General
-
Target
Scan-08323-12504279.doc
-
Size
169KB
-
Sample
210106-hexqwm7cf6
-
MD5
b61247e36d9896c12b80a819aa95bcd0
-
SHA1
c050b55afedb58f8e9648221490abbc3a952f28f
-
SHA256
d26a67cb2da261214980513551391653427d04054da0ed910b49eac681553c5a
-
SHA512
556b448bf6029700ea16f53001dfb2e1a47f503b805260f86deecfd336b011752e67286949fd7e775320b32c711032332eae383466a4cab384b13e7c594d30be
Static task
static1
Behavioral task
behavioral1
Sample
Scan-08323-12504279.doc
Resource
win7v20201028
Malware Config
Extracted
http://petafilm.com/wp-admin/4m/
http://givingthanksdaily.com/qlE/VeF/
http://wap.zhonglisc.com/wp-includes/QryCB/
https://fnjbq.com/wp-includes/rlR/
https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/
http://zieflix.teleskopstore.com/cgi-bin/Gt3S/
https://somanap.com/wp-admin/P/
Extracted
emotet
Epoch1
5.2.136.90:80
186.147.237.3:8080
138.197.99.250:8080
167.71.148.58:443
211.215.18.93:8080
187.162.248.237:80
1.226.84.243:8080
110.39.160.38:443
5.196.35.138:7080
59.148.253.194:8080
45.16.226.117:443
95.76.153.115:80
181.61.182.143:80
46.43.2.95:8080
188.135.15.49:80
81.215.230.173:443
45.4.32.50:80
81.214.253.80:443
94.176.234.118:443
212.71.237.140:8080
70.32.84.74:8080
68.183.190.199:8080
192.232.229.53:4143
213.52.74.198:80
12.163.208.58:80
172.245.248.239:8080
1.234.65.61:80
84.5.104.93:80
181.30.61.163:443
190.247.139.101:80
82.48.39.246:80
191.223.36.170:80
190.24.243.186:80
190.251.216.100:80
186.146.13.184:443
105.209.235.113:8080
197.232.36.108:80
192.232.229.54:7080
152.170.79.100:80
45.184.103.73:80
191.241.233.198:80
172.104.169.32:8080
152.169.22.67:80
12.162.84.2:8080
200.24.255.23:80
185.183.16.47:80
202.134.4.210:7080
209.236.123.42:8080
62.84.75.50:80
201.143.224.27:80
185.94.252.27:443
190.64.88.186:443
149.202.72.142:7080
122.201.23.45:443
51.15.7.145:80
170.81.48.2:80
178.250.54.208:8080
70.32.115.157:8080
51.255.165.160:8080
104.131.41.185:8080
155.186.9.160:80
87.106.46.107:8080
177.23.7.151:80
35.143.99.174:80
81.213.175.132:80
80.15.100.37:80
85.214.26.7:8080
201.75.62.86:80
181.124.51.88:80
217.13.106.14:8080
202.79.24.136:443
177.85.167.10:80
138.97.60.140:8080
186.177.174.163:80
201.241.127.190:80
82.208.146.142:7080
50.28.51.143:8080
137.74.106.111:7080
31.27.59.105:80
111.67.12.221:8080
190.114.254.163:8080
111.67.12.222:8080
93.149.120.214:80
190.210.246.253:80
168.121.4.238:80
68.183.170.114:8080
192.175.111.212:7080
46.101.58.37:8080
190.195.129.227:8090
60.93.23.51:80
83.169.21.32:7080
178.211.45.66:8080
181.136.190.86:80
190.162.232.138:80
188.225.32.231:7080
138.97.60.141:7080
187.162.250.23:443
110.39.162.2:443
191.182.6.118:80
184.66.18.83:80
190.136.176.89:80
190.45.24.210:80
46.105.114.137:8080
2.80.112.146:80
Targets
-
-
Target
Scan-08323-12504279.doc
-
Size
169KB
-
MD5
b61247e36d9896c12b80a819aa95bcd0
-
SHA1
c050b55afedb58f8e9648221490abbc3a952f28f
-
SHA256
d26a67cb2da261214980513551391653427d04054da0ed910b49eac681553c5a
-
SHA512
556b448bf6029700ea16f53001dfb2e1a47f503b805260f86deecfd336b011752e67286949fd7e775320b32c711032332eae383466a4cab384b13e7c594d30be
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-