Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
22-03-2023 09:59
Behavioral task
behavioral1
Sample
Example.co.doc
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Example.co.doc
Resource
win10v2004-20230220-en
General
-
Target
Example.co.doc
-
Size
226KB
-
MD5
22edd303f28f432bf8f89ec959819ae8
-
SHA1
3b25e29328339c5a2eef8d3140015ff47fe541c1
-
SHA256
56387ffecce60cba738357c8c265b02eeabf088449f7d2904fcadb84cba79450
-
SHA512
0cb8241ec4e9eb8476d082f9fd2a28dfc0b60e544b4cd5eab6f8696caa94a5060d97c1894bf228f7b21feaf5aa568513ee0fd46f2e1dd4914f4076384862c103
-
SSDEEP
3072:brrCtKZF4eqZ627NHRxMvOwvzpl+vk6jZc:5F4eqYwHMvfvzpKk6Nc
Malware Config
Extracted
emotet
Epoch4
213.239.212.5:443
129.232.188.93:443
103.43.75.120:443
197.242.150.244:8080
1.234.2.232:8080
110.232.117.186:8080
95.217.221.146:8080
159.89.202.34:443
159.65.88.10:8080
82.223.21.224:8080
169.57.156.166:8080
45.176.232.124:443
45.235.8.30:8080
173.212.193.249:8080
107.170.39.149:8080
119.59.103.152:8080
167.172.199.165:8080
91.207.28.33:8080
185.4.135.165:8080
104.168.155.143:8080
206.189.28.199:8080
79.137.35.198:8080
103.132.242.26:8080
202.129.205.3:8080
103.75.201.2:443
149.56.131.28:8080
5.135.159.50:443
172.105.226.75:8080
201.94.166.162:443
115.68.227.76:8080
164.90.222.65:443
186.194.240.217:443
153.126.146.25:7080
187.63.160.88:80
209.126.85.32:8080
72.15.201.15:8080
153.92.5.27:8080
167.172.253.162:8080
147.139.166.154:8080
163.44.196.120:8080
183.111.227.137:8080
139.59.126.41:443
164.68.99.3:8080
188.44.20.25:443
94.23.45.86:4143
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4412 4116 regsvr32.exe WINWORD.EXE -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 4412 regsvr32.exe 1484 regsvr32.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
regsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NDsebe.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\ZfLYBZGnsNZS\\NDsebe.dll\"" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 37 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 39 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 40 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 49 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4116 WINWORD.EXE 4116 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 4412 regsvr32.exe 4412 regsvr32.exe 1484 regsvr32.exe 1484 regsvr32.exe 1484 regsvr32.exe 1484 regsvr32.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE 4116 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEregsvr32.exedescription pid process target process PID 4116 wrote to memory of 4412 4116 WINWORD.EXE regsvr32.exe PID 4116 wrote to memory of 4412 4116 WINWORD.EXE regsvr32.exe PID 4412 wrote to memory of 1484 4412 regsvr32.exe regsvr32.exe PID 4412 wrote to memory of 1484 4412 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Example.co.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\110001.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZfLYBZGnsNZS\NDsebe.dll"3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1484
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
522.9MB
MD5f2628c5dce23002e36de9ef4868dd355
SHA168ed54d8f41846e4ae6aa307db273a78366b19b2
SHA256439ea1f948d9fe110f5d72c5adf2cd96843bfef8214351f733f8ed92afefc24e
SHA512760fddc7777cc34432ba43768483342d6954ae3e6b013b06fc2f6bbac508bafd3a6517a490f5a642514d559d496f77a98c84542851e17ad8e3b8e17c16f51083
-
Filesize
522.9MB
MD5f2628c5dce23002e36de9ef4868dd355
SHA168ed54d8f41846e4ae6aa307db273a78366b19b2
SHA256439ea1f948d9fe110f5d72c5adf2cd96843bfef8214351f733f8ed92afefc24e
SHA512760fddc7777cc34432ba43768483342d6954ae3e6b013b06fc2f6bbac508bafd3a6517a490f5a642514d559d496f77a98c84542851e17ad8e3b8e17c16f51083
-
Filesize
962KB
MD5facbee8335997018721773ddc6bc1e5d
SHA1e1016d9024c04f8cbb796df87b484dd05592e10b
SHA256b2e1b0128f1ed95eff9a9786a380976f2477cd3a916f1074f622840318d3654a
SHA512821c8f16567eba7578b519ed4ad55daf60c0702472cbe3db6b59fdf4cc77038a3121e7db8001efb7091d1701e4245d22306390440b58449dc7fa45472d0b4dba
-
Filesize
522.9MB
MD5f2628c5dce23002e36de9ef4868dd355
SHA168ed54d8f41846e4ae6aa307db273a78366b19b2
SHA256439ea1f948d9fe110f5d72c5adf2cd96843bfef8214351f733f8ed92afefc24e
SHA512760fddc7777cc34432ba43768483342d6954ae3e6b013b06fc2f6bbac508bafd3a6517a490f5a642514d559d496f77a98c84542851e17ad8e3b8e17c16f51083