Joe Sandbox analysis report

Version:          34.0.0 Boulder Opal
IR
Analysis ID:      626601
Product:          CloudBasic
Start time:       15:18:09, 14/05/2022
Sample:           DL03327INV.xlsx
Cookbook:         defaultwindowsofficecookbook.jbs
Analysis system:  Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
OS:               WINDOWS
MD5:              5b4a67ac532a5d8900b815144f0fb845
SHA1:             6da306004e084780e9f57f3702a5ec22e72fff6c
SHA256:           98fc7157dafde651c3ab515663e3a91f034b49175e2e2495c00576c4b8e9e96d
File type (TrID): Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Detection:   malicious: true; suspicious: false; clean: false; unknown: false
Score:       100 (range 0 - 100)
Confidence:  5 (range 0 - 5)
Whitelisted: false
Dropped files (path; malicious flag; MD5 / SHA1 / SHA256)

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
  malicious: true
  MD5:    DE76EF6A11A63EFC00B0303888BC0B7F
  SHA1:   7AB24456A49F6B61BC54D20A4D9C0B84F3AE696B
  SHA256: FC6EBE8BC215A292BB3DF340A84350CEB2BE7187EFC8E10381235CFA8D82F734

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\21AA51C5.wmf
  malicious: false
  MD5:    1A4FF280B6D51A6ED16C3720AF1CD6EE
  SHA1:   277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
  SHA256: E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5042D1B.wmf
  malicious: false
  MD5:    1A4FF280B6D51A6ED16C3720AF1CD6EE
  SHA1:   277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
  SHA256: E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52D20C60.wmf
  malicious: false
  MD5:    30935B0D56A69E2E57355F8033ADF98B
  SHA1:   5F7C13E36023A1B3B3DAF030291C02631347C2AB
  SHA256: 077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\77AC4BD4.emf
  malicious: false
  MD5:    8E3A74F7AA420B02D34C69E625969C0A
  SHA1:   4743F57F0F702C5B47FA1668D9173E08ADA16448
  SHA256: 0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E77A502.wmf
  malicious: false
  MD5:    30935B0D56A69E2E57355F8033ADF98B
  SHA1:   5F7C13E36023A1B3B3DAF030291C02631347C2AB
  SHA256: 077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E

C:\Users\user\AppData\Local\Temp\boswagvgna
  malicious: false
  MD5:    D4AA661B180DF0D15BB6D0DC8342B8BA
  SHA1:   07310F7D0C29CD6A18AE1174578F61B08E2BA844
  SHA256: E12B146FD62913D6650FCAF490CF973008929E47FD247CB3BD75B6E854CFDD89

C:\Users\user\AppData\Local\Temp\l4nnhna3wvu7agf
  malicious: false
  MD5:    0B70240F412D375469A67F4E364E6EDD
  SHA1:   877D66CBFFF0712D91ED65C7545577729B34CB1A
  SHA256: DAAE8081EFFED8BB74D40479D2264D791A8539F1ED8565438640EE6681D5DC64

C:\Users\user\AppData\Local\Temp\nss8A2D.tmp
  malicious: false
  MD5:    C2F526011A8F4C1202583C0F68C272D7
  SHA1:   6E43958FE2A7B13C248C45369E6B4113185A1B78
  SHA256: E3AA52846C6BC0E920C12B442E4E08EDE1D409D0A99069A19BB801162204A38B

C:\Users\user\AppData\Local\Temp\yldnat.exe
  malicious: true
  MD5:    BC3C746DB1D3F8A821BBDF17CA023450
  SHA1:   12459C0EF96BDE1490B00FC9C6F09D69FBEC046F
  SHA256: C503A6FBE974E2C177FAFFFC2F2D9F7C26473909A2AB054E305B0E231C54B785

C:\Users\user\AppData\Local\Temp\~DF8200AD3C92400B31.TMP
  malicious: false
  MD5:    5B4A67AC532A5D8900B815144F0FB845
  SHA1:   6DA306004E084780E9F57F3702A5EC22E72FFF6C
  SHA256: 98FC7157DAFDE651C3AB515663E3A91F034B49175E2E2495C00576C4B8E9E96D

C:\Users\user\AppData\Local\Temp\~DFA02A15C6E61E2243.TMP
  malicious: false
  MD5:    BF619EAC0CDF3F68D496EA9344137E8B
  SHA1:   5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
  SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

C:\Users\user\AppData\Local\Temp\~DFB8C99282338AF6F8.TMP
  malicious: false
  MD5:    BF619EAC0CDF3F68D496EA9344137E8B
  SHA1:   5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
  SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

C:\Users\user\AppData\Local\Temp\~DFD268A41FBC2DE634.TMP
  malicious: false
  MD5:    BF619EAC0CDF3F68D496EA9344137E8B
  SHA1:   5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
  SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

C:\Users\user\Desktop\~$DL03327INV.xlsx
  malicious: true
  MD5:    797869BB881CFBCDAC2064F92B26E46F
  SHA1:   61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
  SHA256: D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185

C:\Users\Public\vbc.exe
  malicious: true
  MD5:    DE76EF6A11A63EFC00B0303888BC0B7F
  SHA1:   7AB24456A49F6B61BC54D20A4D9C0B84F3AE696B
  SHA256: FC6EBE8BC215A292BB3DF340A84350CEB2BE7187EFC8E10381235CFA8D82F734

Note: vbc[1].exe in the IE cache and C:\Users\Public\vbc.exe carry identical hashes, so the file fetched from http://104.168.33.31/75/vbc.exe was copied unchanged to the Public directory. ~DF8200AD3C92400B31.TMP has the same hashes as the submitted sample, and the three other ~DF*.TMP files are byte-identical to each other.
Contacted IPs

23.81.214.26
34.102.136.180
198.54.117.212
104.168.33.31
164.155.217.57

Contacted domains (name | malicious flag | resolved IP)

www.tw-life.net | true | 164.155.217.57
parkingpage.namecheap.com | false | 198.54.117.212
www.yiwanggkm.com | true | 23.81.214.26
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | false | 18.119.154.66
arjimni.com | false | 34.102.136.180
www.arjimni.com | true | unknown
www.contractornurd.com | true | unknown
www.skinclash.com | true | unknown
URLs (URL | malicious flag | IP)

http://www.windows.com/pctv. | false | unknown
http://investor.msn.com | false | unknown
http://www.msnbc.com/news/ticker.txt | false | unknown
http://www.yiwanggkm.com/nc39/?dZzp=SW2DOu4AoD1tt2PaEEhiNvSk2qD2OpQeAcSR0NEUE8SsNGniN/+F24NqGXKX7Cj1ljS/6Q==&3f=j6AdrVwh | true | 23.81.214.26
http://wellformedweb.org/CommentAPI/ | false | unknown
http://www.tw-life.net/nc39/?dZzp=Td3Z6WACWlvn2oxJ5kz3cAAvTYM+vx9a0mv4ko18Io/mhbtUurGZKYFJi0A4+N8FDsGh8g==&3f=j6AdrVwh | true | 164.155.217.57
www.arjimni.com/nc39/ | true
http://www.arjimni.com/nc39/?dZzp=SWFeU2CogosqNHNVddu3ZSSiHhx9YO5iIr2cqOlbYRvwZbqC6rJ+ufxHmetPGTnqGTEg+w==&3f=j6AdrVwh | false | 34.102.136.180
http://www.iis.fhg.de/audioPA | false | unknown
http://www.piriform.com/ccleanerq | false | unknown
http://www.piriform.com/ccleaner1SPS0 | false | unknown
http://104.168.33.31/75/vbc.exehhC: | true | unknown
http://nsis.sf.net/NSIS_ErrorError | false | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | false | unknown
http://www.hotmail.com/oe | false | unknown
http://treyresearch.net | false | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | false | unknown
http://java.sun.com | false | unknown
http://www.icra.org/vocabulary/. | false | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | false | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | false | unknown
http://104.168.33.31/75/vbc.exe | true | 104.168.33.31
http://investor.msn.com/ | false | unknown
http://www.piriform.com/ccleaner | false | unknown
http://104.168.33.31/75/vbc.exej | true | unknown
http://computername/printers/printername/.printer | false | unknown
http://www.%s.comPA | false | unknown
http://www.autoitscript.com/autoit3 | false | unknown
https://support.mozilla.org | false | unknown
http://www.contractornurd.com/nc39/?dZzp=CWrF3poHj2MNQw4FqfZfOWFDC9Dy9qwGAafxJUMNhkwMJpF8RUBmV1WHKbaf9sKHKobluA==&3f=j6AdrVwh | true | 198.54.117.212
http://www.piriform.com/ccleanerv | false | unknown
http://servername/isapibackend.dll | false | unknown

Note: the URLs flagged as malicious split into two groups: the second-stage download from http://104.168.33.31/75/vbc.exe (the trailing "hhC:" and "j" variants are the same string with adjacent memory bytes picked up by the extractor), and the check-ins to the flagged domains, which all use the path /nc39/ with a varying dZzp= value and the fixed trailing parameter 3f=j6AdrVwh. Many of the unflagged entries (piriform.com, msn.com, nsis.sf.net, treyresearch.net and the like) are strings embedded in the executables rather than connections the sample made.
Signatures

Sample uses process hollowing technique
Found malware configuration
Maps a DLL or memory area into another process
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Injects a PE file into a foreign process
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Shellcode detected
Office equation editor drops PE file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Sigma detected: File Dropped By EQNEDT32EXE
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Antivirus detection for URL or domain
Drops PE files to the user root directory
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
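The Equation Editor signatures above (process start, file drop, network connection from EQNEDT32.EXE) and the C2 URL pattern in the URL table translate directly into hunting logic. The script below is an added example written for this report, not Joe Sandbox code: it embeds the report's malicious hashes, flagged domains, payload host and check-in URL shape as indicators, then runs them over a handful of constructed Sysmon-style process, file and network events and proxy-log entries (the event records, the EQNEDT32.EXE install path and the notepad/explorer control event are hypothetical; the hashes, paths and URLs inside them are copied from the tables above).

```python
"""Hunt for the behaviours this report flags, over constructed telemetry.

Added example written for this report, not Joe Sandbox code.  The event
records below are constructed to look like Sysmon-style process, file and
network events plus proxy-log lines; they are not from the sandbox run.
All indicators are copied from the report above.
"""
import re
from urllib.parse import urlsplit

# Dropped files the report marks malicious (SHA256).
MALICIOUS_SHA256 = {
    "FC6EBE8BC215A292BB3DF340A84350CEB2BE7187EFC8E10381235CFA8D82F734",  # vbc.exe
    "C503A6FBE974E2C177FAFFFC2F2D9F7C26473909A2AB054E305B0E231C54B785",  # yldnat.exe
    "D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185",  # ~$DL03327INV.xlsx
}
# Domains the report marks malicious.
C2_HOSTS = {"www.yiwanggkm.com", "www.tw-life.net", "www.arjimni.com",
            "www.contractornurd.com", "www.skinclash.com"}
# Host serving the second-stage payload (http://104.168.33.31/75/vbc.exe).
PAYLOAD_HOSTS = {"104.168.33.31"}
# All contacted IPs. 198.54.117.212 also serves parkingpage.namecheap.com,
# so a bare IP hit is weak evidence and is reported separately.
CONTACTED_IPS = {"23.81.214.26", "34.102.136.180", "198.54.117.212",
                 "104.168.33.31", "164.155.217.57"}
# The flagged check-in URLs share the path /nc39/ and the trailing
# parameter 3f=j6AdrVwh; only the dZzp value varies.
C2_QUERY = re.compile(r"^dZzp=[^&]+&3f=j6AdrVwh$")

EQNEDT = "eqnedt32.exe"


def classify(event):
    """Return the rule names a single event triggers (possibly none)."""
    hits = []
    kind = event["type"]
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()

    if event.get("sha256", "").upper() in MALICIOUS_SHA256:
        hits.append("known-malicious hash from report")

    if kind == "process_create" and parent.endswith(EQNEDT):
        hits.append("Equation Editor started a process")
    if kind == "file_create" and image.endswith(EQNEDT) \
            and event.get("target", "").lower().endswith(".exe"):
        hits.append("file dropped by EQNEDT32.EXE")
    if kind == "network_connect":
        if image.endswith(EQNEDT):
            hits.append("EQNEDT32.EXE connecting to internet")
        if event.get("dest_ip") in CONTACTED_IPS:
            hits.append("contacted IP listed in report (weak)")

    if kind == "proxy":
        parts = urlsplit(event["url"])
        if parts.hostname in PAYLOAD_HOSTS:
            hits.append("download from payload host")
        if parts.hostname in C2_HOSTS and parts.path == "/nc39/" \
                and C2_QUERY.match(parts.query):
            hits.append("C2 check-in URL pattern")
    return hits


def hunt(events):
    """Map event index -> triggered rules, omitting clean events."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


# Constructed sample telemetry (hypothetical; hashes, paths and URLs inside
# the records are taken from the report tables).
EQ_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [
    {"type": "file_create", "image": EQ_PATH, "target": r"C:\Users\Public\vbc.exe"},
    {"type": "process_create", "image": r"C:\Users\Public\vbc.exe",
     "parent_image": EQ_PATH,
     "sha256": "FC6EBE8BC215A292BB3DF340A84350CEB2BE7187EFC8E10381235CFA8D82F734"},
    {"type": "network_connect", "image": EQ_PATH, "dest_ip": "104.168.33.31"},
    {"type": "proxy", "url": "http://104.168.33.31/75/vbc.exe"},
    {"type": "proxy", "url": "http://www.yiwanggkm.com/nc39/?dZzp="
     "SW2DOu4AoD1tt2PaEEhiNvSk2qD2OpQeAcSR0NEUE8SsNGniN/+F24NqGXKX7Cj1ljS/6Q==&3f=j6AdrVwh"},
    {"type": "proxy", "url": "http://www.piriform.com/ccleaner"},   # benign string
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "sha256": "00" * 32},
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], rules)
```

The three EQNEDT32.EXE rules need no indicators at all and keep working after the attacker rotates domains, which is why they are the ones worth shipping as standing detections; the hash and URL rules are only useful for scoping this specific campaign. The IP rule is deliberately labelled weak because one of the contacted addresses is shared hosting that also answers for a parking page.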