General
- Target: case (1057).xls
- Size: 153KB
- Sample: 210126-49qfm3xyv2
- MD5: cbc37bc9a7ec9836c033708d090db81c
- SHA1: a1fbde54662fb5cdb677f5841a3603df30345108
- SHA256: 95e0295b15b7c624febe347f44747dada5cb1fc79b73561b3153af81b351a8de
- SHA512: 03c04ea7f7f64836491fa345f075f86f9e983770e0ce174daa2ee187a79c748b548b82c3a1c4f870d6390a616a03a8f713795c2b902d788c4bc2aa17e21d2f05
Behavioral task
- behavioral1
- Sample: case (1057).xls
- Resource: win7v20201028
Malware Config
- Extracted: https://rnollg.com/kev/scfrd.dll
- Extracted: zloader
  - kev
  - 26/01
  - https://gadgetswolf.com/post.php
  - https://homesoapmolds.com/post.php
  - https://govemedico.tk/post.php
Targets
- Target: case (1057).xls
- Size: 153KB
- MD5: cbc37bc9a7ec9836c033708d090db81c
- SHA1: a1fbde54662fb5cdb677f5841a3603df30345108
- SHA256: 95e0295b15b7c624febe347f44747dada5cb1fc79b73561b3153af81b351a8de
- SHA512: 03c04ea7f7f64836491fa345f075f86f9e983770e0ce174daa2ee187a79c748b548b82c3a1c4f870d6390a616a03a8f713795c2b902d788c4bc2aa17e21d2f05
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext