31.0.0 Emerald
IR
383965
CloudBasic
13:17:02
08/04/2021
DHL Shipping doc & Shipment tracking details.docx
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
30909a9932c77fb923a96b1b090b4806
2bbe988290a47de63763796db6a39de0e268a5cf
23e650ad3f02ea9f4a402bf5e719d745b7c307c34fd8915045c79d51aab48741
Word Microsoft Office Open XML Format document (49504/1) 49.01%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
false
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BBF4E4AC-D3FE-4235-914F-E64626B221A9}.FSD
false
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF
false
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
false
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0FF8CE56-196E-41FE-8549-99098D12EE98}.FSD
false
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe
true
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Z1MU4GXL.dot
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A9585664.dot
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0863C5D3-5908-4917-8FD7-8909E0160183}.tmp
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24814E40-30CA-4646-ACFF-79FC9E14ADCB}.tmp
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D2384D6F-8836-4311-8D36-3954D2EB570F}.tmp
false
C:\Users\user\AppData\Local\Temp\{1C9178E2-878F-41DC-A2DA-5DC2C3F4A84B}
false
C:\Users\user\AppData\Local\Temp\{A39B5EA0-B931-48AE-A182-26B457E12238}
false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.- on 23.95.122.24.url
false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\................................................................................dot.url
false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DHL Shipping doc & Shipment tracking details.LNK
false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
false
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
false
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
false
C:\Users\user\Desktop\~$L Shipping doc & Shipment tracking details.docx
false
C:\Users\Public\vbc.exe
true
213.186.33.5
23.95.122.24
www.nevomo.group
true
213.186.33.5
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Drops PE files to the user root directory
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook