emotet | d7e61d7d1f31426d1c59eeab4e60fdd433b6889a548b94129e0ae34fb766a7cf

General

Target

d7e61d7d1f31426d1c59eeab4e60fdd433b6889a548b94129e0ae34fb766a7cf.doc
Size

316KB
MD5

bbffa9ec65fa9d04f8642883dda0b382
SHA1

ecb2635f063d3b9e6ce58f5f3b634a4c9133fb88
SHA256

d7e61d7d1f31426d1c59eeab4e60fdd433b6889a548b94129e0ae34fb766a7cf
SHA512

6d8ff967e88200b846fcbd17506a5c9df548cda33e8033bf0ac3a43de48341b58df52199b7ebe4e6b0b4140238342da9477a5ae64c77a8040e244a19095a37d7
SSDEEP

6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3240	376	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

376 WINWORD.EXE
376 WINWORD.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

376 WINWORD.EXE
376 WINWORD.EXE
376 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

376 WINWORD.EXE
376 WINWORD.EXE
376 WINWORD.EXE
376 WINWORD.EXE

pid	process
376	WINWORD.EXE
376	WINWORD.EXE

pid	process
376	WINWORD.EXE
376	WINWORD.EXE
376	WINWORD.EXE

pid	process
376	WINWORD.EXE
376	WINWORD.EXE
376	WINWORD.EXE
376	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 376 wrote to memory of 3240	376	WINWORD.EXE	regsvr32.exe
PID 376 wrote to memory of 3240	376	WINWORD.EXE	regsvr32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d7e61d7d1f31426d1c59eeab4e60fdd433b6889a548b94129e0ae34fb766a7cf.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\003648.tmp"
  2⤵
  - Process spawned unexpected child process
  PID:3240
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OnpnwrvKX\VQetuoYKhixiBeB.dll"
    3⤵
    PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\003648.tmp

Filesize
434.2MB

MD5
a844e51618ed9b36575ab2bd588600b2

SHA1
4065958ae199a727f8f7fd26a84567f3915eb4cd

SHA256
2d2d34f13893750c6ab7b9b2e983ef17af21c7e637663a025eac92da63acdbec

SHA512
f24c1b02904dc1ae8a89a24036468380500573655dfdca10497363961716c2ca86235fbbe47eed479841c5bf2190c783590cfc46312aa88d575e1484b927c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\003713.zip

Filesize
820KB

MD5
a15b8684891df0bddf58efdcb27755fb

SHA1
32b09a7b69397829be27331d15777743a845551d

SHA256
fc21145c5742e1ab2299c1b74ae1251d49492330512312bf2b310be58ed674c3

SHA512
0c478a95e7152562d8b6cad14fae83329190f542b35d65b1c1dfb6a3cf71e66b1890fbb6a79e404c2dceeb87c149be3134d16ce69efbd795fe9006816ed17224

Download Submit
\Users\Admin\AppData\Local\Temp\003648.tmp

Filesize
430.1MB

MD5
62d329897b50ffb21fb202e73afd4bae

SHA1
c5d790c7cad1029397f9ae5cba89d091c289c232

SHA256
dc2b387f5500aa7b23dd1014128719b85533343417a671382aace75bb91ae3f5

SHA512
0f8725096e697336ec0ea05a12713ae903faf89be740251fbfa65069c688832076208029270cb34eda5f77c95c4767158373aed8d5d6d93e4cdf6bbf99686c11

Download Submit
memory/376-122-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp

Filesize
64KB

Download
memory/376-125-0x00007FFC56F40000-0x00007FFC56F50000-memory.dmp

Filesize
64KB

Download
memory/376-126-0x00007FFC56F40000-0x00007FFC56F50000-memory.dmp

Filesize
64KB

Download
memory/376-119-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp

Filesize
64KB

Download
memory/376-121-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp

Filesize
64KB

Download
memory/376-120-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp

Filesize
64KB

Download
memory/376-424-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp

Filesize
64KB

Download
memory/376-423-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp

Filesize
64KB

Download
memory/376-425-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp

Filesize
64KB

Download
memory/376-426-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp

Filesize
64KB

Download
memory/3240-332-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/3240-340-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads