General
-
Target
docs.7z
-
Size
126KB
-
Sample
210125-nyfq4cdw4s
-
MD5
01a753e6508bb28a4ced146d6bfcfb01
-
SHA1
8ba94f53f8a39f79f98e2750f5281a02c0c51627
-
SHA256
4c27a34482b07a5b2544f0bcd6abc5218220ee3f3308ff29c775f413f8abd6b3
-
SHA512
7fc72302736d7979c0886d5bba139ba6b89ada41c547e4a8c7fadfb242dc6392722b5710b8aa6b213083e318a58829e39b5aec8f1de52e52d0cbfdffa76c10bc
Malware Config
Extracted
http://trainwithconviction.com/wp-admin/y/
http://trainwithconviction.webdmcsolutions.com/wp-admin/rEEEU/
https://perrasmoore.ca/wp-admin/rM6HK/
https://canadabrightway.com/wp-admin/n3/
https://upinsmokebatonrouge.com/var/Ux1V/
https://thelambertagency.com/staging/Vo/
https://stormhansen.com/2556460492/if/
Extracted
http://www.achutamanasa.com/media/Te/
http://opticaquilin.cl/wp-includes/FFueL/
https://www.infoquick.co.uk/assets/h/
http://vilajansen.com.br/loja_old_1/p/
http://oftalmovilaplana.com/wp-includes/wfKu/
https://cashyinvestment.org/wp-content/21dIZ/
http://merkadito.mx/upload/6/
Extracted
emotet
Epoch2
12.175.220.98:80
162.241.204.233:8080
50.116.111.59:8080
172.86.188.251:8080
139.99.158.11:443
66.57.108.14:443
75.177.207.146:80
194.190.67.75:80
50.245.107.73:443
173.70.61.180:80
85.105.205.77:8080
104.131.11.150:443
62.75.141.82:80
70.92.118.112:80
194.4.58.192:7080
120.150.60.189:80
24.231.88.85:80
78.24.219.147:8080
110.142.236.207:80
119.59.116.21:8080
Targets
-
-
Target
docs/2923 N 92ST.doc
-
Size
164KB
-
MD5
40d3757eef5a4d179278f8396f024d8d
-
SHA1
431432bf79afb24cf7abeb89525ae1cf3b27340b
-
SHA256
4f988ec89433c3babedf82dd156b3b1d5ec3116d3e3829533573f9b3f3570097
-
SHA512
0bf5b5022828118263ca9f8f1db4879e546c03d029a566756f9d886bfcd53916682e2ae99aff35befdbce3604824aad6f6d2774f2cd080e8f76311050ba29579
Score5/10-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
-
-
Target
docs/95800_700631990557_1430.doc
-
Size
165KB
-
MD5
9b23870fc03f772b9284764d6cebe66a
-
SHA1
fc66ccb0f37283b8a69d3cc0aaf9b9006439c7c7
-
SHA256
3a32e16f1f32e5b3ce2dd2710fb2ec9c767a85dee05418461ca8d0ff9a16da9f
-
SHA512
bc4c14702af4fa20d32ed169f2082b8e53b030e00781995033a8fdf6c81da270224dcfac7d95fa9708d1e68b48d4c723144e23e5d38cd958578e855e30c4e20d
Score5/10-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
-
-
Target
docs/9623_645595827462_5112.doc
-
Size
167KB
-
MD5
9b7b1d33e2ca7d93f242327ac0abc17b
-
SHA1
0700e44ad4c0eeb78d3a3029ab92ab09ebc4adc5
-
SHA256
f3b96a22b0a059493c48121986cbb5945dc6d6aa5b0d868b6f46907c88bcbb8c
-
SHA512
5a74ba3ec3cb86549585f84f9f0c240e6e9c449878d9e3232d357f3e841637ecafe64dbc13562a0b03fdc488e052abfc88dac65a973c472c234d5a247a983b79
Score5/10-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
-
-
Target
docs/Emailing - HN335PUITY 591.doc
-
Size
165KB
-
MD5
94974a099ee6dbf6426415bb5a865286
-
SHA1
752443b4bb9933d354358859db6590eff163394e
-
SHA256
faacec9886f74607cfd261fcb744452942cfc08b64b293445657dd0f73fb799e
-
SHA512
cfd6d60f9aa9e5198a4ab5db8656f735ac02e9cc1b109e897403a71dda0882be40b360ac933ce3dd2f49d9ab5aaee06edff3a4b53a9e9049102515b4ad261fbe
Score5/10-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
-
-
Target
docs/Emailing - KN853DFOJH 787.doc
-
Size
165KB
-
MD5
7a77273288972c4404e2efcce371d312
-
SHA1
b7b3e80ea486d1e3f1899e93b3f97938140eb4d3
-
SHA256
c07680130c970fffc7fab503d5d25e669ccccf8c880d122679a76a9ed1a4e026
