General
-
Target
715082.zip
-
Size
85KB
-
Sample
210212-dsqw2m2ed6
-
MD5
f2450c9a34e4ce97a9f2ed3a69c112e3
-
SHA1
b7acbd4c500c7dbb197dc153039ef4d4aee87d4d
-
SHA256
e655f6d38b4fe6444a4ff777df30d395bae250cbf5dce0f9dd9267a344c01c47
-
SHA512
768091f5566bca81c19dd495a6597dfd5faf54c7571d5d26af2a525d1a6c53ef15e32367b529a0bab400babc4d5a13564e26fc3de6224b91cd6c14dc5317e2fd
Behavioral task
behavioral1
Sample
715082.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
715082.doc
Resource
win10v20201028
Malware Config
Extracted
http://zhongsijiacheng.com/wp-content/jn5/
http://artistascitizen.com/wp-content/Bx3cr6/
http://ombchardin.com/archive/V/
https://apsolution.work/magneti-marelli-zkkmb/toq7Eiy/
https://happycheftv.com/wp-admin/z6uGcbY/
https://careercoachconnection.com/tenderometer/4K/
https://tacademicos.com/content/JbF68i/
Extracted
emotet
Epoch1
181.10.46.92:80
2.58.16.88:8080
206.189.232.2:8080
178.250.54.208:8080
167.71.148.58:443
202.134.4.210:7080
187.162.248.237:80
78.206.229.130:80
85.214.26.7:8080
5.196.35.138:7080
1.226.84.243:8080
110.39.162.2:443
185.183.16.47:80
152.231.89.226:80
138.97.60.141:7080
94.176.234.118:443
46.101.58.37:8080
93.146.143.191:80
70.32.84.74:8080
137.74.106.111:7080
80.15.100.37:80
68.183.190.199:8080
154.127.113.242:80
70.32.115.157:8080
12.163.208.58:80
31.27.59.105:80
110.39.160.38:443
68.183.170.114:8080
87.106.46.107:8080
105.209.235.113:8080
185.94.252.27:443
209.236.123.42:8080
60.93.23.51:80
186.177.174.163:80
177.85.167.10:80
111.67.12.221:8080
191.241.233.198:80
149.202.72.142:7080
12.162.84.2:8080
217.13.106.14:8080
197.232.36.108:80
192.232.229.53:4143
143.0.85.206:7080
177.23.7.151:80
213.52.74.198:80
51.255.165.160:8080
181.30.61.163:443
93.149.120.214:80
212.71.237.140:8080
51.15.7.145:80
190.247.139.101:80
188.135.15.49:80
155.186.9.160:80
91.233.197.70:80
95.76.153.115:80
46.43.2.95:8080
152.169.22.67:80
138.197.99.250:8080
104.131.41.185:8080
211.215.18.93:8080
81.215.230.173:443
152.170.79.100:80
190.114.254.163:8080
190.251.216.100:80
201.241.127.190:80
82.208.146.142:7080
172.245.248.239:8080
190.64.88.186:443
192.175.111.212:7080
50.28.51.143:8080
81.17.93.134:80
202.79.24.136:443
190.24.243.186:80
190.162.232.138:80
62.84.75.50:80
190.210.246.253:80
190.45.24.210:80
172.104.169.32:8080
82.48.39.246:80
188.225.32.231:7080
45.16.226.117:443
178.211.45.66:8080
138.97.60.140:8080
122.201.23.45:443
170.81.48.2:80
81.214.253.80:443
80.249.176.206:80
83.169.21.32:7080
46.105.114.137:8080
83.144.109.70:80
191.223.36.170:80
200.75.39.254:80
201.185.69.28:443
Targets
-
-
Target
715082.doc
-
Size
159KB
-
MD5
439c9779f4eb98afacdc55bb14e0f1f1
-
SHA1
e2710777a7b7a97233b181f1080aa46cba8bcd27
-
SHA256
be5a6da37fac071766412acb88d25ffd84dc8423a1e9c74c5cce310e12456b10
-
SHA512
b59e497db0d4282940fc67194c95d9ce6ebbaf6b3666090bbc6843fd120f1d0775cf534d98b2b80e14a88a7522a1fef1b6628e8206206d03ad2b40a98cb84dc3
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-