Joe Sandbox 31.0.0 Red Diamond | IR | 337155 | CloudBasic | 21:04:53 07/01/2021
Sample: INFO.doc
Cookbook: defaultwindowsofficecookbook.jbs
Analysis system: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Platform: WINDOWS
MD5: db4acdd2b017403aedb8445fb1666ecd
SHA1: 64c2adf24294ffc766f6d596bc5d5cab7bb2f174
SHA256: de29cbde6917f81370caa0b06538259d4eba1c6aa0c8df70b17e218e78c5cf11
File type: Microsoft Word document (32009/1) 79.99%
Created / dropped files (path; flag; MD5; SHA1; SHA256):

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{784D4F8B-DE8E-4300-98F0-AE5841A8170E}.tmp
  false
  MD5: 5D4D94EE7E06BBB0AF9584119797B23A
  SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
  SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
  false
  MD5: 3B7B4F5326139F48EFA0AAE509E2FE58
  SHA1: 209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
  SHA256: D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\INFO.LNK
  false
  MD5: 876543E992045380E5F476C436868057
  SHA1: A212035655E4A975B093F17F8D2710C42757F454
  SHA256: FAE75D09AADCB3F0EB730ACD8ECF345902620650B4525B57A881D9F2C96DA8D4

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
  false
  MD5: 352E8E469D97790BE4608A5F946AF702
  SHA1: 1CF781AED5E3E6DF1875CCA068A875F6012DAA02
  SHA256: 7CDD0C1E040D8EF3A29CF52C4795A2EA4808DE86F0C1F3A4A82C78C098C54B58

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  false
  MD5: 6AF5EAEBE6C935D9A5422D99EEE6BEF0
  SHA1: 6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
  SHA256: CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O3NSRFZ6TUCDZZ925BCL.temp
  false
  MD5: 541235554582DF35BB94AA9488A265DC
  SHA1: B7BD025431D8D10754FABB9144038EA34AF6FDF7
  SHA256: 0D11CD886AA9E13C41C3ADAF8CEF12F0FAEEA333ED255EF4633B1DD9DC304EC4

C:\Users\user\Desktop\~$INFO.doc
  true
  MD5: 6AF5EAEBE6C935D9A5422D99EEE6BEF0
  SHA1: 6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
  SHA256: CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719

C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll
  false
  MD5: 378838C98067F0858F9688A73D800005
  SHA1: 00F07D0367E01F9A7D0DEBA72DE09B620C751282
  SHA256: 5F0400C5286EA4D6DFA9E23DB22D2BB7BDC632B20D8D5AC346ED990ECFDCC665
Contacted IPs:
104.27.145.251
210.86.239.69
209.59.139.39
104.18.61.59
45.130.229.91
5.2.136.90
Resolved domains (domain; IP; flag):
veterinariadrpopui.com  209.59.139.39  true
wpsapk.com  104.18.61.59  true
sofsuite.com  104.27.145.251  true
khanhhoahomnay.net  210.86.239.69  true
shop.elemenslide.com  45.130.229.91  true
Signatures:
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet