Overview

overview

10

Static

static

8

Informacion_25.doc

windows7_x64

10

Informacion_25.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Informacion_25 (1).zip

  • Size

    82KB

  • Sample

    210127-fb2z2y4qnn

  • MD5

    8ec3cf0cc0efc243d04682b85033853c

  • SHA1

    91a02fc32cf07bfc7b29ed1562a2cfce97214fbc

  • SHA256

    d340c0d22edd519394e28101ca49fbeab1e1956a0dda317db2e71ee5e50ab23c

  • SHA512

    17dbde2d2387c71263f6450e91cf04d29e0daf1db2fbe3ae8f9df38dc1960215ebe8410b43a1f661f660a82b22c14c29ddcd3a04b73304a1c992aa16b8e60456

Score
10/10
emotetepoch2bankermacroransomwaretrojanxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://www.escalierconsulting.com/wp-includes/I/
exe.dropper

http://aecotimes.com/wp-admin/44Z/
exe.dropper

http://rakikuma.com/cgi-bin/K/
exe.dropper

http://de.letscompareonline.com/cgi-bin/ztEE/
exe.dropper

http://haumaguerraevoceoalvo.com.br/wp-includes/0Hm/
exe.dropper

http://paulomarciotrp.com/z/y/
exe.dropper

https://njyp.com/wp-content/Nz/1/

Extracted

Family

emotet

Botnet

Epoch2

C2

69.38.130.14:80

195.159.28.230:8080

162.241.204.233:8080

181.165.68.127:80

49.205.182.134:80

190.251.200.206:80

139.59.60.244:8080

119.59.116.21:8080

89.216.122.92:80

185.94.252.104:443

70.92.118.112:80

78.24.219.147:8080

173.70.61.180:80

87.106.139.101:8080

66.57.108.14:443

24.179.13.119:80

121.124.124.40:7080

61.19.246.238:443

200.116.145.225:443

93.146.48.84:80
rsa_pubkey.plain

Targets

    • Target

      Informacion_25.doc

    • Size

      172KB

    • MD5

      0ccb4f75ef19e618d216816a5282bd09

    • SHA1

      7028d7080ce78804176cd1a14b3ceed1c9c374cc

    • SHA256

      47b5048b9811c07120b3d72a7c46281cd98f12d807cbc75b70bf1d18925c6cc2

    • SHA512

      c5a8d46a5cdc956309882075cdd292a7388ee08520e62fb0633a17a9a0d62f67782f0dd4218bd941920e00873014de2f635b0ed9df97db913edb54d4f29aba95

    Score
    10/10
    emotetepoch2bankerransomwaretrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks