emotet | c482bddf2e6bcfa06f30bd8080f527aa1afa34397d489c417ec374bde2eea841

General

Target

c482bddf2e6bcfa06f30bd8080f527aa1afa34397d489c417ec374bde2eea841.doc
Size

245KB
MD5

742bd4ba74940549338dc1715192d99c
SHA1

793e2a75e17c37ab42ac46fb1683a01b23b60315
SHA256

c482bddf2e6bcfa06f30bd8080f527aa1afa34397d489c417ec374bde2eea841
SHA512

a2235e0c6679076ab2be7bc834fa6ed8c7b0f22db1e821f14fe7cc4e4731848371d9e6b8e27dae1b204b762e97059bda3fcc1c63c6af647953604bfffdc8957d
SSDEEP

3072:zORzi7NJxZv/H11khtBO8E1CcQZKwKUHblp+akplFapqZU5OVbjnow:SRG7LL3HutFaCcy7XblEagFakZU5O

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3308	2264	regsvr32.exe	65

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2264	WINWORD.EXE
2264	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2264	WINWORD.EXE
2264	WINWORD.EXE
2264	WINWORD.EXE
2264	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 3308	2264	WINWORD.EXE	69
PID 2264 wrote to memory of 3308	2264	WINWORD.EXE	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c482bddf2e6bcfa06f30bd8080f527aa1afa34397d489c417ec374bde2eea841.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\002953.tmp"
  2⤵
  - Process spawned unexpected child process
  PID:3308
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VONkDoiQUMPIDeQG\FHrxmpqtV.dll"
    3⤵
    PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\002953.tmp

Filesize
455.1MB

MD5
f6cb1cfe0d32ef30d459017eb25fe2dd

SHA1
f70dc1cf95f6b47885a786359c9c28bb9bad7da7

SHA256
5b98fdf4d3a535141bc645a892fa6f13b9c80fadea74d596dd8254cbf53ea373

SHA512
706bdf22ea700f131fed29bcc4c5e2dacaf7262d51a6ea0c2a6a9748bef121da27ec9cc6f7b2e47ea30fcbc9f666eef14b26f4dc6b4f09d36d87711a175adaa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\003015.zip

Filesize
984KB

MD5
ffec2c48d1641a54d5e6d4d34566b304

SHA1
492f6885bcd96b54caec9d4f700ab6d4674fc989

SHA256
71e5b8bcc439d7c28ce77eedbb8416f8934ad7565c1631ec8208a0b2bfc174ea

SHA512
22d1640dce811e4fe937cf74d808bd3f0a9d4b1f2061c4ee17e726dd78d1c8203645e6958e6f9ac0386010c2ecc716eed77535547ad601cca7f482e1cda36243

Download Submit
\Users\Admin\AppData\Local\Temp\002953.tmp

Filesize
454.8MB

MD5
175f28b0dfe6389bf511f1acecbf25f9

SHA1
62c04d11280fd2471d81ae03e83649bbada5592c

SHA256
3c5d0a0e330c24ccac99cd6d119696f3abebeca74f38cddcc065f926026414d6

SHA512
48c2c5b207e075b0e52f763182e2c93bee1fe4a20e7ab5618b245495ede7f34c7c9e4648ed2583b520e3ab7673f9b37b6333491d04bcef5db7abdf87345a885a

Download Submit
memory/2264-124-0x00007FFD49660000-0x00007FFD49670000-memory.dmp

Filesize
64KB

Download
memory/2264-127-0x00007FFD46520000-0x00007FFD46530000-memory.dmp

Filesize
64KB

Download
memory/2264-129-0x00007FFD46520000-0x00007FFD46530000-memory.dmp

Filesize
64KB

Download
memory/2264-121-0x00007FFD49660000-0x00007FFD49670000-memory.dmp

Filesize
64KB

Download
memory/2264-123-0x00007FFD49660000-0x00007FFD49670000-memory.dmp

Filesize
64KB

Download
memory/2264-122-0x00007FFD49660000-0x00007FFD49670000-memory.dmp

Filesize
64KB

Download
memory/2264-438-0x00007FFD49660000-0x00007FFD49670000-memory.dmp

Filesize
64KB

Download
memory/2264-439-0x00007FFD49660000-0x00007FFD49670000-memory.dmp

Filesize
64KB

Download
memory/2264-441-0x00007FFD49660000-0x00007FFD49670000-memory.dmp

Filesize
64KB

Download
memory/2264-440-0x00007FFD49660000-0x00007FFD49670000-memory.dmp

Filesize
64KB

Download
memory/3308-329-0x0000000002960000-0x00000000029BA000-memory.dmp

Filesize
360KB

Download
memory/3308-344-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads