General
- Target: case (2553).xls
- Size: 153KB
- Sample: 210126-7d9znww1ts
- MD5: cab7720d67d7700d40b24fee321734ce
- SHA1: cb22de552873492e9925853b3cb7ad2ad5a00e8c
- SHA256: 440496a116ae475c19a8a00af2b51c05c6a62040c4ec556fc7e7788682962be6
- SHA512: 2e9a2d66ac702b37a2326782de191c83dc9dbee0f3507dfe003b5f75de68de4771be132cbfb1b00065ba322ce4515d1e292de83a5819726acfbe7c3325f4ac87
Static task: static1
Behavioral task: behavioral1
- Sample: case (2553).xls
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: case (2553).xls
- Resource: win10v20201028
Malware Config
Extracted:
- https://coopacaustro.com/kev/scfrd.dll
Extracted:
- zloader
- kev
- 26/01
- https://gadgetswolf.com/post.php
- https://homesoapmolds.com/post.php
- https://govemedico.tk/post.php
Targets
- Target: case (2553).xls
- Size: 153KB
- MD5: cab7720d67d7700d40b24fee321734ce
- SHA1: cb22de552873492e9925853b3cb7ad2ad5a00e8c
- SHA256: 440496a116ae475c19a8a00af2b51c05c6a62040c4ec556fc7e7788682962be6
- SHA512: 2e9a2d66ac702b37a2326782de191c83dc9dbee0f3507dfe003b5f75de68de4771be132cbfb1b00065ba322ce4515d1e292de83a5819726acfbe7c3325f4ac87
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext