34.0.0 Boulder Opal
IR
626146
CloudBasic
16:40:44
13/05/2022
PO 65738963578 Revise Settlement.xlsx
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
e5c9c992c088a778a6348f4a58dd78d3
754f386df06785ddd4cb4a04bed626ceab65d5ab
6b8ffb251308a2396f35780df9376b329a6c741419db44ea4f89d88ed932fbf2
Generic OLE2 / Multistream Compound File (8008/1) 100.00%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe
true
029BBE98A216416EB698CA543A5C0830
A24173F1DAF45D7444E3C698C3AE09A540A818DD
E73B7DE772353638ADDD480041E90A67F27D8D5B087BF222B1C6649C54B9CC57
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF36CD9.wmf
false
30935B0D56A69E2E57355F8033ADF98B
5F7C13E36023A1B3B3DAF030291C02631347C2AB
077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CBD0238.wmf
false
1A4FF280B6D51A6ED16C3720AF1CD6EE
277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D623D4F.wmf
false
30935B0D56A69E2E57355F8033ADF98B
5F7C13E36023A1B3B3DAF030291C02631347C2AB
077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A9EBFD06.wmf
false
1A4FF280B6D51A6ED16C3720AF1CD6EE
277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D8559C53.emf
false
8E3A74F7AA420B02D34C69E625969C0A
4743F57F0F702C5B47FA1668D9173E08ADA16448
0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
C:\Users\user\AppData\Local\Temp\bn5z71pvulub10vjar
false
40FF96237005585BB3469F7844D579EA
CB38299275DA36B767A8EDD8AF4546CF0165B6D6
81B2280B25F3F4BEF5A87D35291A9D6FD9D57E754FFDE05628663AC65F324257
C:\Users\user\AppData\Local\Temp\dknqrab
false
05102B10AF50DD080DF138356B05637D
BFB1ABB77EA1CE16E41D207C10FF31D6509558AB
865D3959F838A6F4D41B9CF369C5863A10CD322A5F0410FD03A577890166D891
C:\Users\user\AppData\Local\Temp\idcqz.exe
true
51F62DEF6DC686B87CC0BAFC31685546
C99222ABD6547D34DED56B44CC5818675D902F07
9E398BB06FD1CBF54E40BFB36211CBD5C73AF57E652603C9B6A37A70DAB5AF4D
C:\Users\user\AppData\Local\Temp\nswAB85.tmp
false
6EFB91B44285F8050C8CBCC272E54FDB
2B6B1160680ACA8809287FE2D055BA30963A04EE
54719DDAC4D092D918795FD291A01E1F03A203C49AE742D6077D201E2622BFE5
C:\Users\user\AppData\Local\Temp\~DF676A4AF24BE52768.TMP
false
E5C9C992C088A778A6348F4A58DD78D3
754F386DF06785DDD4CB4A04BED626CEAB65D5AB
6B8FFB251308A2396F35780DF9376B329A6C741419DB44EA4F89D88ED932FBF2
C:\Users\user\AppData\Local\Temp\~DF6A1E229B1B4407B7.TMP
false
BF619EAC0CDF3F68D496EA9344137E8B
5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DFCE6EE0378A984A97.TMP
false
BF619EAC0CDF3F68D496EA9344137E8B
5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DFEB8550F8DC457C8E.TMP
false
BF619EAC0CDF3F68D496EA9344137E8B
5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\Desktop\~$PO 65738963578 Revise Settlement.xlsx
true
797869BB881CFBCDAC2064F92B26E46F
61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
C:\Users\Public\vbc.exe
true
029BBE98A216416EB698CA543A5C0830
A24173F1DAF45D7444E3C698C3AE09A540A818DD
E73B7DE772353638ADDD480041E90A67F27D8D5B087BF222B1C6649C54B9CC57
198.12.81.20
www.cortesdisenosroutercnc.com/itq4/
true
http://nsis.sf.net/NSIS_ErrorError
false
unknown
http://198.12.81.20/busy/BUSY.exeC:
true
unknown
http://198.12.81.20/busy/BUSY.exeiiC:
true
unknown
http://198.12.81.20/busy/BUSY.exej
true
unknown
http://198.12.81.20/busy/BUSY.exe
true
198.12.81.20
Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Shellcode detected
Office equation editor drops PE file
Machine Learning detection for dropped file
Sigma detected: File Dropped By EQNEDT32EXE
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Antivirus detection for URL or domain
Drops PE files to the user root directory