Overview

overview

10

Static

static

8

Datos_2021...58.doc

windows7_x64

10

Datos_2021...58.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Datos_2021_D_81958.doc

  • Size

    165KB

  • Sample

    210127-ydmxkz1ryn

  • MD5

    81cdd55af265255b18a9b2700f475d76

  • SHA1

    c60563e15a43058a594c36c5ec54dd8ef74c6b6b

  • SHA256

    985fae09feedd61a2e56ed1ddbae8de0d34a19c65ab3eb12b057303258aff99c

  • SHA512

    03230f229410699bf36ca57948e722438c891bba187cfeaa96454f7259ec6d9e11d0d8a5597facbb777a04edc4c89659ea11e9b9f6997091077060bee488c431

Score
10/10
emotetepoch2bankermacroransomwaretrojanxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://inhaustyle.com/wp-admin/7OtP5/
exe.dropper

https://elsadinc.com/wp-content/B/
exe.dropper

https://jolifm.com/new/5hkc3/
exe.dropper

https://technologydistilled.com/a-nurse-ss8d9/z/
exe.dropper

http://o7therapy.com/egyptian-comedy-hiiro/As0/
exe.dropper

http://signinsolution.com/wp-content/Vr0/
exe.dropper

http://cashstreamfinancial.com/wp-admin/23/

Extracted

Family

emotet

Botnet

Epoch2

C2

69.38.130.14:80

195.159.28.230:8080

162.241.204.233:8080

115.21.224.117:80

78.189.148.42:80

181.165.68.127:80

78.188.225.105:80

161.0.153.60:80

89.106.251.163:80

172.125.40.123:80

5.39.91.110:7080

110.145.11.73:80

190.251.200.206:80

144.217.7.207:7080

75.109.111.18:80

75.177.207.146:80

139.59.60.244:8080

70.183.211.3:80

95.213.236.64:8080

61.19.246.238:443
rsa_pubkey.plain

Targets

    • Target

      Datos_2021_D_81958.doc

    • Size

      165KB

    • MD5

      81cdd55af265255b18a9b2700f475d76

    • SHA1

      c60563e15a43058a594c36c5ec54dd8ef74c6b6b

    • SHA256

      985fae09feedd61a2e56ed1ddbae8de0d34a19c65ab3eb12b057303258aff99c

    • SHA512

      03230f229410699bf36ca57948e722438c891bba187cfeaa96454f7259ec6d9e11d0d8a5597facbb777a04edc4c89659ea11e9b9f6997091077060bee488c431

    Score
    10/10
    emotetepoch2bankerransomwaretrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • JavaScript code in executable

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks