General
Target: 40HQ of CI PL SC HR210503.docx
Size: 10KB
Sample: 210609-e2q4rgtnzs
MD5: ffde61c7250f2ad83febb03b28321b4c
SHA1: f37ff229c3e22cb00966eeb76d185a826b134fc1
SHA256: 540b8aee7a87730cd824187ea04de1d6cafc7070ff9009d3aa60a8275cd4cdef
SHA512: c7f398a12fe7e27914cfdf45aaf16086dbabb91870ce0249c5122f95eaef432f3b8ea407e342bec8c1476ba6c299b3c630f219955088ee9a4a3091362ea68618
Static task: static1
Behavioral task: behavioral1
  Sample: 40HQ of CI PL SC HR210503.docx
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 40HQ of CI PL SC HR210503.docx
  Resource: win10v20210408
Malware Config
Extracted: http://bit.do/fQZTV
Extracted (lokibot):
  http://manvim.co/bo/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets
Target: 40HQ of CI PL SC HR210503.docx
- Process spawned unexpected child process (this typically indicates the parent process was compromised via an exploit or macro)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext