Analysis
-
max time kernel
17s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
23-03-2023 07:15
Behavioral task
behavioral1
Sample
Invoice# 5140312 23-03-2023_0714.doc
Resource
win7-20230220-en
General
-
Target
Invoice# 5140312 23-03-2023_0714.doc
-
Size
522.2MB
-
MD5
9fa322450e0bcdc40fa080cf8b49afea
-
SHA1
9278643d2fce17e9fd8b3ea61ef4ec15830bf2f1
-
SHA256
a0318b404ba8ae1eacbf350dd72c7fc708c184c78170bd715deb1f95356a3c65
-
SHA512
fc56db89c8bbae9c754bf9f7b505dbca774edef95ead849ff5aed76a5f76c1dbc65fca3a6e1ce248b3ad5da78fc765abd7908e2d443f4bece4b53d03c6f82c5a
-
SSDEEP
3072:brrCtKZF4eqZ627NHRxMvOwvzpl+vk6jZc:5F4eqYwHMvfvzpKk6Nc
Malware Config
Extracted
emotet
Epoch4
213.239.212.5:443
129.232.188.93:443
103.43.75.120:443
197.242.150.244:8080
1.234.2.232:8080
110.232.117.186:8080
95.217.221.146:8080
159.89.202.34:443
159.65.88.10:8080
82.223.21.224:8080
169.57.156.166:8080
45.176.232.124:443
45.235.8.30:8080
173.212.193.249:8080
107.170.39.149:8080
119.59.103.152:8080
167.172.199.165:8080
91.207.28.33:8080
185.4.135.165:8080
104.168.155.143:8080
206.189.28.199:8080
79.137.35.198:8080
103.132.242.26:8080
202.129.205.3:8080
103.75.201.2:443
149.56.131.28:8080
5.135.159.50:443
172.105.226.75:8080
201.94.166.162:443
115.68.227.76:8080
164.90.222.65:443
186.194.240.217:443
153.126.146.25:7080
187.63.160.88:80
209.126.85.32:8080
72.15.201.15:8080
153.92.5.27:8080
167.172.253.162:8080
147.139.166.154:8080
163.44.196.120:8080
183.111.227.137:8080
139.59.126.41:443
164.68.99.3:8080
188.44.20.25:443
94.23.45.86:4143
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4472 2344 regsvr32.exe WINWORD.EXE -
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 4472 regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 37 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 45 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 34 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 36 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2344 WINWORD.EXE 2344 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regsvr32.exepid process 4472 regsvr32.exe 4472 regsvr32.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 2344 WINWORD.EXE 2344 WINWORD.EXE 2344 WINWORD.EXE 2344 WINWORD.EXE 2344 WINWORD.EXE 2344 WINWORD.EXE 2344 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 2344 wrote to memory of 4472 2344 WINWORD.EXE regsvr32.exe PID 2344 wrote to memory of 4472 2344 WINWORD.EXE regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice# 5140312 23-03-2023_0714.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\071602.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4472 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\Ymrkct\aRBzceYxk.dll"3⤵PID:1532
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
484.9MB
MD58beba1dc3a43d34db16ee2dbc659b3a3
SHA18f0dbc93c0afa1fdff5959642aee504117598167
SHA256e550da19f95c7e7a36af8deafd58713b452196840f99fe1515e0ac66daa58d6d
SHA5128ae6c03d40f83e93ea53c6361210b797f034345c5f9d257686c84b390004367c45d4e9ce2d0dd36cd02068abb18d2b798a6e2552498cfbd5860e165202293b78
-
Filesize
536.9MB
MD53734e7ac83e3013b2eedd095a38b2992
SHA1a9fd2e6cb607e3c977f0fc7222e9b190bfc75327
SHA25655a64669009e01b0b719a092a520b5973ce16bab7b1a02985e833d500bc9bfd7
SHA51298d36cc466b4c6ae2dde69145a438bfc7a69379bfd1e76980f4c3bae822b3897de4a24180ef556f053471e815146c4dc29a8991be8bb6dbbbb45dc4e6a921ede
-
Filesize
976KB
MD5bc9e932d478972c90af6690741aae444
SHA19220821e851b9f5f1f42a031610d56629e91c4c9
SHA256241d6a4757b73c2cc6c64646157b613fcf0eceb0a91b26d1c5e82f8d32588f0c
SHA5123b300ba550b33a435e388e1857d70b6e7c2a938d6047e23b77763e72a51a286a612da7fae51dce3bd7db8b531e4d35e33f32887717ec94ef1ca2e9c5b528c6c2
-
Filesize
529.3MB
MD5eb25c3f15c5a1b7dae3f6cdcaf799a51
SHA168904bb5cd82bfb19a909e8b426f4e9800f00a27
SHA25668f6e234e785bacc4dbc7ea948f60c86265941a4cc8e74d96cdd5e7df8882ce7
SHA512fc232ee55ae7a31104662049e3b668ad2b0a43ebde08b06dfdb03106d4daa54f09b340c23fdc1f2f754466b19b3de132d0f02df3aecbc701954a83dc2f28c601