-
SHA512
cae7c76e6c61afe54f45ae670728f378f5c8bad6f1457f9f8cfec712f3ed6690e65e4b7d2cb7324f510358cdeae65051387a9ce0c05085b8312e8b48fe7d4ca1
Score5/10-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
-
-
Target
docs/Form - Jan 20, 2021.doc
-
Size
164KB
-
MD5
5b7add89570a2acf073b4c4b10f917af
-
SHA1
3bcc2b59d715b5aaf80955940b8bf42027b71363
-
SHA256
b67768458ac837b01c2453d84fcddad7e044d4e6fbc70d6aa087ab2d3c449f95
-
SHA512
98e845cdc0a66cd6f6de461fd3052a3387669cfbc0d877583203cbf9507afa916bb87ff1823d6fc877089d8a8704fb7c62a1992072e21567159d4cfe3027559c
Score5/10-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
-
-
Target
docs/New Doc 2021-01-20 10.15.13_3.doc
-
Size
165KB
-
MD5
0697adbbf0e0a55b99563776c83fc192
-
SHA1
4598c9e8870d6a5ab81ac3cda77c52ac3241f259
-
SHA256
4005ac4847a7b5764556b2b964793048d3d156682d5e596771ef01a192eaec02
-
SHA512
756cb6bb6a90302b6252365bab29bf37a53ee44d05cc6ca5c8b0b71f558543dc088cc23d02d807b03c505d19586ae7dd1fc0d17dbdd5259a032d6b487fe72583
Score5/10-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
-
-
Target
docs/New Doc 2021-01-20 10.17.12_7.doc
-
Size
164KB
-
MD5
40d3757eef5a4d179278f8396f024d8d
-
SHA1
431432bf79afb24cf7abeb89525ae1cf3b27340b
-
SHA256
4f988ec89433c3babedf82dd156b3b1d5ec3116d3e3829533573f9b3f3570097
-
SHA512
0bf5b5022828118263ca9f8f1db4879e546c03d029a566756f9d886bfcd53916682e2ae99aff35befdbce3604824aad6f6d2774f2cd080e8f76311050ba29579
Score5/10-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
-
-
Target
docs/New Doc 2021-01-20 11.03.13_3.doc
-
Size
165KB
-
MD5
9b23870fc03f772b9284764d6cebe66a
-
SHA1
fc66ccb0f37283b8a69d3cc0aaf9b9006439c7c7
-
SHA256
3a32e16f1f32e5b3ce2dd2710fb2ec9c767a85dee05418461ca8d0ff9a16da9f
-
SHA512
bc4c14702af4fa20d32ed169f2082b8e53b030e00781995033a8fdf6c81da270224dcfac7d95fa9708d1e68b48d4c723144e23e5d38cd958578e855e30c4e20d
Score5/10-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
-
-
Target
docs/Nuovo documento 2021.01.20.doc
-
Size
165KB
-
MD5
112c42993037d8ef83d775da06a2c04e
-
SHA1
d782ff1696ce579afd7ef38180cd608be17b522c
-
SHA256
2ece87cf6c9c2becec71a241e94b9d0f1ffcc46a7655389df54e401d97167c4f
-
SHA512
1fb108dbb79194dd83dfdf2295b1e7545b0f599f97e9cb3190d8d719f751066c5c4ce100adf63a644183844cdb8ec48a6402a46bc6c439712735e79bc0e3af2c
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Drops file in System32 directory
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
-
-
Target
docs/WLE-010121 BJQ-012221.doc
-
Size
167KB
-
MD5
1a64182f24c7f2457624c7fcd795a355
-
SHA1
f9d16c0716105bd54c9c3c422cd3a08e14537afd
-
SHA256
5ef4f943153c5f77d484a1fc12a3e6771a586554a420b22242b35f6a5456e618
-
SHA512
b627a016ad8d108320ae6106e37ee381656b4924f331563f1570c3692baff0db8a33d898a1f06e3172c7b4f33bbae509b3e67ac772880d6545ecd2a67562c192
Score5/10-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
-
-
Target
docs/fattura gennaio.doc
-
Size
165KB
-
MD5
23fbeb7bfba5230a8027ee67f3e7339c
-
SHA1
4434ee975937da03227afb12e60696130df1f130
-
SHA256
4dbe87e0f678a4c124b54bfeff68a1bdf208b8fb42dadf6a7304517082cacc7e
-
SHA512
5e7371426dc30542efd055288e6b9171427e586d1808a235d40df4ec0e8c6cbf2eeadbf597b87c847937abb5af7f9f407dbe2160c35fc9d8477c912bca25c112
Score10/10-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-