31.0.0 Red Diamond
IR
321163
CloudBasic
13:46:20
20/11/2020
Bill # 2.xlsx
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
483b35b49726fc59ba720ca3106a69f6
58b66c28ec98e732920179eb4e270e7b00517f08
982e68644911b369c8d440f2ca7e0380b5bb7b3400fe2f53d13f34f2fce5505b
Generic OLE2 / Multistream Compound File (8008/1) 100.00%
Drops PE files to the user root directory
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to harvest and steal PuTTY / WinSCP information (sessions, passwords, etc.)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal FTP login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla