Overview

overview

10

Static

static

8

INVOICE N ...23.doc

windows7-x64

10

INVOICE N ...23.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    107s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    21-04-2023 14:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INVOICE N IJ952634 March 2023.doc

  • Size

    514.2MB

  • MD5

    569dd57886777d0e9aa72151ae32cf7d

  • SHA1

    8be53083637a60ee102d8e5fbb8fb0d7df33bab7

  • SHA256

    b63617eda3505c9ab6deb672f33ca196f508b6cd5eb1cc00ec5c2500a35c18a6

  • SHA512

    13c5f79efa16d93c4b0a8c5f7ff31aae5f4087d10254167e1b1359b7b8ed4f32e116e00fc97d31124345bbb5726371079b9216fd95c5768722daf0a8299ccbc6

  • SSDEEP

    3072:eoEW2aOtFjH0lP2IpjctfRcVVwEi/A8NVM1wIOCbX6bYLjWFJuvx7ueK6:ZE1aOtFa2I9c3aVw4zwxCbJ4Jup

Score
10/10
emotetepoch4bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Script User-Agent 5 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE N IJ952634 March 2023.doc"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1620
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\140541.tmp"
      2⤵
      • Process spawned unexpected child process
      PID:1676
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\140541.tmp"
        3⤵
          PID:1532
          • C:\Windows\system32\regsvr32.exe
            C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SQqTmQtpm\BLnHaOgFe.dll"
            4⤵
              PID:1168
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          2⤵
            PID:960

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          61KB

          MD5

          e71c8443ae0bc2e282c73faead0a6dd3

          SHA1

          0c110c1b01e68edfacaeae64781a37b1995fa94b

          SHA256

          95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

          SHA512

          b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          e48dc7b781b3ad1685c31ffac1a556a9

          SHA1

          efc32f73f372217cb71f5fe42bb266fb1e06f43c

          SHA256

          12b981f2197c04386d706df0d1b347d048e9f680ed1578dc211d5ab9598e27d6

          SHA512

          46a861cbdbee5fdcb459c3fbbdcb9c05c8ab2384559a541a29d6e23da3bdea14f2bf0c002405ccba3f2706312ebc101017f5113a01e3d9832c061f21052c4ac5

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\140541.tmp
          Filesize

          501.9MB

          MD5

          9b24a1a6467ebecbcb1d5e3f644219e3

          SHA1

          d5000902db828dd79779d2476aa0a72b9b6c664f

          SHA256

          4505f89629e11de04ddceb4d41ff9721f8b6864a30b73f5034648a45028be9bb

          SHA512

          950d11c6f603dd91bd73bad605b047ec772bdf8f067539ed4d0ab2e0393ed09adbe974829b003386a93b91d337d5a3c3768f5c16e16a543c0edd7aa886e372af

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\140555.zip
          Filesize

          815KB

          MD5

          ed4fcdbf38c45e8b61f0364b90416651

          SHA1

          02640c01c30f89e3dc1ece2c001c0121cd648057

          SHA256

          1f78d5f7eb645523205b4a42b84060253f2c3c19e7f4ef5b776391fff23b87d4

          SHA512

          505767be56fa466804657cf659bace3868af56b121c7feaa542a8ae5b0f243bde179b5828a28d775d3d5fef06935b3edbfea752bc1c330252f7e2215ef17e31c

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\Cab9DAA.tmp
          Filesize

          61KB

          MD5

          fc4666cbca561e864e7fdf883a9e6661

          SHA1

          2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

          SHA256

          10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

          SHA512

          c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\Tar9F66.tmp
          Filesize

          161KB

          MD5

          be2bec6e8c5653136d3e72fe53c98aa3

          SHA1

          a8182d6db17c14671c3d5766c72e58d87c0810de

          SHA256

          1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

          SHA512

          0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

          Download Submit
        • \Users\Admin\AppData\Local\Temp\140541.tmp
          Filesize

          472.4MB

          MD5

          1b29597fe39fa9c793dd6384f6b04e62

          SHA1

          11e6bb326b055b8e64e88159d515b2ba27f06fc2

          SHA256

          184c576bb06901cc8471aa0e41ad6168da77bdfb5e0466d6333e8b8ce49d5c2b

          SHA512

          091570ac3287f1188dcd25feb82352b3f96bbb5be6ea31c41075ab63ab5cfa2c78c6a23a2100ba00abc46ed14c70f90e695b63c571a2e1b81f41ff0b860a216e

          Download Submit
        • \Users\Admin\AppData\Local\Temp\140541.tmp
          Filesize

          520.5MB

          MD5

          063b1fd8989ea3cd1bcdab3c2764db18

          SHA1

          ea3705b15d3db7429a393b950c96880b5f9d343a

          SHA256

          82cafa6eeb31c84e41e156f98116fcd82a4eb8f13114779cd1998b66ba3aee78

          SHA512

          8a1ef6eb4ba5543639b89d5eae4b59cba476f1ec8c31c25d951ad0e96adb401d175b5aa7fda577bc5efdf24bec333c30da781129f00475f5bb9d16ba1411b8b9

          Download Submit
        • memory/1168-932-0x00000000002C0000-0x00000000002C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1532-924-0x0000000180000000-0x000000018002D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1532-931-0x00000000002A0000-0x00000000002A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1620-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download