Joe Sandbox version: 31.0.0 Red Diamond
Report field (unlabelled in export): IR
Analysis ID: 337044
Product: CloudBasic
Time: 16:32:47
Date: 07/01/2021
Sample name: info.doc
Cookbook: defaultwindowsofficecookbook.jbs
Analysis system: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Platform: WINDOWS
Sample MD5: 407e5e05f725d0443a0a6d0d3db22e1f
Sample SHA1: db34ce7024b5320991b464fa08cfb1d7d9a70d75
Sample SHA256: 174649f1b3e64a89faba9684bd2a160f7785b56449193c9dc412e2ac9672b1ca
File type: Microsoft Word document (32009/1) 79.99%
Unlabelled report fields (as exported, in order): true, false, false, false, 100, 0, 100, 5, 0, 5, false
Dropped files (the boolean per file is the flag column as exported; its label is not present in the export):

Dropped file: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{55694A94-8E09-401E-A760-1A1C7B299BE3}.tmp
  Flag: false
  MD5: 5D4D94EE7E06BBB0AF9584119797B23A
  SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
  SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

Dropped file: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Flag: false
  MD5: 800B7561DDD338565F53FBEAF2415880
  SHA1: BE355EEBAD3649495CA4C51B30A25D591F686418
  SHA256: 4B1A366CC926F8DE6FCD418CA512120DB9C1CC2602CAD88319CAA83B604CCBA7

Dropped file: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\info.LNK
  Flag: false
  MD5: 4DF194CE29C4323BAAFE7D61BB4771D9
  SHA1: 9ECEEE2D0C8440C5D5AE1FB9B061B1AB75BA7384
  SHA256: D99AE496E82434959214FF68405C040ECDFEA4826B6BD91AB49A5D43815A0C99

Dropped file: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Flag: false
  MD5: 39EB3053A717C25AF84D576F6B2EBDD2
  SHA1: F6157079187E865C1BAADCC2014EF58440D449CA
  SHA256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A

Dropped file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\92E3LI4JX7C5KZ1U7T5K.temp
  Flag: false
  MD5: 8A1DB58C7320C6A4481EBE01CC1A3568
  SHA1: FC121B65C3445ADF08C94212E6D6FC13C2319AFA
  SHA256: D716C84859DD7B67ECBC6485B001FF34C4EC176B12705B139B34D8E2F90D4B7A

Dropped file: C:\Users\user\Desktop\~$info.doc
  Flag: true
  MD5: 39EB3053A717C25AF84D576F6B2EBDD2
  SHA1: F6157079187E865C1BAADCC2014EF58440D449CA
  SHA256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A

Dropped file: C:\Users\user\Xts_nmf\P4188qk\U95D.dll
  Flag: true
  MD5: 348210F57D94734B89341DAD8F492E7C
  SHA1: 6432B34F6BF2C1FA066B85D50F57BA3DF742A90B
  SHA256: 7A045B94A661BA72BD4EC82E99032232C195E7249A386CA04C3349FA8A977B8C
Contacted IPs: 152.170.79.100, 190.247.139.101, 35.208.84.24, 138.197.99.250
Contacted domain: fmcav.com (listed in the export with flag true and IP 35.208.84.24)
Signatures (names as reported):
  Creates processes via WMI
  Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
  Document contains an embedded VBA with many randomly named variables
  Encrypted powershell cmdline option found
  Hides that the sample has been downloaded from the Internet (zone.identifier)
  Obfuscated command line found
  Potential dropper URLs found in powershell memory
  PowerShell case anomaly found
  Powershell drops PE file
  Sigma detected: Suspicious Encoded PowerShell Command Line
  Suspicious powershell command line found
  Very long command line found
  Antivirus detection for URL or domain
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  System process connects to network (likely due to code injection or exploit)
  Yara detected Emotet