emotet | 82bf467d5e1f222873695ad23ef1acc82326894eb166f5dd26842e3e12d867cc

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVOICE00000096752 for Hanwha.one
Size

256KB
MD5

2344e967810c8b202d6bd998a9911083
SHA1

1bfd3ac34cf8723ebadedd95edadd2d13cbb4b29
SHA256

82bf467d5e1f222873695ad23ef1acc82326894eb166f5dd26842e3e12d867cc
SHA512

2925e66e14212b15df02da1104c309dabcdb53b77746081b14cc0defa2f6d5b35f9a6b6f5da15a752353fcb054c1a54f43fa92a2cfb0d16bf0f46d24a1d68b3d
SSDEEP

3072:/mUzUfxJ3mY2IsGllOb3HPWaBt5eHrBwsAzUfxJ3mY2IsGllOb3HPWaBtR:SXm5ZGa3v5eHrBwszXm5ZGa3vR

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

WScript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE is not expected to spawn this process	4988	1484	WScript.exe	ONENOTE.EXE

Blocklisted process makes network request 4 IoCs

Processes:

wscript.exe

flow pid process

84 800 wscript.exe
86 800 wscript.exe
89 800 wscript.exe
91 800 wscript.exe

flow	pid	process
84	800	wscript.exe
86	800	wscript.exe
89	800	wscript.exe
91	800	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1928 regsvr32.exe
1532 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1928	regsvr32.exe
1532	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	84	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	89	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	91	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid process

1484 ONENOTE.EXE
1484 ONENOTE.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ONENOTE.EXEregsvr32.exeregsvr32.exe

pid process

1484 ONENOTE.EXE
1484 ONENOTE.EXE
1928 regsvr32.exe
1928 regsvr32.exe
1532 regsvr32.exe
1532 regsvr32.exe
1532 regsvr32.exe
1532 regsvr32.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

ONENOTE.EXE

pid	process
1484	ONENOTE.EXE
1484	ONENOTE.EXE
1484	ONENOTE.EXE
1484	ONENOTE.EXE
1484	ONENOTE.EXE
1484	ONENOTE.EXE
1484	ONENOTE.EXE
1484	ONENOTE.EXE
1484	ONENOTE.EXE
1484	ONENOTE.EXE
1484	ONENOTE.EXE
1484	ONENOTE.EXE
1484	ONENOTE.EXE
1484	ONENOTE.EXE
1484	ONENOTE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ONENOTE.EXEWScript.exewscript.exeregsvr32.exe

description	pid	process	target process
PID 1484 wrote to memory of 4988	1484	ONENOTE.EXE	WScript.exe
PID 1484 wrote to memory of 4988	1484	ONENOTE.EXE	WScript.exe
PID 4988 wrote to memory of 800	4988	WScript.exe	wscript.exe
PID 4988 wrote to memory of 800	4988	WScript.exe	wscript.exe
PID 800 wrote to memory of 1928	800	wscript.exe	regsvr32.exe
PID 800 wrote to memory of 1928	800	wscript.exe	regsvr32.exe
PID 1928 wrote to memory of 1532	1928	regsvr32.exe	regsvr32.exe
PID 1928 wrote to memory of 1532	1928	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\INVOICE00000096752 for Hanwha.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{BB494AD2-0732-4630-B9CB-D0F60DB5EEBB}\NT\0\press to unblock document.vbs"
2⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //E:vbscript C:\Users\Admin\AppData\Local\Temp\rad68BAF62DBdarrad86F0585C3dar.txt
3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\rad481F8ECA9dar\jy56SDD2.dll"
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CxPAOAxN\iYJTsg.dll"
5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin
Filesize
89KB

MD5
7559f0ff4f7e58ed031fe0b4438f4c57

SHA1
e2225573a8877c057319e10029fd85b0a51375a8

SHA256
73527befbcc1ec6716003fc875d578c40e3dfe619349ff288008bab33c90e5d2

SHA512
252d0a52c3b7bca5ea56a14c7ad1e27967b03e3dccfc3b8d79b8e1c474ed625937719af314e74f62583c708b45b937091e8fae7f1e40e56bf261d0f839f94e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin
Filesize
75KB

MD5
f776dd0f1ae059fcf295ade6c5495080

SHA1
ed270bfe2edb7e571ba4acf4b4088aa2a111e57e

SHA256
2130a3bc8050310a7474be0b17a4ea8584e2105cb17316cb463d732665745749

SHA512
2558ab6465af8a782ad02295744cd2d554d03c1ee7aa1689f13e3507a0cec4e73b9f86d1ec9aef346b831ab58758285a8ceda63dc0f834e1378dfa0504490f65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin
Filesize
567B

MD5
d055ce625528e448c61315eaaef5bb71

SHA1
029df4c872b1c154f32e7fe94f434547c3ba6192

SHA256
85bf1e672b4e86e9af0c7874681ec9620dfdc78e0335b83eef38c17d813b6705

SHA512
705b6b729e967fa946469571109aa892f5cb55a01c74d40ae02140d10cbf9b65dd5e511c06ebfe494e407742f8c6f4fbbe88664b78b37abfb2f19db1f66f4247

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{BB494AD2-0732-4630-B9CB-D0F60DB5EEBB}\NT\0\press to unblock document.vbs
Filesize
89KB

MD5
7559f0ff4f7e58ed031fe0b4438f4c57

SHA1
e2225573a8877c057319e10029fd85b0a51375a8

SHA256
73527befbcc1ec6716003fc875d578c40e3dfe619349ff288008bab33c90e5d2

SHA512
252d0a52c3b7bca5ea56a14c7ad1e27967b03e3dccfc3b8d79b8e1c474ed625937719af314e74f62583c708b45b937091e8fae7f1e40e56bf261d0f839f94e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rad481F8ECA9dar\jy56SDD2.dll
Filesize
274.4MB

MD5
f26de64a360acf19c61a826ebb388e9d

SHA1
1c324e985cdb16ecf1e138891b80965a0bf7734a

SHA256
dafe58840942185f4e1038a84b5ba2caa0055e3f0519caaddfd81c5b4a09dec1

SHA512
b7e15a0b100e367951207b9fe19d4d9747e8eecac697ae298e07133e3dc17edd27bb462a51eab4f32ce82b75ea2a4d55bc8ae7a767fea8d189e4637e77e62030

Download Submit
C:\Users\Admin\AppData\Local\Temp\rad481F8ECA9dar\jy56SDD2.dll
Filesize
337.7MB

MD5
4b10cbc0ac9c4c4339d3ad578bc2fbcc

SHA1
71aeace67d37e69436f194e77dee851523af471f

SHA256
ff78e2a1aa08842f9d07a1604427a74ec9ca30fcee3163981f909674cc2c75b8

SHA512
06af9ebc1895af98a4a8b3239f239d01ae89e0accbd2e4e5fee10ac5ec5accd17cc97cbfd80a53ced850c19ceb4d1da9508a3e46603754a9e0bef7dc1e39a097

Download Submit
C:\Users\Admin\AppData\Local\Temp\rad68BAF62DBdarrad86F0585C3dar.txt
Filesize
61KB

MD5
958eb4fa0bfca295216cd6027977fcb8

SHA1
0bc88fb4229a73152b2c33750dd5b5be52fcf287

SHA256
9b32ca5d8a34ae2351bc68500fb6929468c42d0ddda53fba5676410beab6d498

SHA512
4e4e2d84ce82eaa222180e86a2feaa7fdb19108d227ca922c69d30e30ef1ed463c41d540c25f604edd04be86f8490ae8570d2b67a97e0f9f45d048954d32787f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rad8EE2D.tmp.zip
Filesize
966KB

MD5
57168f6ddf67ddfe7b6cdc091d287822

SHA1
26332d19f263d39bfec79c71d49e544cf621b9c2

SHA256
060a8aa4f11d02a1f936b594b8a5af15cc93729119c5656ad14e42a846e7b629

SHA512
bf9ccd1a85596d1871f85886038a13839cd342d4a1bb3a6f2b1909f0365e2cd6e493d44973abd48bf07f8fc44ed13a4ea880ec9680ddd40642f05356cfd4d964

Download Submit
C:\Windows\System32\CxPAOAxN\iYJTsg.dll
Filesize
285.8MB

MD5
1578503907fb262910bd32c7a9b09ea5

SHA1
108364e01437f5142264781d90f4027244748faf

SHA256
cfa6cdfdec5b47a77c9d92c258989884086992348b5e7687b2de66f00ffc0f98

SHA512
520e560561b6bbe8e8ed2b6eb1997b110ebf193d0a64de98174942c83544a27d64c9eb77204fd13893b459f6b831caead6e015a73dd3cf73dae74dcb13ba30fb

Download Submit
memory/1484-139-0x00007FFF7B470000-0x00007FFF7B480000-memory.dmp

Filesize
64KB

Download
memory/1484-138-0x00007FFF7B470000-0x00007FFF7B480000-memory.dmp

Filesize
64KB

Download
memory/1484-137-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp

Filesize
64KB

Download
memory/1484-136-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp

Filesize
64KB

Download
memory/1484-133-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp

Filesize
64KB

Download
memory/1484-135-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp

Filesize
64KB

Download
memory/1484-134-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp

Filesize
64KB

Download
memory/1928-234-0x0000000002A80000-0x0000000002ADA000-memory.dmp

Filesize
360KB

Download
memory/1928-238-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download