General
Target: EASTEND.doc
Size: 299KB
Sample: 210121-7emyrcanls
MD5: 4ba5af0ca862e168e6be9b311c19d023
SHA1: 489c5f20f70391e817a1b2406f164b789094c376
SHA256: 91a88238f5b4dc93a3626e9fc6cf1c5e10b5690153bac179606128380fb45142
SHA512: 36ee5ddeadf4cb447b52810174173b8919b7ecd93659cf091ba1f5aab79618b4a416807b3feb6e42eb7a0a2e19e5d63dcbfb412cd54245e04afe535c3f4213e9
Static task: static1
Behavioral task: behavioral1 (Sample: EASTEND.doc, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: EASTEND.doc, Resource: win10v20201028)
Malware Config
Extracted: remcos
gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu:2177
Targets
Target: EASTEND.doc
Score: 10/10
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext