Joe Sandbox analysis report (the export is flattened; the field names below are recovered from the standard Joe Sandbox report layout)

Joe Sandbox version: 34.0.0 Boulder Opal
Analysis ID: 552782
Product: CloudBasic
Start time: 18:16:09, 13/01/2022
Sample name: PO789.doc
Cookbook: defaultwindowsofficecookbook.jbs
Analysis system: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Platform: WINDOWS
Sample MD5: 6c28e31d32e97db724188025636ac25e
Sample SHA-1: c5818d1883785293dfab00d2c1389b82cc74ad60
Sample SHA-256: c24d7ca6493677f640cf6d4a90c746f949749f46e45873d77a71b94ab707a21f
File type (TrID): Rich Text Format (5005/1) 55.56%
Score: 100 (scale 0 to 100)
Confidence: 5 (scale 0 to 5)

Note: the sample carries a .doc extension but TrID identifies it as RTF. RTF is the usual carrier for the Equation Editor exploits named in the signature list, so the extension must not be used to decide which parser or detonation profile handles the file.

Values present in the export without a recoverable field name, kept as extracted: IR; true, false, false, false; false
Dropped and created files (path; flagged malicious; MD5; SHA-1; SHA-256)

1. C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe
   Malicious: true
   MD5:     8807C2E0F2973A22812AF6E61BA72667
   SHA-1:   20BDCA62A8D0C98F8DB2C9FF1E3AB13DC4849514
   SHA-256: 4228CCE8278F840721D9F04FEA140B942C14D45938D07C1FA36A29712DDA441C

2. C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp
   Malicious: true
   MD5:     6D550004A108E472ACB60AFA74AECBAD
   SHA-1:   A43A215E06FEAA84FD26BBB00439A041448B484A
   SHA-256: 5B58844E1C55D5D069C4E7D10EF267AD2F0C93E239265FD8FB51930CED238C6C

3. C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8CA50CAD-0168-40C5-9DE5-3A2EB92A8144}.tmp
   Malicious: false
   MD5:     5D4D94EE7E06BBB0AF9584119797B23A
   SHA-1:   DBB111419C704F116EFA8E72471DD83E86E49677
   SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

4. C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A1ACA359-D73C-4E90-86E8-AE0089CF8F67}.tmp
   Malicious: false
   MD5:     1ED77075EA7EA8E9B6386E63B1F8F682
   SHA-1:   7F3E9A5B4FEC84D3298D32A6BB1D8A8E89866C24
   SHA-256: AB2DDDC94896F581777EA638395F5FAC4F42F368AEC3932BDF1EDA21328B5866

5. C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO789.LNK
   Malicious: false
   MD5:     8BDC5B1FDC8B42BFCED301566877791E
   SHA-1:   D296ED0B91FA1FD37358AD09E026DD88C1270962
   SHA-256: 65F2C698BA65C4FD314A4470EC3940F5EA2CD6E1C19AC315D0DF1932FEE46F3C

6. C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
   Malicious: false
   MD5:     DAE12E95560EA2CA4F86AC4515A68F33
   SHA-1:   5A1ACBDF73F62480BEFE51B3DF654745BF6AAE74
   SHA-256: 141FA7A3959432D83CCA3841FDDFDA6108B2BCA2FFAED58CE4146A9D2BF898AD

7. C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
   Malicious: false
   MD5:     45B1E2B14BE6C1EFC217DCE28709F72D
   SHA-1:   64E3E91D6557D176776A498CF0776BE3679F13C3
   SHA-256: 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6

8. C:\Users\user\AppData\Roaming\medicomsh78694.exe
   Malicious: true
   MD5:     8807C2E0F2973A22812AF6E61BA72667
   SHA-1:   20BDCA62A8D0C98F8DB2C9FF1E3AB13DC4849514
   SHA-256: 4228CCE8278F840721D9F04FEA140B942C14D45938D07C1FA36A29712DDA441C

9. C:\Users\user\Desktop\~$PO789.doc
   Malicious: true
   MD5:     45B1E2B14BE6C1EFC217DCE28709F72D
   SHA-1:   64E3E91D6557D176776A498CF0776BE3679F13C3
   SHA-256: 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6

Notes on the hashes: entries 1 and 8 are the same file. It arrived through the WinINet cache (Content.IE5; the [1] suffix is the cache's duplicate-name convention) and was written to the roaming profile as medicomsh78694.exe; that SHA-256 is the one indicator worth hunting for on other hosts. Entries 7 and 9 (~$Normal.dotm and ~$PO789.doc) also share hashes: both are Office owner lock files with identical content, yet one is flagged false and the other true, so the verdict on ~$PO789.doc says nothing about its content. The remaining Content.Word, Recent and index.dat entries are ordinary Word working files.
Network indicators

Contacted IPs: 2.58.149.41, 23.227.38.74, 34.102.136.180, 109.94.209.123, 91.195.240.13

Domains (name; flagged malicious; resolved IP)
peak-tv.tk                     true    2.58.149.41
www.extraordinarymiracle.com   true    109.94.209.123
www.realstakepool.com          true    91.195.240.13
shops.myshopify.com            true    23.227.38.74
muzicalbox.com                 false   34.102.136.180
www.danielkcarter.store        false   172.67.181.75
www.muzicalbox.com             true    unknown
www.prestigiousuniforms.com    true    unknown

Notes on the network data: 172.67.181.75 appears only as a resolution and is not in the contacted-IP list. The verdict is per host name, not per registered domain (www.muzicalbox.com is flagged, muzicalbox.com is not), so matching should run on the exact host. shops.myshopify.com is a shared Shopify hostname and should not be blocked on its own. FormBook, which the Yara signatures below identify, contacts a list of domains from its configuration of which only some are attacker-controlled, so the flagged domains are detection aids rather than a confirmed C2 list.
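The hashes, domains and IPs above are the reusable part of this report. As an added example (not part of the Joe Sandbox report or its tooling), the following Python turns them into a small hunting script: a hash check covering the dropped payload and the RTF sample, and a matcher that runs DNS/proxy log lines against the flagged domains and contacted IPs, honouring the per-host verdicts noted above. Every indicator value is transcribed from the report; the log lines in SAMPLE_LOG and the key=value log shape are constructed for the demonstration.

```python
"""Hunting for the indicators listed in the report above.

Added example; not part of the Joe Sandbox report or its tooling. The hashes,
domains and IPs are transcribed from the report. SAMPLE_LOG is constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Hashes the report lists for the sample and the malicious dropped executable,
# lower-cased so comparisons do not depend on how a tool renders hex.
PAYLOAD = "medicomzx[1].exe / medicomsh78694.exe"
DROPPER = "PO789.doc (RTF)"
MALICIOUS_HASHES = {
    "8807c2e0f2973a22812af6e61ba72667": PAYLOAD,
    "20bdca62a8d0c98f8db2c9ff1e3ab13dc4849514": PAYLOAD,
    "4228cce8278f840721d9f04fea140b942c14d45938d07c1fa36a29712dda441c": PAYLOAD,
    "6c28e31d32e97db724188025636ac25e": DROPPER,
    "c5818d1883785293dfab00d2c1389b82cc74ad60": DROPPER,
    "c24d7ca6493677f640cf6d4a90c746f949749f46e45873d77a71b94ab707a21f": DROPPER,
}

# Domains the report flags malicious, and every IP it lists as contacted.
# shops.myshopify.com is a shared Shopify hostname: report a match, but do not
# block it on its own.
MALICIOUS_DOMAINS = {
    "peak-tv.tk", "www.extraordinarymiracle.com", "www.realstakepool.com",
    "shops.myshopify.com", "www.muzicalbox.com", "www.prestigiousuniforms.com",
}
CONTACTED_IPS = {"2.58.149.41", "23.227.38.74", "34.102.136.180",
                 "109.94.209.123", "91.195.240.13"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)


def hash_bytes(data):
    """md5/sha1/sha256 hex digests of a byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def hash_file(path):
    """The same three digests for a file, read in 64 KiB chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def classify_hashes(*digests):
    """Label of the first digest (any algorithm) that is known-bad, else None."""
    for d in digests:
        label = MALICIOUS_HASHES.get(d.lower())
        if label:
            return label
    return None


def scan_tree(root):
    """Hash every regular file under root; return [(path, label)] for matches."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            label = classify_hashes(*hash_file(p).values())
            if label:
                hits.append((str(p), label))
    return hits


def domain_hit(host):
    """Listed domain that host equals or is a subdomain of, else None.

    The report flags www.muzicalbox.com but not muzicalbox.com, so the match
    runs on the exact host and its parents, never the other way round.
    """
    host = host.lower().rstrip(".")
    return next((d for d in MALICIOUS_DOMAINS if host == d or host.endswith("." + d)), None)


def match_network_log(lines):
    """One record per log line that names a listed domain or a contacted IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        hosts = {domain_hit(h) for h in HOST_RE.findall(line)} - {None}
        ips = set(IPV4_RE.findall(line)) & CONTACTED_IPS
        if hosts or ips:
            hits.append({"line": n, "domains": sorted(hosts), "ips": sorted(ips)})
    return hits


def demo_scan():
    """Scan a throw-away directory holding one clean file; expected to return []."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "clean.bin").write_bytes(b"not an indicator")
        return scan_tree(tmp)


# Constructed DNS/proxy lines in a simple key=value shape (not from the report).
SAMPLE_LOG = [
    "2022-01-13T18:20:01Z ws01 dns query=www.extraordinarymiracle.com answer=109.94.209.123",
    "2022-01-13T18:20:02Z ws01 dns query=update.example.net answer=203.0.113.10",
    "2022-01-13T18:20:05Z ws01 proxy dst=23.227.38.74:80 host=shops.myshopify.com proc=explorer.exe",
    "2022-01-13T18:20:09Z ws01 dns query=muzicalbox.com answer=34.102.136.180",
]

if __name__ == "__main__":
    for hit in match_network_log(SAMPLE_LOG):
        print(hit)
    print(demo_scan())
```

The fourth sample line shows why the domain and IP checks are kept separate: muzicalbox.com is not a flagged host, but its answer 34.102.136.180 is a contacted IP, so the line is still surfaced with an empty domain list. Run scan_tree against a user profile (the report's drop locations are %APPDATA% and the WinINet cache) rather than a whole disk; hashing every file on a host is slow and the payload hash is the indicator that matters.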
Signatures triggered (names as reported by the sandbox)

Sample uses process hollowing technique
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Maps a DLL or memory area into another process
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Yara detected AntiVM3
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Sigma detected: Droppers Exploiting CVE-2017-11882
Office equation editor drops PE file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Sigma detected: File Dropped By EQNEDT32EXE
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file

Read together, the signatures describe one chain: the RTF abuses the Equation Editor (EQNEDT32.EXE, the CVE-2017-11882 / CVE-2018-0802 path), which fetches and drops a PE and starts it; the dropped .NET executable unpacks a FormBook payload, which moves into another process by hollowing, APC queueing and thread-context modification, so that the network traffic is carried by a system process rather than the dropper. Sandbox and VM checks (process/module/function name lookups, RDTSC timing) are present, so a host-based detonation that fails to reproduce the network traffic is not evidence that the sample is benign.
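Three of the signatures above (Equation Editor starts a process, connects to the internet, drops a PE file) are behaviours a process-monitoring pipeline can check for without any of this sample's hashes. As an added example (not the sandbox's own detection logic and not the Sigma rules it cites), the following Python applies those three checks to events in a simplified Sysmon-like shape (EventID 1 = process create, 3 = network connect, 11 = file create). The event chain is constructed to be consistent with the signatures, not copied from the report, whose export does not include its process tree; the EQNEDT32.EXE install path is the standard one, and 198.51.100.7 is a documentation address, not one of the report's IPs.

```python
"""Behavioural checks for the Equation Editor signatures listed above.

Added example; not the sandbox's detection logic and not the Sigma rules it
cites. Events are constructed in a simplified Sysmon-like shape (EventID 1 =
process create, 3 = network connect, 11 = file create). The process chain is
illustrative and consistent with the signatures, not copied from the report;
198.51.100.7 is a documentation address, not one of the report's IPs.
"""
import ntpath

EQNEDT = "eqnedt32.exe"
EQNEDT_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"


def image_name(path):
    """Lower-cased base name of a Windows path; ntpath splits on backslashes on any OS."""
    return ntpath.basename(path).lower()


def is_pe_file(target, header=b""):
    """PE drop: executable extension, or an MZ header when the first bytes are available."""
    return image_name(target).endswith((".exe", ".dll", ".scr")) or header[:2] == b"MZ"


def check_events(events):
    """(rule, detail) for every event matching one of the three Equation Editor behaviours."""
    findings = []
    for ev in events:
        img = image_name(ev.get("Image", ""))
        parent = image_name(ev.get("ParentImage", ""))
        if ev["EventID"] == 1 and parent == EQNEDT:
            findings.append(("equation editor starts process", ev["Image"]))
        elif ev["EventID"] == 3 and img == EQNEDT:
            findings.append(("equation editor connects to internet",
                             f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))
        elif ev["EventID"] == 11 and img == EQNEDT and is_pe_file(ev["TargetFilename"], ev.get("Header", b"")):
            findings.append(("equation editor drops PE file", ev["TargetFilename"]))
    return findings


def eqnedt_children(events):
    """Images of processes whose parent is EQNEDT32.EXE (key on ParentImage, not on Word)."""
    return [ev["Image"] for ev in events
            if ev["EventID"] == 1 and image_name(ev.get("ParentImage", "")) == EQNEDT]


SAMPLE_EVENTS = [
    # Word opens the RTF; its parent is the shell, nothing suspicious yet.
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Equation Editor is an out-of-process COM server started by the DCOM
    # service host, so its parent is svchost.exe, not WINWORD.EXE. A rule that
    # looks for "child of Word" misses it; key on EQNEDT32.EXE itself.
    {"EventID": 1, "Image": EQNEDT_PATH, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 3, "Image": EQNEDT_PATH, "DestinationIp": "198.51.100.7", "DestinationPort": 80},
    {"EventID": 11, "Image": EQNEDT_PATH,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\medicomsh78694.exe", "Header": b"MZ\x90\x00"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\medicomsh78694.exe", "ParentImage": EQNEDT_PATH},
    # Legitimate Equation Editor use writes non-PE temp files; this must not fire.
    {"EventID": 11, "Image": EQNEDT_PATH,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\eqn1.tmp", "Header": b"\x00\x00"},
]

if __name__ == "__main__":
    for rule, detail in check_events(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The parent of EQNEDT32.EXE is svchost.exe because Equation Editor is launched through DCOM, which is why the checks key on EQNEDT32.EXE as the image or parent rather than on WINWORD.EXE. On Office 2010 as used in this analysis the Equation Editor binary is still installed; on patched installations it was removed entirely, so any process creation of EQNEDT32.EXE is itself worth alerting on.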