General
Target: NEW ORDER.xlsx
Size: 2.3MB
Sample: 210122-x74hbmnwxj
MD5: 5ce08c29f2632b716acc24b405c379a1
SHA1: 599f3ed25603c0315ac8f85449c708095069d1ff
SHA256: 2e8ccd25523029d5fb95e26d019b7730c0e22d15572c7ddc272828f2e99d9633
SHA512: 07cb7e63e526f0a7c82cc0bfaeb27020478304964488fb1215c90fb968b7abcbf7d74e9c80a9109f29c75f298827d13824da6d9b387b455ba0fff330d3013a91
Static task: static1
Behavioral task: behavioral1 (Sample: NEW ORDER.xlsx, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: NEW ORDER.xlsx, Resource: win10v20201028)
Malware Config
Extracted family: lokibot
C2 URLs:
http://becharnise.ir/fa9/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: NEW ORDER.xlsx
Score: 10/10
Signatures:
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Enumerates physical storage devices (attempts to interact with connected storage/optical drive(s); likely ransomware behaviour)
Suspicious use of SetThreadContext