General

  • Target: ARCH-2020-YNC_4114.doc
  • Size: 157KB
  • Sample: 210126-fcm39vsm1e
  • MD5: feed38798d0bf20a70bd72c742b97ef9
  • SHA1: 08ea13bea6a2da4e3e83737c38cc68da749f8581
  • SHA256: 24e9aabdc3ffb872e3ada2131e7958e0e784eb7a51205ce15235ea171fe0314b
  • SHA512: d88a972c5339fadb30b891a8f902a1d8df7f883908558571470d8daab9ca4eadb63c305dd5a51f2c475e02f47caf8264711b91db78fe91383449a8e7a2a9287e

Malware Config

Extracted (language: ps1, deobfuscated): exe.dropper URLs

Extracted (family: emotet, botnet: Epoch1): C2 addresses

rsa_pubkey.plain

Targets

    • Target: ARCH-2020-YNC_4114.doc

    • Emotet: Emotet is a trojan that is primarily spread through spam emails.
    • Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Drops file in System32 directory
    • Enumerates physical storage devices: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic           Technique                      ID     Count
Defense Evasion  Modify Registry                T1112  1
Discovery        System Information Discovery   T1082  3
Discovery        Query Registry                 T1012  2

Tasks