General

  • Target

    PO# 01222021.doc

  • Size

    167KB

  • Sample

    210126-ra8xc2ljss

  • MD5

    556b98b4cdae000de8f496d6d896743c

  • SHA1

    b7ca4118eab252bc4758fa18265b04a2afbbf9c2

  • SHA256

    dcfb145c4f46a072e988cdeafc065f8116dc3b27d6bed447024677f3ea2f252a

  • SHA512

    8a5ef76599043a63d29bbfffb19b90154c803dfa1096250287d6adc618b6a2a30c33c72e8ce5c7c37e52f5a13392a934eedcf98a753eb19ec9ac17137cf1e9d2

Malware Config

Extracted (PowerShell dropper)

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    http://cab.mykfn.com/admin/X/
    http://bhaktivrind.com/cgi-bin/JBbb8/
    http://vanddnabhargave.com/asset/W9o/
    http://ie-best.net/online-timer-kvhxz/ilXL/
    http://gocphongthe.com/wp-content/lMMC/
    http://www.letscompareonline.com/de.letscompareonline.com/wYd/
    http://cambiasuhistoria.growlab.es/wp-content/hGhY2/

Extracted (payload)

  • Family

    emotet

  • Botnet

    Epoch2

  • C2

    69.38.130.14:80
    195.159.28.230:8080
    162.241.204.233:8080
    115.21.224.117:80
    78.189.148.42:80
    181.165.68.127:80
    78.188.225.105:80
    161.0.153.60:80
    89.106.251.163:80
    172.125.40.123:80
    5.39.91.110:7080
    110.145.11.73:80
    190.251.200.206:80
    144.217.7.207:7080
    75.109.111.18:80
    75.177.207.146:80
    139.59.60.244:8080
    70.183.211.3:80
    95.213.236.64:8080
    61.19.246.238:443

  • rsa_pubkey.plain

Targets

    • Target

      PO# 01222021.doc

    • Size

      167KB

    • MD5

      556b98b4cdae000de8f496d6d896743c

    • SHA1

      b7ca4118eab252bc4758fa18265b04a2afbbf9c2

    • SHA256

      dcfb145c4f46a072e988cdeafc065f8116dc3b27d6bed447024677f3ea2f252a

    • SHA512

      8a5ef76599043a63d29bbfffb19b90154c803dfa1096250287d6adc618b6a2a30c33c72e8ce5c7c37e52f5a13392a934eedcf98a753eb19ec9ac17137cf1e9d2

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 3
    Query Registry (T1012): 2

Tasks