General
- Target: RFQ-9837463.doc
- Size: 2.0MB
- Sample: 210121-jytlkx4jpa
- MD5: 25af535599ad3e48d6b4713f8e599871
- SHA1: a293b85372f9b0ffdacb46af40518f1341ddc248
- SHA256: a8f4da2076bc00264891bc7872e70f245f47807c268fb921fc135b711c817b34
- SHA512: 99b5b3f7606405b629519d35a6d442fee454a3bb2b5a571ae2595eeb0ace33b514d7114a70feae1c740573b1e11cb9528113d8eb51efe06a423858c3a553617b
Static task: static1
Behavioral task: behavioral1 (sample RFQ-9837463.doc.rtf, resource win7v20201028)
Behavioral task: behavioral2 (sample RFQ-9837463.doc.rtf, resource win10v20201028)
Malware Config
Extracted: formbook
Targets
- Target: RFQ-9837463.doc
Signatures
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Formbook Payload
- Blocklisted process makes network request
- Drops file in System32 directory
- Enumerates physical storage devices: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext