General

  • Target

    28c31a00bdaa62e11585da0208310e6dcd305ff79f6e305f9d26fce447cf97bd

  • Size

    165KB

  • Sample

    210121-1bwvvr5wx6

  • MD5

    f721929d877a4bc4fcb62b8d2a1f7376

  • SHA1

    9aa582e32256fd1c8a14035ee0bd409b6ac15565

  • SHA256

    28c31a00bdaa62e11585da0208310e6dcd305ff79f6e305f9d26fce447cf97bd

  • SHA512

    af5d84ed2bfcc764b23cccd33cdf92c1eaaee0eac887ee9081762c9edf8b0ce00a74691abc372cbc0c01bb6c6a45925caff4689a50fcaa7a736781a3c2bdcc82

Score
10/10

Malware Config

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs (each of type exe.dropper, i.e. a location the PowerShell stage tries to fetch the next-stage executable from)

    http://covisiononeness.org/new/F9v/
    https://www.oshiscafe.com/wp-admin/5Dm/
    https://lionrockbatteries.com/wp-snapshots/C/
    https://www.schmuckfeder.net/reference/ubpV/
    http://cirteklink.com/F0xAutoConfig/1Zb4/
    https://nimbledesign.miami/wp-admin/C/
    http://xunhong.net/sys-cache/D0/
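The URL list above is the most actionable part of the report. The script below, an added example and not part of the sandbox output, turns the extracted type/URL pairs into host and path-prefix indicators and hunts for them in proxy logs. The config text is copied from this report; the proxy log lines and the log format (timestamp, client, method, target, status) are constructed for the example. The scheme is deliberately dropped from the indicators: a TLS fetch usually shows up only as a CONNECT to the host, and several of these paths sit under wp-admin or similar, which suggests compromised legitimate sites, so a host-only hit is reported at lower confidence rather than treated as a block-worthy match on its own.

```python
"""Turn the extracted exe.dropper URLs into IOCs and hunt for them in proxy logs.

Added example for this report, not sandbox output. EXTRACTED_CONFIG is copied
from the report; PROXY_LOG and its format are constructed.
"""
import re
from urllib.parse import urlsplit

# Type / URL pairs exactly as the report lists them.
EXTRACTED_CONFIG = """
exe.dropper
http://covisiononeness.org/new/F9v/
exe.dropper
https://www.oshiscafe.com/wp-admin/5Dm/
exe.dropper
https://lionrockbatteries.com/wp-snapshots/C/
exe.dropper
https://www.schmuckfeder.net/reference/ubpV/
exe.dropper
http://cirteklink.com/F0xAutoConfig/1Zb4/
exe.dropper
https://nimbledesign.miami/wp-admin/C/
exe.dropper
http://xunhong.net/sys-cache/D0/
"""

# Constructed proxy log: "<epoch> <client> <method> <target> <status>".
PROXY_LOG = """\
1611234001 10.0.0.5 GET http://covisiononeness.org/new/F9v/ 200
1611234002 10.0.0.5 GET https://www.oshiscafe.com/wp-admin/5Dm/ 404
1611234003 10.0.0.7 CONNECT lionrockbatteries.com:443 200
1611234004 10.0.0.9 GET http://xunhong.net/sys-cache/D0/abc123.exe 200
1611234005 10.0.0.9 GET https://www.schmuckfeder.net/about/ 200
1611234006 10.0.0.3 GET http://example.com/wp-admin/C/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)\s+(?P<status>\d+)$"
)


def parse_config(text):
    """Return [(type, url), ...] from the report's alternating type/URL lines."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return list(zip(lines[0::2], lines[1::2]))


def build_iocs(pairs):
    """Map lower-cased host -> set of path prefixes for every exe.dropper URL.

    The scheme is dropped on purpose: the stage may retry over http/https and
    TLS fetches are often logged only as CONNECT, so we key on host and match
    the path prefix only when the proxy saw it.
    """
    iocs = {}
    for kind, url in pairs:
        if kind != "exe.dropper":
            continue
        u = urlsplit(url)
        iocs.setdefault(u.hostname.lower(), set()).add(u.path)
    return iocs


def hunt(log_text, iocs):
    """Return [(client, host, confidence), ...].

    'url'  : host and path prefix both match (a download of the payload path,
             possibly with a filename appended).
    'host' : only the host matches (CONNECT, or a different path on a host that
             may be a compromised legitimate site) - alert, do not auto-block.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m["target"]
        if m["method"] == "CONNECT":
            host, path = target.rsplit(":", 1)[0].lower(), None
        else:
            u = urlsplit(target)
            host, path = (u.hostname or "").lower(), u.path
        if host not in iocs:
            continue
        if path is not None and any(path.startswith(p) for p in iocs[host]):
            hits.append((m["client"], host, "url"))
        else:
            hits.append((m["client"], host, "host"))
    return hits


if __name__ == "__main__":
    table = build_iocs(parse_config(EXTRACTED_CONFIG))
    for client, host, confidence in hunt(PROXY_LOG, table):
        print(f"{confidence:4} {client:10} {host}")
```

Feed the same `build_iocs` output to whatever blocklist you maintain, but keep the two confidence levels apart: the full-URL hits are safe to block, while the host-only hits on a site that is probably just compromised deserve a ticket rather than an automatic deny.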

Targets

    • Target

      28c31a00bdaa62e11585da0208310e6dcd305ff79f6e305f9d26fce447cf97bd (165KB; MD5, SHA1 and SHA512 as listed under General above)

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but drive enumeration is also routine in installers, loaders and system utilities, so on its own it is weak evidence; weigh it together with the unexpected child process, the dropped-DLL load and the network request above.
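The first signature in the list, an unexpected child process, is the one most worth turning into a detection, because it fires at the moment a document handler hands control to an interpreter. The report does not show this sample's process tree, so the parent and child lists in the example below are a generic baseline for the macro/exploit case the signature describes, not something read from this report; the Sysmon-style events are constructed. This is an added example, not sandbox code. It scores an event higher when the child command line also shows the usual hiding options, and decodes a `-EncodedCommand` payload (assumed UTF-16LE base64, which is what PowerShell expects) so the alert carries the plaintext.

```python
"""Detection logic for 'process spawned unexpected child process'.

Added example; parent/child lists are a generic baseline (the report does not
show this sample's process tree) and EVENTS are constructed Sysmon-style records.
"""
import base64
import re

# Assumed baseline: processes that open untrusted content ...
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "acrord32.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# ... and children they have no business spawning directly.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                   "certutil.exe", "bitsadmin.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
# Window hiding / profile suppression commonly paired with droppers.
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-noni\b|-noninteractive\b")


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded(cmd):
    """Plaintext of an -EncodedCommand argument (UTF-16LE base64), or None."""
    m = ENCODED_PS.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return an alert dict for a suspicious parent->child pair, else None."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    if parent not in DOCUMENT_PARENTS or child not in SCRIPT_CHILDREN:
        return None
    cmd = event.get("CommandLine", "")
    score = 1                      # base: document handler spawned an interpreter
    decoded = decode_encoded(cmd)
    if ENCODED_PS.search(cmd):
        score += 2                 # encoded command line
    if HIDDEN.search(cmd):
        score += 1                 # hidden window / no profile
    return {"parent": parent, "child": child, "score": score, "decoded": decoded}


def run(events):
    """Apply classify() to a list of events and return the alerts."""
    return [a for a in (classify(e) for e in events) if a]


# Constructed events. The base64 below is "IEX (New-Object" in UTF-16LE.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo hello"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n"},
]

if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

The score is deliberately coarse: a bare Excel-to-cmd spawn scores 1 and may be an analyst's own macro, while the hidden, encoded PowerShell launch from Word scores 4 and should page someone. Tune the two process sets to your estate before deploying; the lists here are an assumption, not a vendor baseline.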

MITRE ATT&CK Enterprise v6

Tasks