Overview
overview
10Static
static
80159.doc
windows7_x64
100159.doc
windows10_x64
1005504-122020.doc
windows7_x64
1005504-122020.doc
windows10_x64
102180_182_7373.doc
windows7_x64
102180_182_7373.doc
windows10_x64
1054909729_2...20.doc
windows7_x64
1054909729_2...20.doc
windows10_x64
1084813.doc
windows7_x64
1084813.doc
windows10_x64
10ARCHIVOFile.doc
windows7_x64
10ARCHIVOFile.doc
windows10_x64
10Archivo-12...53.doc
windows7_x64
10Archivo-12...53.doc
windows10_x64
10DAT_2020.doc
windows7_x64
10DAT_2020.doc
windows10_x64
10DAT_2112.doc
windows7_x64
10DAT_2112.doc
windows10_x64
1Documento-8-92514.doc
windows7_x64
10Documento-8-92514.doc
windows10_x64
10Info_29.doc
windows7_x64
10Info_29.doc
windows10_x64
10MENSAJE.doc
windows7_x64
10MENSAJE.doc
windows10_x64
10T184213_2020.doc
windows7_x64
10T184213_2020.doc
windows10_x64
10General
-
Target
a.zip
-
Size
1MB
-
Sample
210309-2jbxrs1y66
-
MD5
bcd53bb233998319549d350db7db49d1
-
SHA1
79cc83704c18a692ea7a5ed222dae223f3b86b3b
-
SHA256
65cd6ffed28f530f09c94b6455e7ae3ad605875aa79b1e368b82bed7818c34dd
-
SHA512
28cb2f2de2a25ec509508e2bb4ad414cf52bb804a1897a02e7cfe2a32cdad935eadc9add6e18e2836df8288b1a768424cbd4dd52a4d86f28b8da1a8223efe9a8
Static task
static1
Behavioral task
behavioral1
Sample
0159.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
0159.doc
Resource
win10v20201028
Behavioral task
behavioral3
Sample
05504-122020.doc
Resource
win7v20201028
Behavioral task
behavioral4
Sample
05504-122020.doc
Resource
win10v20201028
Behavioral task
behavioral5
Sample
2180_182_7373.doc
Resource
win7v20201028
Behavioral task
behavioral6
Sample
2180_182_7373.doc
Resource
win10v20201028
Behavioral task
behavioral7
Sample
54909729_21_122020.doc
Resource
win7v20201028
Behavioral task
behavioral8
Sample
54909729_21_122020.doc
Resource
win10v20201028
Behavioral task
behavioral12
Sample
ARCHIVOFile.doc
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Archivo-122020-481-4753.doc
Resource
win7v20201028
Behavioral task
behavioral14
Sample
Archivo-122020-481-4753.doc
Resource
win10v20201028
Behavioral task
behavioral18
Sample
DAT_2112.doc
Resource
win10v20201028
Behavioral task
behavioral19
Sample
Documento-8-92514.doc
Resource
win7v20201028
Behavioral task
behavioral20
Sample
Documento-8-92514.doc
Resource
win10v20201028
Behavioral task
behavioral21
Sample
Info_29.doc
Resource
win7v20201028
Behavioral task
behavioral22
Sample
Info_29.doc
Resource
win10v20201028
Behavioral task
behavioral25
Sample
T184213_2020.doc
Resource
win7v20201028
Behavioral task
behavioral26
Sample
T184213_2020.doc
Resource
win10v20201028
Malware Config
Extracted
http://anjumanclick.com/q/kvM/
https://duocnhanhoa.com/wp-admin/J5JbVEY/
https://yellomosquito.com/wp-includes/w/
https://thaithienson.net/wp-admin/EksZXO/
http://penambahberatbadan.info/r/pXPKwJ/
https://thienloc.org/data-sgp-kgfig/AaK/
https://ecomdemo2.ogsdev.net/wp-content/zWWB/
Extracted
http://zhongshixingchuang.com/wp-admin/OTm/
http://www.greaudstudio.com/docs/FGn/
http://koreankidsedu.com/wp-content/2cQTh/
http://expeditionquest.com/X/
https://suriagrofresh.com/serevers/MVDjI/
http://geoffoglemusic.com/wp-admin/x/
https://dagranitegiare.com/wp-admin/jCH/
Extracted
emotet
Epoch1
184.66.18.83:80
202.187.222.40:80
167.71.148.58:443
211.215.18.93:8080
1.234.65.61:80
80.15.100.37:80
155.186.9.160:80
172.104.169.32:8080
110.39.162.2:443
12.162.84.2:8080
181.136.190.86:80
68.183.190.199:8080
191.223.36.170:80
190.45.24.210:80
81.213.175.132:80
181.120.29.49:80
82.76.111.249:443
177.23.7.151:80
95.76.153.115:80
93.148.247.169:80
51.255.165.160:8080
213.52.74.198:80
178.250.54.208:8080
202.134.4.210:7080
138.97.60.141:7080
94.176.234.118:443
190.24.243.186:80
46.43.2.95:8080
197.232.36.108:80
77.78.196.173:443
59.148.253.194:8080
212.71.237.140:8080
46.101.58.37:8080
110.39.160.38:443
83.169.21.32:7080
189.2.177.210:443
81.214.253.80:443
51.15.7.145:80
172.245.248.239:8080
177.85.167.10:80
178.211.45.66:8080
5.196.35.138:7080
71.58.233.254:80
168.121.4.238:80
149.202.72.142:7080
185.183.16.47:80
191.241.233.198:80
209.236.123.42:8080
190.114.254.163:8080
70.32.84.74:8080
138.97.60.140:8080
68.183.170.114:8080
192.232.229.53:4143
62.84.75.50:80
113.163.216.135:80
46.105.114.137:8080
177.144.130.105:8080
192.232.229.54:7080
192.175.111.212:7080
35.143.99.174:80
81.215.230.173:443
1.226.84.243:8080
187.162.248.237:80
152.169.22.67:80
137.74.106.111:7080
191.182.6.118:80
181.61.182.143:80
202.79.24.136:443
50.28.51.143:8080
85.214.26.7:8080
170.81.48.2:80
111.67.12.222:8080
177.144.130.105:443
188.225.32.231:7080
185.94.252.27:443
12.163.208.58:80
191.53.80.88:80
87.106.46.107:8080
122.201.23.45:443
181.30.61.163:443
104.131.41.185:8080
190.195.129.227:8090
45.184.103.73:80
186.146.13.184:443
45.16.226.117:443
187.162.250.23:443
2.80.112.146:80
60.93.23.51:80
24.232.228.233:80
190.251.216.100:80
105.209.235.113:8080
217.13.106.14:8080
190.64.88.186:443
118.38.110.192:80
111.67.12.221:8080
201.75.62.86:80
70.32.115.157:8080
188.135.15.49:80
Extracted
emotet
LEA
80.158.3.161:443
80.158.51.209:8080
80.158.35.51:80
80.158.63.78:443
80.158.53.167:80
80.158.62.194:443
80.158.59.174:8080
80.158.43.136:80
Extracted
http://biglaughs.org/smallpotatoes/rRwRzc/
http://josegene.com/theme/gU8/
http://paulscomputing.com/CraigsMagicSquare/H/
https://goldilockstraining.com/wp-includes/bftt/
https://jeffdahlke.com/css/bg4n3/
http://azraktours.com/wp-content/NWF9jC/
http://goldcoastoffice365.com/temp/X/
Extracted
http://fmcav.com/images/7FV4Nd/
http://theprajinshee.com/otherfiles/wAFP/
http://www.removepctrojan.com/wp-admin/ak0chH/
http://www.geosrt.com/aqqhwdap/l0/
http://geoffoglemusic.com/wp-admin/7C11oAC/
http://www.achutamanasa.com/garmin-pro-fei8o/mW/
http://johnloveskim.com/a/Tff/
Targets
-
-
Target
0159.doc
-
Size
209KB
-
MD5
8e28f73afbc9589c8f3046f45dba8e79
-
SHA1
da94793e6dfb9c7d90227a36009092c881f9a525
-
SHA256
6f4c3417fddd5dd0eea7bb254bbbb7da54dbf9bac497043143c51a0008b2e1cf
-
SHA512
c824c937d8afd0527b1c51ac14036363ddd7e28f096a051d47ecbc0e3e3f068435e1f7ca1ff426e0e04d8e65583816a0e2523694e7171530ebe9b5f7985142be
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Drops file in System32 directory
-
-
-
Target
05504-122020.doc
-
Size
208KB
-
MD5
129154ace2845c087bbd66916306f1fb
-
SHA1
65b731e5b97c63e59c03d2571de02414d4912eeb
-
SHA256
effe6ed0eaae43f9ab347679a9abfe647cc606e64c1f742259f8ddc73f58923a
-
SHA512
6616267e59fb1fb124b032b800b54d664ed44d8cdcd1ab3851d3fb90746e6264aee748956badbc0327a3b4f05b03c52c7331c9a1a1b7681443037f3273cdfd4a
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Drops file in System32 directory
-
-
-
Target
2180_182_7373.doc
-
Size
202KB
-
MD5
6a7c63f7c62819d81c626e8b57c790ef
-
SHA1
64046c4dc460727d2ab4c465acb96f98087e6bf3
-
SHA256
15d50222b0ec97f27bb8af2e29f440d26210af10f413d690f447adbc84b25ad4
-
SHA512
1a9d0f3c8ef630287adc71b7c7b734bf5ad567b9b6800856ea13a39873a983d69dbe50e9478ff50a7285097d34c28dcf4c3184bdbc94b11bbcdcd124db9e2f58
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
54909729_21_122020.doc
-
Size
201KB
-
MD5
860d2dae30c61fc8b374685a2726d089
-
SHA1
5d34c3b40f1980215827abba54d57929776dab2d
-
SHA256
af46527c3afb67db04896d6a01ed9457d9c379af2c130e26ff3b2ff9a5cd2639
-
SHA512
590b5ca22762a073c8ab7701b5f2a0949625dbbcb6461ab5eac5022c66197a68523a6717e139e27bc1d93461ca95ee66cd83f45851b5e2cea6087793f6595996
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
84813.doc
-
Size
200KB
-
MD5
f2065422dbe07efcee89e7b2355ef8c4
-
SHA1
fa37a71fe24953b3c8678733c89fe70dd5be76c0
-
SHA256
8eb07a5d212d9c3c87c9c739da4694647d5ac601401e0a4add2dc78a61081913
-
SHA512
4ad7b3337c344806eaee72d89bff157a9ddc2a66bfe265e011e761db0f58787195ae8d70ca914e3f3be0536a3b31a8b984a63f02ccea5450dd714723657d7463
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
ARCHIVOFile.doc
-
Size
200KB
-
MD5
4e85b78af63a61e7ddea0760b6e4e3c5
-
SHA1
67ef9d35b257279d1e0fe5488b20bea1c2a1ed8c
-
SHA256
25332ae11bc3d7cbfc43fd78f3eeb96f5bd21df4f93dd2bea6eade75cc73db44
-
SHA512
623848025adecb4f580b4f0636216d5966641441c20f97fcd92eeef0e96de9a0f1d93ae09085fbca5ae48fa7c7f25579bb21438f8415dccaf08fda03fe87c033
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
Archivo-122020-481-4753.doc
-
Size
201KB
-
MD5
2a61e1db564efb537635b45b2cbf235d
-
SHA1
d7f45bcc50c83e6f2920285e4934c931d95ac285
-
SHA256
ad7ca5a820eee8fa220415696137a31c5a2f50788598d1115bd6bef3bc8a9003
-
SHA512
dbd92067d1cd829fdea47328bc328a28b9009a203a03adf3274427065d7e9f184814cecb3b132c03c7f4abe727160e50709e19d1d249b020b90576399b2c61fb
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
DAT_2020.doc
-
Size
200KB
-
MD5
e5fa8feb10d2d772e7be4a5b731bbb3b
-
SHA1
c50d9553344006d7a43d70536946b0e06c5cc1ed
-
SHA256
6ab02806cb13d2944c7df12c9dfc17e72bd46c7285428ef8338e5889776c7fe5
-
SHA512
d7d6be3ca4e645836d41a51419645bdc386445011ab3f871df9d439f9083eb8f4308246e4e7fdc775d48f849baa3dd5fc6cc6519034de37617015b9ebf79d039
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
DAT_2112.doc
-
Size
201KB
-
MD5
0b0b1ef804382ed6f25b3aa11b657b72
-
SHA1
cfd0c0603103c585185433aaf1d53879e97d5d31
-
SHA256
687a53748f70c72633a9f00a47b027ca46def57962e21f2150a82e7567bd1c25
-
SHA512
7043392bd4604a1321c6253041ebd095eaef2282bc4a35fd9679349a46be0e8a03a7d357a1a4a3000ff9135b2aeeac3438b2a460e51711213b76639a6eafaf5e
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
Documento-8-92514.doc
-
Size
208KB
-
MD5
5e106f61c1d088f599c47cf756592171
-
SHA1
829d57a809bc9a5ed24afc2beca25703dd48859e
-
SHA256
e725bc02dd4202860e222fe77a07432c587de089daa010f4543451a945236d9d
-
SHA512
03dafd4aee8a06b0d1da43eefb8f67bcd3b06eff79b8f3b7cad907e6c569928a112c95a812d1a6f90a725bb5a106aa065726ee4f429760174b79d3307584b263
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Drops file in System32 directory
-
-
-
Target
Info_29.doc
-
Size
159KB
-
MD5
8ae1dced4aa0b93fb54784bbd0c0fc07
-
SHA1
02b3440f2f55ed04e48dd49ce824d8fbba2df694
-
SHA256
873805d1821aea66b16872720c8cda5fffaefc6ba69f9b05c074262d66b2edea
-
SHA512
b85ec2ee2cd39dde94ea170f753fc45e6f204e43d7af1ccb31b8b3421939b55f48ac1fa0f895392b0224e1ef8726ed71d351197261bfb20a4481fa1efd084cf6
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Drops file in System32 directory
-
-
-
Target
MENSAJE.doc
-
Size
202KB
-
MD5
9d4d116932dca89da824904da20599ec
-
SHA1
c3640d3f33701aad9d74217d59dd455469de2aee
-
SHA256
d6ac4f01d275ae5367b2b7fb961c3d36bd8e3ca0a05d81a16fcf3fe35979b321
-
SHA512
cdb8ce668827e3e6925e9777b8d26f7a95c8eacd69da753d078f5d79458d3e32b8c7765bae6af67b059f3b92fb2e4e90cf005592860713de6ce1753df37eab34
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
T184213_2020.doc
-
Size
208KB
-
MD5
5e106f61c1d088f599c47cf756592171
-
SHA1
829d57a809bc9a5ed24afc2beca25703dd48859e
-
SHA256
e725bc02dd4202860e222fe77a07432c587de089daa010f4543451a945236d9d
-
SHA512
03dafd4aee8a06b0d1da43eefb8f67bcd3b06eff79b8f3b7cad907e6c569928a112c95a812d1a6f90a725bb5a106aa065726ee4f429760174b79d3307584b263
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Drops file in System32 directory
-