Analysis
- max time kernel: 295s
- max time network: 304s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-03-2023 12:35
General
- Target: I607556974763894155_202303091150.doc
- Size: 533.2MB
- MD5: 2cb667a03f558840691118c9437e2d56
- SHA1: 5042aba71555afa293f065bf79c419975cf3def2
- SHA256: 6bc339b7860ac85d99a79a5a06665408d6971d987e1e7391862ca071a862190a
- SHA512: 3ee17cf284c8537271dc4e0054ee601fa046a7cd8e34feb6fa592d77a4047ab2d31308711beffefd32df15f33a84696b1f5a25eb5f02c487db25bf82d24e016a
- SSDEEP: 3072:vpt3LDPYvrTr3jvZNWGBStinoLVMcXyHtt5YC7EGIuGEMYDDK6:H3AvrTPRUGpmpXqWCoGIuGEMY
Malware Config
- Extracted: emotet, Epoch4
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  - description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | pid: 1036 | pid_target: 976 | process: regsvr32.exe | target process: WINWORD.EXE
- Loads dropped DLL (2 IoCs)
  Processes:
  - pid: 1036 | process: regsvr32.exe
  - pid: 1792 | process: regsvr32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | process: WINWORD.EXE
  - description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | process: WINWORD.EXE
  - description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | process: WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | process: WINWORD.EXE
  - description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS | process: WINWORD.EXE
  - description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | process: WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
  - pid: 976 | process: WINWORD.EXE (2 hits)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  - pid: 1036 | process: regsvr32.exe (2 hits)
  - pid: 1792 | process: regsvr32.exe (4 hits)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  - pid: 976 | process: WINWORD.EXE (3 hits)
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes:
  - pid: 976 | process: WINWORD.EXE (8 hits)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  - description: PID 976 wrote to memory of 1036 | pid: 976 | process: WINWORD.EXE | target process: regsvr32.exe (2 hits)
  - description: PID 1036 wrote to memory of 1792 | pid: 1036 | process: regsvr32.exe | target process: regsvr32.exe (2 hits)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\I607556974763894155_202303091150.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\regsvr32.exe (depth 2)
    Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\143643.tmp"
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe (depth 3)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VEougIUNAC\NfMcan.dll"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\143643.tmp
  Filesize: 507.5MB
  MD5: 2a5d001b7ee97ea58deffaf5eb4b87b0
  SHA1: 3572156efa1d3916e10f9116172042336c464a63
  SHA256: b20b57361708b67495dede5e2f995367f7f0e5a565c6fd1545c17e15a5265169
  SHA512: 639f3b847977ba41b445ca51263624e00ca7dfdc037ace78a41238bdd3340c2c4507ff0c4c5ba4ae872029703de4e992fd9e8412555457a81f650b6a7366a012
- C:\Users\Admin\AppData\Local\Temp\143647.zip
  Filesize: 802KB
  MD5: 6d8112d253a2af0c68ec39f43949922b
  SHA1: d3fc113c674a389251414a15569fa899735161ff
  SHA256: f6a8942341ba34b8a32c0910504007fadeb4f73fd6c9dbecdee51b29982cc19a
  SHA512: 6bd41807660d5341ed83ae294d6196e87308524e683b2db007c0ca10a43111986946287d01629a1b3f88b25dabbd748a523a3df361f60337a27f76c66fa0e00b
- C:\Windows\System32\VEougIUNAC\NfMcan.dll
  Filesize: 507.5MB
  MD5: 2a5d001b7ee97ea58deffaf5eb4b87b0
  SHA1: 3572156efa1d3916e10f9116172042336c464a63
  SHA256: b20b57361708b67495dede5e2f995367f7f0e5a565c6fd1545c17e15a5265169
  SHA512: 639f3b847977ba41b445ca51263624e00ca7dfdc037ace78a41238bdd3340c2c4507ff0c4c5ba4ae872029703de4e992fd9e8412555457a81f650b6a7366a012
- memory/976-136-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp (Filesize: 64KB)
- memory/976-138-0x00007FF9DEB10000-0x00007FF9DEB20000-memory.dmp (Filesize: 64KB)
- memory/976-139-0x00007FF9DEB10000-0x00007FF9DEB20000-memory.dmp (Filesize: 64KB)
- memory/976-137-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp (Filesize: 64KB)
- memory/976-133-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp (Filesize: 64KB)
- memory/976-134-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp (Filesize: 64KB)
- memory/976-135-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp (Filesize: 64KB)
- memory/1036-193-0x0000000180000000-0x000000018002D000-memory.dmp (Filesize: 180KB)
- memory/1036-198-0x0000000000E90000-0x0000000000E91000-memory.dmp (Filesize: 4KB)