General

  • Target

    http://tentandoserfitness.000webhostapp.com/wp-admin/invoice/ehn410274214523502210vlbxohwp4//

  • Sample

    210610-ac4l8aw1an

Malware Config

Extracted

  Language: ps1

  Source       URL
  exe.dropper  https://an9news.com/aokhf/XPXV7/
  exe.dropper  https://www.17geci.com/vi2w6/Z5i/
  exe.dropper  https://rubycityvietnam.com/wp-admin/1c0NVtp/
  exe.dropper  https://lami-jo.com/wp-admin/VMeklEt/
  exe.dropper  http://vayvontinchap5s.com/vayvon5s.com/YH3mx/
  exe.dropper  http://jiamini.us-east-1.elasticbeanstalk.com/static/P1Vcv/
  exe.dropper  http://wach8.com/cgi-bin/5JyZcRU/

Targets

    • Target

      http://tentandoserfitness.000webhostapp.com/wp-admin/invoice/ehn410274214523502210vlbxohwp4//

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Suspicious Office macro

      Office document equipped with macros.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  Defense Evasion
    Modify Registry                 T1112   2

  Discovery
    System Information Discovery    T1082   3
    Query Registry                  T1012   2

Tasks