General
Target: case (166).xls
Size: 153KB
Sample: 210126-tsy7qm738a
MD5: 44b43922e08e0e8e1ec65300b3b1aa74
SHA1: ec1a847009295036381af1b0a4383a61c3dcbb75
SHA256: 9b8516fcbe183de0a53ac47ea7f4289176e23fc82da1fe67c70cedc823f5dba6
SHA512: f54baff4c52037180433a6b246bbf773924327e8ebc641e7a896a2a7ee79ae4e9326984cbd646be73f9d5fa97f2b8e8e5e7628f277df70deb2cb9e7771f69356
Behavioral task: behavioral1
Sample: case (166).xls
Resource: win7v20201028

Malware Config
Extracted (download URL): https://rnollg.com/kev/scfrd.dll
Extracted (zloader):
  Family: zloader
  Botnet: kev
  Campaign: 26/01
  C2:
    https://gadgetswolf.com/post.php
    https://homesoapmolds.com/post.php
    https://govemedico.tk/post.php
Targets
Target: case (166).xls (same file and hashes as listed under General above)
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro. The report does not name the child process.
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates physical storage devices: attempts to interact with connected storage/optical drive(s). The sandbox's generic note calls this likely ransomware behaviour, but the extracted configuration identifies the payload as zloader, a banking trojan/loader, so treat the ransomware label as an unconfirmed heuristic rather than a finding.
- Suspicious use of SetThreadContext: an API commonly used for process injection (for example process hollowing), consistent with a loader staging its payload.
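The following is an added hunting example built from this report's IOCs; it is not part of the sandbox output. The hashes and URLs are copied from the report above. Everything else is an assumption for illustration: the report does not name the child process, so the child names, the Office child-process allowlist, the blocklisted-process set and the telemetry events are constructed. It shows how a responder would turn the two process-level signatures ("unexpected child process", "blocklisted process makes network request") and the extracted C2 list into checks over endpoint telemetry, matching C2 hosts rather than exact URLs so a reused host with a different path is still caught.

```python
"""Hunting helpers derived from the IOCs in this Triage report (added example)."""
import hashlib
from urllib.parse import urlsplit

# File hashes of case (166).xls, copied from the report.
SAMPLE_HASHES = {
    "md5": "44b43922e08e0e8e1ec65300b3b1aa74",
    "sha1": "ec1a847009295036381af1b0a4383a61c3dcbb75",
    "sha256": "9b8516fcbe183de0a53ac47ea7f4289176e23fc82da1fe67c70cedc823f5dba6",
    "sha512": "f54baff4c52037180433a6b246bbf773924327e8ebc641e7a896a2a7ee79ae4e"
              "9326984cbd646be73f9d5fa97f2b8e8e5e7628f277df70deb2cb9e7771f69356",
}

# Network IOCs from the extracted configuration: download URL plus zloader C2s.
IOC_URLS = {
    "https://rnollg.com/kev/scfrd.dll",
    "https://gadgetswolf.com/post.php",
    "https://homesoapmolds.com/post.php",
    "https://govemedico.tk/post.php",
}
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

# Assumptions (not from the report): Office parents, the children they may
# legitimately spawn in this environment, and a local blocklist of LOLBins.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
ALLOWED_OFFICE_CHILDREN = {"splwow64.exe", "werfault.exe"}
BLOCKLISTED_PROCESSES = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
                         "wscript.exe", "cscript.exe", "powershell.exe"}


def file_digests(data: bytes) -> dict:
    """Return md5/sha1/sha256/sha512 hex digests of the given bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def digests_hit(digests: dict) -> bool:
    """True if any supplied digest equals the corresponding sample hash."""
    return any(digests.get(k) == v for k, v in SAMPLE_HASHES.items())


def is_known_sample(data: bytes) -> bool:
    """Hash the bytes and compare against the report's sample hashes."""
    return digests_hit(file_digests(data))


def url_hits_ioc(url: str) -> bool:
    """Match on host, not full URL: a C2 host may be reused with other paths."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in IOC_HOSTS


def flag_events(events) -> list:
    """Apply the report's process-level signatures to a list of event dicts.

    Events are {"type": "spawn", "parent": ..., "child": ...} or
    {"type": "net", "process": ..., "url": ...}.
    Returns (event_index, reason) tuples; one net event can yield two.
    """
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "spawn":
            parent, child = ev["parent"].lower(), ev["child"].lower()
            if parent in OFFICE_PARENTS and child not in ALLOWED_OFFICE_CHILDREN:
                hits.append((i, f"unexpected child {child} of Office parent {parent}"))
        elif ev["type"] == "net":
            proc = ev["process"].lower()
            if proc in BLOCKLISTED_PROCESSES:
                hits.append((i, f"blocklisted process {proc} made a network request"))
            if url_hits_ioc(ev["url"]):
                hits.append((i, f"{proc} contacted IOC host {urlsplit(ev['url']).hostname}"))
    return hits


# Constructed telemetry (assumption, not from the report): Excel launches a
# LOLBin child that fetches the download URL; a browser later hits a C2 host.
SAMPLE_EVENTS = [
    {"type": "spawn", "parent": "explorer.exe", "child": "EXCEL.EXE"},
    {"type": "spawn", "parent": "EXCEL.EXE", "child": "splwow64.exe"},
    {"type": "spawn", "parent": "EXCEL.EXE", "child": "rundll32.exe"},
    {"type": "net", "process": "rundll32.exe", "url": "https://rnollg.com/kev/scfrd.dll"},
    {"type": "net", "process": "chrome.exe", "url": "https://example.com/"},
    {"type": "net", "process": "chrome.exe", "url": "https://gadgetswolf.com/other.php"},
]

if __name__ == "__main__":
    for idx, reason in flag_events(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
    print("test bytes match sample hashes:", is_known_sample(b"not the real sample"))
```

Run it as-is to see the three flagged events; point `is_known_sample` at real file bytes to check a quarantined attachment against the report's hashes. Host-level matching is deliberate: exact-URL matching would miss the same C2 host serving a different path, as the last constructed event shows.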