98af6635138045cae3f29995a587d0c8a7f14446a9d10564677dd4a41372c3f1

Analysis

max time kernel
116s
max time network
122s
platform
windows7_x64
resource
win7
submitted
13/07/2020, 08:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Emotet (1).rtf
Size

1.7MB
MD5

7e461f6366681c5ae24920a31c3cfec6
SHA1

3513d238a659d27f1ff3acea55e84fafa093c676
SHA256

98af6635138045cae3f29995a587d0c8a7f14446a9d10564677dd4a41372c3f1
SHA512

2b34fd033faf6e68188ddc3fffd73b3a22bff0545e4464c5017573392adb2d46533249b4c20b21ef53dab9899429deb0fff70f65e859c47a33e702c6162b2743

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1644	rekeywiz.exe

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1032	EQNEDT32.EXE

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\atlas2.0 = "C:\\ProgramData\\AtlasFiles2.0\\rekeywiz.exe"	EQNEDT32.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
900	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
900	WINWORD.EXE
900	WINWORD.EXE

Loads dropped DLL 1 IoCs

pid	Process
1032	EQNEDT32.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1644	1032	EQNEDT32.EXE	25
PID 1032 wrote to memory of 1644	1032	EQNEDT32.EXE	25
PID 1032 wrote to memory of 1644	1032	EQNEDT32.EXE	25
PID 1032 wrote to memory of 1644	1032	EQNEDT32.EXE	25

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Emotet (1).rtf"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:900

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Adds Run entry to start application
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032
- C:\ProgramData\AtlasFiles2.0\rekeywiz.exe
  "C:\ProgramData\AtlasFiles2.0\rekeywiz.exe"
  2⤵
  - Executes dropped EXE
  PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads