General

  • Target

    Z8363664.doc

  • Size

    83KB

  • Sample

    210108-xg9jc1dknx

  • MD5

    922ff468b599a99bcba635e749c9eca1

  • SHA1

    cf75c8b005d2d1f861b4fcd29d55886c606d407a

  • SHA256

    d345c5f013afe61b46427200ec5290efdb7f264dcd94cf2ac02763caf145ffc1

  • SHA512

    e0cd0084a511704ad2c3535866ee8c44afe0de6ba5dd5ddb8d9a1235d9d8fea8ace88b365f0fabbeef4718c3c7e8f8c292b392b36c2a06dbc2640b70a5b96fe8

Malware Config

Extracted

Language: ps1
Deobfuscated
URLs

Extracted

Family: emotet

Botnet: Epoch3

C2


rsa_pubkey.plain

Targets

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2

Tasks