Joe Sandbox analysis report (flat export)

Analysis
  Joe Sandbox version:  33.0.0 White Diamond
  Report type:          IR
  Analysis ID:          462616
  Product:              CloudBasic
  Start time:           15:28:23
  Start date:           10/08/2021 (10 Aug 2021, matching the date embedded in the sample name)
  Sample file name:     New Updated 20210810.doc
  Cookbook:             defaultwindowsofficecookbook.jbs
  Analysis system:      Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
  Platform:             WINDOWS

Sample
  MD5:     e7228f0fdb6675e599fce2e7697e237f
  SHA1:    4ee29bd4a9e6756326728a6d3a2bcdb504d01e6a
  SHA256:  03e73adb2a943786db217feedb75a14e7ce7ce39b8fb9f91a0fec989d1ce9188
  File type (TrID):  Rich Text Format (5005/1) 55.56%
  Note: despite the .doc extension the sample is RTF, which fits the Equation Editor exploit signatures listed further down.

Detection
  Verdict flags (as exported, in order):  true, false, false, false
  Score:        100 (range 0 to 100)
  Confidence:   5 (range 0 to 5)
  Whitelisted:  false
Dropped files
(Each entry: path, Malicious flag, then MD5 / SHA1 / SHA256.)

  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UPDATED-08102021.PDF[1].exe
    Malicious:  true
    MD5:        83F58ECF0778E3B0ACCA8497DF23EF23
    SHA1:       A2123E816FCD387873272E022220FBC05B96D392
    SHA256:     437FAE5AA2CAD8DDB1FE3E316AFDC6A1FDD2676084131FDC082FFDC8A53F066D
    Note: WinINet cache copy of a downloaded PE with a double extension (.PDF.exe; the [1] is the IE cache suffix). Same hashes as name.exe below.

  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{23BF6A28-299E-4B99-A605-44EE5B79BCDD}.tmp
    Malicious:  false
    MD5:        5D4D94EE7E06BBB0AF9584119797B23A
    SHA1:       DBB111419C704F116EFA8E72471DD83E86E49677
    SHA256:     4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
    Note: Word scratch (~WRS) file.

  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E2185495-5638-43A1-A616-4B202C23444A}.tmp
    Malicious:  false
    MD5:        DFC4EEF2C75137EE683C0A0BC9B953F0
    SHA1:       652A5D6FBE99DBA066F9059515061C26A01228BC
    SHA256:     E62B60E5D4261CDBE6F611A6D0F7BC42F62C5A7C07234BA0F0F72077780004F8
    Note: Word scratch (~WRS) file.

  C:\Users\user\AppData\Local\Temp\InstallUtil.exe
    Malicious:  true
    MD5:        BB85AA6D90A4157ED799257072B265FF
    SHA1:       F97DA28D82E9D81672C78FFBE03123E985E7F6D4
    SHA256:     815FD29D891CB94418BB0CDC44D5095230989FE9DA58421319FCD57E458E39A9
    Note: an InstallUtil.exe written to the user's Temp folder; the .NET Framework tool of that name does not normally live there.

  C:\Users\user\AppData\Local\Temp\bhvC767.tmp
    Malicious:  false
    MD5:        2DEBCCB53B8D793E28AE6121867FA6B6
    SHA1:       4F5F6E1976D924B31895F32DC6B52DFDF7C79A5D
    SHA256:     2F23BFB6E0EF2D829DB46E4329BAF30A44CB37732F411D2D97CAED5AD38F7BE8

  C:\Users\user\AppData\Local\Temp\holderwb.txt
    Malicious:  false
    MD5:        F3B25701FE362EC84616A93A45CE9998
    SHA1:       D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
    SHA256:     B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
    Note: identical content to ExcludeDictionaryEN0409.lex below (same hashes).

  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\New Updated 20210810.LNK
    Malicious:  false
    MD5:        2D2029DD0C9AB7CDEB1CB5474691D3FF
    SHA1:       36617B8D986F86ABC54BA3EFEC9DA53F14DCA964
    SHA256:     2CF7D8B36F1F9433C03386DF32CD65BF089AB76ADD81954028731DEB9363D82C
    Note: Office recent-documents shortcut for the sample.

  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Malicious:  false
    MD5:        31C4D1728DA7B6F622EFBC2CEB4AD8EC
    SHA1:       38134D2FDC6C6AF7C865F531D3F9F9B6431FF14C
    SHA256:     D7F13619B7963476C6AADD9FB50BC480B7E32B29ED2CC208F863DC861F1C52E6

  C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    Malicious:  false
    MD5:        390880DCFAA790037FA37F50A7080387
    SHA1:       760940B899B1DC961633242DB5FF170A0522B0A5
    SHA256:     BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391
    Note: Office owner-lock file; same hashes as ~$w Updated 20210810.doc below.

  C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
    Malicious:  false
    MD5:        F3B25701FE362EC84616A93A45CE9998
    SHA1:       D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
    SHA256:     B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209

  C:\Users\user\AppData\Roaming\name.exe
    Malicious:  true
    MD5:        83F58ECF0778E3B0ACCA8497DF23EF23
    SHA1:       A2123E816FCD387873272E022220FBC05B96D392
    SHA256:     437FAE5AA2CAD8DDB1FE3E316AFDC6A1FDD2676084131FDC082FFDC8A53F066D
    Note: same hashes as the cached UPDATED-08102021.PDF[1].exe above, i.e. the downloaded PE copied into Roaming.

  C:\Users\user\AppData\Roaming\pid.txt
    Malicious:  false
    MD5:        A1D33D0DFEC820B41B54430B50E96B5C
    SHA1:       B7ECF1CA1C97492DE831D17A3AB559D4A1F8B735
    SHA256:     8B80F49EC2822CB3CDBE97D9405E39AE40BA418B084C06604B51E2A5AF11A7F8

  C:\Users\user\AppData\Roaming\pidloc.txt
    Malicious:  false
    MD5:        2D61FD97BB78C3900DD39B26447C5C1A
    SHA1:       117F447B8159E31DF5B4422F07B04267231B4A8E
    SHA256:     49A7F6995E282A8964916CFCB0A1982BC5418EF85AB7224EBC420C21281B91C9
    Note: pid.txt and pidloc.txt in Roaming are the files HawkEye uses to record its process ID and on-disk location (the report detects HawkEye below).

  C:\Users\user\Desktop\~$w Updated 20210810.doc
    Malicious:  false
    MD5:        390880DCFAA790037FA37F50A7080387
    SHA1:       760940B899B1DC961633242DB5FF170A0522B0A5
    SHA256:     BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391
    Note: Office owner-lock file for the open sample.
Network

  Contacted IP addresses
    142.250.185.196
    103.255.237.180
    45.141.152.18

  Resolved domains (name, Malicious flag, resolved IP)
    vecvietnam.com.vn        Malicious: true    -> 103.255.237.180
    ftp.badonfashoin.com     Malicious: true    -> 45.141.152.18
    www.google.com           Malicious: false   -> 142.250.185.196
    64.89.4.0.in-addr.arpa   Malicious: true    -> unknown (reverse-DNS lookup, no address returned)
Signatures

  Behaviour
    .NET source code contains potential unpacker
    .NET source code references suspicious native API functions
    Allocates memory in foreign processes
    Changes the view of files in Windows Explorer (hidden files and folders)
    Contains functionality to log keystrokes (.NET source)
    Hides that the sample has been downloaded from the Internet (Zone.Identifier)
    Injects a PE file into a foreign process
    Machine Learning detection for dropped file
    Office Equation Editor drops PE file
    Office Equation Editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
    Sample uses process hollowing technique
    Searches for Windows Mail specific files
    Tries to harvest and steal browser information (history, passwords, etc.)
    Tries to steal Instant Messenger accounts or passwords
    Tries to steal Mail credentials (via file access)
    Tries to steal Mail credentials (via file registry)
    Writes to foreign memory regions
    Yara detected WebBrowserPassView password recovery tool

  Detection and scanner hits
    Antivirus / Scanner detection for submitted sample
    Detected HawkEye RAT
    Found malware configuration
    Malicious sample detected (through community Yara rule)
    Multi AV Scanner detection for domain / URL
    Multi AV Scanner detection for dropped file
    Multi AV Scanner detection for submitted file
    Sigma detected: Droppers Exploiting CVE-2017-11882
    Sigma detected: EQNEDT32.EXE connecting to internet
    Sigma detected: File Dropped By EQNEDT32EXE
    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Yara detected AntiVM3
    Yara detected HawkEye Keylogger
    Yara detected MailPassView
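The three Sigma titles in the signature list describe one pattern: EQNEDT32.EXE as the parent of a new process, EQNEDT32.EXE opening a network connection, and EQNEDT32.EXE writing a file. The following is an added example of that detection logic run over constructed Sysmon-style events, plus a correlation step that groups hits by the Equation Editor instance that caused them. It is not part of the sandbox report and not Joe Sandbox or Sigma project code. Assumptions: event field names follow Sysmon (EventID, Image, ParentImage, ProcessGuid, ParentProcessGuid, TargetFilename, Hashes, DestinationIp, DestinationHostname); the SAMPLE_EVENTS, their ProcessGuid values and the PLACEHOLDER hashes are constructed. The hostnames, IPs, SHA256 values and dropped-file names are copied from the report above.

```python
"""Sigma-style EQNEDT32.EXE detections over constructed Sysmon-style events.
Added example; not part of the Joe Sandbox report. Field names are assumed to
follow Sysmon; SAMPLE_EVENTS, ProcessGuids and PLACEHOLDER hashes are made up."""
from dataclasses import dataclass
import ntpath

EQNEDT = "EQNEDT32.EXE"

# Indicators copied from the report above (contacted hosts, malicious dropped files).
REPORT_IOC_HOSTS = {"vecvietnam.com.vn", "ftp.badonfashoin.com"}
REPORT_IOC_IPS = {"103.255.237.180", "45.141.152.18"}
REPORT_IOC_SHA256 = {
    "437FAE5AA2CAD8DDB1FE3E316AFDC6A1FDD2676084131FDC082FFDC8A53F066D",  # UPDATED-08102021.PDF[1].exe / name.exe
    "815FD29D891CB94418BB0CDC44D5095230989FE9DA58421319FCD57E458E39A9",  # Temp\InstallUtil.exe
}
REPORT_DROPPED_NAMES = {"updated-08102021.pdf[1].exe", "name.exe", "installutil.exe"}

RULE_DROPPER = "Droppers Exploiting CVE-2017-11882"   # EID 1, ParentImage endswith \EQNEDT32.EXE
RULE_NETWORK = "EQNEDT32.EXE connecting to internet"   # EID 3, Image endswith \EQNEDT32.EXE
RULE_FILEDROP = "File Dropped By EQNEDT32EXE"          # EID 11, Image endswith \EQNEDT32.EXE


@dataclass
class Alert:
    rule: str
    process_guid: str   # the EQNEDT32.EXE instance responsible
    event: dict
    ioc_match: bool = False


def _image_is(path, name):
    """Case-insensitive file-name match: the Sigma 'Image|endswith: \\name' idiom."""
    return ntpath.basename(path or "").lower() == name.lower()


def _sha256_from_hashes(hashes):
    """Pull SHA256 out of a Sysmon Hashes field such as 'MD5=...,SHA256=...'."""
    for part in (hashes or "").split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().upper()
    return ""


def detect(events):
    """One Alert per event matching one of the three rules; ioc_match is set when
    the event also touches an indicator from the report."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and _image_is(ev.get("ParentImage"), EQNEDT):
            hit = _sha256_from_hashes(ev.get("Hashes")) in REPORT_IOC_SHA256
            alerts.append(Alert(RULE_DROPPER, ev.get("ParentProcessGuid", ""), ev, hit))
        elif eid == 3 and _image_is(ev.get("Image"), EQNEDT):
            hit = ((ev.get("DestinationHostname") or "").lower() in REPORT_IOC_HOSTS
                   or ev.get("DestinationIp") in REPORT_IOC_IPS)
            alerts.append(Alert(RULE_NETWORK, ev.get("ProcessGuid", ""), ev, hit))
        elif eid == 11 and _image_is(ev.get("Image"), EQNEDT):
            hit = ntpath.basename(ev.get("TargetFilename") or "").lower() in REPORT_DROPPED_NAMES
            alerts.append(Alert(RULE_FILEDROP, ev.get("ProcessGuid", ""), ev, hit))
    return alerts


def triage(events):
    """Correlate by EQNEDT32.EXE instance: 'critical' when one process trips two or
    more rules or touches a report indicator, otherwise 'suspicious'."""
    per_proc = {}
    for a in detect(events):
        rules, ioc = per_proc.get(a.process_guid, (set(), False))
        per_proc[a.process_guid] = (rules | {a.rule}, ioc or a.ioc_match)
    return {guid: ("critical" if len(rules) >= 2 or ioc else "suspicious")
            for guid, (rules, ioc) in per_proc.items()}


EQN_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [  # constructed events modelled on the report's artefacts
    # Equation Editor started by DCOM (svchost parent): none of the three rules fire here
    {"EventID": 1, "Image": EQN_PATH, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ProcessGuid": "{EQN-1}", "Hashes": "SHA256=PLACEHOLDER-EQNEDT32"},
    # EQNEDT32 connects to the first malicious host in the report
    {"EventID": 3, "Image": EQN_PATH, "ProcessGuid": "{EQN-1}", "DestinationPort": 80,
     "DestinationIp": "103.255.237.180", "DestinationHostname": "vecvietnam.com.vn"},
    # EQNEDT32 writes the WinINet-cached download
    {"EventID": 11, "Image": EQN_PATH, "ProcessGuid": "{EQN-1}",
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UPDATED-08102021.PDF[1].exe"},
    # constructed: EQNEDT32 launches the Roaming copy (hash of name.exe from the report)
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\name.exe", "ParentImage": EQN_PATH,
     "ParentProcessGuid": "{EQN-1}", "ProcessGuid": "{NAME-1}",
     "Hashes": "SHA256=437FAE5AA2CAD8DDB1FE3E316AFDC6A1FDD2676084131FDC082FFDC8A53F066D"},
    # benign noise: Word writing a ~WRS scratch file, Explorer starting Notepad
    {"EventID": 11, "Image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "ProcessGuid": "{WORD-1}",
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{23BF6A28-299E-4B99-A605-44EE5B79BCDD}.tmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "ProcessGuid": "{NP-1}", "Hashes": "SHA256=PLACEHOLDER-NOTEPAD"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:40} proc={a.process_guid} ioc={a.ioc_match}")
    print(triage(SAMPLE_EVENTS))  # {'{EQN-1}': 'critical'}
```

The per-rule matches are deliberately broad, as the Sigma rules are: any child, any connection, any file write from EQNEDT32.EXE fires. The triage step is where the noise is handled; a single rule hit on an otherwise quiet Equation Editor instance stays "suspicious", while the chain seen in this report (connection, file drop, child process from the same instance, each touching a known indicator) is escalated. Keying on ProcessGuid rather than PID avoids merging unrelated instances when PIDs are reused.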