Analysis
max time kernel: 102s
max time network: 133s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22-03-2023 16:22
Behavioral task: behavioral1
Sample: e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592.doc
Resource: win10-20230220-en
General
Target: e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592.doc
Size: 270KB
MD5: c8898ca0af2861682e1fb970ae4cdb7e
SHA1: d58c7c6a2a86b825ca042c6b1493ac60e1d85c89
SHA256: e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592
SHA512: 471478f93a46c51693c6c81210f47b5d04508ee2028c812e6a258fb42d5c8dfc53b0754d64c33aa0e1c5481fdac4215439b3305240d53e7d910d023391e10edf
SSDEEP: 3072:FKQlkhFVDQxhkDzo0qT5e/UDrpgIAww6MVikUiAageLXQcXhq7P3PfdyY:FK+k5DQPkPq5pRO6ezw7P9y
Malware Config (extracted)
Family: emotet
Botnet: Epoch4
C2 (ip:port):
213.239.212.5:443
129.232.188.93:443
103.43.75.120:443
197.242.150.244:8080
1.234.2.232:8080
110.232.117.186:8080
95.217.221.146:8080
159.89.202.34:443
159.65.88.10:8080
82.223.21.224:8080
169.57.156.166:8080
45.176.232.124:443
45.235.8.30:8080
173.212.193.249:8080
107.170.39.149:8080
119.59.103.152:8080
167.172.199.165:8080
91.207.28.33:8080
185.4.135.165:8080
104.168.155.143:8080
206.189.28.199:8080
79.137.35.198:8080
103.132.242.26:8080
202.129.205.3:8080
103.75.201.2:443
149.56.131.28:8080
5.135.159.50:443
172.105.226.75:8080
201.94.166.162:443
115.68.227.76:8080
164.90.222.65:443
186.194.240.217:443
153.126.146.25:7080
187.63.160.88:80
209.126.85.32:8080
72.15.201.15:8080
153.92.5.27:8080
167.172.253.162:8080
147.139.166.154:8080
163.44.196.120:8080
183.111.227.137:8080
139.59.126.41:443
164.68.99.3:8080
188.44.20.25:443
94.23.45.86:4143
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process; pid: 5056; pid_target: 2476; process: regsvr32.exe; target process: WINWORD.EXE
-
Loads dropped DLL (1 IoC)
Processes:
- pid: 5056; process: regsvr32.exe
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; process: WINWORD.EXE
-
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
- description: HTTP User-Agent header; flow: 8; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
- pid: 2476; process: WINWORD.EXE (2 hits)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- pid: 5056; process: regsvr32.exe (2 hits)
-
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes:
- pid: 2476; process: WINWORD.EXE (8 hits)
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
- description: PID 2476 wrote to memory of 5056; pid: 2476; process: WINWORD.EXE; target process: regsvr32.exe (2 hits)
- description: PID 5056 wrote to memory of 3316; pid: 5056; process: regsvr32.exe; target process: regsvr32.exe (2 hits)
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
-
   2. C:\Windows\System32\regsvr32.exe (child of process 1)
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\162214.tmp"
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
-
      3. C:\Windows\system32\regsvr32.exe (child of process 2)
         Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KWWwWBWmtSiSYzD\LKsjRivyOH.dll"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\162214.tmp
Filesize: 532.9MB
MD5: 7291fb9bc7cccec7e9688247e80bf297
SHA1: 63ebf96550a6e38539de9e9cbbe976a5855675a4
SHA256: bbaa295c4c2882f357aca0f1f9b6032523431c1e4dd98c998e5e06484f594694
SHA512: 6dcf445f45e1571f15900d93523d220b9dc6c502ed712a65d173dde7b46c869cf0899c7b21d8de5bf5f7f8e173b5cc7a1af2d41566b8b683c9d5661de6e0c9e9
-
C:\Users\Admin\AppData\Local\Temp\162216.zip
Filesize: 972KB
MD5: 77cfabf26034b53f7c2471e9aa073847
SHA1: 9fb5c65d8c5e7fd0df8ca28ec5fe4a6e5a30c5b8
SHA256: 98ac85e40373cd16f6910cfd4bd092ab15a6eda3b513bd09da39b6a29fcb3504
SHA512: 25e37745433af2aeb85fa4c9d197efcde802025832b28aa173c89ca417ee42fe1106616d565c51bdda4cec13e8508f7f23aeacc431a010c5f4c68ce5d21040fc
-
\Users\Admin\AppData\Local\Temp\162214.tmp
Filesize: 532.9MB
MD5: 7291fb9bc7cccec7e9688247e80bf297
SHA1: 63ebf96550a6e38539de9e9cbbe976a5855675a4
SHA256: bbaa295c4c2882f357aca0f1f9b6032523431c1e4dd98c998e5e06484f594694
SHA512: 6dcf445f45e1571f15900d93523d220b9dc6c502ed712a65d173dde7b46c869cf0899c7b21d8de5bf5f7f8e173b5cc7a1af2d41566b8b683c9d5661de6e0c9e9
-
memory/2476-124-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp
Filesize: 64KB
-
memory/2476-127-0x00007FF9CCC40000-0x00007FF9CCC50000-memory.dmp
Filesize: 64KB
-
memory/2476-128-0x00007FF9CCC40000-0x00007FF9CCC50000-memory.dmp
Filesize: 64KB
-
memory/2476-123-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp
Filesize: 64KB
-
memory/2476-122-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp
Filesize: 64KB
-
memory/2476-121-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp
Filesize: 64KB
-
memory/2476-446-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp
Filesize: 64KB
-
memory/2476-447-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp
Filesize: 64KB
-
memory/2476-448-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp
Filesize: 64KB
-
memory/2476-449-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp
Filesize: 64KB
-
memory/5056-335-0x0000000002AA0000-0x0000000002AFA000-memory.dmp
Filesize: 360KB
-
memory/5056-337-0x0000000000F40000-0x0000000000F41000-memory.dmp
Filesize: 4KB