General
Target: _RFQ_MVSEASAIL_34.xlsx
Size: 2.2MB
Sample: 210121-j8c7v8gnk2
MD5: 1e885c00156d5de8ae0b075c09638ebb
SHA1: 62d93138955f35ef8ddadbf4f530fd6dc0d1beb1
SHA256: 611ccb1d6251e3c51bf807fe03850e09229f3420477bf9a5d18e185f3dd7b4a4
SHA512: 7af24dd6ac7e6b33c498cde3d2783d882c78ec84ebd0e5f6369e3ea74e9e3c339398232f9db7a4d2c9348ab4e31910b387f4f709cdc5c936962c4449d8a864b9
Static task: static1
Behavioral task: behavioral1
  Sample: _RFQ_MVSEASAIL_34.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: _RFQ_MVSEASAIL_34.xlsx
  Resource: win10v20201028
Malware Config
Extracted: formbook
http://www.kaiyuansu.pro/incn/
1bovvfk93jd.com
enlightenedhealthcoaching.com
findthatsmartphone.com
intelligentsystemsus.com
xn--lmsealamientos-tnb.com
eot0luh5ia.men
babanewshop.com
beyond-bit.com
meritane.com
buythinsecret.com
c2ornot.com
twelvesband.com
rktlends.com
bourseandish.com
happyshop88.com
topangacanyonvintage.com
epersonalloansonline.com
roofers-anaheim.com
shanghaiys.net
bickel.wtf
macetitasdecorativas.com
maisonscoeurdepivoine.com
milano1980.com
thetealworld.com
khocam.com
electrofranco.com
biduoccotruyen.xyz
marcagrafika.com
goodgrabber.com
sentire.design
180wea.com
pnwfireextinguishers.com
paulborneo.com
potlucks.net
sdyqxx.com
pjy589.com
lovetovisit.info
vaultedslabs.com
mirrorimpact.net
americanmarketedge.com
therandstadride.com
yamadaya-online.com
stardust-cafe.com
sk375.com
abipisan.com
thesalesforceradi.computer
ronaldmorrisdc.com
thetreasurebook.com
personalruncoach.com
quba6.com
uoawrlhwg.icu
cathygass.com
tribesy.net
nishagile.com
aworldthroughhereyes.com
adeptroofmaintenance.com
jacketgraffiti.com
deeprigelphoto.com
qth.xyz
pontacols.com
sunflour-bakehouse.com
forevermesmerizedcomplexion.com
maglex.info
somright.com
Targets
Target: _RFQ_MVSEASAIL_34.xlsx (2.2MB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- Xloader Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext