General

Target: Mv Maersk Kleven V949E.xlsx
Size: 2.2MB
Sample: 210121-bqpfg6z9h2
MD5: 6f9c071d241b667471112d7ac12a95a1
SHA1: 43988263671b7f696dc63c4e87f9a034efb5d31a
SHA256: 4bed0018133b549db2caeff1d8902e4b8c74188b3671d099f8206168d8e7aeca
SHA512: 7bc3c032de74041d15c467dba7fda004c65bd6fa383db2824f0ba97de498be8cbad44b3e8d962583d1efa368fabd258a30ea739055ea482cbc97f3e69dd193d5
Tasks

Static task: static1
Behavioral task: behavioral1 (sample: Mv Maersk Kleven V949E.xlsx, resource: win7v20201028)
Behavioral task: behavioral2 (sample: Mv Maersk Kleven V949E.xlsx, resource: win10v20201028)
Malware Config

Extracted family: formbook

C2: http://www.learnhour.net/eaud/

Decoy domains (64). Formbook sends cover requests to these hosts using the same URI path as the real C2 (here /eaud/); many of them are unrelated, possibly legitimate, domains, so the path combined with the host set is a better network indicator than the decoy list on its own, and the decoys should not be blocklisted blindly.

modshiro.com
mademarketingoss.com
austinjourls.info
wayupteam.com
crossingfinger.com
interseptors.com
gigashit.com
livetigo.com
halamankuningindonesia.com
windhammills.com
aylinahmet.com
mbacexonan.website
shopboxbarcelona.com
youyeslive.com
coonlinesportsbooks.com
guorunme.com
putlocker2.site
pencueaidnetwork.com
likevector.com
vulcanudachi-proclub.com
bestcollegelms.online
bosman-smm.online
maglex.info
tolentinestore.com
layaliskincare.com
pensionbackup.com
mettyapp.com
sun-microsoft.com
cheapcialisffx.com
egio.digital
syndicatesportspicks.com
pinnacle.international
realestatejewel.com
dajiankang.love
acaijunglegroup.com
youraircases.com
cdxxcenter.com
ndblife.com
mersinsimsek.com
modernofficeaccessories.com
opioidfactswalgreens.com
yesmywigs.com
lebaronfuneraire.com
missfoxie.com
minbarlibya.com
themalaysialife.com
glz-cc.com
go892.com
eriesbestcaterer.com
geraldreed.com
casinocerto.com
beambitioussummit.com
rfs.company
juliandehaas.com
enooga.com
sulpher.network
toords.com
breaking-news4u.com
erkdigitalmarketing.com
blazorstore.com
weoneqa.com
coalitionsentiment.win
atoidejuger.com
cumbiamba.com
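The extracted config is the most actionable part of this report. The Python below is an added example, not part of the sandbox output: it copies the C2 URL and the 64 decoy domains from the config above, derives the indicators a hunter actually needs (C2 host, decoy host set, shared URI path), and classifies requests from a few proxy-log lines that are constructed here for the demo. The log line format (`timestamp src_ip method url status`) and the verdict names are assumptions of this example.

```python
"""Turn the Formbook config above into hunting artefacts and run them over proxy logs.

Added example, not part of the sandbox report. Config values are copied from the
report; the proxy-log lines and their format are constructed for this demo.
"""
from collections import Counter
from urllib.parse import urlsplit

# Copied from the extracted config above.
C2_URL = "http://www.learnhour.net/eaud/"
DECOY_DOMAINS = [
    "modshiro.com", "mademarketingoss.com", "austinjourls.info", "wayupteam.com", "crossingfinger.com",
    "interseptors.com", "gigashit.com", "livetigo.com", "halamankuningindonesia.com", "windhammills.com",
    "aylinahmet.com", "mbacexonan.website", "shopboxbarcelona.com", "youyeslive.com", "coonlinesportsbooks.com",
    "guorunme.com", "putlocker2.site", "pencueaidnetwork.com", "likevector.com", "vulcanudachi-proclub.com",
    "bestcollegelms.online", "bosman-smm.online", "maglex.info", "tolentinestore.com", "layaliskincare.com",
    "pensionbackup.com", "mettyapp.com", "sun-microsoft.com", "cheapcialisffx.com", "egio.digital",
    "syndicatesportspicks.com", "pinnacle.international", "realestatejewel.com", "dajiankang.love",
    "acaijunglegroup.com", "youraircases.com", "cdxxcenter.com", "ndblife.com", "mersinsimsek.com",
    "modernofficeaccessories.com", "opioidfactswalgreens.com", "yesmywigs.com", "lebaronfuneraire.com",
    "missfoxie.com", "minbarlibya.com", "themalaysialife.com", "glz-cc.com", "go892.com",
    "eriesbestcaterer.com", "geraldreed.com", "casinocerto.com", "beambitioussummit.com", "rfs.company",
    "juliandehaas.com", "enooga.com", "sulpher.network", "toords.com", "breaking-news4u.com",
    "erkdigitalmarketing.com", "blazorstore.com", "weoneqa.com", "coalitionsentiment.win",
    "atoidejuger.com", "cumbiamba.com",
]


def norm_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so log hosts match config hosts."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_iocs(c2_url=C2_URL, decoys=DECOY_DOMAINS):
    """Return (c2_host, decoy_host_set, c2_path) from the extracted config."""
    parts = urlsplit(c2_url)
    return norm_host(parts.hostname), {norm_host(d) for d in decoys}, parts.path


def classify_request(url, c2_host, decoy_hosts, c2_path):
    """Verdicts (names are this example's own): 'c2' for the real C2 host on the
    Formbook path, 'decoy' for a known decoy on that path, 'path-only' for the
    path on an unknown host (possibly a related sample with a different decoy set),
    None otherwise. A decoy host without the path is left alone: decoys are often
    ordinary sites that users legitimately visit."""
    parts = urlsplit(url)
    host, path = norm_host(parts.hostname), parts.path
    on_path = path == c2_path or path.startswith(c2_path)
    if host == c2_host and on_path:
        return "c2"
    if host in decoy_hosts and on_path:
        return "decoy"
    if on_path:
        return "path-only"
    return None


def hunt(log_lines, c2_host, decoy_hosts, c2_path):
    """Scan 'timestamp src_ip method url status' lines; return (verdict, src_ip, url) hits."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line, skip rather than crash
        _ts, src_ip, _method, url = fields[:4]
        verdict = classify_request(url, c2_host, decoy_hosts, c2_path)
        if verdict:
            hits.append((verdict, src_ip, url))
    return hits


def summarize(hits):
    """Count hits per verdict, e.g. {'c2': 1, 'decoy': 2, 'path-only': 1}."""
    return dict(Counter(v for v, _, _ in hits))


# Constructed proxy-log lines for the demo (not real traffic from the sandbox run).
SAMPLE_PROXY_LOG = [
    "2021-01-21T10:00:01Z 10.0.0.5 GET http://www.learnhour.net/eaud/?abcd=xyz123 200",
    "2021-01-21T10:00:02Z 10.0.0.5 GET http://www.modshiro.com/eaud/?abcd=xyz123 404",
    "2021-01-21T10:00:03Z 10.0.0.5 POST http://gigashit.com/eaud/ 200",
    "2021-01-21T10:00:04Z 10.0.0.7 GET http://example.org/eaud/?q=1 200",
    "2021-01-21T10:00:05Z 10.0.0.9 GET http://modshiro.com/index.html 200",
]

if __name__ == "__main__":
    c2_host, decoys, path = build_iocs()
    found = hunt(SAMPLE_PROXY_LOG, c2_host, decoys, path)
    for verdict, src_ip, url in found:
        print(f"{verdict:9s} {src_ip:10s} {url}")
    print(summarize(found))
```

The 'path-only' verdict is the one worth watching: the same campaign often rotates the C2 host and the decoy list between samples while the URI path is reused, so a match on the path alone is a lead even when the host is not in this report.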
Targets

Target: Mv Maersk Kleven V949E.xlsx
Signatures

- Xloader Payload (Xloader is the rebranded successor of Formbook, consistent with the extracted config)
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET compiler, a process Formbook loaders commonly use as an injection host)
- Enumerates physical storage devices: attempts to interact with connected storage/optical drive(s). The sandbox's generic "likely ransomware behaviour" note does not apply to this sample; the extracted config identifies the payload as Formbook/Xloader, an information stealer.
- Suspicious use of SetThreadContext (together with the spawned vbc.exe this is the usual process-hollowing pattern: a suspended child is written to and its thread context redirected to the injected payload)