32.0.0 Black Diamond
IR
432659
CloudBasic
16:30:12
10/06/2021
INQUIRY-PO3010773..EPR55804.doc
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
ca66b439a178c115e4a0634da09c27ce
076b862373c50f30b121b8f64b60673434ca9b90
4e0fefa37d9dc5faec3e64cc9129b8004fd349b209228a97101c66b30cde4e10
Rich Text Format (5005/1) 55.56%
true
false
false
false
100
0
100
5
0
5
false
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook