General
Target: case (1522).xls
Size: 153KB
Sample: 210126-n79hc9hh7x
MD5: 933ac69cb772d6e28636a81fc7665a26
SHA1: 7bb7870ebb261a2e0302600330abbc819d00acd3
SHA256: d4592471179f7d3fbd94be05591c09c74b0d8b7dcca580504694c7514c1d9ef0
SHA512: e4be1fa90192bb991468ce7edd1b951358de9287f26a1975a82ac60ded95ca9d337a0b89dc1deacc9ef836077c7345c4067de99bf82d15a406b6b3ce53ad8b52
Behavioral task: behavioral1
Sample: case (1522).xls
Resource: win7v20201028

Malware Config
Extracted:
  https://rnollg.com/kev/scfrd.dll
Extracted:
  Family: zloader
  Botnet: kev
  Campaign: 26/01
  C2:
    https://gadgetswolf.com/post.php
    https://homesoapmolds.com/post.php
    https://govemedico.tk/post.php
Targets
Target: case (1522).xls
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates physical storage devices: attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext