General

Target: MVC RFQSpecification.doc
Size: 295KB
Sample: 210420-cgg7wlmw1e
MD5: 191f38f0ef0adca84572330b29a32034
SHA1: 358ebb28a5a5adf4bfccc1199901a91156063101
SHA256: ffdfa8e7d36238ac625b595ff40cc2faae7b76a5b1a85579943c4b42cd4738fe
SHA512: a9a5f93954baae12194549d477ca2241149615fcec9ef79765329f832967b1f5c34f78ddee11b637884d371cc090c86dfdaf2fdd62a6a08b5c7177828daede18
Static task: static1

Behavioral task: behavioral1
Sample: MVC RFQSpecification.doc
Resource: win7v20210408

Behavioral task: behavioral2
Sample: MVC RFQSpecification.doc
Resource: win10v20210410
Malware Config

Extracted: httP://twart.myfirewall.org/firewall.exe
Extracted: remcos
sandshoe.myfirewall.org:2415
Targets

Target: MVC RFQSpecification.doc
Size: 295KB
MD5: 191f38f0ef0adca84572330b29a32034
SHA1: 358ebb28a5a5adf4bfccc1199901a91156063101
SHA256: ffdfa8e7d36238ac625b595ff40cc2faae7b76a5b1a85579943c4b42cd4738fe
SHA512: a9a5f93954baae12194549d477ca2241149615fcec9ef79765329f832967b1f5c34f78ddee11b637884d371cc090c86dfdaf2fdd62a6a08b5c7177828daede18
Score: 10/10

- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext