emotet | 091d65cc343eab8301709efb9461703e8302e0fb52f4121bc20dd073431e32cd

General

Target

091d65cc343eab8301709efb9461703e8302e0fb52f4121bc20dd073431e32cd.doc
Size

208KB
MD5

96ab4a29276cee6daaf4d99286d3402b
SHA1

56a1c1ca9a23b6ee7cdd4bbcc321b6a5263eaedd
SHA256

091d65cc343eab8301709efb9461703e8302e0fb52f4121bc20dd073431e32cd
SHA512

dce4b4afda601436f92ce24271a7e13434dfdb64d6b7a3516197eed960d0137f967df4302b9afb2d18c7f664d22215dfd4488fef6404dffeb7bd00bca817a1a8
SSDEEP

3072:Xe054HEKTduag1iUJ8y9fDfl5a1QqzAwrUGtlz:1ycbEUJ8+bLaOqzAclz

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	664	1808	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 7 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1808 WINWORD.EXE
1808 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

1808 WINWORD.EXE
1808 WINWORD.EXE
1808 WINWORD.EXE
1808 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1808	WINWORD.EXE
1808	WINWORD.EXE

pid	process
1808	WINWORD.EXE
1808	WINWORD.EXE
1808	WINWORD.EXE
1808	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\091d65cc343eab8301709efb9461703e8302e0fb52f4121bc20dd073431e32cd.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\232936.tmp"
2⤵
- Process spawned unexpected child process
PID:664

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QVLcrPDVJNRw\ZzaX.dll"
3⤵
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\232936.tmp
Filesize
313.6MB

MD5
d23ef8e1a0a6838fb234efa14ebd0547

SHA1
aa66869112f288309fe232c0bd5895e2b451b066

SHA256
dd92d2b94d16824dc87acd38dab1aaebc15c33ae641e0bc4a58595551a49bb05

SHA512
3899057abb869e4d291ec2d4f70a30369f3c1f2d12f6d381d82033e407304a215983e3ca0cfa9ca3289a6511608d27c3d07d5f00c7b96b8d314f11006b64fb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\232937.zip
Filesize
976KB

MD5
e5d7704a1e3441724618946d5d66c3a6

SHA1
732d026a2bf709ed43340fe9673eae3b44596763

SHA256
36f289efae6c6611039343a6c60187663cd8088028141ec52cf82ad845907d86

SHA512
20be21dad2f4530d2f5a30c53c1607e6eb5b1a010e47d4000c726f4beef18426ca97b72ec7b0969b9a84988b149054f6c2a6a3b05a8ff2497e5074c350c5d341

Download Submit
\Users\Admin\AppData\Local\Temp\232936.tmp
Filesize
320.1MB

MD5
8cad2e2ceb60e6dd63b038eb46e87194

SHA1
d926d161c988b207ab9ebd2a28c8b6bf828fc6b0

SHA256
01763bf0d410b05173ace57a57ee40e19ca675cf035250fc2a7e923b556cd674

SHA512
6ea66e47e5d249d19a331b30536274935e06fadba718e5858c53bc270d21658603993ee2913db3b8457abfc773500cf1245b1947e11c4a346f23ab2a89a9bf28

Download Submit
memory/664-352-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/664-349-0x0000000001F90000-0x0000000001FEA000-memory.dmp

Filesize
360KB

Download
memory/1808-127-0x00007FFE3FE40000-0x00007FFE3FE50000-memory.dmp

Filesize
64KB

Download
memory/1808-128-0x00007FFE3FE40000-0x00007FFE3FE50000-memory.dmp

Filesize
64KB

Download
memory/1808-121-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

Filesize
64KB

Download
memory/1808-124-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

Filesize
64KB

Download
memory/1808-123-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

Filesize
64KB

Download
memory/1808-122-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

Filesize
64KB

Download
memory/1808-388-0x00000255CBF80000-0x00000255CBFAF000-memory.dmp

Filesize
188KB

Download
memory/1808-477-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

Filesize
64KB

Download
memory/1808-476-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

Filesize
64KB

Download
memory/1808-478-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

Filesize
64KB

Download
memory/1808-479-0x00007FFE43660000-0x00007FFE43670000-memory.dmp

Filesize
64KB

Download
memory/1808-480-0x00000255CBF80000-0x00000255CBFAF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads