Overview

overview

10

Static

static

8

8212515.doc

windows7_x64

10

8212515.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    message_2.zip

  • Size

    100KB

  • Sample

    210126-lmd2g58c1x

  • MD5

    e8d85839b8943b2ef369a50b9430ee28

  • SHA1

    2df6ce60f872383420dd75ba6573b58949db7df0

  • SHA256

    c11ac21bc7b7efda21d9fe5db76ddb64ea7f013ca7d2d3078dd4bb75ddc21f43

  • SHA512

    89d32e5c746edad15bc342ae1bc4ef3e8becd018d2053f5cdee7e33be563c1e5bf56a5383684059a4eb054d7ed12051c5ee6ff5a42317285f36cc15fd81b2ad8

Score
10/10
emotetepoch1bankermacroransomwaretrojanxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://shannared.com/content/lhALeS/
exe.dropper

http://jeevanlic.com/wp-content/r8M/
exe.dropper

http://dashudance.com/thinkphp/dgs7Jm9/
exe.dropper

http://leopardcranes.com/zynq-linux-yaayf/w/
exe.dropper

http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/
exe.dropper

http://3musketeersent.net/wp-includes/TUgD/
exe.dropper

https://skilmu.com/wp-admin/hQVlB8b/

Extracted

Family

emotet

Botnet

Epoch1

C2

84.232.229.24:80

51.255.203.164:8080

217.160.169.110:8080

185.183.16.47:80

190.45.24.210:80

187.162.248.237:80

93.146.143.191:80

185.94.252.27:443

143.0.85.206:7080

80.15.100.37:80

85.105.239.184:443

94.176.234.118:443

62.84.75.50:80

137.74.106.111:7080

172.104.169.32:8080

46.105.114.137:8080

94.126.8.1:80

78.206.229.130:80

93.149.120.214:80

192.175.111.212:7080
rsa_pubkey.plain

Targets

    • Target

      8212515.doc

    • Size

      171KB

    • MD5

      4aaa2599e6477717c623d0a7b0ee4b50

    • SHA1

      13bde25f7b554d7dea7c1d15ce4973514e100536

    • SHA256

      36df660c8e323435d2bc7a5516adcadfbd0b220279f634725e407da9f2b9d4f5

    • SHA512

      3f84e13aba8345f65b119df3de3aa61eb9a199f42439af3177f90225abbd191d90913bd3e9f82f2f75934b6b495dcd5820c6dd5e800caafbaf6f6a1543b97323

    Score
    10/10
    emotetepoch1bankerransomwaretrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks