2017-09-18: #locky email phishing campaign "Message from KM_C224e"

Email sample:
-------------------------------------------------------------------------------------------------------------
From:
To: [REDACTED]
Subject: Message from KM_C224e
X-Mailer: KONICA MINOLTA bizhub C224e
Date: Mon, 18 Sep 2017 14:35:03 -0500
Attachment: 20171809_12476062947.7z -> 20170918_84047158233.vbs
-------------------------------------------------------------------------------------------------------------

- sender is "copier@"
- subject is "Message from KM_C224e"
- email body is empty
- attached file "20171809_<11 digits>.7z" contains file "20171809_<11 digits>.vbs", a VBScript downloader

Download sites: (17 URLs omitted)

Malware:
- locky, .ykcol variant
- SHA256: 24b29b6c856f24b4385b8aefedada88cb3aebf88b29b90348a928d8bae5c7cc2, MD5: bab1c043a2fba947f682b6a012a9f362
- VT: https://www.virustotal.com/en/file/24b29b6c856f24b4385b8aefedada88cb3aebf88b29b90348a928d8bae5c7cc2/analysis/1505762333/
- HA: https://www.reverse.it/sample/24b29b6c856f24b4385b8aefedada88cb3aebf88b29b90348a928d8bae5c7cc2?environmentId=100
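As an added example (not part of the original notes), the traits listed above turned into a mail-gateway check: it parses a raw message and reports which campaign indicators are present. The header values come from the notes; the filename regex, the example addresses and the embedded sample message are my own constructions.

```python
import email.utils
import re
from email import message_from_string
from email.message import Message

# Campaign fingerprint from the notes; the filename pattern is an assumption
# generalising "20171809_<11 digits>.7z / .vbs".
SUBJECT = "Message from KM_C224e"
X_MAILER = "KONICA MINOLTA bizhub C224e"
SENDER_LOCALPART = "copier"
ATTACHMENT_RE = re.compile(r"^\d{8}_\d{11}\.(7z|vbs)$", re.IGNORECASE)


def campaign_indicators(msg: Message) -> list[str]:
    """Return the campaign traits found in a parsed message, in a fixed order."""
    hits = []
    if msg.get("Subject", "").strip() == SUBJECT:
        hits.append("subject")
    if msg.get("X-Mailer", "").strip() == X_MAILER:
        hits.append("x-mailer")
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    if sender.split("@")[0].lower() == SENDER_LOCALPART:
        hits.append("sender")
    for part in msg.walk():  # attachment name matches the campaign's date_digits scheme
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name):
            hits.append(f"attachment:{name}")
    return hits


def scan_raw(raw: str, threshold: int = 2) -> tuple[bool, list[str]]:
    """Parse a raw RFC 822 message; flag it when at least `threshold` traits match."""
    hits = campaign_indicators(message_from_string(raw))
    return len(hits) >= threshold, hits


# Constructed sample mirroring the headers in the notes (not a real capture).
SAMPLE = """\
From: copier@example.invalid
To: victim@example.invalid
Subject: Message from KM_C224e
X-Mailer: KONICA MINOLTA bizhub C224e
Date: Mon, 18 Sep 2017 14:35:03 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/x-7z-compressed; name="20171809_12476062947.7z"
Content-Disposition: attachment; filename="20171809_12476062947.7z"

UEsDBA==
--b1--
"""
```

Running `scan_raw(SAMPLE)` flags the sample on all four traits; a benign message with none of them is not flagged.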