emotet | 5a8b010e3f79dfe11479afc32c8fcea24763975d4a95eec36720d1f369e8255b

General

Target

I607556974763894155_202303091150.doc
Size

533.2MB
MD5

2cb667a03f558840691118c9437e2d56
SHA1

5042aba71555afa293f065bf79c419975cf3def2
SHA256

6bc339b7860ac85d99a79a5a06665408d6971d987e1e7391862ca071a862190a
SHA512

3ee17cf284c8537271dc4e0054ee601fa046a7cd8e34feb6fa592d77a4047ab2d31308711beffefd32df15f33a84696b1f5a25eb5f02c487db25bf82d24e016a
SSDEEP

3072:vpt3LDPYvrTr3jvZNWGBStinoLVMcXyHtt5YC7EGIuGEMYDDK6:H3AvrTPRUGpmpXqWCoGIuGEMY

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1036	976	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1036 regsvr32.exe
1792 regsvr32.exe

pid	process
1036	regsvr32.exe
1792	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

976 WINWORD.EXE
976 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1036 regsvr32.exe
1036 regsvr32.exe
1792 regsvr32.exe
1792 regsvr32.exe
1792 regsvr32.exe
1792 regsvr32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

976 WINWORD.EXE
976 WINWORD.EXE
976 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

976 WINWORD.EXE
976 WINWORD.EXE
976 WINWORD.EXE
976 WINWORD.EXE
976 WINWORD.EXE
976 WINWORD.EXE
976 WINWORD.EXE
976 WINWORD.EXE

pid	process
976	WINWORD.EXE
976	WINWORD.EXE

pid	process
1036	regsvr32.exe
1036	regsvr32.exe
1792	regsvr32.exe
1792	regsvr32.exe
1792	regsvr32.exe
1792	regsvr32.exe

pid	process
976	WINWORD.EXE
976	WINWORD.EXE
976	WINWORD.EXE

pid	process
976	WINWORD.EXE
976	WINWORD.EXE
976	WINWORD.EXE
976	WINWORD.EXE
976	WINWORD.EXE
976	WINWORD.EXE
976	WINWORD.EXE
976	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEregsvr32.exe

description	pid	process	target process
PID 976 wrote to memory of 1036	976	WINWORD.EXE	regsvr32.exe
PID 976 wrote to memory of 1036	976	WINWORD.EXE	regsvr32.exe
PID 1036 wrote to memory of 1792	1036	regsvr32.exe	regsvr32.exe
PID 1036 wrote to memory of 1792	1036	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\I607556974763894155_202303091150.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\143643.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VEougIUNAC\NfMcan.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\143643.tmp
Filesize
507.5MB

MD5
2a5d001b7ee97ea58deffaf5eb4b87b0

SHA1
3572156efa1d3916e10f9116172042336c464a63

SHA256
b20b57361708b67495dede5e2f995367f7f0e5a565c6fd1545c17e15a5265169

SHA512
639f3b847977ba41b445ca51263624e00ca7dfdc037ace78a41238bdd3340c2c4507ff0c4c5ba4ae872029703de4e992fd9e8412555457a81f650b6a7366a012

Download Submit
C:\Users\Admin\AppData\Local\Temp\143643.tmp
Filesize
507.5MB

MD5
2a5d001b7ee97ea58deffaf5eb4b87b0

SHA1
3572156efa1d3916e10f9116172042336c464a63

SHA256
b20b57361708b67495dede5e2f995367f7f0e5a565c6fd1545c17e15a5265169

SHA512
639f3b847977ba41b445ca51263624e00ca7dfdc037ace78a41238bdd3340c2c4507ff0c4c5ba4ae872029703de4e992fd9e8412555457a81f650b6a7366a012

Download Submit
C:\Users\Admin\AppData\Local\Temp\143647.zip
Filesize
802KB

MD5
6d8112d253a2af0c68ec39f43949922b

SHA1
d3fc113c674a389251414a15569fa899735161ff

SHA256
f6a8942341ba34b8a32c0910504007fadeb4f73fd6c9dbecdee51b29982cc19a

SHA512
6bd41807660d5341ed83ae294d6196e87308524e683b2db007c0ca10a43111986946287d01629a1b3f88b25dabbd748a523a3df361f60337a27f76c66fa0e00b

Download Submit
C:\Windows\System32\VEougIUNAC\NfMcan.dll
Filesize
507.5MB

MD5
2a5d001b7ee97ea58deffaf5eb4b87b0

SHA1
3572156efa1d3916e10f9116172042336c464a63

SHA256
b20b57361708b67495dede5e2f995367f7f0e5a565c6fd1545c17e15a5265169

SHA512
639f3b847977ba41b445ca51263624e00ca7dfdc037ace78a41238bdd3340c2c4507ff0c4c5ba4ae872029703de4e992fd9e8412555457a81f650b6a7366a012

Download Submit
memory/976-136-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp

Filesize
64KB

Download
memory/976-138-0x00007FF9DEB10000-0x00007FF9DEB20000-memory.dmp

Filesize
64KB

Download
memory/976-139-0x00007FF9DEB10000-0x00007FF9DEB20000-memory.dmp

Filesize
64KB

Download
memory/976-137-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp

Filesize
64KB

Download
memory/976-133-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp

Filesize
64KB

Download
memory/976-134-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp

Filesize
64KB

Download
memory/976-135-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp

Filesize
64KB

Download
memory/1036-193-0x0000000180000000-0x000000018002D000-memory.dmp

Filesize
180KB

Download
memory/1036-198-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads