Play interactive tourEdit tour
Windows Analysis Report 1711.doc
Overview
General Information
Detection
Emotet
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Powershell drops PE file
Tries to detect virtualization through RDTSC time measurements
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document contains an embedded VBA macro which may execute processes
Sigma detected: Microsoft Office Product Spawning Windows Shell
Changes security center settings (notifications, updates, antivirus, firewall)
Suspicious powershell command line found
Obfuscated command line found
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Document has an unknown application name
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Document contains an embedded VBA macro which executes code when the document is opened / closed
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Document contains no OLE stream with summary information
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Potential document exploit detected (performs HTTP gets)
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Emotet |
---|
{"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Yara Overview |
---|
Dropped Files |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
SUSP_VBA_FileSystem_Access | Detects suspicious VBA that writes to disk and is activated on document open | Florian Roth |
|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Emotet RunDLL32 Process Creation | Show sources |
Source: | Author: FPT.EagleEye: |
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |