Analysis
-
max time kernel
100s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
27-03-2023 14:06
Behavioral task
behavioral1
Sample
f5cd7d35fd05501cebed1ed5a6de2559f4285a865683113dd7911767f0d1aa3d.doc
Resource
win10-20230220-en
General
-
Target
f5cd7d35fd05501cebed1ed5a6de2559f4285a865683113dd7911767f0d1aa3d.doc
-
Size
233KB
-
MD5
9117c76bc262f3cdf53675f8cf3a5ab9
-
SHA1
f764356a46d8e585be1d8a364e06d282f7905ec3
-
SHA256
f5cd7d35fd05501cebed1ed5a6de2559f4285a865683113dd7911767f0d1aa3d
-
SHA512
b71f7b333d0418003036c36bda31af644fcc4a8d90f600385a45129a8f5a9d7361ac940d3314f9d91357b7701712773da43f399a4f59d8cedb9ebf9f921db78a
-
SSDEEP
3072:PojYfU2ZqlurLFfzAwHSxzAY1xKT70jQkeOtzMByf8gyp9MAK4dLVi:PSed8uXFfJyKY+TSQHSI28D9hTdc
Malware Config
Extracted
emotet
Epoch4
213.239.212.5:443
129.232.188.93:443
103.43.75.120:443
197.242.150.244:8080
1.234.2.232:8080
110.232.117.186:8080
95.217.221.146:8080
159.89.202.34:443
159.65.88.10:8080
82.223.21.224:8080
169.57.156.166:8080
45.176.232.124:443
45.235.8.30:8080
173.212.193.249:8080
107.170.39.149:8080
119.59.103.152:8080
167.172.199.165:8080
91.207.28.33:8080
185.4.135.165:8080
104.168.155.143:8080
206.189.28.199:8080
79.137.35.198:8080
103.132.242.26:8080
202.129.205.3:8080
103.75.201.2:443
149.56.131.28:8080
5.135.159.50:443
172.105.226.75:8080
201.94.166.162:443
115.68.227.76:8080
164.90.222.65:443
186.194.240.217:443
153.126.146.25:7080
187.63.160.88:80
209.126.85.32:8080
72.15.201.15:8080
153.92.5.27:8080
167.172.253.162:8080
147.139.166.154:8080
163.44.196.120:8080
183.111.227.137:8080
139.59.126.41:443
164.68.99.3:8080
188.44.20.25:443
94.23.45.86:4143
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4416 2168 regsvr32.exe WINWORD.EXE -
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 4416 regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 7 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2168 WINWORD.EXE 2168 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regsvr32.exepid process 4416 regsvr32.exe 4416 regsvr32.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 2168 WINWORD.EXE 2168 WINWORD.EXE 2168 WINWORD.EXE 2168 WINWORD.EXE 2168 WINWORD.EXE 2168 WINWORD.EXE 2168 WINWORD.EXE 2168 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEregsvr32.exedescription pid process target process PID 2168 wrote to memory of 4416 2168 WINWORD.EXE regsvr32.exe PID 2168 wrote to memory of 4416 2168 WINWORD.EXE regsvr32.exe PID 4416 wrote to memory of 676 4416 regsvr32.exe regsvr32.exe PID 4416 wrote to memory of 676 4416 regsvr32.exe regsvr32.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f5cd7d35fd05501cebed1ed5a6de2559f4285a865683113dd7911767f0d1aa3d.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\140655.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\VkFeQCJYw\vaWmXZTg.dll"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\140655.tmpFilesize
516.9MB
MD563ab0ab1ed4483ad09ce0c0402acb55e
SHA1d7185996c898eedb205467e6b6f73030c2baf5ce
SHA256f2616d392cbea6cb86883ce42b7ed0856823c2812e49b334346d7aec8a950e5c
SHA512e1b6425ff2bf945a06bf1a6a6509bc43ae583cdd4f91abdd3aa5c8ce66ee2c7da7f2b5128fd6e900aec0f1f411390df2fdbafd51ccda07d89a0e1ec3ab853448
-
C:\Users\Admin\AppData\Local\Temp\140655.zipFilesize
956KB
MD5766de46cd36b31b55a6afb0634775280
SHA1cfc32453b2b81fcd01399fde8ec74eed033222f4
SHA25672c6403f29d49ccc3fda21f6841923ceab131e81c9c9af5aab524b977b233301
SHA512f277168b290ae68faa0bf4241ddc039e06b85911eb3c4be832b24dc5d8501b1aa0594706551cddafb36e6077170565716c06906136e939338fb24f4ab5a4b4c9
-
\Users\Admin\AppData\Local\Temp\140655.tmpFilesize
516.9MB
MD563ab0ab1ed4483ad09ce0c0402acb55e
SHA1d7185996c898eedb205467e6b6f73030c2baf5ce
SHA256f2616d392cbea6cb86883ce42b7ed0856823c2812e49b334346d7aec8a950e5c
SHA512e1b6425ff2bf945a06bf1a6a6509bc43ae583cdd4f91abdd3aa5c8ce66ee2c7da7f2b5128fd6e900aec0f1f411390df2fdbafd51ccda07d89a0e1ec3ab853448
-
memory/2168-127-0x00007FF7E8F10000-0x00007FF7E8F20000-memory.dmpFilesize
64KB
-
memory/2168-121-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmpFilesize
64KB
-
memory/2168-128-0x00007FF7E8F10000-0x00007FF7E8F20000-memory.dmpFilesize
64KB
-
memory/2168-124-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmpFilesize
64KB
-
memory/2168-329-0x000001987FAF0000-0x000001987FCCF000-memory.dmpFilesize
1.9MB
-
memory/2168-123-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmpFilesize
64KB
-
memory/2168-122-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmpFilesize
64KB
-
memory/2168-460-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmpFilesize
64KB
-
memory/2168-461-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmpFilesize
64KB
-
memory/2168-462-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmpFilesize
64KB
-
memory/2168-463-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmpFilesize
64KB
-
memory/4416-355-0x0000000002990000-0x00000000029EA000-memory.dmpFilesize
360KB
-
memory/4416-363-0x0000000001170000-0x0000000001171000-memory.dmpFilesize
4KB