4

Download Submit
\Users\Admin\AppData\Local\Temp\000159.tmp

Filesize
516.9MB

MD5
63ab0ab1ed4483ad09ce0c0402acb55e

SHA1
d7185996c898eedb205467e6b6f73030c2baf5ce

SHA256
f2616d392cbea6cb86883ce42b7ed0856823c2812e49b334346d7aec8a950e5c

SHA512
e1b6425ff2bf945a06bf1a6a6509bc43ae583cdd4f91abdd3aa5c8ce66ee2c7da7f2b5128fd6e900aec0f1f411390df2fdbafd51ccda07d89a0e1ec3ab853448

Download Submit
memory/3956-122-0x00007FFD1CC50000-0x00007FFD1CC60000-memory.dmp

Filesize
64KB

Download
memory/3956-125-0x00007FFD19500000-0x00007FFD19510000-memory.dmp

Filesize
64KB

Download
memory/3956-126-0x00007FFD19500000-0x00007FFD19510000-memory.dmp

Filesize
64KB

Download
memory/3956-119-0x00007FFD1CC50000-0x00007FFD1CC60000-memory.dmp

Filesize
64KB

Download
memory/3956-121-0x00007FFD1CC50000-0x00007FFD1CC60000-memory.dmp

Filesize
64KB

Download
memory/3956-120-0x00007FFD1CC50000-0x00007FFD1CC60000-memory.dmp

Filesize
64KB

Download
memory/3956-430-0x00007FFD1CC50000-0x00007FFD1CC60000-memory.dmp

Filesize
64KB

Download
memory/3956-431-0x00007FFD1CC50000-0x00007FFD1CC60000-memory.dmp

Filesize
64KB

Download
memory/3956-432-0x00007FFD1CC50000-0x00007FFD1CC60000-memory.dmp

Filesize
64KB

Download
memory/3956-433-0x00007FFD1CC50000-0x00007FFD1CC60000-memory.dmp

Filesize
64KB

Download
memory/4864-323-0x0000000002B00000-0x0000000002B5A000-memory.dmp

Filesize
360KB

Download
memory/4864-333-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads