General
-
Target
payment list.xlsx
-
Size
2.4MB
-
Sample
210121-d244stnhda
-
MD5
cc672e0048d4bbc7ca1275934451fba4
-
SHA1
fdb12ba03199fdb8f4b740d1ba48abaf0ae9bb98
-
SHA256
735331b1e295c312c64f108dbff0a9bc3989551cc5ad92882598f0b5e35d7e07
-
SHA512
3c210f85b74768d3a21e8909c399d3f3b1b816c166ce69523b2881327ae00eaa33f6c9db46d10f4b5bbb73cb8af25042f43271505cbc9dd24422cf005d22dfba
Static task
static1
Behavioral task
behavioral1
Sample
payment list.xlsx
Resource
win7v20201028
Behavioral task
behavioral2
Sample
payment list.xlsx
Resource
win10v20201028
Malware Config
Extracted
formbook
http://www.classifoods.com/oean/
keboate.club
whitehatiq.com
loimtech.com
icaroagencia.com
snigglez.com
noreservationsxpress.com
villacascabel.com
5037adairway.com
growingequity.fund
stafffully.com
bingent.info
tmssaleguarantee.com
neonatalfeedrates.com
george-beauty.com
oraghallaighjourney.net
zunutrition.com
sylkysmooveentertainment.com
ddmns6tzey2d.com
dvcstay.com
304shaughnessygreen.info
ourbestbutes.com
taob345.com
fadhilaaqiqah.com
freshmarketfood.com
digitalcreativeclass.com
bitcoin-devnotes.com
rentapalla.com
ethiopianjulary.com
skillsknit.com
circleoflifeco-op.com
esteemquantum.life
indiashiksha.com
yqhbcapzy.icu
goldcrownusa.com
cinefil-i.com
pickmeagift.com
biomig.net
actusdumoment.com
theglobalfeedback.com
skindetailing.com
simplifiedvirtualsolutions.com
ggss081746bcd.xyz
spreadaccounts.com
kapiscart.com
fuyigranuletion.com
doxinlabs.com
piemontelaw.net
kstamerica.com
tueddur.com
opmania36.com
cartooninhindi4all.com
chefericcatering.com
tenshounoyu.com
over64.com
kerifletcherrock.com
ruidongcctv.com
ceejing.com
dailyxe.online
ubiquitus1.com
binggraesantorini.com
eggsmission.com
revolutionarydisciples.com
eatrestmoverepeat.co.uk
kyleknievil.com
Targets
-
-
Target
payment list.xlsx
-
Size
2.4MB
-
MD5
cc672e0048d4bbc7ca1275934451fba4
-
SHA1
fdb12ba03199fdb8f4b740d1ba48abaf0ae9bb98
-
SHA256
735331b1e295c312c64f108dbff0a9bc3989551cc5ad92882598f0b5e35d7e07
-
SHA512
3c210f85b74768d3a21e8909c399d3f3b1b816c166ce69523b2881327ae00eaa33f6c9db46d10f4b5bbb73cb8af25042f43271505cbc9dd24422cf005d22dfba
-
Xloader Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetThreadContext
-