31.0.0 Red Diamond
IR
336301
CloudBasic
19:04:25
05/01/2021
6Cprm97UTl
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
MD5    29c8b5edc30eadf757b72b0a14857903
SHA1   77d432fb96a0a453bae30107990c2c9ee0314330
SHA256 a174abce368b775138c203d66fa8a3845aead2d53d87f220c58a2fe8ee7d9cf0
Microsoft Excel sheet (30009/1) 47.99%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 [false]
  MD5    E4F1E21910443409E81E5B55DC8DE774
  SHA1   EC0885660BD216D0CDD5E6762B2F595376995BD0
  SHA256 CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 [false]
  MD5    89A188366EFFB46949AD9093EDA55CF1
  SHA1   6F3931CD5BA324C598AE0B45F7A1EA387E7DD1F2
  SHA256 9FBCA6A1EEDBC56E0350C4D21F36077F429AE6452F579A3864D44D11AD49A909

C:\Users\user\AppData\Local\Temp\05DE0000 [false]
  MD5    2A97A372C7AC14DDAF2BC6CECA6BCDE8
  SHA1   6509EB9A038444C7CD44BF03B7B6536CCEBB73F0
  SHA256 DBC762A96077FDB3858F84F2642813C5CAA88A1B41FFEB34C1FD5BAB9F6F2D9D

C:\Users\user\AppData\Local\Temp\Cab8018.tmp [false]
  MD5    E4F1E21910443409E81E5B55DC8DE774
  SHA1   EC0885660BD216D0CDD5E6762B2F595376995BD0
  SHA256 CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5

C:\Users\user\AppData\Local\Temp\RegAsm.exe [true]
  MD5    ADF76F395D5A0ECBBF005390B73C3FD2
  SHA1   017801B7EBD2CC0E1151EEBEC14630DBAEE48229
  SHA256 5FF87E563B2DF09E94E17C82741D9A43AED2F214643DC067232916FAE4B35417

C:\Users\user\AppData\Local\Temp\Tar8019.tmp [false]
  MD5    D0682A3C344DFC62FB18D5A539F81F61
  SHA1   09D3E9B899785DA377DF2518C6175D70CCF9DA33
  SHA256 4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A

C:\Users\user\AppData\Roaming\CF97F5\5879F5.lck [false]
  MD5    C4CA4238A0B923820DCC509A6F75849B
  SHA1   356A192B7913B04C54574D18C28D46E6395428AB
  SHA256 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171 [false]
  MD5    AD0D2FB7F4EC355D0D8CBF5C9235259B
  SHA1   C875BB3B2020FB4A1C8E6E694BA2296EBB31DF81
  SHA256 2598083577FF245674401A33AE940D5AE389E972B1DBB147FAA47B40156D965E

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\6Cprm97UTl.LNK [false]
  MD5    73C3A39789CB2C2692EF7B7D1BE021AF
  SHA1   9B6DCC9611BABA41FE6CC83D220EEEA88E69B346
  SHA256 F01B6D9921D1A2744419D9283E221C129FAEF7C40CB5EC09BB47D9BE6BC2992C

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK [false]
  MD5    6998A322A53314E59F4908073525B31A
  SHA1   F6A12ABF5E811E73424968267E355D9FE3FBB930
  SHA256 E2F9EF677017D5ED6785546BAFA65854E49111D370873CD60BD34ED2DE4A3496

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat [false]
  MD5    E843814B96F07781747EFD43C6082AEC
  SHA1   C2F6049FE788D4C8B5492EA8531FB23655E52BB1
  SHA256 7D5160CFBB0EF9CF50C2AA8430F9841E1A6FDCFBA3EAE6D9BD061D0DFEBD1AD5

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B0BO471L5716CBJPX3UA.temp [false]
  MD5    21EE1956990A0AFF41BE3228CA473491
  SHA1   11A3F9FF19BDECB2F40618F1DFDDDD0E3B4F048B
  SHA256 6135B7117C17789ADF7FE18263D645F33F26AD38AE9AA247B058E0B34F1750C7

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LE6CBUNRM6U6BL3TCXE0.temp [false]
  MD5    21EE1956990A0AFF41BE3228CA473491
  SHA1   11A3F9FF19BDECB2F40618F1DFDDDD0E3B4F048B
  SHA256 6135B7117C17789ADF7FE18263D645F33F26AD38AE9AA247B058E0B34F1750C7

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PXJFD74DLMN8ONH9QYBS.temp [false]
  MD5    21EE1956990A0AFF41BE3228CA473491
  SHA1   11A3F9FF19BDECB2F40618F1DFDDDD0E3B4F048B
  SHA256 6135B7117C17789ADF7FE18263D645F33F26AD38AE9AA247B058E0B34F1750C7

C:\Users\user\Desktop\B5DE0000 [false]
  MD5    0873A1826881700041830C5B6254A989
  SHA1   1B3A26F038342930CF0E86AC6809DE68DCBD057F
  SHA256 4DB366DD1391F89E6B9628CCD197D22B3C943B41B427E6830D13F8F9508FED25

C:\Users\user\Documents\12.exe [true]
  MD5    1D11ABB9DAC9B15823D1BCAD2B8B3675
  SHA1   CB2A4711C5F192EDBDE50229D976FCC95A5A314C
  SHA256 DCC94B0C8FDF6952BD3018D92C1264651D50AAA7911195BB6F9BC6B97618B191

C:\Users\user\ntrwe.exe [true]
  MD5    1D11ABB9DAC9B15823D1BCAD2B8B3675
  SHA1   CB2A4711C5F192EDBDE50229D976FCC95A5A314C
  SHA256 DCC94B0C8FDF6952BD3018D92C1264651D50AAA7911195BB6F9BC6B97618B191
83.172.144.37
104.22.0.232
185.206.215.56
cutt.ly [true] -> 104.22.0.232
bighoreca.nl [true] -> 83.172.144.37
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Document exploit detected (process start blacklist hit)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Lokibot