Joe Sandbox version: 33.0.0 White Diamond
IR
Analysis ID: 448719
Product: CloudBasic
Start time: 16:54:15
Start date: 14/07/2021
Sample file name: Booking Confirmation.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Platform: WINDOWS
MD5: 870a4c72bccd58de144c7b845d56c626
SHA1: 482681f75180bbb1286e1f93ce44dfae0b6b0007
SHA256: 37fffcbacca59290a7a3b6271ebf475a50b9e17eba113459cfc00508a7268b68
File type (TrID): Generic OLE2 / Multistream Compound File (8008/1) 100.00%
(field labels above reconstructed from the standard Joe Sandbox report layout; the "IR" field is left unlabelled)
C2 URLs / IPs found in malware configuration: 180.214.239.39
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader