33.0.0 White Diamond
IR
501830
CloudBasic
09:58:13
13/10/2021
Import order764536.xlsx
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
cf9700bcf6687a0f9bc3b205b43b40ba
1bcc9522f4f8e1938939e2721b834c5f51cf81d1
61c38201d62bd19e606f4f4e78805932442d872aea57651ab949b96bbb6b4121
Generic OLE2 / Multistream Compound File (8008/1) 100.00%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\33920049\aauo.exe
false
3A48081CF7D4D709399A376B3A8AADF2
E0D7DDAA464FC3565D92DF4ECC7BD30286D519CA
7EBB903522348C2326DFFBC66B5D20C8E7C120C4D7CEE15640CAE5187C5741C0
C:\Users\user\33920049\abjtjj.gcm
false
1E44C5E2D839F53AC114916DFA41912B
9B67ABC94E2959683B5D784C8B076D6171AF7237
0FB93824D410F1E4BA2B233F405027D042EDF2E729FA34A41BE910B50ED99416
C:\Users\user\33920049\aricevnrq.msc
false
AE35EB6B3B57EEB5BED5821AA2E6D92D
9D8C94DEF5AE1D05D727E19EFF0A55917094DD67
565B05521D79388A417C7210739CFC5EB4F8E41E50D0D76D6710FE7533FF4B98
C:\Users\user\33920049\bbofcjswrb.bmp
false
152ACD87F50B620928B85D1F6EA00588
5A704ED20090C635BC28A71A343FFF741F482D06
B8F8B30B8BFDFE6E4EBA9D663264F8DE1FEC9A94B1530E0DC13001953324DDEE
C:\Users\user\33920049\dngb.txt
false
7F801B2F630068DE6D4B7F9358261246
9F1FA78880CC820B11BF4F50FAF02B47E717F0B8
2BDC81B1E28470666DB0FB6E23AA590C4B9CA2E251170DEB506FAD164B8ADD4A
C:\Users\user\33920049\dopnobhqej.xml
false
9F6E0D61C826AC091CD857D118713477
327C7FD7ED8AA08C09C104FFC7BA15894C25424A
44269193851D3CEA2ABBADCD4DF83DEF02397189A74E239D0719D9D2F69BA8FC
C:\Users\user\33920049\dwipjhaqq.jpg
false
A36CB4828F8264BF744ABAA2F8842B53
1E0B2BF80891B29BD078129A90364B14ED95EE57
1F7F52165714243C75171CCDA40E5E0C66F8B6EEE59C2F224B9C5033A7D32FE0
C:\Users\user\33920049\eeppjmhbj.icm
false
4050A7160604551C4CB625F60086536C
4110CAFA390AE23E74DC5B110CE98F0C3B342CF2
8AE0F3572F5B03EFA9C93C88E62F61DF4C59341817BD5E883E7B0D48A82B2346
C:\Users\user\33920049\egwevtj.xl
false
B8B1C71088CA6B30B3029554CE05CEF8
67D1C180AA7C8B079819F9013828827947456D29
A5FC7DBE940C698DE68E900516AE4EA33BC7B7AB2435C0D5B74E9E474A58A09E
C:\Users\user\33920049\ewkvwqles.xl
false
A7864C4D1F211A09CB7BCDB60FC1BB9C
06CD14C958FA5C0870C3148BCD874208D6EBA192
D3BEFD3CD87AA43091B2043616C0D57B5DD5C86A9BBB933BC7F1CE359FDF2848
C:\Users\user\33920049\fmkkelc.omp
false
66D7B16F566AD4D6F73CD6083C7B1D51
C71715B2546908A05A28A91555534F04BDF11432
440D3B688F65BD11C021206C50D7B7C4A75C7BA66BD2E1AA4137ABE65D41079A
C:\Users\user\33920049\ggaoddlfq.pdf
false
97DB150F517B42A67914B55B9FCC0855
53FA78E1F13BB71038D02D9C8911415B5C2912C5
D4FC9603286BC88744BDA31D71B8464EA7CAB510244B3C21128774513302BFC8
C:\Users\user\33920049\hmjc.jpg
false
DCC53F5459120236A9DD260CBCC7CFFF
4039FCA91DD943A269B6180906E347F44E26AD45
2DD6BC5BC770D576565692E8D014611ECE5614A615B83832756959163EDA3329
C:\Users\user\33920049\ipltm.pdf
false
239B0A24A1A86CDB9E336BAFB9671B60
D604B815B4C5FC72E38700E060016980CD3F013C
F71F990B573AA4CC7724769C08F9EF0FD5E3897FDEB567966323E1AA5C7AAF84
C:\Users\user\33920049\kwhibpnou.exe
false
D60ADFE8CC5346DF0C2C5A191039AFB7
B2760A6B3E71AA9441F771A31FA7CAB80DDB792C
4D5CB8CFF9DCC0F1536CAE9299295B4422F49B8377FDAA9057427AE40D74EB8B
C:\Users\user\33920049\lueww.jpg
false
F25CE49283A8CBCDAE2F3D447B00DE0B
5ED22433392F6FBD1804EF94473CF465837575AD
C6B4F1EA2A48D13050C20A3D4CC3614909E694B494037432610053DA675FC627
