Analysis
  max time kernel: 30s
  resource:        win10v191014
  submitted:       29/01/2020, 21:56
General
Malware Config
  Extracted family: emotet
  Extracted addresses (ip:port):
186.10.98.177:80
154.70.158.97:80
95.66.182.136:80
68.183.18.169:8080
178.62.75.204:8080
178.33.167.120:8080
144.76.56.36:8080
61.204.119.188:443
163.172.107.70:8080
156.155.163.232:80
91.117.31.181:80
153.183.25.24:80
110.2.118.164:80
195.250.143.182:80
162.154.175.215:80
50.116.78.109:8080
72.176.87.136:80
184.162.115.11:443
37.70.131.107:80
181.39.96.86:443
41.185.29.128:8080
122.176.116.57:443
177.144.130.105:443
88.248.140.80:80
187.72.47.161:443
192.241.220.183:8080
182.176.116.139:995
192.241.241.221:443
109.236.109.159:8080
85.100.122.211:80
98.192.74.164:80
61.221.152.140:80
175.181.7.188:80
175.127.140.68:80
88.247.26.78:80
216.75.37.196:8080
179.5.118.12:8080
220.247.70.174:80
105.209.235.113:8080
211.20.154.102:80
182.74.249.74:80
37.46.129.215:8080
186.147.245.204:80
78.210.132.35:80
81.82.247.216:80
95.130.37.244:443
160.119.153.20:80
180.33.71.88:80
58.92.179.55:443
185.192.75.240:443
46.17.6.116:8080
78.46.87.133:8080
183.87.40.21:8080
183.82.123.60:443
190.171.153.139:80
181.196.27.123:80
185.244.167.25:443
200.82.88.254:80
82.145.43.153:8080
42.51.192.231:8080
154.73.137.131:80
112.186.195.176:80
41.77.74.214:443
78.189.165.52:8080
187.177.155.123:990
80.211.32.88:8080
1.217.126.11:443
162.144.46.90:8080
210.213.85.43:8080
75.86.6.174:80
190.93.210.113:80
23.253.207.142:8080
149.202.153.251:8080
72.27.212.209:8080
158.69.167.246:8080
188.251.213.180:443
212.112.113.235:80
182.187.137.199:8080
125.209.114.180:443
150.246.246.238:80
217.12.70.226:80
190.17.94.108:443
160.226.171.255:443
139.59.12.63:8080
196.6.119.137:80
51.77.113.97:8080
37.211.67.229:80
24.141.12.228:80
60.152.212.149:80
186.84.173.136:8080
5.196.200.208:8080
203.124.57.50:80
91.117.131.122:80
78.186.102.195:80
78.188.170.128:80
60.151.66.216:443
58.185.224.18:80
70.60.238.62:80
192.210.217.94:8080
85.96.49.152:80
85.109.190.235:443
89.215.225.15:80
203.153.216.178:7080
58.93.151.148:80
51.38.134.203:8080
88.225.230.33:80
81.214.142.115:80
157.7.164.178:8081
98.178.241.106:80
95.216.207.86:7080
59.135.126.129:443
1.221.254.82:80
172.104.70.207:8080
190.5.162.204:80
75.127.14.170:8080
91.83.93.103:443
82.146.55.23:7080
78.189.60.109:443
153.137.36.142:80
176.58.93.123:80
195.201.56.70:8080
186.10.92.114:80
144.139.91.187:80
201.183.251.100:80
77.74.78.80:443
69.30.205.162:7080
82.79.244.92:80
Signatures

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  4812  WINWORD.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  4812  WINWORD.EXE
  3788  v9zw0kimj.exe
  4512  v9zw0kimj.exe

Process spawned unexpected child process (1 IoC)
  description    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  pid            4036
  pid_target     4812
  Process        WScript.exe
  procid_target  71

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process        procid_target
  PID 4812 wrote to memory of 4036  4812  WINWORD.EXE    78
  PID 4036 wrote to memory of 3788  4036  WScript.exe    79
  PID 3788 wrote to memory of 4512  3788  v9zw0kimj.exe  80

Executes dropped EXE (2 IoCs)
  pid   Process
  3788  v9zw0kimj.exe
  4512  v9zw0kimj.exe

Suspicious behavior: EmotetMutantsSpam (1 IoC)
  pid   Process
  4512  v9zw0kimj.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0       WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                      Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS       WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
Processes (process tree, indented by depth)

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE JSM9193_1565826.doc" /o ""
  PID: 4812
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Checks processor information in registry
  - Enumerates system info in registry

  C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\0.1477167.jse"
    PID: 4036
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\v9zw0kimj.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\v9zw0kimj.exe"
      PID: 3788
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE

      C:\Users\Admin\AppData\Local\Temp\v9zw0kimj.exe
        command line: --4aec14ef
        PID: 4512
        - Suspicious use of SetWindowsHookEx
        - Executes dropped EXE
        - Suspicious behavior: EmotetMutantsSpam