98af6635138045cae3f29995a587d0c8a7f14446a9d10564677dd4a41372c3f1

Analysis

max time kernel
116s
max time network
122s
platform
windows7_x64
resource
win7
submitted
13-07-2020 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Emotet (1).rtf
Size

1.7MB
MD5

7e461f6366681c5ae24920a31c3cfec6
SHA1

3513d238a659d27f1ff3acea55e84fafa093c676
SHA256

98af6635138045cae3f29995a587d0c8a7f14446a9d10564677dd4a41372c3f1
SHA512

2b34fd033faf6e68188ddc3fffd73b3a22bff0545e4464c5017573392adb2d46533249b4c20b21ef53dab9899429deb0fff70f65e859c47a33e702c6162b2743

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rekeywiz.exe

pid process

1644 rekeywiz.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1032 EQNEDT32.EXE

pid	process
1644	rekeywiz.exe

pid	process
1032	EQNEDT32.EXE

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EQNEDT32.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\atlas2.0 = "C:\\ProgramData\\AtlasFiles2.0\\rekeywiz.exe"	EQNEDT32.EXE

Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

900 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

900 WINWORD.EXE
900 WINWORD.EXE
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1032 EQNEDT32.EXE

pid	process
900	WINWORD.EXE

pid	process
900	WINWORD.EXE
900	WINWORD.EXE

pid	process
1032	EQNEDT32.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EQNEDT32.EXE

description	pid	process	target process
PID 1032 wrote to memory of 1644	1032	EQNEDT32.EXE	rekeywiz.exe
PID 1032 wrote to memory of 1644	1032	EQNEDT32.EXE	rekeywiz.exe
PID 1032 wrote to memory of 1644	1032	EQNEDT32.EXE	rekeywiz.exe
PID 1032 wrote to memory of 1644	1032	EQNEDT32.EXE	rekeywiz.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Emotet (1).rtf"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:900

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Adds Run entry to start application
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032

C:\ProgramData\AtlasFiles2.0\rekeywiz.exe
"C:\ProgramData\AtlasFiles2.0\rekeywiz.exe"
2⤵
- Executes dropped EXE
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AtlasFiles2.0\rekeywiz.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.a

Download Submit
\ProgramData\AtlasFiles2.0\rekeywiz.exe

Download Submit
memory/1644-2-0x0000000000000000-mapping.dmp

Download