emotet | e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592

General

Target

e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592.doc
Size

270KB
MD5

c8898ca0af2861682e1fb970ae4cdb7e
SHA1

d58c7c6a2a86b825ca042c6b1493ac60e1d85c89
SHA256

e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592
SHA512

471478f93a46c51693c6c81210f47b5d04508ee2028c812e6a258fb42d5c8dfc53b0754d64c33aa0e1c5481fdac4215439b3305240d53e7d910d023391e10edf
SSDEEP

3072:FKQlkhFVDQxhkDzo0qT5e/UDrpgIAww6MVikUiAageLXQcXhq7P3PfdyY:FK+k5DQPkPq5pRO6ezw7P9y

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	5056	2476	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

5056 regsvr32.exe

pid	process
5056	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 8 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2476 WINWORD.EXE
2476 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

5056 regsvr32.exe
5056 regsvr32.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

2476 WINWORD.EXE
2476 WINWORD.EXE
2476 WINWORD.EXE
2476 WINWORD.EXE
2476 WINWORD.EXE
2476 WINWORD.EXE
2476 WINWORD.EXE
2476 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2476	WINWORD.EXE
2476	WINWORD.EXE

pid	process
5056	regsvr32.exe
5056	regsvr32.exe

pid	process
2476	WINWORD.EXE
2476	WINWORD.EXE
2476	WINWORD.EXE
2476	WINWORD.EXE
2476	WINWORD.EXE
2476	WINWORD.EXE
2476	WINWORD.EXE
2476	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEregsvr32.exe

description	pid	process	target process
PID 2476 wrote to memory of 5056	2476	WINWORD.EXE	regsvr32.exe
PID 2476 wrote to memory of 5056	2476	WINWORD.EXE	regsvr32.exe
PID 5056 wrote to memory of 3316	5056	regsvr32.exe	regsvr32.exe
PID 5056 wrote to memory of 3316	5056	regsvr32.exe	regsvr32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\162214.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KWWwWBWmtSiSYzD\LKsjRivyOH.dll"
3⤵
PID:3316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\162214.tmp
Filesize
532.9MB

MD5
7291fb9bc7cccec7e9688247e80bf297

SHA1
63ebf96550a6e38539de9e9cbbe976a5855675a4

SHA256
bbaa295c4c2882f357aca0f1f9b6032523431c1e4dd98c998e5e06484f594694

SHA512
6dcf445f45e1571f15900d93523d220b9dc6c502ed712a65d173dde7b46c869cf0899c7b21d8de5bf5f7f8e173b5cc7a1af2d41566b8b683c9d5661de6e0c9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\162216.zip
Filesize
972KB

MD5
77cfabf26034b53f7c2471e9aa073847

SHA1
9fb5c65d8c5e7fd0df8ca28ec5fe4a6e5a30c5b8

SHA256
98ac85e40373cd16f6910cfd4bd092ab15a6eda3b513bd09da39b6a29fcb3504

SHA512
25e37745433af2aeb85fa4c9d197efcde802025832b28aa173c89ca417ee42fe1106616d565c51bdda4cec13e8508f7f23aeacc431a010c5f4c68ce5d21040fc

Download Submit
\Users\Admin\AppData\Local\Temp\162214.tmp
Filesize
532.9MB

MD5
7291fb9bc7cccec7e9688247e80bf297

SHA1
63ebf96550a6e38539de9e9cbbe976a5855675a4

SHA256
bbaa295c4c2882f357aca0f1f9b6032523431c1e4dd98c998e5e06484f594694

SHA512
6dcf445f45e1571f15900d93523d220b9dc6c502ed712a65d173dde7b46c869cf0899c7b21d8de5bf5f7f8e173b5cc7a1af2d41566b8b683c9d5661de6e0c9e9

Download Submit
memory/2476-124-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp

Filesize
64KB

Download
memory/2476-127-0x00007FF9CCC40000-0x00007FF9CCC50000-memory.dmp

Filesize
64KB

Download
memory/2476-128-0x00007FF9CCC40000-0x00007FF9CCC50000-memory.dmp

Filesize
64KB

Download
memory/2476-123-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp

Filesize
64KB

Download
memory/2476-122-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp

Filesize
64KB

Download
memory/2476-121-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp

Filesize
64KB

Download
memory/2476-446-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp

Filesize
64KB

Download
memory/2476-447-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp

Filesize
64KB

Download
memory/2476-448-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp

Filesize
64KB

Download
memory/2476-449-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp

Filesize
64KB

Download
memory/5056-335-0x0000000002AA0000-0x0000000002AFA000-memory.dmp

Filesize
360KB

Download
memory/5056-337-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads