General
-
Target
ARCH-2020-YNC_4114.doc
-
Size
157KB
-
Sample
210126-fcm39vsm1e
-
MD5
feed38798d0bf20a70bd72c742b97ef9
-
SHA1
08ea13bea6a2da4e3e83737c38cc68da749f8581
-
SHA256
24e9aabdc3ffb872e3ada2131e7958e0e784eb7a51205ce15235ea171fe0314b
-
SHA512
d88a972c5339fadb30b891a8f902a1d8df7f883908558571470d8daab9ca4eadb63c305dd5a51f2c475e02f47caf8264711b91db78fe91383449a8e7a2a9287e
Behavioral task
behavioral1
Sample
ARCH-2020-YNC_4114.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
ARCH-2020-YNC_4114.doc
Resource
win10v20201028
Malware Config
Extracted
http://allcannabismeds.com/unraid-map/ZZm6/
http://giannaspsychicstudio.com/cgi-bin/PP/
http://ienglishabc.com/cow/JH/
http://abrillofurniture.com/bph-nclex-wygq4/a7nBfhs/
https://etkindedektiflik.com/pcie-speed/U/
https://vstsample.com/wp-includes/7eXeI/
http://ezi-pos.com/categoryl/x/
Extracted
emotet
Epoch1
152.170.79.100:80
190.247.139.101:80
138.197.99.250:8080
167.71.148.58:443
211.215.18.93:8080
191.241.233.198:80
83.169.21.32:7080
113.163.216.135:80
70.32.84.74:8080
217.13.106.14:8080
177.23.7.151:80
172.104.169.32:8080
187.39.237.56:8080
80.15.100.37:80
177.144.130.105:443
168.121.4.238:80
1.234.65.61:80
191.182.6.118:80
170.81.48.2:80
45.184.103.73:80
190.64.88.186:443
201.75.62.86:80
138.97.60.140:8080
45.16.226.117:443
186.177.174.163:80
202.79.24.136:443
181.61.182.143:80
137.74.106.111:7080
12.163.208.58:80
190.162.232.138:80
81.214.253.80:443
188.135.15.49:80
46.43.2.95:8080
84.5.104.93:80
209.236.123.42:8080
105.209.235.113:8080
51.15.7.145:80
94.176.234.118:443
110.39.162.2:443
46.105.114.137:8080
197.232.36.108:80
186.146.13.184:443
185.183.16.47:80
190.195.129.227:8090
155.186.9.160:80
12.162.84.2:8080
190.24.243.186:80
178.211.45.66:8080
138.97.60.141:7080
172.245.248.239:8080
51.255.165.160:8080
77.78.196.173:443
190.210.246.253:80
190.114.254.163:8080
82.48.39.246:80
192.175.111.212:7080
187.162.248.237:80
81.215.230.173:443
62.84.75.50:80
184.66.18.83:80
192.232.229.53:4143
104.131.41.185:8080
35.143.99.174:80
46.101.58.37:8080
190.136.176.89:80
60.93.23.51:80
190.45.24.210:80
152.169.22.67:80
68.183.170.114:8080
2.80.112.146:80
31.27.59.105:80
177.85.167.10:80
111.67.12.222:8080
5.196.35.138:7080
178.250.54.208:8080
81.213.175.132:80
181.120.29.49:80
1.226.84.243:8080
191.53.80.88:80
122.201.23.45:443
82.208.146.142:7080
185.94.252.27:443
95.76.153.115:80
59.148.253.194:8080
45.4.32.50:80
213.52.74.198:80
188.225.32.231:7080
68.183.190.199:8080
181.136.190.86:80
82.76.111.249:443
110.39.160.38:443
181.30.61.163:443
85.214.26.7:8080
192.232.229.54:7080
149.202.72.142:7080
187.162.250.23:443
202.134.4.210:7080
212.71.237.140:8080
70.32.115.157:8080
111.67.12.221:8080
50.28.51.143:8080
87.106.46.107:8080
108.4.209.15:80
190.251.216.100:80
200.24.255.23:80
191.223.36.170:80
177.144.130.105:8080
93.149.120.214:80
Targets
-
-
Target
ARCH-2020-YNC_4114.doc
-
Size
157KB
-
MD5
feed38798d0bf20a70bd72c742b97ef9
-
SHA1
08ea13bea6a2da4e3e83737c38cc68da749f8581
-
SHA256
24e9aabdc3ffb872e3ada2131e7958e0e784eb7a51205ce15235ea171fe0314b
-
SHA512
d88a972c5339fadb30b891a8f902a1d8df7f883908558571470d8daab9ca4eadb63c305dd5a51f2c475e02f47caf8264711b91db78fe91383449a8e7a2a9287e
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-