General

  • Target

    Personal.doc.zip

  • Size

    44KB

  • Sample

    210125-znnxtmt3a2

  • MD5

    7ca055053111cc44d72ce49b60bd183e

  • SHA1

    9a3689eabc2473823ca2b4fbd27aae18f4759e5e

  • SHA256

    28301e8e6ae901ff54259a0d0ad1561762bd3cb286af49fc8456433c64c05d3d

  • SHA512

    d19bc3e0fb5ef71b414c918b87af6e4f46e3bf0919a42826205ca64f197489cea42dfdd4397c6a37ce9106340902a6d2dd57e3156d85a095f7424f0075edc846

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

    URLs

  • exe.dropper

    http://samaotoyikama.com/t

  • exe.dropper

    http://dellyetkiliservis.com/eK7

  • exe.dropper

    http://musicalchorus.com.br/6Ez

  • exe.dropper

    http://reserch.ir/FJS

  • exe.dropper

    http://derinsunakliyat.com/I

Targets

    • Target

      Personal.doc

    • Size

      87KB

    • MD5

      f8a5c6272646fc0729544688c6f0b0fe

    • SHA1

      1b8a9743f694d2ae9c1368a2894e23dc39b3a7aa

    • SHA256

      4015f8b86ebef994d6aabc520b4773de60cd768b00b7c0123e14c7affa7ee0fe

    • SHA512

      b30ef2e8ea6bb7f856bdd7490a49b0043c1a114ee7269e8e607ea07e29ba723a05df82bf506b899238e73fb9cd5f1f2be2f51ed1fd527298edc8fd38a0ecfc39

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Enterprise v6

Tasks