General
-
Target
INV895212 200121.doc
-
Size
158KB
-
Sample
210215-fklkz78fse
-
MD5
67c9e5cb7f3d94b57b015f898e47f7ae
-
SHA1
6b15c55ddc7bd8fd48847f99469e60cb8b376f63
-
SHA256
7b8c40801574e57e1e8ec63d7ef48d8072a41b95e548f7b140744017b2b3c0f3
-
SHA512
5bf584e06564664ea022cf992e6c54ee58ba91d1bf7e4dc31b9604ace0f99b9f6d441021fa6c9709b14762743806daae668d7eb4297be74890a7f8d3795d0f57
Behavioral task
behavioral1
Sample
INV895212 200121.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
INV895212 200121.doc
Resource
win10v20201028
Malware Config
Extracted
http://zhongsijiacheng.com/wp-content/jn5/
http://artistascitizen.com/wp-content/Bx3cr6/
http://ombchardin.com/archive/V/
https://apsolution.work/magneti-marelli-zkkmb/toq7Eiy/
https://happycheftv.com/wp-admin/z6uGcbY/
https://careercoachconnection.com/tenderometer/4K/
https://tacademicos.com/content/JbF68i/
Extracted
emotet
Epoch1
181.10.46.92:80
2.58.16.88:8080
206.189.232.2:8080
178.250.54.208:8080
167.71.148.58:443
202.134.4.210:7080
187.162.248.237:80
78.206.229.130:80
85.214.26.7:8080
5.196.35.138:7080
1.226.84.243:8080
110.39.162.2:443
185.183.16.47:80
152.231.89.226:80
138.97.60.141:7080
94.176.234.118:443
46.101.58.37:8080
93.146.143.191:80
70.32.84.74:8080
137.74.106.111:7080
80.15.100.37:80
68.183.190.199:8080
154.127.113.242:80
70.32.115.157:8080
12.163.208.58:80
31.27.59.105:80
110.39.160.38:443
68.183.170.114:8080
87.106.46.107:8080
105.209.235.113:8080
185.94.252.27:443
209.236.123.42:8080
60.93.23.51:80
186.177.174.163:80
177.85.167.10:80
111.67.12.221:8080
191.241.233.198:80
149.202.72.142:7080
12.162.84.2:8080
217.13.106.14:8080
197.232.36.108:80
192.232.229.53:4143
143.0.85.206:7080
177.23.7.151:80
213.52.74.198:80
51.255.165.160:8080
181.30.61.163:443
93.149.120.214:80
212.71.237.140:8080
51.15.7.145:80
190.247.139.101:80
188.135.15.49:80
155.186.9.160:80
91.233.197.70:80
95.76.153.115:80
46.43.2.95:8080
152.169.22.67:80
138.197.99.250:8080
104.131.41.185:8080
211.215.18.93:8080
81.215.230.173:443
152.170.79.100:80
190.114.254.163:8080
190.251.216.100:80
201.241.127.190:80
82.208.146.142:7080
172.245.248.239:8080
190.64.88.186:443
192.175.111.212:7080
50.28.51.143:8080
81.17.93.134:80
202.79.24.136:443
190.24.243.186:80
190.162.232.138:80
62.84.75.50:80
190.210.246.253:80
190.45.24.210:80
172.104.169.32:8080
82.48.39.246:80
188.225.32.231:7080
45.16.226.117:443
178.211.45.66:8080
138.97.60.140:8080
122.201.23.45:443
170.81.48.2:80
81.214.253.80:443
80.249.176.206:80
83.169.21.32:7080
46.105.114.137:8080
83.144.109.70:80
191.223.36.170:80
200.75.39.254:80
201.185.69.28:443
Targets
-
-
Target
INV895212 200121.doc
-
Size
158KB
-
MD5
67c9e5cb7f3d94b57b015f898e47f7ae
-
SHA1
6b15c55ddc7bd8fd48847f99469e60cb8b376f63
-
SHA256
7b8c40801574e57e1e8ec63d7ef48d8072a41b95e548f7b140744017b2b3c0f3
-
SHA512
5bf584e06564664ea022cf992e6c54ee58ba91d1bf7e4dc31b9604ace0f99b9f6d441021fa6c9709b14762743806daae668d7eb4297be74890a7f8d3795d0f57
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-