32.0.0 Black Diamond
IR
404284
CloudBasic
21:32:59
04/05/2021
PL_503_13_570.docx
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
158e499db47d9c6a56449c86f3b1596f
6d0e9274649112ec7e9a757168b7de6eb2c48ff2
5e7fe9a4eb6dc098b6ed28b083d277455d66a515e7c78b270ad0515a90279f45
Word Microsoft Office Open XML Format document (49504/1) 49.01%
true
false
false
false
100
0
100
5
0
5
false
C:\ProgramData\826308279625120\temp
false
C:\ProgramData\843743064682002\_8437430646.zip
false
C:\ProgramData\843743064682002\cookies\Google Chrome_Default.txt
false
C:\ProgramData\843743064682002\cookies\Mozilla Firefox_7xwghk55.default.txt
false
C:\ProgramData\843743064682002\screenshot.jpg
false
C:\ProgramData\843743064682002\system.txt
false
C:\ProgramData\843743064682002\temp
false
C:\ProgramData\freebl3.dll
false
C:\ProgramData\mozglue.dll
false
C:\ProgramData\msvcp140.dll
false
C:\ProgramData\nss3.dll
false
C:\ProgramData\softokn3.dll
false
C:\ProgramData\sqlite3.dll
false
C:\ProgramData\vcruntime140.dll
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Sugvt[1].exe
true
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C112D4.png
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4C77723-97C0-4A14-814E-1968BCE52029}.tmp
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FDB545E2-A1F4-4D0B-BC71-CA4D3862B689}.tmp
false
C:\Users\user\AppData\Local\Temp\toqqx.exe
true
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PL_503_13_570.LNK
false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
false
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
false
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe
true
C:\Users\user\Desktop\~$_503_13_570.docx
false
C:\Users\user\toqqx.exe
true
198.98.60.43
31.210.20.6
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected Vidar stealer