General
Target: 1111.xls
Size: 153KB
Sample: 210127-gjdnm9d6zn
MD5: 6bb69e29bcbe8950f250fbf92e779682
SHA1: 4dfb1de7f258afab63d166ebc275a552c5b8a0a6
SHA256: ddf32aed6b7cda0de80bec9b11a506a32404c298c10a35bb6299a57d6b3ee823
SHA512: 52ff8915e8dfccd84fc709129a8057cc50a70ac72e2f95fe187c2b834455ad205770067430f99b9ece1b251665b014d00b0d65b19cb17e6767e93ce92860e8ab
Static task: static1
Behavioral task: behavioral1
Sample: 1111.xls
Resource: win7v20201028
Malware Config
Extracted (URL of the DLL the document fetches; see "Loads dropped DLL" below):
https://coopacaustro.com/kev/scfrd.dll
Extracted (zloader configuration):
zloader
kev
26/01
https://gadgetswolf.com/post.php
https://homesoapmolds.com/post.php
https://govemedico.tk/post.php
The three post.php URLs are the command-and-control endpoints carried in the ZLoader configuration; together with the download host above they are the network indicators to block and hunt for.
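As an added example (not part of the sandbox report and not the sandbox's own tooling), the following Python turns the extracted configuration and the file hashes above into a working checklist: it labels each URL by stage (the DLL download versus the three post.php C2 endpoints), defangs them for sharing in a ticket, verifies a candidate file against all four digests, and matches the indicator hosts against proxy log lines. The log format, the log lines, and the function names are assumptions made for this example.

```python
"""Added example: turn the IOCs in this report into a checklist and run it
against proxy logs. Illustrative code written for this page, not the sandbox's
own tooling; the log format and log lines below are constructed."""
import hashlib
from urllib.parse import urlparse

# Digests copied from the report (sample 210127-gjdnm9d6zn).
SAMPLE_HASHES = {
    "md5": "6bb69e29bcbe8950f250fbf92e779682",
    "sha1": "4dfb1de7f258afab63d166ebc275a552c5b8a0a6",
    "sha256": "ddf32aed6b7cda0de80bec9b11a506a32404c298c10a35bb6299a57d6b3ee823",
    "sha512": ("52ff8915e8dfccd84fc709129a8057cc50a70ac72e2f95fe187c2b834455ad20"
               "5770067430f99b9ece1b251665b014d00b0d65b19cb17e6767e93ce92860e8ab"),
}

# Stage each URL belongs to: the first is the DLL the document downloads, the
# post.php URLs are the C2 endpoints from the extracted ZLoader config.
IOC_URLS = {
    "https://coopacaustro.com/kev/scfrd.dll": "payload-download",
    "https://gadgetswolf.com/post.php": "c2",
    "https://homesoapmolds.com/post.php": "c2",
    "https://govemedico.tk/post.php": "c2",
}


def ioc_hosts():
    """Map hostname -> stage, for blocklists and log matching."""
    return {urlparse(u).hostname: stage for u, stage in IOC_URLS.items()}


def defang(url):
    """Render an indicator so it is not clickable in a ticket or report."""
    p = urlparse(url)
    return f"hxx{p.scheme[3:]}://{p.hostname.replace('.', '[.]')}{p.path}"


def verify_sample(data):
    """Compare a candidate file's digests with the report's. All four must
    agree; a partial match means a different file (or a tampered report)."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest
            for algo, digest in SAMPLE_HASHES.items()}


def scan_proxy_log(lines):
    """Constructed line format: '<ts> <client_ip> <method> <url> <status>'.
    Returns (line_no, client_ip, stage, url) for every exact IOC host hit."""
    hosts = ioc_hosts()
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue
        url = parts[3]
        host = urlparse(url).hostname
        if host in hosts:
            hits.append((n, parts[1], hosts[host], url))
    return hits


# Constructed proxy log: one payload fetch, one C2 beacon, two benign lines
# (the last one shares a label with an IOC host but is a different domain).
SAMPLE_LOG = [
    "2021-01-27T10:02:11Z 10.0.4.21 GET https://coopacaustro.com/kev/scfrd.dll 200",
    "2021-01-27T10:02:14Z 10.0.4.21 GET https://www.example.com/ 200",
    "2021-01-27T10:02:40Z 10.0.4.21 POST https://gadgetswolf.com/post.php 200",
    "2021-01-27T10:03:02Z 10.0.4.77 GET https://homesoapmolds.example.net/ 200",
]

if __name__ == "__main__":
    for url in IOC_URLS:
        print(defang(url))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("line %d: %s -> %s (%s)" % hit)
```

Host matching is exact on purpose: substring matching on "homesoapmolds" would flag the unrelated fourth line. If you want to catch subdomains of the C2 hosts, compare on the host suffix instead, and keep the payload-download URL as a full-URL match since the path (/kev/) carries the same "kev" value seen in the extracted config.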
Targets
Target: 1111.xls (153KB; MD5, SHA1, SHA256 and SHA512 as listed under General above)
Signatures
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro. For a spreadsheet sample the parent is the application that opened 1111.xls, and the child is the hand-off to the next stage.
- Blocklisted process makes network request
  The document's application process itself reached out to the network, consistent with the DLL download URL listed under Malware Config.
- Loads dropped DLL
  A DLL written to disk during the run was loaded, consistent with the scfrd.dll fetched from the extracted URL.
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: the extracted configuration identifies the payload as ZLoader, so this hit on its own is not a ransomware verdict.
- Suspicious use of SetThreadContext
  Setting another thread's context is a common step in process injection and hollowing, where a loader stages its payload in a separate process before resuming it.
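As an added example (not part of the sandbox report and not the sandbox's signature engine), the following Python expresses the two process-level signatures above as detection logic over endpoint telemetry and then ties them together: an Office application that makes a network request and then spawns a child outside its allowlist is the download-then-execute chain this report shows. The Sysmon-style record layout, the allowlist, and the events (including the rundll32 child and its command line) are constructed for the example; the report only says a child was spawned and a dropped DLL was loaded.

```python
"""Added example: the process-level signatures above as detection logic over
endpoint telemetry. Illustrative code written for this page, not the sandbox's
signature engine; the record layout and the events are constructed,
Sysmon-style (event_id 1 = process create, 3 = network connect)."""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children that Office starts legitimately in most fleets; tune per environment.
ALLOWED_CHILDREN = {"splwow64.exe", "werfault.exe"}


def exe_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexpected_children(events):
    """'Process spawned unexpected child process': an Office application
    starts a child that is not on the allowlist."""
    return [e for e in events
            if e["event_id"] == 1
            and exe_name(e["parent_image"]) in OFFICE_APPS
            and exe_name(e["image"]) not in ALLOWED_CHILDREN]


def office_network_requests(events):
    """'Blocklisted process makes network request': the Office application
    itself opens a network connection."""
    return [e for e in events
            if e["event_id"] == 3 and exe_name(e["image"]) in OFFICE_APPS]


def document_chain(events):
    """Tie the two signals together: a child spawned by an Office process that
    had already made a network request. Returns those child create events."""
    net_pids = {e["process_id"] for e in office_network_requests(events)}
    return [e for e in unexpected_children(events) if e["parent_pid"] in net_pids]


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events. The rundll32 child and its command line are hypothetical;
# the report only states that a child was spawned and a dropped DLL was loaded.
SAMPLE_EVENTS = [
    {"event_id": 1, "process_id": 1204, "parent_pid": 800, "image": EXCEL,
     "parent_image": EXPLORER, "cmdline": 'EXCEL.EXE "C:\\Users\\user\\1111.xls"'},
    {"event_id": 3, "process_id": 1204, "image": EXCEL,
     "dest_host": "coopacaustro.com", "dest_port": 443},
    {"event_id": 1, "process_id": 2400, "parent_pid": 1204,
     "image": r"C:\Windows\splwow64.exe", "parent_image": EXCEL,
     "cmdline": "splwow64.exe"},
    {"event_id": 1, "process_id": 2316, "parent_pid": 1204,
     "image": r"C:\Windows\System32\rundll32.exe", "parent_image": EXCEL,
     "cmdline": "rundll32.exe C:\\Users\\user\\AppData\\Local\\Temp\\scfrd.dll,#1"},
    {"event_id": 1, "process_id": 3020, "parent_pid": 800,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": EXPLORER,
     "cmdline": "cmd.exe"},
]

if __name__ == "__main__":
    for e in document_chain(SAMPLE_EVENTS):
        print("pid %d <- %s : %s" % (e["process_id"], e["parent_image"], e["cmdline"]))
```

The allowlist is what keeps this rule quiet: the print helper splwow64.exe spawned by Excel is ignored, while the rundll32 child is reported, and the cmd.exe started from Explorer is never considered because its parent is not an Office application. Combining the child-process and network signals into document_chain is what turns two noisy single signatures into the specific chain this report shows.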