August 21st quite a few people across organizations got this document in what looks like a large Phishing campaign. I wanted to understand what this malware does as this had very low detection on VirusTotal. Here is my effort to understand the malware and to record indicators for further hunting and investigation.
Identifying the malicious document
Looks like some kind of dropper. It was interesting that VT first saw this file in 2010 and the first submission in August 21st. Where was it hiding for 7 years?
Detonating the malware
I run a couple of custom (Windows 7 & Windows 10) sandboxes with Sysmon from Sysinternals. All web traffic is intercepted with an intercepting web proxy. The network traffic is analyzed and all metadata is extracted and stored.
What did I learn? (End users are the weakest link)
The first thing the document does is it tricks the user into thinking that the document is actually locked / protected.
Enabling Macro executes Powershell
Once this executes, it sets up persistence and moves itself from %TEMP% to %USERPROFILE%\AppData\Local\Microsoft\Windows\shedulesystem.exe
C2 IP: 220.127.116.11 (Digital Ocean)
Now that I know this is Emotet I didnt want to waste too much time on this but I wanted to ensure I get all the IOCs out. Decoding the Base64 encoded PowerShell command gives me this:
Slightly modifying the code and printing the "URL" instead of Invoking it gave me all 5 domains:
Back to basics
Take all the IOCs and make a use case for SIEM / SOC. #DFIR FTW! I hope you enjoy reading this as much as I enjoyed doing this.