emotet | e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592

General

Target

896596943605538321105519908.doc
Size

270KB
MD5

c8898ca0af2861682e1fb970ae4cdb7e
SHA1

d58c7c6a2a86b825ca042c6b1493ac60e1d85c89
SHA256

e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592
SHA512

471478f93a46c51693c6c81210f47b5d04508ee2028c812e6a258fb42d5c8dfc53b0754d64c33aa0e1c5481fdac4215439b3305240d53e7d910d023391e10edf
SSDEEP

3072:FKQlkhFVDQxhkDzo0qT5e/UDrpgIAww6MVikUiAageLXQcXhq7P3PfdyY:FK+k5DQPkPq5pRO6ezw7P9y

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1144	5080	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 36 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

5080 WINWORD.EXE
5080 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

5080 WINWORD.EXE
5080 WINWORD.EXE
5080 WINWORD.EXE
5080 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
5080	WINWORD.EXE
5080	WINWORD.EXE

pid	process
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 5080 wrote to memory of 1144	5080	WINWORD.EXE	regsvr32.exe
PID 5080 wrote to memory of 1144	5080	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\896596943605538321105519908.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\161903.tmp"
  2⤵
  - Process spawned unexpected child process
  PID:1144
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FSUlVAdEDiyE\uBfoQprr.dll"
    3⤵
    PID:60

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\161903.tmp

Filesize
426.8MB

MD5
f20495d26d0d6f7d8da407da8f91adbf

SHA1
8e3551c33e2068c7271cd6b2f74e65f571835119

SHA256
ff5a792323380e39cfca8007b73f68cc20ce5a4aa78951beda090179d3d27041

SHA512
3a39ef7903afe4116fd4ac4cf20530b1bcac2b71d546e2802b7801f246347b146fcee79b521675ec3383b8ed785033c9c649437a2981624aa79cb6b6bd913c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\161903.tmp

Filesize
498.9MB

MD5
c9500f056f867a79c8aa95bff60fbe2a

SHA1
aef59c05ba0a0338928ca1c521ab7ee5b3a9dd63

SHA256
57cf6ca9c5b2e8ed496ee4e4e8c68c676027539c8757832d06f73f011947178d

SHA512
a97e9ecbc307a746e14d361cdecb56a8a61841e1fc6c5e5bac794987f7a711e87e7660fd8fa480068ab32b772cbf32a8df8795da20278fbef395c1ea0f99a7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\161904.zip

Filesize
972KB

MD5
77cfabf26034b53f7c2471e9aa073847

SHA1
9fb5c65d8c5e7fd0df8ca28ec5fe4a6e5a30c5b8

SHA256
98ac85e40373cd16f6910cfd4bd092ab15a6eda3b513bd09da39b6a29fcb3504

SHA512
25e37745433af2aeb85fa4c9d197efcde802025832b28aa173c89ca417ee42fe1106616d565c51bdda4cec13e8508f7f23aeacc431a010c5f4c68ce5d21040fc

Download Submit
C:\Windows\System32\FSUlVAdEDiyE\uBfoQprr.dll

Filesize
411.4MB

MD5
d0ac0caa821e01a7f9375e9e93b09fce

SHA1
2a6522dd8268a47522d78cbe19a4fee8d099b5f6

SHA256
697488cc6440e6f5d2e1f11c31d9c77242a41db0df5448b3a5af40f2ceb96c53

SHA512
e0bd3c35fb2bcc7b48da7952975b6e7baa39b94bb5a3008f778329842e3f717f00abfb4b67675e47b670b538d200b049d58f8b15c87831645f51033b0e5af98e

Download Submit
memory/1144-179-0x00000000029B0000-0x0000000002A0A000-memory.dmp

Filesize
360KB

Download
memory/1144-183-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/5080-136-0x00007FFABB730000-0x00007FFABB740000-memory.dmp

Filesize
64KB

Download
memory/5080-137-0x00007FFABB730000-0x00007FFABB740000-memory.dmp

Filesize
64KB

Download
memory/5080-135-0x00007FFABB730000-0x00007FFABB740000-memory.dmp

Filesize
64KB

Download
memory/5080-134-0x00007FFABB730000-0x00007FFABB740000-memory.dmp

Filesize
64KB

Download
memory/5080-139-0x00007FFAB9070000-0x00007FFAB9080000-memory.dmp

Filesize
64KB

Download
memory/5080-138-0x00007FFAB9070000-0x00007FFAB9080000-memory.dmp

Filesize
64KB

Download
memory/5080-133-0x00007FFABB730000-0x00007FFABB740000-memory.dmp

Filesize
64KB

Download
memory/5080-208-0x00007FFABB730000-0x00007FFABB740000-memory.dmp

Filesize
64KB

Download
memory/5080-209-0x00007FFABB730000-0x00007FFABB740000-memory.dmp

Filesize
64KB

Download
memory/5080-210-0x00007FFABB730000-0x00007FFABB740000-memory.dmp

Filesize
64KB

Download
memory/5080-211-0x00007FFABB730000-0x00007FFABB740000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads