General
Target: Inquiry No TBD-6-5659.doc
Size: 2.1MB
Sample: 210121-17c64yg12n
MD5: 1487709f7e0bd31d246132df9e334e9c
SHA1: 6f4250f4ffa15136852127b7d9dbfeabdd85d020
SHA256: 49615f1281e974a6f58c4dea63673b24ae8b331a3801788244710a3a19194a7a
SHA512: aca6e69fe09e1c8446ffee3047fa3cefc3028ff203edf4d3b964f46b538cf83af5373e0a9e971b010ac568ebddb96e27769f927a0304e5e3d27e930a091fe462
Static task: static1
Behavioral task: behavioral1
  Sample: Inquiry No TBD-6-5659.doc.rtf
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Inquiry No TBD-6-5659.doc.rtf
  Resource: win10v20201028
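The behavioral tasks run the file under the name Inquiry No TBD-6-5659.doc.rtf, i.e. the sandbox recognised the .doc as RTF. As an added example (not part of the sandbox report), the following Python reproduces that first triage step locally: it verifies a file against the digests listed above and classifies the container by magic bytes, flagging a .doc that is really RTF. The local file path and the RTF bytes built in the __main__ block are assumptions; the expected hash values are the ones listed above.

```python
import hashlib
import os

# Digests copied from the report's General section. The file itself is not on
# the page, so the path used to load it is an assumption.
REPORT_HASHES = {
    "md5": "1487709f7e0bd31d246132df9e334e9c",
    "sha1": "6f4250f4ffa15136852127b7d9dbfeabdd85d020",
    "sha256": "49615f1281e974a6f58c4dea63673b24ae8b331a3801788244710a3a19194a7a",
    "sha512": (
        "aca6e69fe09e1c8446ffee3047fa3cefc3028ff203edf4d3b964f46b538cf83a"
        "f5373e0a9e971b010ac568ebddb96e27769f927a0304e5e3d27e930a091fe462"
    ),
}

# Magic bytes of the three containers Word will open under a .doc name.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File: legacy .doc
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) is a zip
RTF_MAGIC = b"{\\rt"                               # Word's lenient RTF reader only needs "{\rt"

# Extensions that honestly describe each container; anything else is a mismatch.
EXPECTED_EXT = {
    "ole2": {".doc", ".dot", ".xls", ".ppt"},
    "ooxml_zip": {".docx", ".docm", ".dotx", ".dotm", ".xlsx", ".pptx"},
    "rtf": {".rtf"},
}


def compute_hashes(data: bytes) -> dict:
    """Return the four digests the report lists, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def verify_hashes(data: bytes, expected: dict) -> bool:
    """True only if every digest given in `expected` matches the data."""
    actual = compute_hashes(data)
    return all(actual[name] == digest.lower() for name, digest in expected.items())


def detect_doc_format(data: bytes) -> str:
    """Classify by leading bytes: 'ole2', 'ooxml_zip', 'rtf' or 'unknown'."""
    head = data[:16]
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "ooxml_zip"
    if head.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def triage_file(data: bytes, claimed_name: str, expected: dict = None) -> dict:
    """Compare the real container with the claimed extension and, if digests are
    supplied, check the file is the one the report describes."""
    fmt = detect_doc_format(data)
    ext = os.path.splitext(claimed_name)[1].lower()
    return {
        "format": fmt,
        "extension": ext,
        "extension_mismatch": fmt != "unknown" and ext not in EXPECTED_EXT[fmt],
        "hashes_match": verify_hashes(data, expected) if expected else None,
    }


if __name__ == "__main__":
    # Constructed stand-in for the sample: an RTF header under the report's .doc name.
    fake_sample = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\f0 constructed test document}"
    print(triage_file(fake_sample, "Inquiry No TBD-6-5659.doc"))
    # For a real copy (path assumed):
    # path = "Inquiry No TBD-6-5659.doc"
    # print(triage_file(open(path, "rb").read(), os.path.basename(path), REPORT_HASHES))
```

An extension mismatch on its own is not malicious (Word opens RTF under .doc without complaint), but it tells you which parser the lure targets, which decides where to look next: RTF control words and embedded objects rather than VBA project streams.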
Malware Config
Extracted: formbook
http://www.raleighblacknursesrock.com/sly/
nature-nectar.com
lavenderbunch.com
itsguapo.com
silabrenda.digital
madelynmason.com
uslawyer911.com
sumarjewelry.com
therefundexperts.com
smartunity.community
jamesdalby.com
7697vip3.com
bytethug.com
f22.info
positivechargerecycling.com
srimps.net
conversica.partners
chezmireillestore.com
ukiyoservices.com
catsdungeon.com
svactionwmdp7955.com
petnosis.com
dorealgood.vote
meganpeasley.com
southafricanbands.com
donatecbb.com
coinlocaly.com
sharbay.net
nehyam.com
niviholdings.com
baielinda.com
secserve.email
primefoodny.com
coppermachines.com
shionoriginal.com
customtiletables.com
carlsondellosa.com
studiofalaise.com
mdtilenh.com
cpointsolutions.com
iteacherpreneur.com
southerngp.com
hf-te27g5.net
laligaproplayer.com
spreadwordsnotcovid.com
propertysolutionspecialist.com
instore.express
livelinecoffee.com
transfigurethis.com
sabeelfund.com
suntour-nb.com
eatonvancewateroakadvisers.info
kakavjesajt.com
zillion-ch.com
indiancoderclub.com
gymlessbakery.com
bclub.info
atqkhmlqi.icu
gatele3s.com
smb-cybersecurity-services.com
pssjzz.com
miniteco.com
yowoit.com
analytics-ocean.com
shivamshield.com
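The list above is the extracted Formbook configuration as the sandbox displays it: one full URL followed by bare domains. In Formbook configs the URL is the real C2 and the bare domains are decoys; the bot beacons to the real C2 and to a random subset of decoys using the same URI path, so that the real server is hard to pick out from network traffic. Many decoy domains are ordinary legitimate sites, so blocklisting them wholesale causes false positives. As an added example (not part of the report), the following Python parses the config, then scans proxy log lines and grades each hit: a request to the C2 host, a request to a decoy host with the C2 path (made by the implant), or merely a decoy host (possibly normal browsing). Only part of the page's domain list is reproduced, the log format and log lines are constructed, and the first-entry-is-C2 convention is the assumption stated above.

```python
from urllib.parse import urlsplit

# The extracted config as the report lists it (subset of the page's domains).
RAW_CONFIG = """\
http://www.raleighblacknursesrock.com/sly/
nature-nectar.com
lavenderbunch.com
itsguapo.com
bytethug.com
conversica.partners
smb-cybersecurity-services.com
shivamshield.com
"""

# Constructed proxy log lines (timestamp, client, method, URL); not from the report.
SAMPLE_LOG = """\
2021-01-21T10:02:11Z 10.0.0.5 GET http://www.raleighblacknursesrock.com/sly/?id=abc
2021-01-21T10:02:12Z 10.0.0.5 GET http://www.conversica.partners/sly/?id=abc
2021-01-21T10:02:13Z 10.0.0.5 POST http://bytethug.com/sly/
2021-01-21T10:05:40Z 10.0.0.9 GET https://conversica.partners/
2021-01-21T10:06:02Z 10.0.0.9 GET https://example.com/sly/
"""


def normalize_host(host: str) -> str:
    """Lowercase, drop a trailing dot and a leading 'www.' so config and log hosts compare."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_formbook_config(text: str) -> dict:
    """Split the config into the C2 host/path and the set of decoy domains."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    urls = [line for line in lines if "://" in line]
    if len(urls) != 1:
        raise ValueError("expected exactly one C2 URL in the config")
    c2 = urlsplit(urls[0])
    return {
        "c2_host": normalize_host(c2.hostname),
        "c2_path": c2.path,
        "decoys": {normalize_host(line) for line in lines if "://" not in line},
    }


def classify_request(host: str, path: str, cfg: dict) -> str:
    """Grade one request: 'c2', 'decoy_with_c2_path', 'decoy_host_only' or 'none'."""
    host = normalize_host(host)
    if host == cfg["c2_host"]:
        return "c2"
    if host in cfg["decoys"]:
        # Formbook contacts decoys with the same URI path as the real C2, so decoy
        # host plus C2 path means the implant itself made the request; the host
        # alone may be legitimate browsing to a site that only appears as a decoy.
        return "decoy_with_c2_path" if path == cfg["c2_path"] else "decoy_host_only"
    return "none"


def scan_log(log_text: str, cfg: dict) -> list:
    """Return one finding per log line that touches an indicator from the config."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split()
        parts = urlsplit(url)
        verdict = classify_request(parts.hostname or "", parts.path, cfg)
        if verdict != "none":
            findings.append({"ts": ts, "client": client, "method": method,
                             "host": parts.hostname, "verdict": verdict})
    return findings


if __name__ == "__main__":
    cfg = parse_formbook_config(RAW_CONFIG)
    for finding in scan_log(SAMPLE_LOG, cfg):
        print(finding)
```

In practice, alert on the c2 and decoy_with_c2_path verdicts (and on the /sly/ path to any host, since the path is what the implant reuses), and treat decoy_host_only as context to pivot on rather than as a detection in itself.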
Targets
Target: Inquiry No TBD-6-5659.doc (size and hashes as listed under General)
Signatures
- Process spawned unexpected child process. This typically indicates the parent process was compromised via an exploit or macro. The behavioral tasks run the file as RTF (sample name Inquiry No TBD-6-5659.doc.rtf), and RTF cannot carry VBA macros directly, so look for an exploit in the RTF parser or in an embedded OLE object rather than for macro code.
- Formbook payload.
- Blocklisted process makes network request. Correlate the destinations with the C2 URL and domain list in the Malware Config section.
- Drops file in System32 directory.
- Enumerates physical storage devices. Attempts to interact with connected storage/optical drive(s). The sandbox's generic description rates this as likely ransomware behaviour, but Formbook is an information stealer, so treat the signature as drive enumeration rather than as evidence of encryption activity.
- Suspicious use of SetThreadContext. SetThreadContext is the API used to redirect a suspended thread in process hollowing and thread hijacking, which is consistent with Formbook injecting its payload into another process.