Analysis report (Joe Sandbox version 31.0.0 Red Diamond)
IR
Analysis ID: 339205
Product: CloudBasic
Start time: 17:22:41
Start date: 13/01/2021
Sample file name: Order_00009.xlsx
Cookbook: defaultwindowsofficecookbook.jbs
Analysis system: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Platform: WINDOWS
MD5: f99314a2a08dbbc7ddff20a83f1a5f32
SHA1: 1914f9f5eedef3300ced36713b4bea07597679c4
SHA256: 2f3772ae0a61ae1f913ba2e34f97dd86e7c2e619bc839171f8ff67cb06fbb209
File type: Generic OLE2 / Multistream Compound File (8008/1) 100.00%
Note: the .xlsx extension implies an OOXML ZIP container, but the content is identified as a legacy OLE2 compound file, so the extension and the actual container disagree.
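The extension/container mismatch above is worth checking mechanically before a file reaches a sandbox. The following is an added example, not part of this report and not tooling from the sandbox vendor: it identifies the container from the magic bytes, parses the MS-CFB header of an OLE2 file, and flags files whose extension promises a different container. All inputs are constructed for the example (a synthetic CFB header and a synthetic ZIP prefix); none are bytes from the sample.

```python
"""
Added example, not part of the sandbox report: a container check for a
submitted Office file. The report classifies Order_00009.xlsx as a
Generic OLE2 / Multistream Compound File although an .xlsx should be an
OOXML ZIP, so the extension and the container disagree. The header
layout follows MS-CFB. The inputs below are constructed for the example;
none of them are bytes from the sample.
"""
import os
import struct

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF

# Which container each extension is supposed to use.
OOXML_EXTS = {".xlsx", ".xlsm", ".docx", ".docm", ".pptx", ".pptm"}
OLE2_EXTS = {".xls", ".doc", ".ppt", ".msi"}


def parse_cfb_header(data: bytes) -> dict:
    """Parse the 512-byte MS-CFB header; raise ValueError when it is malformed."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        raise ValueError("not an OLE2 compound file")
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<5H", data, 24)
    (n_dir, n_fat, first_dir, _txn, mini_cutoff,
     first_minifat, n_minifat, first_difat, n_difat) = struct.unpack_from("<9I", data, 40)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order mark 0x%04X" % byte_order)
    # Version 3 files use 512-byte sectors (shift 9), version 4 files 4096 (shift 12).
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError("version %d with sector shift %d is not valid" % (major, sector_shift))
    if mini_shift != 6 or mini_cutoff != 4096:
        raise ValueError("non-standard mini stream parameters")
    return {
        "major_version": major,
        "minor_version": minor,
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
        "num_fat_sectors": n_fat,
        "first_directory_sector": first_dir,
        "num_directory_sectors": n_dir,
        "first_minifat_sector": first_minifat,
        "num_minifat_sectors": n_minifat,
        "first_difat_sector": first_difat,
        "num_difat_sectors": n_difat,
    }


def classify(filename: str, data: bytes) -> dict:
    """Identify the container by magic bytes and compare it with the extension."""
    ext = os.path.splitext(filename)[1].lower()
    if data[:8] == OLE2_MAGIC:
        container = "ole2"
    elif data[:4] == ZIP_MAGIC:
        container = "zip"
    else:
        container = "unknown"
    expected = "zip" if ext in OOXML_EXTS else "ole2" if ext in OLE2_EXTS else None
    result = {
        "extension": ext,
        "container": container,
        "expected": expected,
        "mismatch": expected is not None and container != expected,
    }
    if container == "ole2":
        result["header"] = parse_cfb_header(data)
    return result


def make_cfb_header(major: int = 3, sector_shift: int = 9) -> bytes:
    """Build a constructed, minimal CFB header (one FAT sector, directory in sector 1)."""
    hdr = bytearray(512)
    hdr[0:8] = OLE2_MAGIC
    struct.pack_into("<5H", hdr, 24, 0x3E, major, 0xFFFE, sector_shift, 6)
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<I", hdr, 76, 0)                      # DIFAT[0]: FAT lives in sector 0
    for i in range(1, 109):                                 # rest of the in-header DIFAT is free
        struct.pack_into("<I", hdr, 76 + 4 * i, FREESECT)
    return bytes(hdr)


if __name__ == "__main__":
    for name, blob in (("Order_00009.xlsx", make_cfb_header()),
                       ("Order_00009.xlsx", ZIP_MAGIC + bytes(60)),
                       ("invoice.xls", make_cfb_header(4, 12))):
        r = classify(name, blob)
        print(name, r["container"], "expected", r["expected"], "mismatch" if r["mismatch"] else "ok")
```

A mismatch is not proof of malice by itself (renamed legacy .xls files exist), but combined with an OLE2 container it is the cue to walk the directory entries for embedded objects such as Equation Editor OLE streams before letting the file anywhere near Office.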
Detection flags (as extracted): true, false, false, false
Score: 100 (range 0 to 100)
Confidence: 5 (range 0 to 5)
Whitelisted: false
Dropped files (Malicious flag as reported by the sandbox)

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file2[1].exe
  Malicious: true
  MD5:    92FF500A693078263908C83B4B290481
  SHA1:   FA5DCC6012C71490EFDF320791A90C7A18958A95
  SHA256: 767B1B32D4AC4CEC73967590CA5B28C3E0F4D709C0773E3F4021774F15A2483A

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42642D43.jpeg
  Malicious: false
  MD5:    AA7A56E6A97FFA9390DA10A2EC0C5805
  SHA1:   200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
  SHA256: 56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C6583CA.jpeg
  Malicious: false
  MD5:    AA7A56E6A97FFA9390DA10A2EC0C5805
  SHA1:   200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
  SHA256: 56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
  (identical content to 42642D43.jpeg)

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FD4B81AD.emf
  Malicious: false
  MD5:    739C90CC501B567B3583C7112965FBAE
  SHA1:   6CB98735B981DF53624CB291BA97008E6D6AA031
  SHA256: 94D6F2541AA51338AD7D2E9D0E187A6E5F60755CDA6156E0E0F1F16D0EF80FBC

C:\Users\user\AppData\Local\Temp\tmp85C4.tmp
  Malicious: true
  MD5:    7B767F4ADFBFE8B34E939F792715BA76
  SHA1:   1ECED80560CC6F7783F5CCE529757B204FABBFEE
  SHA256: 8BF947EA2B775820BE78CB9B0358CAE4127D73F5DDCC54C2624FC4D9A4A9E0D5

C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe
  Malicious: true
  MD5:    92FF500A693078263908C83B4B290481
  SHA1:   FA5DCC6012C71490EFDF320791A90C7A18958A95
  SHA256: 767B1B32D4AC4CEC73967590CA5B28C3E0F4D709C0773E3F4021774F15A2483A
  (identical content to file2[1].exe)

C:\Users\user\Desktop\~$Order_00009.xlsx
  Malicious: true
  MD5:    96114D75E30EBD26B572C1FC83D1D02E
  SHA1:   A44EEBDA5EB09862AC46346227F06F8CFAF19407
  SHA256: 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523

C:\Users\Public\vbc.exe
  Malicious: true
  MD5:    92FF500A693078263908C83B4B290481
  SHA1:   FA5DCC6012C71490EFDF320791A90C7A18958A95
  SHA256: 767B1B32D4AC4CEC73967590CA5B28C3E0F4D709C0773E3F4021774F15A2483A
  (identical content to file2[1].exe; the same downloaded PE is present under three paths)
Contacted IPs

160.153.136.3
34.102.136.180
35.172.94.1
185.26.106.165

Contacted domains (Malicious flag as reported by the sandbox)

Domain                              Malicious   IP
s.multiscreensite.com               false       35.172.94.1
fixmygearfast.com                   true        160.153.136.3
www.shemaledreamz.com               false       45.11.187.140
medicelcoolers.cn                   true        185.26.106.165
brainandbodystrengthcoach.com       true        34.102.136.180
www.stattests.com                   true        unknown
www.beamsubway.com                  true        unknown
www.herbmedia.net                   true        unknown
www.brainandbodystrengthcoach.com   true        unknown
www.fixmygearfast.com               true        unknown
Signatures

- .NET source code contains potential unpacker
- Allocates memory in foreign processes
- Binary contains a suspicious time stamp
- Drops PE files to the user root directory
- Injects a PE file into a foreign process
- Machine Learning detection for dropped file
- Maps a DLL or memory area into another process
- Modifies the context of a thread in another process (thread injection)
- Office equation editor drops PE file
- Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
- Queues an APC in another process (thread injection)
- Sample uses process hollowing technique
- Sigma detected: Executables Started in Suspicious Folder
- Sigma detected: Execution in Non-Executable Folder
- Sigma detected: Suspicious Program Location Process Starts
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Tries to detect virtualization through RDTSC time measurements
- Uses schtasks.exe or at.exe to add and modify task schedules
- Writes to foreign memory regions

- Antivirus detection for URL or domain
- Found malware configuration
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for domain / URL
- Multi AV Scanner detection for submitted file
- Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
- Sigma detected: Droppers Exploiting CVE-2017-11882
- Sigma detected: EQNEDT32.EXE connecting to internet
- Sigma detected: File Dropped By EQNEDT32EXE
- Sigma detected: Scheduled temp file as task from temp location
- Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
- System process connects to network (likely due to code injection or exploit)
- Yara detected AntiVM_3
- Yara detected FormBook
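Four of the Sigma-style signatures above (Equation Editor starting processes, Equation Editor connecting to the internet, executables started from suspicious or non-executable folders, and a scheduled task registered from a temp location) reduce to simple checks on process-creation and network telemetry. The following is an added example, not part of this report and not the sandbox's or the Sigma project's own rule code: it implements those checks and runs them over constructed events. Field names follow Sysmon conventions (Image, ParentImage, CommandLine, DestinationIp). The events reuse file paths listed in this report, but the parent/child links, command lines, task name and the Excel/Equation Editor install paths are assumptions made for the example, not observations from the sample.

```python
"""
Added example, not part of the sandbox report: Sigma-style checks that
mirror four of the report's signatures (Equation Editor starting
processes, Equation Editor connecting to the internet, executables
started from suspicious folders, and a scheduled task registered from a
temp location), run over constructed events. Field names follow Sysmon
(Image, ParentImage, CommandLine, DestinationIp); the events reuse paths
from the report but their command lines, parent/child links and task
name are assumptions made for the example, not observations.
"""
import ntpath

# Folders that the "non-executable folder" / "suspicious program location"
# rules treat as abnormal places for a process image to live.
SUSPICIOUS_DIRS = (
    "\\users\\public\\",
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\temporary internet files\\",
)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list:
    """Return the names of the rules this single event triggers."""
    hits = []
    kind = ev.get("EventType", "process")
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()

    if kind == "network":
        # Equation Editor has no legitimate reason to talk to the network.
        if _base(image) == "eqnedt32.exe":
            hits.append("eqnedt32_network_connection")
        return hits

    # Equation Editor spawning any child (CVE-2017-11882 / CVE-2018-0802 droppers).
    if _base(parent) == "eqnedt32.exe":
        hits.append("eqnedt32_child_process")
    # Image running from a folder that should not hold executables.
    if any(d in image for d in SUSPICIOUS_DIRS):
        hits.append("exec_from_suspicious_folder")
    # schtasks /create whose command line points into a temp directory
    # (task XML or task action living under %TEMP%).
    if _base(image) == "schtasks.exe" and "/create" in cmd and any(t in cmd for t in TEMP_DIRS):
        hits.append("schtasks_from_temp_location")
    return hits


def triage(events: list) -> dict:
    """Map event index -> rule hits, omitting events that trigger nothing."""
    findings = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed events: paths from the report, links/command lines assumed.
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" C:\Users\user\Desktop\Order_00009.xlsx'},
    {"Image": EQNEDT,
     "ParentImage": r"C:\Windows\System32\svchost.exe",   # DCOM launch, assumed
     "CommandLine": r'"EQNEDT32.EXE" -Embedding'},
    {"Image": r"C:\Users\Public\vbc.exe",
     "ParentImage": EQNEDT,
     "CommandLine": r'"C:\Users\Public\vbc.exe"'},
    {"EventType": "network", "Image": EQNEDT,
     "DestinationIp": "34.102.136.180", "DestinationPort": 80},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\Public\vbc.exe",
     # Task name and XML path are assumptions for the example.
     "CommandLine": r'schtasks.exe /Create /TN "Updates\JcEEHoQdnETCO" /XML "C:\Users\user\AppData\Local\Temp\tmp85C4.tmp"'},
    {"Image": r"C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",   # Task Scheduler launch, assumed
     "CommandLine": r'"C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe"'},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], "->", ", ".join(rules))
```

The Equation Editor rules are the high-confidence ones: EQNEDT32.EXE is launched out of process by DCOM and should never spawn children or open sockets, so a single hit is actionable on its own. The folder and schtasks checks are noisier and are best used to confirm the chain (dropper in C:\Users\Public, copy to AppData\Roaming, persistence through a task) rather than to alert alone.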