emotet | 091d65cc343eab8301709efb9461703e8302e0fb52f4121bc20dd073431e32cd

General

Target

091d65cc343eab8301709efb9461703e8302e0fb52f4121bc20dd073431e32cd.doc
Size

208KB
MD5

96ab4a29276cee6daaf4d99286d3402b
SHA1

56a1c1ca9a23b6ee7cdd4bbcc321b6a5263eaedd
SHA256

091d65cc343eab8301709efb9461703e8302e0fb52f4121bc20dd073431e32cd
SHA512

dce4b4afda601436f92ce24271a7e13434dfdb64d6b7a3516197eed960d0137f967df4302b9afb2d18c7f664d22215dfd4488fef6404dffeb7bd00bca817a1a8
SSDEEP

3072:Xe054HEKTduag1iUJ8y9fDfl5a1QqzAwrUGtlz:1ycbEUJ8+bLaOqzAclz

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4888	2380	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 7 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2380 WINWORD.EXE
2380 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

2380 WINWORD.EXE
2380 WINWORD.EXE
2380 WINWORD.EXE
2380 WINWORD.EXE
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2380	WINWORD.EXE
2380	WINWORD.EXE

pid	process
2380	WINWORD.EXE
2380	WINWORD.EXE
2380	WINWORD.EXE
2380	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\091d65cc343eab8301709efb9461703e8302e0fb52f4121bc20dd073431e32cd.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2380
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\233726.tmp"
  2⤵
  - Process spawned unexpected child process
  PID:4888
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DYtutUvsx\qUWRjPecYgxZXik.dll"
    3⤵
    PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\233726.tmp

Filesize
292.7MB

MD5
5e7284c4edc602b1ed95ec15be6c5242

SHA1
b81983bf1b1e83103c1bc5ba84717ce0e8e4e315

SHA256
6518cb943493d4e17ad567c636278010e144ff670b0cca7c6c0cfeb9aab036bf

SHA512
d2ad8365317f91a9212bfe3bdff57d600c5840bc69f25021db80a3dce2453d7756fdf89adae35a3cf60ca005151cd2caba604b49d1ac676566a731926829b606

Download Submit
C:\Users\Admin\AppData\Local\Temp\233727.zip

Filesize
976KB

MD5
e5d7704a1e3441724618946d5d66c3a6

SHA1
732d026a2bf709ed43340fe9673eae3b44596763

SHA256
36f289efae6c6611039343a6c60187663cd8088028141ec52cf82ad845907d86

SHA512
20be21dad2f4530d2f5a30c53c1607e6eb5b1a010e47d4000c726f4beef18426ca97b72ec7b0969b9a84988b149054f6c2a6a3b05a8ff2497e5074c350c5d341

Download Submit
\Users\Admin\AppData\Local\Temp\233726.tmp

Filesize
267.5MB

MD5
c344ae61d5f020e4404d0cc3808f0454

SHA1
4ac242cfd8a402711e83e1ab682f4a6cd22e2020

SHA256
4010ac7e0b29e08819bbb7e641dfd94a2bd4bd090a4fb391b71a8026ac2b9290

SHA512
faa642bcd5d044f2a902cfd40aa03c561fd59eb8446e2dd4c8dd4981b328511d0ec8db3be49081d794cdb2be1ffadd13673c6677ef4fd9784c71807f44c03ac2

Download Submit
memory/2380-124-0x00007FFE8FF60000-0x00007FFE8FF70000-memory.dmp

Filesize
64KB

Download
memory/2380-127-0x00007FFE8C760000-0x00007FFE8C770000-memory.dmp

Filesize
64KB

Download
memory/2380-128-0x00007FFE8C760000-0x00007FFE8C770000-memory.dmp

Filesize
64KB

Download
memory/2380-121-0x00007FFE8FF60000-0x00007FFE8FF70000-memory.dmp

Filesize
64KB

Download
memory/2380-123-0x00007FFE8FF60000-0x00007FFE8FF70000-memory.dmp

Filesize
64KB

Download
memory/2380-122-0x00007FFE8FF60000-0x00007FFE8FF70000-memory.dmp

Filesize
64KB

Download
memory/2380-468-0x00007FFE8FF60000-0x00007FFE8FF70000-memory.dmp

Filesize
64KB

Download
memory/2380-470-0x00007FFE8FF60000-0x00007FFE8FF70000-memory.dmp

Filesize
64KB

Download
memory/2380-471-0x00007FFE8FF60000-0x00007FFE8FF70000-memory.dmp

Filesize
64KB

Download
memory/2380-469-0x00007FFE8FF60000-0x00007FFE8FF70000-memory.dmp

Filesize
64KB

Download
memory/4888-359-0x0000000001EB0000-0x0000000001F0A000-memory.dmp

Filesize
360KB

Download
memory/4888-367-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads