Analysis
-
max time kernel
143s -
resource
win10v191014 -
submitted
29-01-2020 22:14
General
Malware Config
Extracted
emotet
186.10.98.177:80
154.70.158.97:80
95.66.182.136:80
68.183.18.169:8080
178.62.75.204:8080
178.33.167.120:8080
144.76.56.36:8080
61.204.119.188:443
163.172.107.70:8080
156.155.163.232:80
91.117.31.181:80
153.183.25.24:80
110.2.118.164:80
195.250.143.182:80
162.154.175.215:80
50.116.78.109:8080
72.176.87.136:80
184.162.115.11:443
37.70.131.107:80
181.39.96.86:443
41.185.29.128:8080
122.176.116.57:443
177.144.130.105:443
88.248.140.80:80
187.72.47.161:443
192.241.220.183:8080
182.176.116.139:995
192.241.241.221:443
109.236.109.159:8080
85.100.122.211:80
98.192.74.164:80
61.221.152.140:80
175.181.7.188:80
175.127.140.68:80
88.247.26.78:80
216.75.37.196:8080
179.5.118.12:8080
220.247.70.174:80
105.209.235.113:8080
211.20.154.102:80
182.74.249.74:80
37.46.129.215:8080
186.147.245.204:80
78.210.132.35:80
81.82.247.216:80
95.130.37.244:443
160.119.153.20:80
180.33.71.88:80
58.92.179.55:443
185.192.75.240:443
46.17.6.116:8080
78.46.87.133:8080
183.87.40.21:8080
183.82.123.60:443
190.171.153.139:80
181.196.27.123:80
185.244.167.25:443
200.82.88.254:80
82.145.43.153:8080
42.51.192.231:8080
154.73.137.131:80
112.186.195.176:80
41.77.74.214:443
78.189.165.52:8080
187.177.155.123:990
80.211.32.88:8080
1.217.126.11:443
162.144.46.90:8080
210.213.85.43:8080
75.86.6.174:80
190.93.210.113:80
23.253.207.142:8080
149.202.153.251:8080
72.27.212.209:8080
158.69.167.246:8080
188.251.213.180:443
212.112.113.235:80
182.187.137.199:8080
125.209.114.180:443
150.246.246.238:80
217.12.70.226:80
190.17.94.108:443
160.226.171.255:443
139.59.12.63:8080
196.6.119.137:80
51.77.113.97:8080
37.211.67.229:80
24.141.12.228:80
60.152.212.149:80
186.84.173.136:8080
5.196.200.208:8080
203.124.57.50:80
91.117.131.122:80
78.186.102.195:80
78.188.170.128:80
60.151.66.216:443
58.185.224.18:80
70.60.238.62:80
192.210.217.94:8080
85.96.49.152:80
85.109.190.235:443
89.215.225.15:80
203.153.216.178:7080
58.93.151.148:80
51.38.134.203:8080
88.225.230.33:80
81.214.142.115:80
157.7.164.178:8081
98.178.241.106:80
95.216.207.86:7080
59.135.126.129:443
1.221.254.82:80
172.104.70.207:8080
190.5.162.204:80
75.127.14.170:8080
91.83.93.103:443
82.146.55.23:7080
78.189.60.109:443
153.137.36.142:80
176.58.93.123:80
195.201.56.70:8080
186.10.92.114:80
144.139.91.187:80
201.183.251.100:80
77.74.78.80:443
69.30.205.162:7080
82.79.244.92:80
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4808 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
WINWORD.EXE3hnosi568.exe3hnosi568.exeptrchannel.exeptrchannel.exepid process 4808 WINWORD.EXE 3124 3hnosi568.exe 3764 3hnosi568.exe 4480 ptrchannel.exe 4516 ptrchannel.exe -
Process spawned unexpected child process 1 IoCs
Processes:
WScript.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4404 4808 WScript.exe WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
ptrchannel.exepid process 4516 ptrchannel.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEWScript.exe3hnosi568.exeptrchannel.exedescription pid process target process PID 4808 wrote to memory of 4404 4808 WINWORD.EXE WScript.exe PID 4404 wrote to memory of 3124 4404 WScript.exe 3hnosi568.exe PID 3124 wrote to memory of 3764 3124 3hnosi568.exe 3hnosi568.exe PID 4480 wrote to memory of 4516 4480 ptrchannel.exe ptrchannel.exe -
Executes dropped EXE 4 IoCs
Processes:
3hnosi568.exe3hnosi568.exeptrchannel.exeptrchannel.exepid process 3124 3hnosi568.exe 3764 3hnosi568.exe 4480 ptrchannel.exe 4516 ptrchannel.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
3hnosi568.exeptrchannel.exepid process 3764 3hnosi568.exe 4516 ptrchannel.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Drops file in System32 directory 6 IoCs
Processes:
ptrchannel.exe3hnosi568.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat ptrchannel.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 ptrchannel.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE ptrchannel.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies ptrchannel.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 ptrchannel.exe File renamed C:\Users\Admin\AppData\Local\Temp\3hnosi568.exe => C:\Windows\SysWOW64\ptrchannel.exe 3hnosi568.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE JSM9193_1565826.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\0.2304651.jse"2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3hnosi568.exe"C:\Users\Admin\AppData\Local\Temp\3hnosi568.exe"3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3hnosi568.exe--42aa2c8f4⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ptrchannel.exe"C:\Windows\SysWOW64\ptrchannel.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Windows\SysWOW64\ptrchannel.exe--942e52c72⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3hnosi568.exe
-
C:\Users\Admin\AppData\Local\Temp\3hnosi568.exe
-
C:\Users\Admin\AppData\Local\Temp\3hnosi568.exe
-
C:\Users\Admin\AppData\Roaming\0.2304651.jse
-
C:\Windows\SysWOW64\ptrchannel.exe
-
C:\Windows\SysWOW64\ptrchannel.exe
-
memory/3124-9-0x0000000002280000-0x0000000002297000-memory.dmpFilesize
92KB
-
memory/3764-11-0x00000000007B0000-0x00000000007C7000-memory.dmpFilesize
92KB
-
memory/3764-12-0x0000000000400000-0x000000000048F000-memory.dmpFilesize
572KB
-
memory/4480-14-0x0000000000E10000-0x0000000000E27000-memory.dmpFilesize
92KB
-
memory/4516-16-0x0000000000610000-0x0000000000627000-memory.dmpFilesize
92KB
-
memory/4516-17-0x0000000000400000-0x000000000048F000-memory.dmpFilesize
572KB