General

  • Target: emotet-doc-20210112.zip
  • Size: 569KB
  • Sample: 210113-q4qq97yaf2
  • MD5: 1caa075042dda587facf9e0e8c3ccae9
  • SHA1: 012bf56776d547842805bca1c828f86f975af039
  • SHA256: c37a74c72063867bc55b49cf86d2456f171d43cd01c3f8ea0fcd47eeffe5c505
  • SHA512: e2fa49144449b216066bfab08c2e63857c8b1dcda7ea145ceed9244f808e1e161ec7eb28c70e6c384e5ffc859486b156d3731f618d0961bfa7b4b6752cb513b5

Score: 10/10

Malware Config

Extracted
Language: ps1
Deobfuscated
URLs (exe.dropper)

Extracted
Language: ps1
Deobfuscated
URLs (exe.dropper)

Extracted
Language: ps1
Deobfuscated
URLs (exe.dropper)

Extracted
Language: ps1
Deobfuscated
URLs (exe.dropper)

Extracted
Language: ps1
Deobfuscated
URLs (exe.dropper)

Extracted
Language: ps1
Deobfuscated
URLs (exe.dropper)

Extracted
Language: ps1
Deobfuscated
URLs (exe.dropper)

Targets

    • Target: E1-20210112_1516
    • Size: 163KB
    • MD5: 9ed9f16374eb1f66d249a41372cb0510
    • SHA1: dc000c5dcdee520e12986c7a513e82ee688e921f
    • SHA256: 7ed0a557528449df39ab80764f7109979753c2aa14715c091c63c9221080513a
    • SHA512: 39629669ceacf587f223922e71cefd6fec4e9c8ec0cde7153001e5959faa2575e5efeeca47d8b68dbc2fcb9e3c3ac6a1e2f910effcf298b78a8b6f9ab0603652

    Score: 10/10
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.

    • Target: E1-20210112_1959
    • Size: 157KB
    • MD5: 512c3b7b2e569cec221339670f9444c6
    • SHA1: 413a3f2403985880e8ad0e4d3880c00eeea93c36
    • SHA256: 32e85191ad3dfdbc3981cb5cdb0bb35c19721be3604702e8fff800b91b55f854
    • SHA512: e7452bd68bf8c5eeaf58a8f16468ea84bcc0047351dea9525549faffa13112dff97f345296456af544f892f8c3c3a2e753e16830fb6c9d02e83d3241d7500c3c

    Score: 10/10
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.

    • Target: E2-20210112_1456
    • Size: 158KB
    • MD5: 67142f46102f95424482ca30e216df99
    • SHA1: 1cfe364fb4abb49d9e232e7eba550d5dbbcc7e6b
    • SHA256: fa3ee68080df60cda7f4ba7733dad99b309f0d2ebc6da64d97963d9a3d91dc2b
    • SHA512: 415fca3a400d9713ba65858e5310444b62633b0659e353d25f17b86e46da8eda3de8dd08e8a0b1861fbb116f7a4d260d1a2383e86d1bcf955fdcdc4f6bb65c6d

    Score: 10/10
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.

    • Target: E2-20210112_1756
    • Size: 156KB
    • MD5: eeed817626663915a8e2ab9818578fb7
    • SHA1: 11ec1efc97216c8b2f783338464a12cd217c0756
    • SHA256: 7fed81b2005afe17f17e6ac15591680f799252529e47781730bd5925974cfb42
    • SHA512: 7b0622cb963f78696e082dc81d81190bb4a59c077210ad2081ff04486e27f2867dcbefdcf44ebed8226c23f4503ed0868b2dafe28ff692331ae9d520d981ba25

    Score: 10/10
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.

    • Target: E2-20210112_2219
    • Size: 157KB
    • MD5: 23ee31fbdbbc1204dac980c7131def4a
    • SHA1: 5db3f93b4180b81379eff14f107a4f39e0440a07
    • SHA256: b75406d6fe0aa668a576c191ab39489f0384ceeed853597d9f951bbf8b11326f
    • SHA512: c1d98f523a794bca356a2392ec8193dd0a310d4643eb3033d5e728c5bd5fea2c13be7166bf85c0b2b9019869c8f42dc75d2b479d7df12b583cb29a4f18cfa3b1

    Score: 10/10
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.

    • Target: E3-20210112_1618
    • Size: 104KB
    • MD5: f620ae53cd35a1ed01fbf474fc871b2f
    • SHA1: 1605f33d78f1126f42eebf3a31a90526382055d8
    • SHA256: d1f314a20f4f905a77bf7722b4eb260df544e76ab62767d950005dd0f5925f2b
    • SHA512: 1791225ea0dcad25b1620b71cc89a6aa09be8a4d382bb3b57fbac9dc1312193119f1bf38edbf5a4868b12ee0726cabf25d2df99deea381ea9013022257ff4cef

    Score: 10/10
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.

    • Target: E3-20210112_2343
    • Size: 157KB
    • MD5: df66ce237d60ca77253674acb51f9420
    • SHA1: 38e3feb8cf7b573eaaac69213809ea8300199ed8
    • SHA256: d165beb4c7b032b989d7681e8d08557ed1f8c937a874fc43701aa61efa9e1992
    • SHA512: f1a337cdc4c73d16176d9c6c6389c2dd78b14e680e028b2199d629938bb826df4182e54a5be72fe05d4f4ae9630cbbe6ff8c9e9590ed1a168344e6e7e3743e3b

    Score: 10/10
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery
  • Query Registry (T1012): 14
  • System Information Discovery (T1082): 14