C:\Users\user\33920049\lxvjfmbxgn.icm
false
B8D1527AD41B6877D1B63609604A2114
831D9DB5D7ED05A8397EE8A3E34C35C3DC769CE0
86DAACE3C786D9AA8BBDBDA09F69456A0260A20E5AB4CFE9A02628A73A9E0AA4
C:\Users\user\33920049\meuuljggm.jpg
false
909355BA1B2ADA7E01CB81E2899B6B96
98ED232FB52CB179C60C6988480BB28D5B247263
8ED9F9F9295D32C849D9939BEB83763955BC0C6925793FADB4A0A0735378338A
C:\Users\user\33920049\mmbdcs.xl
false
1A4DB14134A67966C903508FF04DCB28
612D22CDCF9CA81EBB295642346E3F0F9214D522
9C66FABC8AC533B56109E3BA00591892A18B30831DE74B933532C5727E0F4AC7
C:\Users\user\33920049\mmuiqlcvwo.pif
true
8E699954F6B5D64683412CC560938507
8CA6708B0F158EACCE3AC28B23C23ED42C168C29
C9A2399CC1CE6F71DB9DA2F16E6C025BF6CB0F4345B427F21449CF927D627A40
C:\Users\user\33920049\qhqulleu.mp3
false
5DC5D3365BAE36FC41072D92D22F69CB
91CE48060DCCCC9806AFB9979A3A1759041036DF
067820A70679BC812C16421E4F759533DD91D8124ED36966436601B1F2013C94
C:\Users\user\33920049\sdstvfk.ico
false
84DFE2A08AFBC32793395799841D38E4
1E040C2A1032335F15C39C60A01343A58889B5DC
AC294F23A91818659CFC3210CB058D3D9C7DDA4EF9D4CD933269C8428DED3AC5
C:\Users\user\33920049\srslmbkgam.xml
false
B98459F0500F47B7B583B0C519CCF3CB
5D8012DB878B3F72B7A5736525F587330F988A96
E52F7062BE09E0B5653629D3E3738EF2B514BA971CFA25EED7BE051466EE0E26
C:\Users\user\33920049\suktleoxtu.msc
false
BA57AA240C24091DC77E1E2EF7A99C10
A013814DFDF3086EA88DBAA42D1D5269CE08DC0D
619C6857EA9C69C098E3AC990BE2B99B25EC1A75821081EAD723C9EF6F718FB2
C:\Users\user\33920049\ujhg.cpl
false
5F2BBE62D3EB28228186CD6964305381
46E019DA6F7ECE17D7500B963C80FF076B3B449C
68C1BA695059F1E975FA07FF00BF77FD3B6E56EA4940E9E4AB5F7AA0FA33416E
C:\Users\user\33920049\vusklntwi.docx
false
9D55DE9BCF880293EFC22A6EDF63D727
91BFA94E624F6A6C9891922931A650F3BDF014AF
2EF84FFD76915FDBBAF0CC328B1AD11F7F0967D295AC7077F68C44F2DA67B75F
C:\Users\user\33920049\weqn.txt
false
E887844DDB3C6BC8C9BA7ABF0963B162
5B1955F3EC2985EDA50632650FB71150AD311794
4E47AFF41CBC53A8C36A9F3446DB8EFCF8B4BADD7808F7B58D57BB6F4082CA1F
C:\Users\user\33920049\wsxedltsm.cpl
false
CEE5E8C575EC77654A20CB99615CEBF6
D43519CD61E556D88080FF2640150B2BBE34AE7D
2A4C2DF427A70334733E5CB06304BFF74499D6850AE736F82B06A52B0D850D61
C:\Users\user\33920049\xtax.log
false
32834BAFB3B1871301A6BA9BEF2C5687
786CD933E49C5657480DB1485B0609F8DFEC11CE
DF899EAC1B5F6515CBDA8B816319FF0F89D7FF9E4FBDAEC52C75E1505105CD95
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\asdERTYgh56F[1].exe
true
B866823E1F8F4A52376BD108C457DD78
FE99849EC27630463080445337798EEBA8000A02
EBE1BB18A77CF0B34D3AD06919A9ADFFF2AA69CFAFA5B96B670534B890E3E2A8
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\asdERTYgh56F[1].htm
false
4FAA690718E86B391CBF386BAB2C578D
3349E293E3E63929F8EDFCFA93CF393B0BACAC61
F70CAB022EB2B94C482515B83655102FED91D729161C322273C6234B6FF00FDC
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26B84B08.png
false
9F9A7311810407794A153B7C74AED720
EDEE8AE29407870DB468F9B23D8C171FBB0AE41C
000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0CBBE5F.png
false
9513E5EF8DDC8B0D9C23C4DFD4AEECA2
E7FC283A9529AA61F612EC568F836295F943C8EC
88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B908FF69.png
false
66EF10508ED9AE9871D59F267FBE15AA
E40FDB09F7FDA69BD95249A76D06371A851F44A6
