Analysis
- max time kernel: 116s
- max time network: 122s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 08:05
Static task: static1
Behavioral task: behavioral1
- Sample: Emotet (1).rtf
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Emotet (1).rtf
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Emotet (1).rtf
- Size: 1.7MB
- MD5: 7e461f6366681c5ae24920a31c3cfec6
- SHA1: 3513d238a659d27f1ff3acea55e84fafa093c676
- SHA256: 98af6635138045cae3f29995a587d0c8a7f14446a9d10564677dd4a41372c3f1
- SHA512: 2b34fd033faf6e68188ddc3fffd73b3a22bff0545e4464c5017573392adb2d46533249b4c20b21ef53dab9899429deb0fff70f65e859c47a33e702c6162b2743
Score: 8/10
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: rekeywiz.exe (pid 1644)
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Adds Run entry to start application (2 TTPs, 1 IoC)
  Processes: EQNEDT32.EXE set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\atlas2.0 = "C:\\ProgramData\\AtlasFiles2.0\\rekeywiz.exe"
- Office loads VBA resources, possible macro or embedded object present
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: WINWORD.EXE (pid 900)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: WINWORD.EXE (pid 900), WINWORD.EXE (pid 900)
- Loads dropped DLL (1 IoC)
  Processes: EQNEDT32.EXE (pid 1032)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 1032 (EQNEDT32.EXE) wrote to memory of PID 1644 (rekeywiz.exe), recorded four times
Processes
- C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Emotet (1).rtf"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Launches Equation Editor
  - Adds Run entry to start application
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child process: C:\ProgramData\AtlasFiles2.0\rekeywiz.exe
    Command line: "C:\ProgramData\AtlasFiles2.0\rekeywiz.exe"
    - Executes dropped EXE