32.0.0 Black Diamond
IR
433305
CloudBasic
15:57:53
11/06/2021
Swift_Payment.MT103.docx
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
b222a3ced51fbd79d5fb84bbca12e509
bc2f5c72b5e3ddd58e991d83c94cb071152a2671
3332ad1461dc79f815e43bf55a6e105bddef5324468b041a97457de7dfcaf2b4
Word Microsoft Office Open XML Format document (49504/1) 49.01%
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus detection for dropped file
Contains an external reference to another document
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook