Analysis

  • max time kernel: 38s
  • max time network: 133s
  • platform: windows10-1703_x64
  • resource: win10-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted: 21-03-2023 23:36

General

  • Target: d7e61d7d1f31426d1c59eeab4e60fdd433b6889a548b94129e0ae34fb766a7cf.doc
  • Size: 316KB
  • MD5: bbffa9ec65fa9d04f8642883dda0b382
  • SHA1: ecb2635f063d3b9e6ce58f5f3b634a4c9133fb88
  • SHA256: d7e61d7d1f31426d1c59eeab4e60fdd433b6889a548b94129e0ae34fb766a7cf
  • SHA512: 6d8ff967e88200b846fcbd17506a5c9df548cda33e8033bf0ac3a43de48341b58df52199b7ebe4e6b0b4140238342da9477a5ae64c77a8040e244a19095a37d7
  • SSDEEP: 6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

Malware Config

Extracted

  • Family: emotet
  • Botnet: Epoch4
  • C2


eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d7e61d7d1f31426d1c59eeab4e60fdd433b6889a548b94129e0ae34fb766a7cf.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\003648.tmp"
      2⤵
      • Process spawned unexpected child process
      PID:3240
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OnpnwrvKX\VQetuoYKhixiBeB.dll"
        3⤵
        PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry (3): T1012
    • System Information Discovery (2): T1082


Downloads

  • C:\Users\Admin\AppData\Local\Temp\003648.tmp
    Filesize: 434.2MB
    MD5: a844e51618ed9b36575ab2bd588600b2
    SHA1: 4065958ae199a727f8f7fd26a84567f3915eb4cd
    SHA256: 2d2d34f13893750c6ab7b9b2e983ef17af21c7e637663a025eac92da63acdbec
    SHA512: f24c1b02904dc1ae8a89a24036468380500573655dfdca10497363961716c2ca86235fbbe47eed479841c5bf2190c783590cfc46312aa88d575e1484b927c215
  • C:\Users\Admin\AppData\Local\Temp\003713.zip
    Filesize: 820KB
    MD5: a15b8684891df0bddf58efdcb27755fb
    SHA1: 32b09a7b69397829be27331d15777743a845551d
    SHA256: fc21145c5742e1ab2299c1b74ae1251d49492330512312bf2b310be58ed674c3
    SHA512: 0c478a95e7152562d8b6cad14fae83329190f542b35d65b1c1dfb6a3cf71e66b1890fbb6a79e404c2dceeb87c149be3134d16ce69efbd795fe9006816ed17224
  • \Users\Admin\AppData\Local\Temp\003648.tmp
    Filesize: 430.1MB
    MD5: 62d329897b50ffb21fb202e73afd4bae
    SHA1: c5d790c7cad1029397f9ae5cba89d091c289c232
    SHA256: dc2b387f5500aa7b23dd1014128719b85533343417a671382aace75bb91ae3f5
    SHA512: 0f8725096e697336ec0ea05a12713ae903faf89be740251fbfa65069c688832076208029270cb34eda5f77c95c4767158373aed8d5d6d93e4cdf6bbf99686c11
  • memory/376-122-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp (Filesize: 64KB)
  • memory/376-125-0x00007FFC56F40000-0x00007FFC56F50000-memory.dmp (Filesize: 64KB)
  • memory/376-126-0x00007FFC56F40000-0x00007FFC56F50000-memory.dmp (Filesize: 64KB)
  • memory/376-119-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp (Filesize: 64KB)
  • memory/376-121-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp (Filesize: 64KB)
  • memory/376-120-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp (Filesize: 64KB)
  • memory/376-424-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp (Filesize: 64KB)
  • memory/376-423-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp (Filesize: 64KB)
  • memory/376-425-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp (Filesize: 64KB)
  • memory/376-426-0x00007FFC5AAB0000-0x00007FFC5AAC0000-memory.dmp (Filesize: 64KB)
  • memory/3240-332-0x0000000180000000-0x000000018002D000-memory.dmp (Filesize: 180KB)
  • memory/3240-340-0x0000000000CA0000-0x0000000000CA1000-memory.dmp (Filesize: 4KB)