Analysis
- max time kernel: 140s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2023 23:29
Behavioral task: behavioral1
- Sample: Kuh.kumamoto-u.ac.doc
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Kuh.kumamoto-u.ac.doc
- Resource: win10v2004-20230221-en
General
- Target: Kuh.kumamoto-u.ac.doc
- Size: 231KB
- MD5: 88a6a16bad4db86859538845078f132c
- SHA1: 7d1ee1b7cc321257aeae09676fa27111c90eee2c
- SHA256: 7770b38eb5e7a7ceba40f2ae8767f4e5714e814e4d338fc20062929c068d149f
- SHA512: 1a397dc2ac81d704603ea7ceda392ed060db8e37d44dde0d8a46ed95760cda84190136572774db8dd27bcb82f104f71640a7ebbc52ab2afc58e1dff79e7b4761
- SSDEEP: 3072:ZA+PsTZ4y349tHRZ8N0AV62fEKJ3GApcRrsUvjUwKZXOl:ZPkTmm4PH8N9VVEi3GRrRyK
Malware Config
Extracted
- Family: emotet
- Botnet: Epoch4
- C2 (IP:port):
213.239.212.5:443
129.232.188.93:443
103.43.75.120:443
197.242.150.244:8080
1.234.2.232:8080
110.232.117.186:8080
95.217.221.146:8080
159.89.202.34:443
159.65.88.10:8080
82.223.21.224:8080
169.57.156.166:8080
45.176.232.124:443
45.235.8.30:8080
173.212.193.249:8080
107.170.39.149:8080
119.59.103.152:8080
167.172.199.165:8080
91.207.28.33:8080
185.4.135.165:8080
104.168.155.143:8080
206.189.28.199:8080
79.137.35.198:8080
103.132.242.26:8080
202.129.205.3:8080
103.75.201.2:443
149.56.131.28:8080
5.135.159.50:443
172.105.226.75:8080
201.94.166.162:443
115.68.227.76:8080
164.90.222.65:443
186.194.240.217:443
153.126.146.25:7080
187.63.160.88:80
209.126.85.32:8080
72.15.201.15:8080
153.92.5.27:8080
167.172.253.162:8080
147.139.166.154:8080
163.44.196.120:8080
183.111.227.137:8080
139.59.126.41:443
164.68.99.3:8080
188.44.20.25:443
94.23.45.86:4143
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | pid: 4828 | pid_target: 4512 | process: regsvr32.exe | target process: WINWORD.EXE
Loads dropped DLL (2 IoCs)
Processes:
- pid: 4828 | process: regsvr32.exe
- pid: 1556 | process: regsvr32.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sIPCda.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\QHPzkxxSTg\\sIPCda.dll\"" | process: regsvr32.exe
- description: Key created | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | process: regsvr32.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | process: WINWORD.EXE
- description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | process: WINWORD.EXE
- description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | process: WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS | process: WINWORD.EXE
- description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | process: WINWORD.EXE
- description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | process: WINWORD.EXE
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
- description: HTTP User-Agent header | flow: 25 | ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
- pid: 4512 | process: WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
- pid: 4828 | process: regsvr32.exe (2 entries)
- pid: 1556 | process: regsvr32.exe (4 entries)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
- pid: 4512 | process: WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
- description: PID 4512 wrote to memory of 4828 | pid: 4512 | process: WINWORD.EXE | target process: regsvr32.exe (2 entries)
- description: PID 4828 wrote to memory of 1556 | pid: 4828 | process: regsvr32.exe | target process: regsvr32.exe (2 entries)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Kuh.kumamoto-u.ac.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\regsvr32.exe (child of 1)
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\002947.tmp"
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\regsvr32.exe (child of 2)
         Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QHPzkxxSTg\sIPCda.dll"
         - Loads dropped DLL
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\002947.tmp
  Filesize: 534.9MB
  MD5: c1207422044546c531c6272122d8ca86
  SHA1: d9706680f9797aab1407658d906fb38035e41d0b
  SHA256: 7510c2f3b2095b817fffcaab8c048c17afe5e8ec75906638e9c709e7e49ea13a
  SHA512: 0d02bd03dab054abc08a9ab0c17e2518a9edb95de814c996c14bbef8bdb595d2a1c772d04b43402a4dce9a88c22ae4f08788189e3f481b2d58618bcfe4009f28
- C:\Users\Admin\AppData\Local\Temp\002952.zip
  Filesize: 974KB
  MD5: b6e41fb09958d9c062ea82d492db0b8b
  SHA1: a21e6959264bb30d0f6ed3066bbae55f03fd7902
  SHA256: 7c92a1613c16ae9c2d401d18e1b13a58a7c96e85ee48ff3a68250ca2e35f00d1
  SHA512: 4d06f870693850d3c0c3fee74331ec50a634a4c904b403644dc332147a44e248d89c2d72c64632b514b7beb7f0a410916277bed9a26ab65b4568da92b71d0ad7
- C:\Windows\System32\QHPzkxxSTg\sIPCda.dll
  Filesize: 534.9MB
  MD5: c1207422044546c531c6272122d8ca86
  SHA1: d9706680f9797aab1407658d906fb38035e41d0b
  SHA256: 7510c2f3b2095b817fffcaab8c048c17afe5e8ec75906638e9c709e7e49ea13a
  SHA512: 0d02bd03dab054abc08a9ab0c17e2518a9edb95de814c996c14bbef8bdb595d2a1c772d04b43402a4dce9a88c22ae4f08788189e3f481b2d58618bcfe4009f28
- memory/4512-139-0x00007FF7F7FA0000-0x00007FF7F7FB0000-memory.dmp
  Filesize: 64KB
- memory/4512-138-0x00007FF7F7FA0000-0x00007FF7F7FB0000-memory.dmp
  Filesize: 64KB
- memory/4512-133-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmp
  Filesize: 64KB
- memory/4512-137-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmp
  Filesize: 64KB
- memory/4512-136-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmp
  Filesize: 64KB
- memory/4512-135-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmp
  Filesize: 64KB
- memory/4512-134-0x00007FF7FA810000-0x00007FF7FA820000-memory.dmp
  Filesize: 64KB
- memory/4828-179-0x0000000002090000-0x00000000020EA000-memory.dmp
  Filesize: 360KB
- memory/4828-183-0x0000000002020000-0x0000000002021000-memory.dmp
  Filesize: 4KB