Analysis
-
max time kernel: 133s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-03-2023 06:10
Behavioral task: behavioral1
  Sample: Invoice # UK-303840525.doc
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Invoice # UK-303840525.doc
  Resource: win10v2004-20230220-en
General
-
Target: Invoice # UK-303840525.doc
Size: 518.2MB
MD5: 6ba2b050b62b541abf3bda19abcc29ba
SHA1: c60776c4b49d8cdf1bf821646570ee53e5704aed
SHA256: 109cbf26b9b5a08892fa9e23cc5685b5ca7c3d21a433771b22b3d385d425dc88
SHA512: 35c9750958858329dace223c0ab7cce33d6ac7cd9e592e926718e5c438193e177b53780d60def0ac180e0c9adb5512d6023e0f93abc809aa5149c9954485272b
SSDEEP: 3072:brrCtKZF4eqZ627NHRxMvOwvzpl+vk6jZc:5F4eqYwHMvfvzpKk6Nc
Malware Config
-
Extracted: emotet
Botnet: Epoch4
C2 (ip:port):
213.239.212.5:443
129.232.188.93:443
103.43.75.120:443
197.242.150.244:8080
1.234.2.232:8080
110.232.117.186:8080
95.217.221.146:8080
159.89.202.34:443
159.65.88.10:8080
82.223.21.224:8080
169.57.156.166:8080
45.176.232.124:443
45.235.8.30:8080
173.212.193.249:8080
107.170.39.149:8080
119.59.103.152:8080
167.172.199.165:8080
91.207.28.33:8080
185.4.135.165:8080
104.168.155.143:8080
206.189.28.199:8080
79.137.35.198:8080
103.132.242.26:8080
202.129.205.3:8080
103.75.201.2:443
149.56.131.28:8080
5.135.159.50:443
172.105.226.75:8080
201.94.166.162:443
115.68.227.76:8080
164.90.222.65:443
186.194.240.217:443
153.126.146.25:7080
187.63.160.88:80
209.126.85.32:8080
72.15.201.15:8080
153.92.5.27:8080
167.172.253.162:8080
147.139.166.154:8080
163.44.196.120:8080
183.111.227.137:8080
139.59.126.41:443
164.68.99.3:8080
188.44.20.25:443
94.23.45.86:4143
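The extracted config above is only useful once it is turned into something a proxy or firewall log can be matched against. The following is an added example, not code from the sandbox or from the page: it parses the Epoch4 C2 list exactly as listed above into (ip, port) pairs, summarises which ports the botnet listens on, and scans a few constructed proxy log lines (the log format, the internal 10.0.0.x sources and the non-C2 destinations are assumptions) for two indicators this report exposes: a destination that is a listed C2 endpoint, and the WinHttp.WinHttpRequest.5 User-Agent flagged by the "Script User-Agent" signature further down.

```python
import ipaddress
import re
from collections import Counter

# C2 list as extracted on this page (emotet, Epoch4), one ip:port per line.
EPOCH4_C2 = """
213.239.212.5:443
129.232.188.93:443
103.43.75.120:443
197.242.150.244:8080
1.234.2.232:8080
110.232.117.186:8080
95.217.221.146:8080
159.89.202.34:443
159.65.88.10:8080
82.223.21.224:8080
169.57.156.166:8080
45.176.232.124:443
45.235.8.30:8080
173.212.193.249:8080
107.170.39.149:8080
119.59.103.152:8080
167.172.199.165:8080
91.207.28.33:8080
185.4.135.165:8080
104.168.155.143:8080
206.189.28.199:8080
79.137.35.198:8080
103.132.242.26:8080
202.129.205.3:8080
103.75.201.2:443
149.56.131.28:8080
5.135.159.50:443
172.105.226.75:8080
201.94.166.162:443
115.68.227.76:8080
164.90.222.65:443
186.194.240.217:443
153.126.146.25:7080
187.63.160.88:80
209.126.85.32:8080
72.15.201.15:8080
153.92.5.27:8080
167.172.253.162:8080
147.139.166.154:8080
163.44.196.120:8080
183.111.227.137:8080
139.59.126.41:443
164.68.99.3:8080
188.44.20.25:443
94.23.45.86:4143
"""


def parse_c2_list(text):
    """Return a set of (ip, port) tuples, skipping blank or malformed lines."""
    out = set()
    for line in text.splitlines():
        host, sep, port = line.strip().rpartition(":")
        if not sep:
            continue
        try:
            out.add((str(ipaddress.ip_address(host)), int(port)))
        except ValueError:  # not an IP or not a numeric port: ignore the line
            continue
    return out


C2 = parse_c2_list(EPOCH4_C2)


def port_summary(c2=C2):
    """Number of C2 endpoints per listening port."""
    return dict(Counter(port for _, port in c2))


# User-Agent reported by the "Script User-Agent" signature on this page.
SCRIPT_UA = "WinHttp.WinHttpRequest.5"

# Constructed proxy log lines (not from the page): timestamp src dst:port method "user-agent".
SAMPLE_PROXY_LOG = """\
2023-03-23T06:11:02Z 10.0.0.15 213.239.212.5:443 POST "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2023-03-23T06:11:05Z 10.0.0.15 142.250.74.78:443 GET "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/111.0"
2023-03-23T06:11:09Z 10.0.0.22 94.23.45.86:4143 POST "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2023-03-23T06:11:11Z 10.0.0.22 94.23.45.86:443 GET "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/111.0"
2023-03-23T06:11:15Z 10.0.0.31 10.0.0.5:8080 GET "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) (\S+) "(.*)"$')


def scan_proxy_log(text, c2=C2):
    """Flag lines whose destination is a listed C2 endpoint and/or whose UA is the script-host UA."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, _method, ua = m.groups()
        reasons = []
        if (dst, int(port)) in c2:
            reasons.append("c2-match")
        if SCRIPT_UA in ua:
            reasons.append("script-ua")
        if reasons:
            hits.append({"ts": ts, "src": src, "dst": f"{dst}:{port}", "reasons": reasons})
    return hits


if __name__ == "__main__":
    print("C2 endpoints:", len(C2), "ports:", port_summary())
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Matching is done on the (ip, port) pair rather than the bare address: the fourth constructed line goes to 94.23.45.86 on 443, which is not in the list (only 4143 is), and Emotet tier-1 C2s frequently sit on otherwise legitimate hosts, so blocking whole addresses causes collateral damage. The WinHttpRequest User-Agent is also produced by legitimate scripts, which is why it is reported as a separate reason and is most convincing when it coincides with a C2 hit.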
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: regsvr32.exe
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  pid: 372 (regsvr32.exe)    target pid: 4756 (WINWORD.EXE)
-
Loads dropped DLL (2 IoCs)
Processes: regsvr32.exe, regsvr32.exe
  pid 372   regsvr32.exe
  pid 3612  regsvr32.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: regsvr32.exe
  Key created:      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  (regsvr32.exe)
  Set value (str):  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmSdwepY.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\BmwvezDePHrNv\\bmSdwepY.dll\""  (regsvr32.exe)
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  Key opened:        \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (WINWORD.EXE)
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  Key opened:        \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (WINWORD.EXE)
Note that both registry signatures are attributed to WINWORD.EXE itself, not to the dropped DLL, so on their own they are weak evidence; the regsvr32 chain and the Run key are the actionable findings in this report.
-
Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flow 40: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header, flow 34: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header, flow 36: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header, flow 37: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid 4756  WINWORD.EXE  (2 events)
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: regsvr32.exe, regsvr32.exe
  pid 372   regsvr32.exe  (2 events)
  pid 3612  regsvr32.exe  (4 events)
-
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes: WINWORD.EXE
  pid 4756  WINWORD.EXE  (8 events)
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: WINWORD.EXE, regsvr32.exe
  PID 4756 (WINWORD.EXE) wrote to memory of 372 (regsvr32.exe)  (2 events)
  PID 372 (regsvr32.exe) wrote to memory of 3612 (regsvr32.exe)  (2 events)
Processes
-
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (depth 1)
   "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice # UK-303840525.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
-
2. C:\Windows\System32\regsvr32.exe  (depth 2, child of 1)
   "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\071134.tmp"
   - Process spawned unexpected child process
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
-
3. C:\Windows\system32\regsvr32.exe  (depth 3, child of 2)
   C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BmwvezDePHrNv\bmSdwepY.dll"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
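The process tree and the Run key above are the parts of this report worth turning into host-side detection logic. The following is an added example, not code from the sandbox or from the page: it replays the report's chain (WINWORD.EXE, pid 4756, launching regsvr32.exe /s on a .tmp file in the user's Temp directory, which re-launches regsvr32.exe on a DLL in a fresh System32 subdirectory and then writes an HKLM Run value invoking regsvr32.exe) as constructed Sysmon-style events, alongside two made-up benign events, and applies four rules: an Office parent spawning a LOLBin, regsvr32 given a module that is not a .dll, a module under AppData\Local\Temp or in a System32 subdirectory, and a Run value that invokes regsvr32/rundll32. The event schema, the Office and LOLBin lists and the benign msiexec events are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumed lists (not from the page): Office hosts that should not spawn script/loader binaries.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed Sysmon-style events. The first four mirror this report's process tree and
# Run key (paths, PIDs and value data taken from the page); the last two are made-up
# benign events (an MSI installer registering a COM server) that the rules should ignore.
EVENTS = [
    {"type": "process", "pid": 4756, "ppid": 1234,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice # UK-303840525.doc" /o ""'},
    {"type": "process", "pid": 372, "ppid": 4756,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\071134.tmp"'},
    {"type": "process", "pid": 3612, "ppid": 372,
     "image": r"C:\Windows\system32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BmwvezDePHrNv\bmSdwepY.dll"'},
    {"type": "registry", "pid": 3612, "image": r"C:\Windows\system32\regsvr32.exe",
     "key": RUN_KEY + r"\bmSdwepY.dll",
     "value": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BmwvezDePHrNv\bmSdwepY.dll"'},
    {"type": "process", "pid": 5100, "ppid": 5000,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"type": "registry", "pid": 5000, "image": r"C:\Windows\System32\msiexec.exe",
     "key": RUN_KEY + r"\VendorTray", "value": r'"C:\Program Files\Vendor\tray.exe"'},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def regsvr32_target(cmdline):
    """Module path handed to regsvr32: the first argument after the image that is not a /switch."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    return next((t for t in tokens[1:] if not t.startswith("/")), None)


def check_process(ev):
    reasons = []
    img, parent = basename(ev["image"]), basename(ev["parent_image"])
    if parent in OFFICE_APPS and img in LOLBINS:
        reasons.append("office-spawned-lolbin")  # the report's "unexpected child process"
    if img == "regsvr32.exe":
        target = regsvr32_target(ev["cmdline"])
        if target:
            p = PureWindowsPath(target)
            parts = [x.lower() for x in p.parts]
            if p.suffix.lower() != ".dll":
                reasons.append("regsvr32-nondll-module")  # 071134.tmp is a DLL with a .tmp name
            if "\\appdata\\local\\temp\\" in str(p).lower():
                reasons.append("regsvr32-module-in-temp")
            # module in a subdirectory of System32 (System32\<random>\x.dll), not System32 itself
            if "system32" in parts and parts.index("system32") < len(parts) - 2:
                reasons.append("regsvr32-module-in-system32-subdir")
    return reasons


def check_registry(ev):
    reasons = []
    if ev["key"].lower().startswith(RUN_KEY.lower() + "\\"):
        if re.search(r"regsvr32|rundll32", ev["value"], re.I):
            reasons.append("run-key-via-lolbin")
        if basename(ev["image"]) in LOLBINS:
            reasons.append("run-key-written-by-lolbin")
    return reasons


def scan(events=EVENTS):
    """Apply the rules to every event; returns one alert per event that matched at least one."""
    alerts = []
    for ev in events:
        reasons = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        if reasons:
            alerts.append({"pid": ev["pid"], "image": basename(ev["image"]), "reasons": reasons})
    return alerts


def office_rooted_chains(events=EVENTS):
    """For each alerted process, follow ppid links back to an Office parent; returns pid chains."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chains = []
    for ev in events:
        if ev["type"] != "process" or not check_process(ev):
            continue
        chain, cur = [], ev
        while cur is not None:
            chain.append(cur["pid"])
            if basename(cur["image"]) in OFFICE_APPS:
                chains.append(chain[::-1])
                break
            cur = by_pid.get(cur["ppid"])
    return chains


if __name__ == "__main__":
    for alert in scan():
        print(alert)
    print("office-rooted chains:", office_rooted_chains())
```

The second-stage regsvr32 (pid 3612) is not an Office child, so the parent/child rule alone would miss it; it is caught by the System32-subdirectory rule and, separately, by the Run key it writes, and the chain walk ties it back to WINWORD.EXE through pid 372. The benign msiexec events produce no alerts, which is the property to keep when tuning these rules.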
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\071134.tmp
  Filesize: 542.9MB
  MD5: ab738aac06067918090d382e49ecbab5
  SHA1: 67314adab79bbce302b7322a11ff29cfc924ecfa
  SHA256: a60984c160ee6167c5b0594eb4833adf84ad3dc7e98e59abde95345107d6adc7
  SHA512: a7ee4ec9c28a055ee669a322b4ead46bacc380dc36f2d3be9ee9934ce2f06f78585ee00013b8b4ebe3c670c285a9cbface7f3517f1e4745ce75dd38a9edf0109
-
C:\Users\Admin\AppData\Local\Temp\071138.zip
  Filesize: 982KB
  MD5: f353537d0d4d8e3fc5c3aa17383821d9
  SHA1: 841d74a4c9f253800c1526e9c1489995606430df
  SHA256: 4ff5412bbce5981984baaf80a5e5f58da20f21b76733f6fce8f4a68703537e21
  SHA512: 951b4b136fd71e6445aea338a2ff97add949c35796365344d8d156237b8b1745d245970b12915ac6598f199d7ba38d406ca3d02e01835e42b6b9d3db43173b62
-
C:\Windows\System32\BmwvezDePHrNv\bmSdwepY.dll  (same hashes as 071134.tmp: the dropped file was copied under a new name)
  Filesize: 542.9MB
  MD5: ab738aac06067918090d382e49ecbab5
  SHA1: 67314adab79bbce302b7322a11ff29cfc924ecfa
  SHA256: a60984c160ee6167c5b0594eb4833adf84ad3dc7e98e59abde95345107d6adc7
  SHA512: a7ee4ec9c28a055ee669a322b4ead46bacc380dc36f2d3be9ee9934ce2f06f78585ee00013b8b4ebe3c670c285a9cbface7f3517f1e4745ce75dd38a9edf0109
-
memory/372-184-0x0000000001110000-0x0000000001111000-memory.dmp
  Filesize: 4KB
-
memory/372-180-0x0000000002B10000-0x0000000002B6A000-memory.dmp
  Filesize: 360KB
-
memory/4756-138-0x00007FFA98740000-0x00007FFA98750000-memory.dmp
  Filesize: 64KB
-
memory/4756-185-0x000001A6898A0000-0x000001A6898BE000-memory.dmp
  Filesize: 120KB
-
memory/4756-163-0x000001A6898A0000-0x000001A6898BE000-memory.dmp
  Filesize: 120KB
-
memory/4756-133-0x00007FFA9A9F0000-0x00007FFA9AA00000-memory.dmp
  Filesize: 64KB
-
memory/4756-137-0x00007FFA9A9F0000-0x00007FFA9AA00000-memory.dmp
  Filesize: 64KB
-
memory/4756-136-0x00007FFA9A9F0000-0x00007FFA9AA00000-memory.dmp
  Filesize: 64KB
-
memory/4756-135-0x00007FFA9A9F0000-0x00007FFA9AA00000-memory.dmp
  Filesize: 64KB
-
memory/4756-139-0x00007FFA98740000-0x00007FFA98750000-memory.dmp
  Filesize: 64KB
-
memory/4756-134-0x00007FFA9A9F0000-0x00007FFA9AA00000-memory.dmp
  Filesize: 64KB
-
memory/4756-193-0x000001A6898A0000-0x000001A6898BE000-memory.dmp
  Filesize: 120KB
-
memory/4756-199-0x000001A6898A0000-0x000001A6898BE000-memory.dmp
  Filesize: 120KB
-
memory/4756-218-0x00007FFA9A9F0000-0x00007FFA9AA00000-memory.dmp
  Filesize: 64KB
-
memory/4756-219-0x00007FFA9A9F0000-0x00007FFA9AA00000-memory.dmp
  Filesize: 64KB
-
memory/4756-220-0x00007FFA9A9F0000-0x00007FFA9AA00000-memory.dmp
  Filesize: 64KB
-
memory/4756-221-0x00007FFA9A9F0000-0x00007FFA9AA00000-memory.dmp
  Filesize: 64KB