461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BDBC2463.jpeg
false
738BDB90A9D8929A5FB2D06775F3336F
6A92C54218BFBEF83371E825D6B68D4F896C0DCE
8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BF7984D4.jpeg
false
738BDB90A9D8929A5FB2D06775F3336F
6A92C54218BFBEF83371E825D6B68D4F896C0DCE
8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C009AF6A.png
false
9513E5EF8DDC8B0D9C23C4DFD4AEECA2
E7FC283A9529AA61F612EC568F836295F943C8EC
88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5A013CD.png
false
9B8C6AB5CD2CC1A2622CC4BB10D745C0
E3C68E3F16AE0A3544720238440EDCE12DFC900E
AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D57D5BFC.png
false
66EF10508ED9AE9871D59F267FBE15AA
E40FDB09F7FDA69BD95249A76D06371A851F44A6
461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E6B61027.png
false
9F9A7311810407794A153B7C74AED720
EDEE8AE29407870DB468F9B23D8C171FBB0AE41C
000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EC79CE56.png
false
9B8C6AB5CD2CC1A2622CC4BB10D745C0
E3C68E3F16AE0A3544720238440EDCE12DFC900E
AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4E77D3E.emf
false
C222CCD1034332B55B2897F143B03581
FE8FC79E1DE315C4371B5872CDABD5338A2AD5C6
595356BB0D0F0B98BF0D8E41FA5CF1D7EE900F392BC4B3DE0106281357E4A750
C:\Users\user\AppData\Local\Temp\RegSvcs.exe
false
62CE5EF995FD63A1847A196C2E8B267B
114706D7E56E91685042430F783AE227866AA77F
89F23E31053C39411B4519BF6823969CAD9C7706A94BA7E234B9062ACE229745
C:\Users\user\AppData\Local\Temp\tmp7677.tmp
true
8ECDD2338BF1DCD4DDA0C0FB1AA7216B
BA3A56765CF577D12CFDCEC6D1BA79A1425AC65A
E68557FA69E3E09BC76444A92B98313C8BFEA14AB42E581CF4129117702386DC
C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat
true
026FE3A73F30ED51820D936A03AF9C95
62D292056CF26A58D860D75F4C2A98BC4F91EF64
AA1E1FDACFC0C58F21BF51B6F1E54A8B827DC31F6B4F2EDFFEAEFD45E7DE8583
C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat
false
274639AEBFFC3A903D57150C8E7E3D80
A5B43DB77933BAC72A1E991DA56128136C776C30
C5E8989F5CE86EB4B4058D058C4F4ADB2D360BB55E2D4152397CF772B1D02E1C
C:\Users\user\Desktop\~$Import order764536.xlsx
false
96114D75E30EBD26B572C1FC83D1D02E
A44EEBDA5EB09862AC46346227F06F8CFAF19407
0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
C:\Users\user\temp\qhqulleu.mp3
false
E241BA8C7BF12A7128E7C0AD28348930
ACFC821D16BAB7535369917F41BB21ADA15E3BC0
0B64183C8B6E30C78D7EB1997E3686A1CE832B3CB0092F09CA76BA5FD5EE0B9C
C:\Users\Public\vbc.exe
true
B866823E1F8F4A52376BD108C457DD78
FE99849EC27630463080445337798EEBA8000A02
EBE1BB18A77CF0B34D3AD06919A9ADFFF2AA69CFAFA5B96B670534B890E3E2A8
194.5.98.48
97.107.138.110
ezeani.duckdns.org
true
194.5.98.48
demopicking.renova-sa.net
true
97.107.138.110
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: NanoCore
Yara detected AntiVM3
Allocates memory in foreign processes
Detected Nanocore Rat
.NET source code contains potential unpacker
Injects a PE file into foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Yara detected AntiVM autoit script
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Yara detected Nanocore RAT
Found malware configuration
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Malicious sample detected (through community Yara rule)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Multi AV Scanner detection for dropped file