General

  • Target

    5c7bb8c2bd7a115517be5d5b370391154304ddb68b3d29a464c4cb93521e1bf6

  • Size

    172KB

  • Sample

    210122-wv3hp4p6dx

  • MD5

    46a451c9ce8ab25283dbb3c58a60c6ee

  • SHA1

    496430bbb013411df604514f3b9bd5a23f769d95

  • SHA256

    5c7bb8c2bd7a115517be5d5b370391154304ddb68b3d29a464c4cb93521e1bf6

  • SHA512

    dc75eb490595d3333e36b4402039c447e76dff39309426b46a511d65ebc16861045c473644d6dbab85421b7726e5c45692eaa573018f8cc93b5bae1c5c2840bc

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (all of type exe.dropper)

    http://coworkingplus.es/wp-admin/FxmME/
    http://silkonbusiness.matrixinfotechsolution.com/js/q26/
    https://bbjugueteria.com/s6kscx/Z/
    https://www.bimception.com/wp-admin/sHy5t/
    http://armakonarms.com/wp-includes/fz/
    http://alugrama.com.mx/t/2/
    http://homecass.com/wp-content/iF/
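The seven exe.dropper URLs above are the actionable part of the extracted config. The following is an added example (not part of the sandbox report) that turns that list into hunting artifacts and sweeps proxy log lines for requests to the staging paths. The URL list is the one on this page; the proxy log lines and their column format are constructed for illustration.

```python
"""
Hunting artifacts from the exe.dropper URLs in the extracted ps1 dropper
config, plus a check of proxy log lines against them.
Added example; the log lines are constructed, not from the sandbox run.
"""
from urllib.parse import urlsplit

# URLs exactly as listed in the extracted malware config on this page.
DROPPER_URLS = [
    "http://coworkingplus.es/wp-admin/FxmME/",
    "http://silkonbusiness.matrixinfotechsolution.com/js/q26/",
    "https://bbjugueteria.com/s6kscx/Z/",
    "https://www.bimception.com/wp-admin/sHy5t/",
    "http://armakonarms.com/wp-includes/fz/",
    "http://alugrama.com.mx/t/2/",
    "http://homecass.com/wp-content/iF/",
]

# Constructed proxy log (assumed format: time client method url status bytes).
PROXY_LOG = """\
2021-01-22T10:00:01Z 10.0.0.5 GET http://coworkingplus.es/wp-admin/FxmME/ 200 1122
2021-01-22T10:00:03Z 10.0.0.5 GET http://example.org/index.html 200 5402
2021-01-22T10:00:05Z 10.0.0.7 GET https://bbjugueteria.com/s6kscx/Z/ 404 0
2021-01-22T10:00:09Z 10.0.0.7 GET http://HOMECASS.com/wp-content/iF/x.exe 200 176128
2021-01-22T10:00:12Z 10.0.0.9 GET http://homecass.com/wp-content/other/ 200 300
"""


def defang(url):
    """Make a URL non-clickable for reports: http -> hxxp, '.' -> '[.]'."""
    scheme, rest = url.split("://", 1)
    return scheme.replace("http", "hxxp") + "://" + rest.replace(".", "[.]")


def host_path_pairs(urls):
    """Normalise each URL to a (lowercase host, path) pair. The scheme is
    dropped because the same staging path may be served over http or https."""
    pairs = set()
    for u in urls:
        parts = urlsplit(u)
        pairs.add((parts.hostname.lower(), parts.path or "/"))
    return pairs


def blocklist_hosts(urls):
    """Sorted unique hostnames, suitable for a DNS or proxy block list."""
    return sorted({h for h, _ in host_path_pairs(urls)})


def match_proxy_log(log_text, urls):
    """Return (line_number, url) for requests whose host equals a dropper host
    and whose path starts with the dropper path. The config paths are
    directories, so the actual payload fetch is usually one level deeper."""
    pairs = host_path_pairs(urls)
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than abort the sweep
        req = urlsplit(fields[3])
        if not req.hostname:
            continue
        host = req.hostname.lower()
        for h, p in pairs:
            if host == h and req.path.startswith(p):
                hits.append((n, fields[3]))
                break
    return hits


if __name__ == "__main__":
    for u in DROPPER_URLS:
        print(defang(u))
    print(blocklist_hosts(DROPPER_URLS))
    for n, u in match_proxy_log(PROXY_LOG, DROPPER_URLS):
        print(f"line {n}: {defang(u)}")
```

Matching on host plus path prefix rather than the exact string is deliberate: the listed URLs are directories on compromised WordPress-style sites, and a real download request carries an extra filename or query component that an exact match would miss. Case folding on the host side handles proxies that log the hostname as typed.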

Targets

    • Target

      5c7bb8c2bd7a115517be5d5b370391154304ddb68b3d29a464c4cb93521e1bf6

    • Size

      172KB

    • MD5

      46a451c9ce8ab25283dbb3c58a60c6ee

    • SHA1

      496430bbb013411df604514f3b9bd5a23f769d95

    • SHA256

      5c7bb8c2bd7a115517be5d5b370391154304ddb68b3d29a464c4cb93521e1bf6

    • SHA512

      dc75eb490595d3333e36b4402039c447e76dff39309426b46a511d65ebc16861045c473644d6dbab85421b7726e5c45692eaa573018f8cc93b5bae1c5c2840bc

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). The sandbox treats this as likely ransomware behaviour; for a PowerShell dropper it is a weak indicator on its own and should be weighed together with the process-spawn and network signatures above.
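The first two signatures (an unexpected child process, and a blocklisted process making a network request) are the ones a detection engineer would want to reproduce in telemetry. The following is an added example, not the sandbox's own logic and not a reconstruction of this sample's process tree (which the report does not show). The Sysmon-like event records, the set of document-handling parents, and the blocklisted script hosts are all assumptions made for illustration.

```python
"""
Detection logic for two signatures in this report: a document-handling
parent spawning an unexpected child (macro/exploit), and a blocklisted
script host making a network request. Added example; the events below are
constructed and do not reproduce this sample's actual process tree.
"""
import ntpath

# Parents that should not spawn a script host in normal use (assumption).
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                    "outlook.exe", "acrord32.exe"}
# Script/LOLBin hosts treated as blocklisted for network activity (assumption).
BLOCKLISTED = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "rundll32.exe"}

# Constructed Sysmon-style events: eid 1 = process create, eid 3 = network connect.
EVENTS = [
    {"eid": 1, "pid": 3300, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmd": "explorer.exe"},
    {"eid": 1, "pid": 4120, "ppid": 3300,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmd": '"WINWORD.EXE" /n invoice.doc'},
    {"eid": 1, "pid": 4488, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": "powershell -w hidden -nop"},
    {"eid": 1, "pid": 4502, "ppid": 3300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "powershell"},
    {"eid": 3, "pid": 4488,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst": "203.0.113.10", "dport": 80},
    {"eid": 3, "pid": 4120,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dst": "203.0.113.20", "dport": 443},
]


def basename(path):
    """Lower-cased file name of a Windows path, independent of host OS."""
    return ntpath.basename(path).lower()


def unexpected_children(events):
    """Process-create events where a document handler spawned a script host.
    Returns (parent_pid, child_pid, child_image_name) tuples."""
    hits = []
    for e in events:
        if e["eid"] != 1:
            continue
        if basename(e["parent"]) in DOCUMENT_PARENTS and basename(e["image"]) in BLOCKLISTED:
            hits.append((e["ppid"], e["pid"], basename(e["image"])))
    return hits


def blocklisted_network(events):
    """Network-connect events originating from a blocklisted image.
    Returns (pid, image_name, dst, dport) tuples."""
    return [(e["pid"], basename(e["image"]), e["dst"], e["dport"])
            for e in events
            if e["eid"] == 3 and basename(e["image"]) in BLOCKLISTED]


def correlated(events):
    """Pids that were both spawned unexpectedly and made a network request.
    Either signal alone is noisy (admins run PowerShell; Office talks to
    update servers); the two together on one pid is a high-confidence hit."""
    spawned = {pid for _, pid, _ in unexpected_children(events)}
    return sorted({pid for pid, *_ in blocklisted_network(events) if pid in spawned})


if __name__ == "__main__":
    print("unexpected children:", unexpected_children(EVENTS))
    print("blocklisted network:", blocklisted_network(EVENTS))
    print("correlated pids:", correlated(EVENTS))
```

The interactive PowerShell launched from explorer.exe (pid 4502) is intentionally not flagged: it is the same binary, but the parent is expected. The correlation step is what turns two weak per-event signatures into something closer to the sandbox's verdict.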

MITRE ATT&CK Enterprise v6

Tasks