General
-
Target
625fb60da12e4d1af4f6feb933ce621d6a2a51d59b6f24d441b633440482d32c
-
Size
145KB
-
Sample
210211-3v8wefsyje
-
MD5
9291595e34c9041583fc3f39237bed69
-
SHA1
969da17d764592dd8a037a0e50f797ed2c38445d
-
SHA256
625fb60da12e4d1af4f6feb933ce621d6a2a51d59b6f24d441b633440482d32c
-
SHA512
227d707be6d1ef1870f4069d54ce14fbadc48785cd21cd38f86c552e508fed0774e05366fd80faa304ac5b2f23c6924f0c68d1af9cd5b8c09522295e93c16438
Behavioral task
behavioral1
Sample
625fb60da12e4d1af4f6feb933ce621d6a2a51d59b6f24d441b633440482d32c.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
625fb60da12e4d1af4f6feb933ce621d6a2a51d59b6f24d441b633440482d32c.doc
Resource
win10v20201028
Malware Config
Extracted
http://buarf.com/vcds-throttle-w4z41/pqqn/
http://vataas.com/3325390551/5W/
https://blog.tqdesign.vn/banner/uW/
https://www.abyssos.eu/wp-content/p/
http://gieoduyen.vn/css/PxmtB/
http://bambathamobileloans.co.za/cgi-bin/X/
Extracted
emotet
Epoch3
132.248.38.158:80
203.157.152.9:7080
157.245.145.87:443
110.37.224.243:80
70.32.89.105:8080
185.142.236.163:443
192.241.220.183:8080
91.83.93.103:443
54.38.143.245:8080
192.210.217.94:8080
37.205.9.252:7080
78.90.78.210:80
182.73.7.59:8080
163.53.204.180:443
91.75.75.46:80
172.104.46.84:8080
161.49.84.2:80
27.78.27.110:443
203.160.167.243:80
109.99.146.210:8080
120.51.34.254:80
203.56.191.129:8080
183.91.3.63:80
37.46.129.215:8080
188.226.165.170:8080
116.202.10.123:8080
223.17.215.76:80
198.20.228.9:8080
185.208.226.142:8080
68.133.75.203:8080
192.163.221.191:8080
46.105.131.68:8080
8.4.9.137:8080
2.82.75.215:80
178.62.254.156:8080
110.172.180.180:8080
175.103.38.146:80
201.212.61.66:80
190.19.169.69:443
143.95.101.72:8080
91.93.3.85:8080
139.59.12.63:8080
46.32.229.152:8080
195.159.28.244:8080
58.27.215.3:8080
202.29.237.113:8080
5.79.70.250:8080
103.93.220.182:80
75.127.14.170:8080
201.193.160.196:80
139.5.101.203:80
186.96.170.61:80
49.206.16.156:80
178.254.36.182:8080
157.7.164.178:8081
172.96.190.154:8080
172.193.14.201:80
203.153.216.178:7080
2.58.16.86:8080
186.146.229.172:80
117.2.139.117:443
113.161.176.235:80
190.85.46.52:7080
180.148.4.130:8080
50.116.78.109:8080
152.32.75.74:443
162.144.145.58:8080
74.208.173.91:8080
122.116.104.238:8443
178.33.167.120:8080
103.80.51.61:8080
65.32.168.171:80
190.18.184.113:80
24.230.124.78:80
103.229.73.17:8080
179.233.3.89:80
88.58.209.2:80
82.78.179.117:443
115.79.195.246:80
190.107.118.125:80
188.166.220.180:7080
79.133.6.236:8080
139.59.61.215:443
195.201.56.70:8080
201.163.74.204:80
Extracted
emotet
LEA
80.158.3.161:443
80.158.51.209:8080
80.158.35.51:80
80.158.63.78:443
80.158.53.167:80
80.158.62.194:443
80.158.59.174:8080
80.158.43.136:80
Targets
-
-
Target
625fb60da12e4d1af4f6feb933ce621d6a2a51d59b6f24d441b633440482d32c
-
Size
145KB
-
MD5
9291595e34c9041583fc3f39237bed69
-
SHA1
969da17d764592dd8a037a0e50f797ed2c38445d
-
SHA256
625fb60da12e4d1af4f6feb933ce621d6a2a51d59b6f24d441b633440482d32c
-
SHA512
227d707be6d1ef1870f4069d54ce14fbadc48785cd21cd38f86c552e508fed0774e05366fd80faa304ac5b2f23c6924f0c68d1af9cd5b8c09522295e93c16438
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation