Analysis

- Max time kernel: 116s
- Max time network: 122s
- Platform: windows7_x64
- Resource: win7
- Submitted: 13/07/2020, 08:05

Tasks

- Static task: static1
- Behavioral task: behavioral1
  Sample: Emotet (1).rtf
  Resource: win7
  0 signatures, 0 seconds
- Behavioral task: behavioral2
  Sample: Emotet (1).rtf
  Resource: win10v200430
  0 signatures, 0 seconds
General

- Target: Emotet (1).rtf
- Size: 1.7MB
- MD5: 7e461f6366681c5ae24920a31c3cfec6
- SHA1: 3513d238a659d27f1ff3acea55e84fafa093c676
- SHA256: 98af6635138045cae3f29995a587d0c8a7f14446a9d10564677dd4a41372c3f1
- SHA512: 2b34fd033faf6e68188ddc3fffd73b3a22bff0545e4464c5017573392adb2d46533249b4c20b21ef53dab9899429deb0fff70f65e859c47a33e702c6162b2743
- Score: 8/10
Malware Config

Signatures

- Executes dropped EXE (1 IoC)
  pid 1644, process rekeywiz.exe
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid 1032, process EQNEDT32.EXE
- Adds Run entry to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\atlas2.0 = "C:\\ProgramData\\AtlasFiles2.0\\rekeywiz.exe"
  process EQNEDT32.EXE
- Office loads VBA resources, possible macro or embedded object present
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 900, process WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 900, process WINWORD.EXE (two entries)
- Loads dropped DLL (1 IoC)
  pid 1032, process EQNEDT32.EXE
- Suspicious use of WriteProcessMemory (4 IoCs, four identical entries)
  description: PID 1032 wrote to memory of 1644
  pid 1032, process EQNEDT32.EXE, procid_target 25
Processes

- C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (PID 900)
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Emotet (1).rtf"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

- C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1032)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Launches Equation Editor
  - Adds Run entry to start application
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  - Child: C:\ProgramData\AtlasFiles2.0\rekeywiz.exe (PID 1644)
    Command line: "C:\ProgramData\AtlasFiles2.0\rekeywiz.exe"
    - Executes dropped EXE