Overview

overview

10

Static

static

8

SPE930231839KJ.doc

windows7-x64

10

SPE930231839KJ.doc

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SPE930231839KJ.doc

  • Size

    284KB

  • Sample

    230322-try5hsaa26

  • MD5

    1ed1a8d46dc3e3d89fdbf5eb00f42edb

  • SHA1

    1b6e2c9ba31d58d4e330874314e59a7fce33dad5

  • SHA256

    d7e01bffc54e99f8ead1a8499dae9d51fa259a4f18062f2d5312cd3ee09394ad

  • SHA512

    817af8445436c2325e8d2c5047b66149d776dca834f4b1fb584e938f287791cd0545c59430dbd927c3a88c23ec0c06f10f2272085a1c1913ac1a4a05af0287d2

  • SSDEEP

    3072:2IdQGckpM56QDp+SBTA8ku4afD4Ka1Rvl/4Wbqzwc7vanLubTvjVwKVi3yJuq6r:x9HkpzTTfD4KuNbqzryKvmKV8yJor

Score
10/10
emotetepoch4bankermacromacro_on_actionpersistencetrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080
eck1.plain
ecs1.plain

Targets

    • Target

      SPE930231839KJ.doc

    • Size

      284KB

    • MD5

      1ed1a8d46dc3e3d89fdbf5eb00f42edb

    • SHA1

      1b6e2c9ba31d58d4e330874314e59a7fce33dad5

    • SHA256

      d7e01bffc54e99f8ead1a8499dae9d51fa259a4f18062f2d5312cd3ee09394ad

    • SHA512

      817af8445436c2325e8d2c5047b66149d776dca834f4b1fb584e938f287791cd0545c59430dbd927c3a88c23ec0c06f10f2272085a1c1913ac1a4a05af0287d2

    • SSDEEP

      3072:2IdQGckpM56QDp+SBTA8ku4afD4Ka1Rvl/4Wbqzwc7vanLubTvjVwKVi3yJuq6r:x9HkpzTTfD4KuNbqzryKvmKV8yJor

    Score
    10/10
    emotetepoch4bankerpersistencetrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks