General
Target: 40HQ_of_CI_PL_SC_HR210503.docx
Size: 10KB
Sample: 210503-zl4vg68bra
MD5: 78e85cb8cd9169dfe6fe6ddcf4090a97
SHA1: 6ca04ffc772794b12f4b6c724387823c185cce6e
SHA256: ab80b9b17c044eeed0605980caeaf6617c48f04d4f11a5f19d9a65256a940e95
SHA512: d330a14930f4fe9e74a0973e261bd060844b62211fa00f316c4d8233907a7cd845b6782a2cb646c5eb33246cad65d9f41dc42c57d57401f5ec0425e686e3256d
Static task: static1
Behavioral task: behavioral1 (Sample: 40HQ_of_CI_PL_SC_HR210503.docx, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: 40HQ_of_CI_PL_SC_HR210503.docx, Resource: win10v20210408)
Malware Config
Extracted: http://107.173.219.80/prf/regasm.dot
Extracted: xloader 2.3, http://www.stonescapes1.com/de92/
Targets
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext