31.0.0 Red Diamond
IR
321136
CloudBasic
12:01:04
20/11/2020
PO1.xlsx
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
825745a31fc275a41849f257818a6e5e
3cbd4431678267fd6660eab67d7c47bc6397e4c6
3a843efb1f58cbc577e62bbf34451912ac5618c8b79c18ecfa0e0257f927f0cf
Generic OLE2 / Multistream Compound File (8008/1) 100.00%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
false
E4F1E21910443409E81E5B55DC8DE774
EC0885660BD216D0CDD5E6762B2F595376995BD0
CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
false
17FE41C8397CB4C39C503CA7892E128E
69D074F9B7A37EABAD5599A752C1815930E77C20
C52BE95C7DB1CEC17548DFBF604FE6226CE3F6458BD9EF66FBACC06814121630
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
true
3D549885E44863C57F59EAB47F2271CC
76C51BE921EF41FF2596F3F882B91C8EDE3713C7
1D9C8EE9BE6E0EE20B600C71989292AA2EFD0849611389E3121BAE364D9D6ADF
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2505BD01.jpeg
false
AA7A56E6A97FFA9390DA10A2EC0C5805
200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1B89C3B.emf
false
0EACAACA6696FF166D2BE2957DE495B1
6FC6E9625708DE1A29DA8607A9D475EE08554B69
FA9654EB231E5284BB041DB4212EC6975019F29A0E7801F5C75C8BC568D25B77
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D6627100.jpeg
false
AA7A56E6A97FFA9390DA10A2EC0C5805
200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
C:\Users\user\AppData\Local\Temp\CabCE09.tmp
false
E4F1E21910443409E81E5B55DC8DE774
EC0885660BD216D0CDD5E6762B2F595376995BD0
CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
C:\Users\user\AppData\Local\Temp\TarCE0A.tmp
false
D0682A3C344DFC62FB18D5A539F81F61
09D3E9B899785DA377DF2518C6175D70CCF9DA33
4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
C:\Users\user\AppData\Roaming\xjp3jnfs.ylv\Chrome\Default\Cookies
false
903C35B27A5774A639A90D5332EEF8E0
5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
C:\Users\user\AppData\Roaming\xjp3jnfs.ylv\Firefox\Profiles\7xwghk55.default\cookies.sqlite
false
1138F6578C48F43C5597EE203AFF5B27
9B55D0A511E7348E507D818B93F1C99986D33E7B
EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
C:\Users\user\Desktop\~$PO1.xlsx
true
96114D75E30EBD26B572C1FC83D1D02E
A44EEBDA5EB09862AC46346227F06F8CFAF19407
0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
C:\Users\Public\vbc.exe
true
3D549885E44863C57F59EAB47F2271CC
76C51BE921EF41FF2596F3F882B91C8EDE3713C7
1D9C8EE9BE6E0EE20B600C71989292AA2EFD0849611389E3121BAE364D9D6ADF
192.3.141.160
208.91.199.223
174.129.214.20
elb097307-934924932.us-east-1.elb.amazonaws.com
false
174.129.214.20
us2.smtp.mailhostbox.com
false
208.91.199.223
smtp.tzdieep.net
true
unknown
api.ipify.org
false
unknown
Contains functionality to detect sleep reduction / modifications
Drops PE files to the user root directory
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to harvest and steal PuTTY / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla