Analysis

  • max time kernel: 17s
  • max time network: 157s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 23-03-2023 07:15

General

  • Target: Invoice# 5140312 23-03-2023_0714.doc
  • Size: 522.2MB
  • MD5: 9fa322450e0bcdc40fa080cf8b49afea
  • SHA1: 9278643d2fce17e9fd8b3ea61ef4ec15830bf2f1
  • SHA256: a0318b404ba8ae1eacbf350dd72c7fc708c184c78170bd715deb1f95356a3c65
  • SHA512: fc56db89c8bbae9c754bf9f7b505dbca774edef95ead849ff5aed76a5f76c1dbc65fca3a6e1ce248b3ad5da78fc765abd7908e2d443f4bece4b53d03c6f82c5a
  • SSDEEP: 3072:brrCtKZF4eqZ627NHRxMvOwvzpl+vk6jZc:5F4eqYwHMvfvzpKk6Nc

Malware Config

Extracted

  • Family: emotet
  • Botnet: Epoch4
  • C2


eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice# 5140312 23-03-2023_0714.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\071602.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:4472
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Ymrkct\aRBzceYxk.dll"
        3⤵
        PID:1532


Downloads

  • C:\Users\Admin\AppData\Local\Temp\071602.tmp
    Filesize: 484.9MB
    MD5: 8beba1dc3a43d34db16ee2dbc659b3a3
    SHA1: 8f0dbc93c0afa1fdff5959642aee504117598167
    SHA256: e550da19f95c7e7a36af8deafd58713b452196840f99fe1515e0ac66daa58d6d
    SHA512: 8ae6c03d40f83e93ea53c6361210b797f034345c5f9d257686c84b390004367c45d4e9ce2d0dd36cd02068abb18d2b798a6e2552498cfbd5860e165202293b78
  • C:\Users\Admin\AppData\Local\Temp\071602.tmp
    Filesize: 536.9MB
    MD5: 3734e7ac83e3013b2eedd095a38b2992
    SHA1: a9fd2e6cb607e3c977f0fc7222e9b190bfc75327
    SHA256: 55a64669009e01b0b719a092a520b5973ce16bab7b1a02985e833d500bc9bfd7
    SHA512: 98d36cc466b4c6ae2dde69145a438bfc7a69379bfd1e76980f4c3bae822b3897de4a24180ef556f053471e815146c4dc29a8991be8bb6dbbbb45dc4e6a921ede
  • C:\Users\Admin\AppData\Local\Temp\071605.zip
    Filesize: 976KB
    MD5: bc9e932d478972c90af6690741aae444
    SHA1: 9220821e851b9f5f1f42a031610d56629e91c4c9
    SHA256: 241d6a4757b73c2cc6c64646157b613fcf0eceb0a91b26d1c5e82f8d32588f0c
    SHA512: 3b300ba550b33a435e388e1857d70b6e7c2a938d6047e23b77763e72a51a286a612da7fae51dce3bd7db8b531e4d35e33f32887717ec94ef1ca2e9c5b528c6c2
  • C:\Windows\System32\Ymrkct\aRBzceYxk.dll
    Filesize: 529.3MB
    MD5: eb25c3f15c5a1b7dae3f6cdcaf799a51
    SHA1: 68904bb5cd82bfb19a909e8b426f4e9800f00a27
    SHA256: 68f6e234e785bacc4dbc7ea948f60c86265941a4cc8e74d96cdd5e7df8882ce7
    SHA512: fc232ee55ae7a31104662049e3b668ad2b0a43ebde08b06dfdb03106d4daa54f09b340c23fdc1f2f754466b19b3de132d0f02df3aecbc701954a83dc2f28c601
  • memory/2344-134-0x00007FFC26730000-0x00007FFC26740000-memory.dmp
    Filesize: 64KB
  • memory/2344-138-0x00007FFC24320000-0x00007FFC24330000-memory.dmp
    Filesize: 64KB
  • memory/2344-139-0x00007FFC24320000-0x00007FFC24330000-memory.dmp
    Filesize: 64KB
  • memory/2344-136-0x00007FFC26730000-0x00007FFC26740000-memory.dmp
    Filesize: 64KB
  • memory/2344-135-0x00007FFC26730000-0x00007FFC26740000-memory.dmp
    Filesize: 64KB
  • memory/2344-137-0x00007FFC26730000-0x00007FFC26740000-memory.dmp
    Filesize: 64KB
  • memory/2344-133-0x00007FFC26730000-0x00007FFC26740000-memory.dmp
    Filesize: 64KB
  • memory/2344-208-0x00007FFC26730000-0x00007FFC26740000-memory.dmp
    Filesize: 64KB
  • memory/2344-209-0x00007FFC26730000-0x00007FFC26740000-memory.dmp
    Filesize: 64KB
  • memory/2344-210-0x00007FFC26730000-0x00007FFC26740000-memory.dmp
    Filesize: 64KB
  • memory/2344-211-0x00007FFC26730000-0x00007FFC26740000-memory.dmp
    Filesize: 64KB
  • memory/4472-177-0x0000000002250000-0x00000000022AA000-memory.dmp
    Filesize: 360KB
  • memory/4472-181-0x0000000000890000-0x0000000000891000-memory.dmp
    Filesize: 4KB