General
- Target: case (4335).xls
- Size: 153KB
- Sample: 210126-15b7wdmnj2
- MD5: bf86559630b855e4bf2c54d641147b24
- SHA1: 182cbac1bdd020fa5fee6ed9d6a50d1071fbe320
- SHA256: 31ea3370ca06a2af45514a59a0ae49dc62ac34bc4dce44402f169a9d6fb93853
- SHA512: f188cdd1ae628850d5a48f32ec17d399fdbed68ed6a6e92977374dac61a0d3286f0a2c1ff83ae4b70af219c9f3d7b49aa4ac5125f63f7f75fc6b70a17a4ddc83
Behavioral task: behavioral1
- Sample: case (4335).xls
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: case (4335).xls
- Resource: win10v20201028
Malware Config
Extracted (payload download URL)
- https://rnollg.com/kev/scfrd.dll
Extracted (zloader)
- Family: zloader
- Botnet: kev
- Campaign: 26/01
- C2:
  - https://gadgetswolf.com/post.php
  - https://homesoapmolds.com/post.php
  - https://govemedico.tk/post.php
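The extracted configuration is directly actionable: the download URL, the three C2 gates and the sample hashes can be swept against proxy logs and file inventories. The script below is an added example written for this report, not sandbox tooling; the indicators are taken from the report, while the proxy log lines, the file-hash inventory and the log line format are constructed sample data. It matches on host as well as exact URL because the Zloader gates are paths on the listed hosts, so a renamed gate script would otherwise slip past an exact-URL rule.

```python
"""IOC sweep built from the Zloader config extracted from case (4335).xls.

Added example for this report, not sandbox tooling. Only the URLs, hashes and
botnet/campaign tags are taken from the report; the proxy log lines and the
file-hash inventory below are constructed sample data.
"""
from urllib.parse import urlparse

# Indicators from the report (General and Malware Config sections).
PAYLOAD_URL = "https://rnollg.com/kev/scfrd.dll"
C2_URLS = [
    "https://gadgetswolf.com/post.php",
    "https://homesoapmolds.com/post.php",
    "https://govemedico.tk/post.php",
]
SAMPLE_HASHES = {
    "md5": "bf86559630b855e4bf2c54d641147b24",
    "sha1": "182cbac1bdd020fa5fee6ed9d6a50d1071fbe320",
    "sha256": "31ea3370ca06a2af45514a59a0ae49dc62ac34bc4dce44402f169a9d6fb93853",
}
BOTNET, CAMPAIGN = "kev", "26/01"


def build_iocs():
    """Expand the config into URL-, host- and hash-level indicators."""
    urls = {PAYLOAD_URL, *C2_URLS}
    hosts = {urlparse(u).hostname for u in urls}
    return {"urls": urls, "hosts": hosts, "hashes": set(SAMPLE_HASHES.values())}


def match_proxy_log(lines, iocs):
    """Return (line_no, host, url, kind) for each log line touching an indicator.

    Line format (constructed): "<timestamp> <client_ip> <method> <url> <status>".
    Host-level matches are reported as well as exact URLs: Zloader gates are
    paths on the listed hosts, so a renamed gate script would otherwise slip past
    an exact-URL rule.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than abort the sweep
        url = parts[3]
        host = urlparse(url).hostname
        if url in iocs["urls"]:
            hits.append((n, host, url, "url"))
        elif host in iocs["hosts"]:
            hits.append((n, host, url, "host"))
    return hits


def match_hashes(inventory, iocs):
    """inventory maps path -> hex digest (md5, sha1 or sha256); returns matching paths."""
    return sorted(p for p, h in inventory.items() if h.lower() in iocs["hashes"])


# Constructed sample data (not from the report): one host fetches the payload,
# beacons to a listed C2, then posts to an unlisted path on a listed C2 host.
SAMPLE_PROXY_LOG = [
    "2021-01-26T09:14:02Z 10.0.5.23 GET https://rnollg.com/kev/scfrd.dll 200",
    "2021-01-26T09:14:05Z 10.0.5.23 POST https://gadgetswolf.com/post.php 200",
    "2021-01-26T09:14:40Z 10.0.5.23 POST https://homesoapmolds.com/gate2.php 404",
    "2021-01-26T09:15:00Z 10.0.5.41 GET https://example.com/index.html 200",
]
SAMPLE_INVENTORY = {  # constructed; the benign digest is the MD5 of an empty file
    r"C:\Users\j.doe\Downloads\case (4335).xls": SAMPLE_HASHES["sha256"],
    r"C:\Users\j.doe\Downloads\invoice.xls": "d41d8cd98f00b204e9800998ecf8427e",
}


def sweep(log_lines=SAMPLE_PROXY_LOG, inventory=SAMPLE_INVENTORY):
    """Run both matchers and tag the result with the botnet/campaign from the config."""
    iocs = build_iocs()
    return {
        "botnet": BOTNET,
        "campaign": CAMPAIGN,
        "network": match_proxy_log(log_lines, iocs),
        "files": match_hashes(inventory, iocs),
    }


if __name__ == "__main__":
    result = sweep()
    for n, host, url, kind in result["network"]:
        print(f"proxy line {n}: {kind} match on {host} ({url})")
    for path in result["files"]:
        print(f"file hash match: {path}")
```

Against the constructed log the sweep reports two exact-URL hits (the payload fetch and the first C2 beacon) and one host-only hit for the unlisted gate path; the fourth line is ignored. Run it against real proxy exports by replacing `SAMPLE_PROXY_LOG` with lines in the same five-field shape, or adapt `match_proxy_log` to your proxy's column order.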
Targets
- Target: case (4335).xls (153KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- Signatures:
  - Process spawned unexpected child process
    This typically indicates the parent process was compromised via an exploit or macro.
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Stock signature description: nothing else in this report indicates encryption activity, and the extracted config identifies the payload as the Zloader banking trojan.)
  - Suspicious use of SetThreadContext
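The first three signatures describe one chain on the endpoint: an Office process spawns a child it should not, that child fetches something over the network, and it then loads a DLL that was written to disk during the run. The correlation below is an added example for this report, not sandbox code. It consumes constructed Sysmon-style events (event ID 1 process create, 3 network connection, 7 image load); the child image name, local paths, PIDs and the allowlist of expected Office children are assumptions chosen to illustrate the chain, and the only values taken from the report are the payload host rnollg.com and the DLL name scfrd.dll.

```python
"""Correlate this report's behavioural signatures over endpoint telemetry.

Added example for this report, not sandbox code. The records below are
constructed Sysmon-style events (ID 1 process create, 3 network connection,
7 image load). The child image name, local paths and PIDs are assumptions
chosen to illustrate the chain; the only values taken from the report are
the payload host rnollg.com and the DLL name scfrd.dll.
"""
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children Office launches legitimately (hypothetical allowlist; tune per estate).
EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe"}
# Path fragments that mark a DLL as dropped rather than installed.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_office_chain(events):
    """Return findings for unexpected Office children that connect out or load dropped DLLs.

    Mirrors three report signatures: unexpected child of an Office process,
    that child making a network request, and that child loading a DLL from a
    user-writable path. Events must be in time order so the child is tracked
    before its later network and image-load events arrive.
    """
    findings = []
    tracked = {}  # pid -> child image name, for unexpected Office children
    for ev in events:
        if ev["id"] == 1 and basename(ev["parent_image"]) in OFFICE_PARENTS:
            child = basename(ev["image"])
            if child not in EXPECTED_CHILDREN:
                tracked[ev["pid"]] = child
                findings.append(
                    f"{basename(ev['parent_image'])} spawned unexpected child "
                    f"{child} (pid {ev['pid']})")
        elif ev["id"] == 3 and ev["pid"] in tracked:
            findings.append(
                f"{tracked[ev['pid']]} (pid {ev['pid']}) connected to {ev['dest_host']}")
        elif ev["id"] == 7 and ev["pid"] in tracked:
            loaded = ev["image_loaded"].lower()
            if any(seg in loaded for seg in USER_WRITABLE) and not ev.get("signed"):
                findings.append(
                    f"{tracked[ev['pid']]} (pid {ev['pid']}) loaded dropped DLL "
                    f"{ev['image_loaded']}")
    return findings


# Constructed event stream (not from the report). Excel starts normally, spawns
# an unexpected child and an expected one, the child connects to the payload
# host and loads a DLL from the user's temp directory; Excel's own CDN traffic
# and the child's system DLL loads are left alone.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": OFFICE, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 5012, "image": r"C:\Windows\System32\regsvr32.exe", "parent_image": OFFICE},
    {"id": 1, "pid": 5100, "image": r"C:\Windows\splwow64.exe", "parent_image": OFFICE},
    {"id": 3, "pid": 5012, "dest_host": "rnollg.com"},
    {"id": 7, "pid": 5012, "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"id": 7, "pid": 5012, "image_loaded": r"C:\Users\j.doe\AppData\Local\Temp\scfrd.dll",
     "signed": False},
    {"id": 3, "pid": 4120, "dest_host": "cdn.example.net"},
]


if __name__ == "__main__":
    for line in detect_office_chain(SAMPLE_EVENTS):
        print(line)
```

On the constructed stream this yields exactly three findings, one per signature, all tied to the same child PID; the allowlisted print helper and Excel's own connection produce nothing. The remaining two signatures need different telemetry: SetThreadContext (a common process-injection primitive) is an API call not visible in Sysmon process, network or image-load events and requires EDR or ETW API tracing, and physical-drive enumeration shows up, if at all, as handle opens on device objects.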