General

  • Target

    f61e88107c42c1af97e24dcfcb14abfbe34e5e9ed02b00866ed97bf7e138ecc8

  • Size

    164KB

  • Sample

    210121-x4z6lnbpnn

  • MD5

    f56c4babc2174f4557e379e4363ac9d5

  • SHA1

    9c84b2c45f054d6be8bf851b2ec0c8ab645e0ed7

  • SHA256

    f61e88107c42c1af97e24dcfcb14abfbe34e5e9ed02b00866ed97bf7e138ecc8

  • SHA512

    eba57a5df8cc10d48bc08f39e0f43498234641aac1264f063edeae1052f65b498f53a342ba31033661a6e1669e6433cac4119295632b48503e9bcefa5b1d640f

Score
10/10

Malware Config

  • Extracted

    Language: ps1 (deobfuscated)

  • URLs (exe.dropper)

    http://covisiononeness.org/new/F9v/
    https://www.oshiscafe.com/wp-admin/5Dm/
    https://lionrockbatteries.com/wp-snapshots/C/
    https://www.schmuckfeder.net/reference/ubpV/
    http://cirteklink.com/F0xAutoConfig/1Zb4/
    https://nimbledesign.miami/wp-admin/C/
    http://xunhong.net/sys-cache/D0/
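The seven exe.dropper URLs are the most actionable part of the extracted config. The Python below is an added example for this report, not code from the sandbox or from the sample: it turns the URL list into defanged host/path IOCs and scans proxy log lines for them, distinguishing a full-URL hit from a host-only hit. The log line format, the constructed log entries and the two-level match are assumptions of the example; the URLs themselves are the ones listed above.

```python
"""Turn the extracted exe.dropper URLs into hunt-ready IOCs and scan proxy logs.

Added example for this report, not code from the sandbox or the sample. The
URL list is copied from the report's Malware Config; the proxy log lines below
are constructed for the example.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# URLs listed under Malware Config (type exe.dropper).
DROPPER_URLS = [
    "http://covisiononeness.org/new/F9v/",
    "https://www.oshiscafe.com/wp-admin/5Dm/",
    "https://lionrockbatteries.com/wp-snapshots/C/",
    "https://www.schmuckfeder.net/reference/ubpV/",
    "http://cirteklink.com/F0xAutoConfig/1Zb4/",
    "https://nimbledesign.miami/wp-admin/C/",
    "http://xunhong.net/sys-cache/D0/",
]


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident in a ticket."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def _norm_path(path: str) -> str:
    """Strip the trailing slash so '/wp-admin/C' and '/wp-admin/C/' compare equal."""
    return path.rstrip("/") or "/"


def to_ioc(url: str) -> Dict:
    """Split one dropper URL into the fields a hunt query needs."""
    parts = urlsplit(url)
    return {
        "url": url,
        "host": (parts.hostname or "").lower(),
        "path": _norm_path(parts.path),
        "defanged": defang(url),
    }


IOCS = [to_ioc(u) for u in DROPPER_URLS]
IOC_HOSTS = {ioc["host"] for ioc in IOCS}


def classify_request(url: str) -> Optional[str]:
    """'url' for an exact path hit, 'host' for the host alone, None otherwise.

    The paths (wp-admin, wp-snapshots, ...) look like compromised WordPress
    installs, so a host-only hit is weaker evidence than a full-URL hit.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in IOC_HOSTS:
        return None
    got = _norm_path(parts.path)
    for ioc in IOCS:
        if ioc["host"] == host and (got == ioc["path"] or got.startswith(ioc["path"] + "/")):
            return "url"
    return "host"


# Constructed proxy log (not from the sample run): timestamp client method url status
SAMPLE_PROXY_LOG = """\
2021-01-21T10:02:11Z 10.0.0.5 GET https://www.example.com/ 200
2021-01-21T10:02:13Z 10.0.0.5 GET https://www.oshiscafe.com/wp-admin/5Dm/ 200
2021-01-21T10:02:14Z 10.0.0.5 GET http://xunhong.net/sys-cache/D0 404
2021-01-21T10:02:20Z 10.0.0.9 GET https://lionrockbatteries.com/ 200
"""


def scan_proxy_log(text: str) -> List[Dict]:
    """Return one record per log line that touches a dropper host or URL."""
    hits = []
    for line in text.splitlines():
        ts, client, method, url, status = line.split()
        level = classify_request(url)
        if level:
            hits.append({"ts": ts, "client": client, "url": url,
                         "status": status, "match": level})
    return hits


if __name__ == "__main__":
    for ioc in IOCS:
        print(f"{ioc['host']:28} {ioc['defanged']}")
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Block on the full URLs rather than the bare hosts: the hosts appear to be legitimate sites serving the payload from a planted directory, so a host-only hit is worth a look but not an automatic verdict, and a client that reaches several of the listed URLs in sequence (the dropper walks the list until one download succeeds) is a much stronger signal than one request.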

Targets

    • Target

      f61e88107c42c1af97e24dcfcb14abfbe34e5e9ed02b00866ed97bf7e138ecc8

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

      A process the sandbox blocklists for network activity (for example a script host launched from a document) made an outbound connection.

    • Loads dropped DLL

      A DLL written to disk during the run was subsequently loaded into a process.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). This heuristic is often associated with ransomware, but loaders and installers that query drive letters or raw devices trigger it too, so on its own it is weak evidence.
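The four signatures above are generic behavioural rules rather than anything specific to this sample. The Python below is an added example, not the sandbox's own rules or code from the sample: it replays equivalent rules over a constructed Sysmon-style event trace so the firing conditions are explicit, including the stateful "dropped DLL" rule that needs a prior file write. The event schema, the parent/child lists, the network blocklist, the device-name prefixes and every event (including the DLL name Kx2.dll) are assumptions of the example.

```python
"""Replay the report's behaviour signatures over constructed endpoint events.

Added example, not the sandbox's own rules or code from the sample. The event
schema, the parent/child pairs, the network blocklist and the device-name
prefixes are assumptions chosen to mirror the four signatures in the report;
every event below is constructed for the example.
"""
from typing import Dict, List

# "Process spawned unexpected child process": document handlers launching
# script hosts or shells (assumed lists).
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPECT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# "Blocklisted process makes network request": script hosts and LOLBins that
# rarely need outbound connections on their own (assumed list).
NET_BLOCKLIST = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                 "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# "Enumerates physical storage devices": raw device names a user-mode process
# opens to reach disks and optical drives directly (assumed prefixes, lower case).
PHYSICAL_DEVICE_PREFIXES = ("\\\\.\\physicaldrive", "\\device\\harddisk", "\\\\.\\cdrom")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'winword.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: List[Dict]) -> List[Dict]:
    """Run the four rules in event order and return the signatures that fired.

    "Loads dropped DLL" is stateful: a DLL only counts as dropped if an earlier
    file_write event in the same trace created it.
    """
    alerts: List[Dict] = []
    dropped: set = set()
    for ev in events:
        image = basename(ev.get("image", ""))
        kind = ev["kind"]
        if kind == "process":
            parent = basename(ev.get("parent_image", ""))
            if parent in DOCUMENT_PARENTS and image in SUSPECT_CHILDREN:
                alerts.append({"signature": "Process spawned unexpected child process",
                               "pid": ev["pid"], "detail": f"{parent} -> {image}"})
        elif kind == "network":
            if image in NET_BLOCKLIST:
                alerts.append({"signature": "Blocklisted process makes network request",
                               "pid": ev["pid"], "detail": f"{image} -> {ev['dest']}:{ev['port']}"})
        elif kind == "file_write":
            dropped.add(ev["path"].lower())
        elif kind == "image_load":
            if ev["path"].lower() in dropped:
                alerts.append({"signature": "Loads dropped DLL",
                               "pid": ev["pid"], "detail": f"{image} loads {ev['path']}"})
        elif kind == "file_open":
            if ev["path"].lower().startswith(PHYSICAL_DEVICE_PREFIXES):
                alerts.append({"signature": "Enumerates physical storage devices",
                               "pid": ev["pid"], "detail": f"{image} opens {ev['path']}"})
    return alerts


# Constructed trace in the shape of Sysmon-style telemetry: a Word document
# starts PowerShell, which fetches a payload, writes a DLL and hands it to
# regsvr32, which then touches the raw disk device. Paths and names are made up.
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
REGSVR = "C:\\Windows\\System32\\regsvr32.exe"
DROPPED_DLL = "C:\\Users\\user\\AppData\\Local\\Temp\\Kx2.dll"   # constructed name

SAMPLE_EVENTS: List[Dict] = [
    {"kind": "process", "pid": 4012, "image": WORD, "parent_image": "C:\\Windows\\explorer.exe"},
    {"kind": "process", "pid": 4100, "image": PS, "parent_image": WORD},
    {"kind": "network", "pid": 4100, "image": PS, "dest": "www.oshiscafe.com", "port": 443},
    {"kind": "file_write", "pid": 4100, "image": PS, "path": DROPPED_DLL},
    {"kind": "process", "pid": 4188, "image": REGSVR, "parent_image": PS},
    {"kind": "image_load", "pid": 4188, "image": REGSVR, "path": DROPPED_DLL},
    {"kind": "file_open", "pid": 4188, "image": REGSVR, "path": "\\\\.\\PhysicalDrive0"},
    {"kind": "process", "pid": 5000, "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"kind": "network", "pid": 5100, "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "dest": "www.example.com", "port": 443},
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['pid']}] {alert['signature']}: {alert['detail']}")
```

Note which events do not fire: cmd.exe under explorer.exe and a browser making a connection are normal, and regsvr32.exe started by PowerShell is not caught by the parent/child rule as written. The rules only become convincing in combination, which is why the report scores the chain as a whole rather than any single signature, and why the storage-enumeration rule alone should not be read as ransomware.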
