General

  • Target

    INV895212 200121.doc

  • Size

    158KB

  • Sample

    210215-fklkz78fse

  • MD5

    67c9e5cb7f3d94b57b015f898e47f7ae

  • SHA1

    6b15c55ddc7bd8fd48847f99469e60cb8b376f63

  • SHA256

    7b8c40801574e57e1e8ec63d7ef48d8072a41b95e548f7b140744017b2b3c0f3

  • SHA512

    5bf584e06564664ea022cf992e6c54ee58ba91d1bf7e4dc31b9604ace0f99b9f6d441021fa6c9709b14762743806daae668d7eb4297be74890a7f8d3795d0f57

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs (exe.dropper)

Extracted

  • Family

    emotet

  • Botnet

    Epoch1

  • C2


  • rsa_pubkey.plain

Targets

    • Target

      INV895212 200121.doc


    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1 match

  • Discovery

    System Information Discovery (T1082): 3 matches

    Query Registry (T1012): 2 matches
