General
Target: Quote 2405987021.docx
Size: 10KB
Sample: 210525-2w4tsymesn
MD5: 992acd038fd49f200bd5510c029e74b1
SHA1: f1a0abb5f96c21f8a799e4f65c4216bd968c29b7
SHA256: 5274c7fea16b84e327d5af683b6ef0c3e1fe1649b6cea88399e029ed5deeee6f
SHA512: e08e069138e70fc13ce97ccd1f5b99c763d5b23f90773f8248a4ca5b6e3dc3e71ef277f1dd365c71e58b960b221f0ff5479694baf10a66ca6079431ff84eef10
Static task: static1
Behavioral task: behavioral1 (Sample: Quote 2405987021.docx, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: Quote 2405987021.docx, Resource: win10v20210408)
Malware Config
Extracted: http://198.46.132.185/..-.-.-......................................................-...-/..................................................wbk
Extracted: formbook 4.1
http://www.mpaiji.com/c244/
ssgasija.com
procyoon.com
mood-street-food.com
yeglifeview.com
baoyai.com
sundarsheni.com
notoli.photography
sweetape.com
ergas.group
asyrill.com
jin188v.com
stlazarushospitalnola.com
dohertyfamily5.com
duniaclubs.club
ngobryles.com
scottsavocasalon.com
unifiui.com
baileyfred.com
nabiagency.com
alyssaternanphotography.com
whitehome-re.com
nitaraine.com
rklogtransportes.com
closetcouturenc.com
day.gallery
suxfi.com
mittikasaman.com
livesupgrade.com
hasbiadam.com
masdelafont-mauguio.com
topadofa.com
humanimmunogenomics.com
exit-blog.com
andersonsignandbannerco.com
ellasween.com
jmycjj.com
dhshk.com
peaceful-dolphin.com
flossydesigns.com
mrevivalkids.com
paintmehappywithcassandra.com
daishuaku.com
c2spot.com
odiaproduct.com
skillfultopshop.com
mentorbp.com
annualchecklist.com
jasaborongan.com
fasttrainheal.com
flatfootedhatting.com
brionreilly.com
ogcaterers.info
uuhlashwe.club
subsidy-kennwort.info
logisticmoversusa.com
houseofkabbalah.com
ahealingjournee.com
diemtinthitruong.com
naturallybossed.com
turksandcaicosdirect.com
hudsonvalleyfinearts.net
brocousa.com
getyourcostsdown.com
liveitupmusic.com
Targets
Target: Quote 2405987021.docx (size and hashes as listed under General above)
Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
Formbook Payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Abuses OpenXML format to download file from external location
Loads dropped DLL
Uses the VBS compiler for execution
Suspicious use of SetThreadContext