Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    30s
  • resource
    win10v191014
  • submitted
    29/01/2020, 21:56

General

  • Target

    INVOICE JSM9193_1565826.doc

  • Sample

    200129-rvtk7t4t9j

  • SHA256

    5452b9448c3310adaa86f6020c32d6ae4727fce5049f613ad9242e2f35e94eff

Score
10/10

Malware Config

Extracted

Family

emotet

C2

186.10.98.177:80

154.70.158.97:80

95.66.182.136:80

68.183.18.169:8080

178.62.75.204:8080

178.33.167.120:8080

144.76.56.36:8080

61.204.119.188:443

163.172.107.70:8080

156.155.163.232:80

91.117.31.181:80

153.183.25.24:80

110.2.118.164:80

195.250.143.182:80

162.154.175.215:80

50.116.78.109:8080

72.176.87.136:80

184.162.115.11:443

37.70.131.107:80

181.39.96.86:443

rsa_pubkey.plain

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE JSM9193_1565826.doc" /o ""
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:4812
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\0.1477167.jse"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Users\Admin\AppData\Local\Temp\v9zw0kimj.exe
        "C:\Users\Admin\AppData\Local\Temp\v9zw0kimj.exe"
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        PID:3788
        • C:\Users\Admin\AppData\Local\Temp\v9zw0kimj.exe
          --4aec14ef
          4⤵
          • Suspicious use of SetWindowsHookEx
          • Executes dropped EXE
          • Suspicious behavior: EmotetMutantsSpam
          PID:4512

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3788-8-0x0000000000AA0000-0x0000000000AB7000-memory.dmp

    Filesize

    92KB

  • memory/4512-10-0x0000000002060000-0x0000000002077000-memory.dmp

    Filesize

    92KB

  • memory/4512-11-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB